|
| Sample Newsletters | MarketPlace AIS Products & Services |
|
AIS's Health Business Daily
Influential Federal Privacy Committee Proposes Massive Changes in HIPAA's Protections for Personal Health Information Reprinted from DRUG BENEFIT NEWS, biweekly news, data and business strategies for health plans, PBMs and pharmaceutical companies. The nation's top advisory board to the federal government on health care privacy believes the current laws and rules are woefully inadequate and recommends that new legislation be passed to strengthen and expand protections. That's the long-term goal of the National Committee on Vital and Health Statistics (NCVHS), as signaled by its approval Nov. 28 of a letter to be sent to the Secretary of HHS. If enacted whole cloth — a big if, to be sure — it could result in massive changes. The 40-page report began as a request from Robert Kolodner, the national health information technology coordinator, to have the committee look into what protections might be necessary to safeguard so-called "secondary uses" of data from inappropriate disclosures and other possible harm to patients. But the committee dispensed with the notion of "secondary," saying it had no real meaning, and went full-bore into the whole privacy-security labyrinth itself, declaring that "NCVHS does not use the term secondary to describe categories of uses." Instead, NCVHS urges that the term be abandoned in favor of explicit description of each use of health data. While it's unlikely these reforms will be adopted in the final year of the Bush administration, these ideas could be the foundation for change if federal privacy policy is Democratic-controlled in 2009. 'Data Stewardship Principles' Proposed The committee is endorsing a new "framework" for the protection of health data so that, regardless of whether an organization is considered a covered entity (CE), it must adhere to certain concepts of "health data stewardship." The focus or regulation should be "on enhanced protections for all uses of health data by all users, independent of whether an organization is covered under HIPAA. NCVHS believes that data stewardship principles should be applied to all organizations that have access to personal health data. Data stewardship includes: accountability, transparency, individual participation and control, de-identification, security safeguards and controls, oversight of data uses, and data integrity and quality measures." The report adds, "Enhanced and more widely adopted data stewardship principles and other measures are needed to enable optimal uses of health data, while respecting the privacy of the individuals who are the sources of those data," the committee said. "Particular emphasis is placed on the immediate need to ensure that appropriate protections surround uses of health data for quality measurement, reporting, and improvement." HHS is being urged to issue guidance and to push for new laws, adopting "whatever means is most expeditious and will promote the broadest possible adoption" of the committee's recommendations. The report advocates an expansion of the universe of organizations that would have to follow privacy and security-type regulations and laws. It urges HHS to "work with other federal agencies and the Congress for more inclusive, federal privacy legislation so that all individuals and entities that use and disclose individually identifiable health information are covered by the data stewardship principles, including a range of entities not currently covered by HIPAA." Enhancing the transparency of data exchanges is another recommendation. "HHS should issue guidance to covered entities and all other organizations responsible for managing, collecting, viewing, storing, sharing, disclosing, or otherwise making use of personal health information, whether identified or de-identified, to ensure that individuals have the opportunity to be informed about all potential uses of their health data that might not reasonably be anticipated to flow from the individual's disclosure of health information," the report states. Shorter-Term Solutions Also Proposed NCVHS also recommends that efforts be made to "harmonize" state and federal privacy laws, and that HHS "support a state law mapping repository that clarifies where states differ and which aspects of state laws are more stringent than HIPAA." If such grand actions like new legislation aren't forthcoming, HHS should still push for changes to expand the definition of a CE. "In the absence of comprehensive privacy legislation, HHS should advocate for more limited legislation that expands the definition of covered entity under HIPAA from its focus on financial and administrative transactions to cover any entity that manages, collects, views, stores, shares, discloses, or otherwise makes use of personal health information," the committee said. Entities not covered by HIPAA should also be required to get patient authorization each time they use or disclose identifiable personal health information, the report states. And it lays out specific requirements CEs should have in their contracts with business associates that deal with limits on the use of the CE's data. This could result in a rewrite of hundreds of thousands of business associate (BA) agreements nationwide. The committee also recommended that CEs rewrite their notice of privacy practices to include more information about all the possible uses of data by themselves and by others. Patient privacy groups have criticized the report as lessening protections and opening up access even more. Perhaps they are disappointed because they still want patients to have to give their consent for the release of information, a provision that was removed from the final rule once it was released by the Bush White House. Some have released statements indicating that NCVHS is tossing HIPAA out with this report and offering nothing in its place. Others have offered praise, but noted the difficult political climate. "Overall, I think the committee took a broad view of health privacy and identified a lot of problems. Many of its recommendations are thoughtful," Bob Gellman, a Washington, D.C.-based privacy and information policy consultant, told RPP. "But I do not think that HHS will pay much attention to them. I doubt that there will be any significant changes to the HIPAA privacy rule in the last year of the Bush administration." The National Business Group on Health, whose members represent 55 million workers, said it opposed any changes to the privacy rule, but supports harmonization of state laws. In addition, it is opposed to any changes in BA agreements. Patient Control Is Important The committee also reviewed the draft of a letter that its privacy and confidentiality subcommittee has been working on, which spells out the rights that individuals should have to control the release of certain data in their health record that they considered to be "sensitive" or, for some other reason, do not want to be revealed to certain providers. This control would exist only when information is to be exchanged for treatment purposes, he said. Currently, patients have no control over what is in their medical record except if they want to have an error corrected. The privacy rule permits them to ask the provider to make a change, but the hospital or physician can deny that request. "In the letter we try to make the case for why individual control is so important," subcommitee chair Mark Rothstein said at the meeting. Without it, many individuals will probably choose not to have their records in an electronic format, or choose to sit out of a national or regional electronic network. Rothstein said the subcommittee had made progress but was concerned the full subcommittee could reject its hard-fought efforts. "I think we are close [to a vote] on the subcommittee, but because it has taken 10 drafts so far, we did not want to push that last mile and bring it to the committee, and then have the committee have fundamental problems and send us back home," he said at the meeting. Instead, he said the subcommittee wanted to "give the non-subcommittee members an opportunity to review the concepts that we are proposing tentatively, and give us feedback and guidance...about what you can live with or don't like or can't live with." The subcommittee's idea is that individuals could "sequester" or wall off part of the information that might fall into certain categories, such as mental health or reproductive health, or information that is older than a certain number of years. When the record is transmitted to a hospital or a physician, the receiver of the information would see that some information was sequestered and unavailable, but not even the type of information would be known. This is controversial because some believe there should not be even a hint that some information is hidden, while others believe physicians deserve full access. Fear That Doctors Would Object "We are also recommending that there be a `break-the-glass feature' incorporated in the system, so that in a genuine emergency, a provider could get access to everything," Rothstein added. Considerable discussion followed his comment, centering on whether it would be possible to hide this information again once it was revealed, and how this would be done. Some committee members commented that perhaps it is premature to try and address this issue, especially if achieving consensus is proving so difficult for the subcommittee itself. But others said that because HHS is now in the process of beginning to test electronic health networks, the letter is prescient and must not be delayed. Ultimately, the full committee told Rothstein to continue working on the draft. "We are going forward and expect to have a letter vote at the February meeting," Rothstein told RPP. NCHVS will meet next Feb. 20-21, 2008. Visit www.ncvhs.hhs.gov. |
| ||||||||
