HIPAA Updates Strengthen Patient RightsEnhancements Designed to Build Trust
"The new regulations would enhance individuals' access and control over electronic health records and, therefore, trust in EHRs and the electronic exchange of health information," says Rita Bowen, president of the board of directors of the American Health Information Management Association. "This is important as our nation works to improve the health of individuals by having accurate health information available where and when it is needed to treat patients."
The Department of Health and Human Services' Office for Civil Rights prepared the proposed rule, which is required under the Health Information Technology for Economic and Clinical Health Act, also known as the HITECH Act.
The "notice of proposed rulemaking" issued July 8 also includes extensive details about how healthcare organizations' business associates must comply with the HIPAA privacy and security rules.
Patient AccessDeborah C. Peel, M.D., a consumer advocate who has been critical of government efforts to ensure the privacy of health information, says she senses a "change in direction" among regulators.
Peel, founder and chair of Patient Privacy Rights, says that when federal officials announced the rule, they used clear language that "supported building American's rights to consent and control over protected health information in electronic health systems and data exchange." She hopes the rule, when it's finalized, actually carries out that commitment.
The proposed rule requires that if a healthcare organization maintains electronic records, it must offer electronic copies to patients upon request.
The rule includes details on many options for the electronic format for copies, and it would allow organizations to charge a fee to cover their costs. It also would enable patients to request that an electronic record be transmitted to another organization.
More Detail NeededBut the proposal needs to be fleshed out to add more details on providing patients with access to information, says Dan Rode, vice president of policy and government relations at the American Health Information Management Association.
One sticky issue, Rode says, involves how to provide patients with copies of their complete records when most organizations use a "hybrid" approach that involves a mix of electronic and paper records.
Nevertheless, Rode says the proposed rule is a good first step toward a HIPAA overhaul that gives patients more rights to their information. "It recognizes that consumers now take a more active role in their healthcare and may want to download information into their personal health record or access it via a portal."
But providing patients with improved access to their health information will raise new security issues, contends security expert Rebecca Herold, owner of Rebecca Herold & Associates. The proposed rule doesn't spell out how to secure information provided to patients online or on CDs or USB drives, she notes. But the original HIPAA rules note that encryption should be applied if it's appropriate to mitigate risk, she stresses.
Herold also anticipates that more healthcare organizations will implement two-factor authentication for online access to patient records, following in the footsteps of online banking.
Restricting AccessThe proposed rule would enable individuals to obtain restrictions on certain disclosures of information to health insurers if they pay out of their own pockets for services.
"That's a powerful, long overdue privacy right," says security expert Kate Borten, president of The Marblehead Group.
But the provision raises some challenges, she acknowledges. For example, she poses this question: If a patient comes back for a follow-up visit and wants insurance to pay for it, what happens if the payer wants information about the previous visit in order to justify the claim?
The proposal also would establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes.
It would require organizations to give individuals "a clear and conspicuous opportunity" to opt out of future solicitations. And it would require a healthcare organization to receive authorization from individuals before it could sell their protected health information to others for marketing purposes.
All of these patient rights provisions will need to be reflected in revamped "notices of privacy practices" that consumers receive, Herold stresses.
These privacy notices must contain specific examples of restrictions on the use of patient information, Borten adds. The regulators "want this information to be spelled out more clearly than it has been," she says. "As a consumer, I think that's good."
Unfinished BusinessThe proposed rule does not address the issue of how to give patients an accounting of who has accessed their records, as is required under HITECH. It notes that topic will be tackled in "future rulemakings."
"Knowing that we'll have more information coming out on that issue keeps vendors and providers in the dark on how accounting for disclosures is going to work," says Rode of AHIMA. And that uncertainty, he fears, could create some anxiety for hospitals and physicians investing in new software and applying for federal incentive payments for using EHRs.
Rode is hopeful that once the proposed rule is final, regulators will issue updated versions of the HIPAA privacy, security and enforcement rules to incorporate all the complex changes. That would prove far more practical, he says, than having to look at the changes in the latest rule and compare it to the original HIPAA provisions.
Striking a BalanceAHIMA's Bowen gave the HHS Office for Civil Rights high marks for its efforts. "These proposed rules represent a striking of the difficult balance between improving appropriate health information access and transfer with the necessary confidentiality and security of that same information and data, and the very important inclusion of patients and their guardians in these activities."
Federal regulators will accept comments on the proposed rule through Sept 13 before making final revisions.