Center for Democracy and Technology
Working for Democratic Values in a Digital Age
PolicyBeta - Digital Policy in Process

Archive for the 'Health Privacy' Category

The Key to Health IT’s Success (Guest Blog Post)

Friday, October 30th, 2009

CDT’s Sheel Pandya, Policy Counsel for the Health Privacy Project, wrote a guest blog post on the American Constitution Society’s blog arguing that a comprehensive privacy and security framework is the key to health IT’s success. The passage of the American Recovery and Reinvestment Act of 2009 (ARRA) in February has shone a brighter spotlight on health IT, especially within the overall health care reform debate. The post discusses what is needed for the marriage of health technology and health policy to work as well as possible while still protecting patient privacy. Check it out and leave your feedback.

But What About the Potential HIPAA Violation?

Friday, October 23rd, 2009

Last month, we blogged about how Humana (and maybe some other health plans) sent letters to its Medicare beneficiaries warning that they could lose health care benefits and services because of the health care reform legislation pending in Congress. In response, the Centers for Medicare and Medicaid Services (CMS) ordered all health plans serving Medicare beneficiaries to stop sending such letters. Some reacted to this order by accusing CMS of attempting to censor “free speech.”

Free speech, however, is not the only issue implicated by Humana’s activity. Humana arguably violated the HIPAA Privacy Rule, the federal health privacy rule that limits how health plans and other covered entities can use and disclose personal health data (including mere demographic information), when it used beneficiaries’ names and addresses to send the letters. Yet everyone continues to ignore the privacy issue!

Health care entities do not have unfettered use of individuals’ health data. Should health plans like Humana be able to use this data for whatever reason they find important? The answer is no, and the HIPAA Privacy Rule makes this clear. The Privacy Rule requires Humana and other health plans to be good stewards of personal data, the same data that individuals entrust to them to manage their health care. After they share their data, individuals expect it to be protected, kept confidential, and used only for legitimate purposes, not misused as Humana (and potentially others) did in this case. Humana may try to legitimize its action by arguing that sending letters to beneficiaries is permitted under the Privacy Rule as a “health care operation,” a laundry list of business and administrative activities under the Rule for which personal data can be used without the individual’s consent. Such an interpretation, however, would only underscore the need to narrow this overly broad category, a recommendation CDT has made in the past.

Regrettably, the Office for Civil Rights (OCR) within the U.S. Dept. of Health and Human Services (HHS), which has the authority to enforce the HIPAA Privacy Rule, has yet to speak up on this issue. As far as we can tell, no further inquiry will be done. CDT continues to urge OCR (and HHS) to prioritize enforcement of the HIPAA rules and to make clear that ensuring protections for personal health data is a high priority.

Proposed Rule Implements the Genetic Information Nondiscrimination Act

Thursday, October 8th, 2009

On October 1st, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) issued a Proposed Rule with respect to the Genetic Information Nondiscrimination Act (GINA), a federal law passed in May 2008 that protects individuals against discrimination in health care coverage and employment based on genetic information. Many states already have similar laws in place, but GINA provides a new federal baseline level of protection against genetic discrimination in health care coverage and employment.

The proposed rule implements the new privacy and confidentiality protections in Title I of GINA, which deals with nondiscrimination in health care coverage, and makes changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The Privacy Rule protects individuals’ health information by limiting how it can be used or disclosed by “covered entities,” which include health insurers and plans. This post highlights some of the major changes, which are based both on GINA and on HHS’ general authority under HIPAA. (Of note, proposed regulations to implement the employment nondiscrimination provisions were issued earlier this year by the Equal Employment Opportunity Commission (EEOC).)

First, GINA requires HHS to clarify that genetic information is protected health information and therefore subject to the Privacy Rule, and the proposed rule makes this clarification. Of note, HHS has always maintained in guidance that genetic information is protected under HIPAA as long as it is individually identifiable and maintained by a covered entity. However, the proposed change goes a step further and makes this indisputable in the Rule.

Second, GINA also requires HHS to change the Privacy Rule to prohibit health plans from using or disclosing genetic information for underwriting purposes, including determining eligibility or benefits, calculating premiums or contribution amounts, and imposing pre-existing condition exclusions (and this prohibition applies even if an individual authorizes the use of his or her information for this purpose). (The Privacy Rule historically has allowed covered entities to use any protected health information for underwriting purposes). Although Title I of GINA specifies that only certain plans be subject to this prohibition, OCR proposes to apply the prohibition to all health plans governed by the Privacy Rule, including long-term care policies and employee benefit welfare plans. HHS maintains that this interpretation is consistent with both GINA and HHS’ authority under HIPAA.

Third, OCR proposes to require plans that use or disclose protected information for underwriting purposes to include a statement in their Notice of Privacy Practices about how they are prohibited from using or disclosing genetic information for underwriting purposes. The Privacy Rule already requires health plans (and most other covered entities) to provide a notice to individuals that describes how they use and disclose personal health information. However, requiring plans that perform underwriting to include a specific statement about genetic information increases transparency and further educates individuals about specific protections on genetic data.

OCR coordinated its work on the proposed rule with the Departments of Labor and Treasury, and the Centers for Medicare and Medicaid Services, which are tasked with implementing regulations for Title I of GINA and which released their interim final rule the same day that OCR issued its rule. The public has 60 days to comment on the proposed rule. Comments are due to HHS no later than December 7, 2009 and can be submitted electronically at www.regulations.gov.

Great Wrap-Up from Last Week’s Health IT Event

Wednesday, September 30th, 2009

Alex Howard put together a fantastic write-up of our panel discussion last week about the progress that has been made nine months into the implementation of the HITECH provisions of the American Recovery and Reinvestment Act of 2009. You can check out video from the event here and Alex’s write-up for SearchCompliance.com here.

Health IT Policy Panel: Video

Wednesday, September 30th, 2009

CDT recently hosted the “Implementing Health IT: Progress and Promise” panel at the National Press Club. The event focused on the progress that has been made nine months into the implementation of the HITECH provisions of the American Recovery and Reinvestment Act of 2009. A short video recapping the highlights of the panel discussion can be found here.

Moderated by Leslie Harris, CEO and President of CDT, and sponsored by Gemalto, the panel included renowned experts from the field of health IT:

Deven McGraw is the Director of the Health Privacy Project at CDT, where she focuses on developing and promoting policies that ensure privacy in health IT. She also serves on the Health IT Policy Committee, a federal advisory committee established in the American Recovery and Reinvestment Act of 2009.

John D. Halamka, MD, MS, is the Chief Information Officer at both Beth Israel Deaconess Medical Center and Harvard Medical School. At Beth Israel Deaconess, he is responsible for information technology serving two million patients. Dr. Halamka is also co-chair of the federal Health IT Standards Committee and a practicing emergency physician.

Jamie Ferguson, a nationally recognized expert on health information interoperability, is the Executive Director of Health IT Strategy and Policy for Kaiser Permanente. He also serves as co-chair of the Clinical Operations Workgroup of the Health IT Standards Committee.

Peter Basch, MD, FACP, is the Senior Fellow for Health IT Policy with the Center for American Progress and serves as the Medical Director for Ambulatory Clinical Systems at MedStar Health, an eight hospital not-for-profit health system in the Baltimore-Washington corridor. In 2007, he received the HIMSS Physician IT Leadership Award. Dr. Basch practices general internal medicine in Washington, D.C.

Letters to Medicare Enrollees Pose Potential HIPAA Violation

Tuesday, September 29th, 2009

Last week we learned that Humana — and possibly some other Medicare plans — inappropriately used enrollees’ personal data to send them letters saying they could lose their benefits and services due to the impending health care reform legislation in Congress. The Centers for Medicare and Medicaid Services (CMS) called on all plans serving Medicare beneficiaries to stop such communications and launched an investigation into whether Humana’s use of the personal data violated any federal laws.

Some reacted by accusing CMS of trying to squelch the “free speech” of private health plans – but whether Medicare has the right to place some limits on communications from its contractor plans is only one of the issues implicated by this activity. Humana — in using enrollees’ names and addresses to facilitate communications — arguably committed a violation of the HIPAA Privacy Rule. The Privacy Rule sets forth very specific rules governing how health plans (and other health care entities) access, use and disclose an individual’s protected health information (PHI), which includes mere demographic data like names and addresses. We do not see how the Privacy Rule permits plans to use enrollee personal data for this purpose.

iHealthBeat Perspectives Article: “HHS Holds Keys to Next Generation of Health Information Privacy”

Friday, September 25th, 2009

CDT published an article in iHealthBeat yesterday, calling on the U.S. Dept. of Health and Human Services (HHS) to take the lead on privacy issues. In the iHealthBeat article, CDT points out that HHS should take full advantage of the opportunities before it to establish strong rules in favor of privacy and meaningful enforcement. CDT also urges HHS to enhance communication and coordination on privacy issues among its subagencies and with other federal agencies.

The American Recovery and Reinvestment Act of 2009 (ARRA) makes a significant taxpayer investment in health information technology (health IT). A new generation of improved privacy protection is critical to preserve patient trust in a system of digitized health records. In ARRA, Congress provides HHS with numerous opportunities to strengthen privacy in health care, such as through rulemakings and staff appointments.

There is some evidence of improvement in both the coordination and regulation areas. For example, the HIPAA Privacy and Security Rules were previously enforced by two different offices within HHS, but both are now enforced through the Office for Civil Rights (OCR). HHS should grab this opportunity to ensure better compliance with, and enforcement of, the Privacy and Security Rules. To do so, OCR will have to coordinate closely with the HHS Office of the National Coordinator (ONC), which oversees the national strategy for electronic health information exchange.

In the area of regulation, HHS took some positive steps forward in its recent breach notification rulemaking. HHS granted an exemption to notification of data breaches in instances where the data was protected through strong encryption or destruction standards, but HHS declined to extend the same exemption to limited data sets. However, HHS also included a “harm standard” which allows health care companies to decide for themselves whether to notify patients of a breach if they determine the breach does not pose a ‘significant risk’ of financial, reputational or other harm to patients. This harm standard undermines the incentives for health care companies to encrypt data in the first place.

(See CDT’s recent blog post on the HHS harm standard for more information.)

As the iHealthBeat article points out, there are still a lot of chances for HHS to establish and implement patient-oriented health privacy rules. Through ARRA, Congress laid the groundwork for effective system-wide stewardship of patient data – but this promise will not be realized without strong leadership from HHS.

HHS’ New Harm Standard for Breach Notification

Friday, September 11th, 2009

In late August, the Dept. of Health and Human Services (HHS) released an interim final rule on health data breach notification. Through the rule, HHS establishes data security standards that HHS believes are strong enough to eliminate the need to notify consumers of a data breach. That is, if a health care entity applies one of these security processes to its data, and then that data is lost or otherwise breached, the entity does not have to inform patients. Some of the rule’s security processes are quite good, such as strong encryption standards. Unfortunately, however, HHS packed an overly broad and unreliable standard in with the good ones: the “harm standard.”

(CDT had issued comments to the HHS rulemaking in May 2009. For more information about the interim final rule and CDT’s comments, please see our earlier blog post.)

The American Recovery and Reinvestment Act of 2009 (ARRA) required HHS to issue a rule on breach notification. In its interim final rule, HHS established a harm standard: a breach does not occur unless the access, use or disclosure poses “a significant risk of financial, reputational, or other harm to the individual.” In the event of a breach, HHS’ rule requires covered entities to perform a risk assessment to determine whether the harm standard is met. If they decide that the risk of harm to the individual is not significant, the covered entities never have to tell their patients that their sensitive health information was breached.

The primary purpose for mandatory breach notification is to provide incentives for health care companies to protect data. Breach notification is costly to health care companies, both in financial and reputational terms. Therefore, health care companies naturally seek to avoid this expense. In its interim final rule, HHS gave health care companies the opportunity to avoid notification if the companies protect the data through strong encryption or destruction methodologies.

HHS Issues Breach Notification Rule on Heels of FTC Rule

Friday, August 21st, 2009

On Wednesday, the U.S. Dept. of Health and Human Services (HHS) released its interim final rule on health data breach notification. The interim rule establishes, among other things, technological standards for securing health information strongly enough to obviate the need to notify consumers of a data breach. The public has 60 days to comment on the interim rule provisions before they are final. CDT had issued comments to the HHS rulemaking in May 2009.

HIPAA covered entities are required by law to notify consumers when unsecured protected health information is breached. In this interim rule, HHS offered guidance on what “unsecured protected health information” means. HHS identified technologies and methodologies that would adequately “secure” personal health data. If the data is breached, entities properly using these technologies or methodologies need not notify consumers of the breach. Two of those technologies/methodologies are strong data encryption and destruction standards. CDT supported the approach of offering this exception to notification because it gives companies an incentive to strongly protect consumer data. However, CDT’s comments made clear that such data protections are but one necessary component of a comprehensive framework needed to foster health IT privacy.

CDT’s comments recommended that HHS decline to add the “limited data set” to the methodologies that secure health data. Under the HIPAA law, the “limited data set” is data with certain direct identifiers stripped from it, while indirect identifiers such as dates and ZIP codes may remain. CDT cited research indicating that a significant portion of the population could still be re-identified from the information left in a limited data set. Referencing this risk in the interim rule, HHS agreed that the limited data set alone was not a proper way to secure health information. However, HHS offered an exception to this standard: covered entities and business associates must perform a risk assessment after a data breach of a limited data set, and if this assessment determines that there is “no significant risk of harm” to the individual, then the entity does not need to notify the individual. This appears to be an internal decision on the part of the company.
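The re-identification risk described above (and in the harm-standard post earlier on this page) is easiest to see with data in hand. The following is an added example written for this page, not code from CDT, HHS or any cited study. It removes the direct identifiers that 45 CFR 164.514(e) requires a limited data set to drop, keeps the dates and five-digit ZIP codes the rule permits, and then links the stripped records back to names through a second, outside data source that shares those fields (the classic voter-roll linkage). All records are constructed for illustration; the field names, the `record_id` study pseudonym and the toy "voter roll" are this example's assumptions, and the population is tiny, so the rates it computes are illustrative rather than the figures in the research CDT cited.

```python
"""Limited data set vs. re-identification by linkage (constructed example).

A limited data set strips sixteen direct identifiers but may keep dates of
birth/admission/discharge and geography down to the five-digit ZIP code.
Those fields are quasi-identifiers: in combination they are frequently
unique, so a record can be re-linked to a person via any public list that
carries the same fields.
"""
from collections import Counter

# Field names standing in for the 16 identifiers a limited data set must
# remove under 45 CFR 164.514(e)(2). The names themselves are this
# example's convention, not rule text.
LDS_DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric_id", "face_photo",
}

# Fields the rule lets a limited data set retain, and which an outside
# list (voter roll, purchased marketing file) typically also carries.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed clinical records. "record_id" is an assumed study pseudonym.
CLINICAL = [
    {"record_id": 1, "name": "Alice Example", "ssn": "000-00-0001", "mrn": "A1",
     "zip": "20009", "dob": "1975-03-14", "sex": "F", "diagnosis": "E11.9"},
    {"record_id": 2, "name": "Bob Example", "ssn": "000-00-0002", "mrn": "A2",
     "zip": "20009", "dob": "1980-07-02", "sex": "M", "diagnosis": "F32.9"},
    {"record_id": 3, "name": "Carol Example", "ssn": "000-00-0003", "mrn": "A3",
     "zip": "20010", "dob": "1980-11-20", "sex": "F", "diagnosis": "B20"},
    {"record_id": 4, "name": "Dan Example", "ssn": "000-00-0004", "mrn": "A4",
     "zip": "21201", "dob": "1990-01-01", "sex": "M", "diagnosis": "C34.90"},
    {"record_id": 5, "name": "Earl Example", "ssn": "000-00-0005", "mrn": "A5",
     "zip": "21201", "dob": "1990-01-01", "sex": "M", "diagnosis": "J45.909"},
    {"record_id": 6, "name": "Fay Example", "ssn": "000-00-0006", "mrn": "A6",
     "zip": "20010", "dob": "1975-09-30", "sex": "F", "diagnosis": "O80"},
]

# Constructed public list: no health data, but the same quasi-identifiers.
VOTER_ROLL = [
    {"name": "Alice Example", "zip": "20009", "dob": "1975-03-14", "sex": "F"},
    {"name": "Bob Example",   "zip": "20009", "dob": "1980-07-02", "sex": "M"},
    {"name": "Carol Example", "zip": "20010", "dob": "1980-11-20", "sex": "F"},
    {"name": "Dan Example",   "zip": "21201", "dob": "1990-01-01", "sex": "M"},
    {"name": "Earl Example",  "zip": "21201", "dob": "1990-01-01", "sex": "M"},
    {"name": "Fay Example",   "zip": "20010", "dob": "1975-09-30", "sex": "F"},
]


def to_limited_data_set(record):
    """Copy of the record with the direct identifiers removed; dates and the
    full ZIP are deliberately retained, as the limited-data-set rule allows."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def quasi_key(record):
    """The (zip, dob, sex) triple used for linkage."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def uniqueness_rate(records):
    """Fraction of records whose quasi-identifier triple is unique in the set.
    Every unique triple is a record an outside list can pin to one person."""
    counts = Counter(quasi_key(r) for r in records)
    return sum(1 for r in records if counts[quasi_key(r)] == 1) / len(records)


def reidentify(lds_records, public_records):
    """Map record_id -> name for every stripped record whose triple matches
    exactly one entry in the public list. Ambiguous triples are left out."""
    index = {}
    for p in public_records:
        index.setdefault(quasi_key(p), []).append(p["name"])
    return {r["record_id"]: hits[0]
            for r in lds_records
            if len(hits := index.get(quasi_key(r), [])) == 1}


def generalize_safe_harbor(record):
    """Coarsen the quasi-identifiers the way the HIPAA safe-harbor method
    does: ZIP truncated to three digits and date of birth to the year.
    (Safe harbor additionally zeroes ZIP3 areas under 20,000 people and
    removes all other date elements; that refinement is omitted here.)"""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    lds = [to_limited_data_set(r) for r in CLINICAL]
    print("fields left in LDS record:", sorted(lds[0]))
    print("unique triples in LDS:     %.2f" % uniqueness_rate(lds))
    print("re-identified via roll:    ", reidentify(lds, VOTER_ROLL))
    gen = [generalize_safe_harbor(r) for r in lds]
    roll = [generalize_safe_harbor(v) for v in VOTER_ROLL]
    print("unique triples, coarsened: %.2f" % uniqueness_rate(gen))
    print("re-identified, coarsened:  ", reidentify(gen, roll))
```

Run as a script, the stripped records still carry `zip`, `dob` and `sex`; four of the six triples are unique and every one of those four links back to a name through the roll, while the two men sharing a ZIP and birth date stay ambiguous. Coarsening to ZIP3 and birth year halves the unique triples in this toy set but does not eliminate linkage, which is why safe harbor removes far more than the limited data set does and why CDT argued the limited data set alone should not count as "secured."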

Give Me My Data!

Wednesday, June 24th, 2009

On Monday night, a website called HealthDataRights.org went live. The site promotes better access to one’s own health data, and serves as a portal where individuals and entities can endorse and support A Declaration of Health Data Rights.

“We the people,” the site asserts: 1) Have the right to our own health data; 2) Have the right to know the source of each health data element; 3) Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be available in that form; 4) Have the right to share our health data with others as we see fit.

Having access to one’s own health data is already a right, just not one that is well known or enforced. Under the HIPAA Privacy Rule, individuals have a right to obtain a copy of their health data. They can also get this copy “in the form or format requested” (e.g. electronic format) if it is “readily producible” in that format. There are some exceptions to this right, including health data compiled for the purpose of a civil or criminal proceeding. Also under the Rule, covered entities have 30 days to comply with an individual’s request (and this can be extended to 60 days). Entities can charge a reasonable fee for copying the health record, the limits of which are set by state law. Notwithstanding this legal right, failure to provide individuals with access to their data is one of the top five HIPAA-related complaints received by the U.S. Department of Health and Human Services (HHS), the agency responsible for enforcing the HIPAA Privacy Rule.
