Privacy and Security of Electronic Health Records: New Challenges, New Protections

Author: Joy Pritts
July 26, 2012

Health Care System Is Broken

• Focus on “treatment”
• Sporadic
• Fragmented
• Uncoordinated care
• Inconsistent delivery of evidence-based care
• Misaligned reimbursement system


Improving the Health System

• Health Information Technology
• Provider Payment
• Health Insurance Market
• Quality Improvement

Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)

• Creates financial incentives for eligible providers and hospitals to “meaningfully use” electronic health records (EHRs), including exchanging health information electronically
• Promotes development of a nationwide health information network to permit the secure exchange of electronic health information among providers


Electronic Health Records (EHRs)

• Onsite server and network
• Cloud-based solution
– Third party
– Off-site server
– Promoted as
• Less expensive
• Simpler


Office of the National Coordinator for Health Information Technology


Models for Electronic Health Information Exchange

• Directly between providers
– E.g., referral from one doctor directly to another
• Decentralized, with a record locator service
• Centralized databases
• Different models raise different privacy concerns


HIPAA Privacy Rule

• Federal baseline: scope
• Applies to most health care providers, as well as to health plans and health care clearinghouses (“covered entities”)
• Detailed provisions on the use and disclosure of protected health information (PHI)
• Treats all health information the same (except separately maintained psychotherapy notes)


HIPAA Security Rule

• Applies to electronic protected health information (ePHI)
• Establishes administrative, physical and technical standards for securing ePHI to ensure access only by authorized persons and entities
• Scalable and flexible to meet the requirements of organizations of different sizes and types




Meaningful Use Incentives

• Eligible provider must conduct a security risk assessment per the HIPAA Security Rule
• Qualified EHR technology must be capable of encrypting ePHI




HITECH Improvements

• Extends HIPAA to directly cover “business associates” (entities that perform services on behalf of covered entities and need access to PHI on a regular basis)
– HITECH expressly clarifies that health information exchange organizations are business associates
– Cloud-based EHR vendors are business associates


Business Associates Under HITECH

• Subject to the use and disclosure limits of the HIPAA Privacy Rule
• Must comply with the substantive provisions of the HIPAA Security Rule
– Access limitations
– Authentication
– Encryption


Patient Protection and Affordable Care Act (ACA)

Improve patient access to quality care through
• Broader health insurance coverage
• Health benefit exchanges for individuals and small groups
• No denial of coverage for pre-existing conditions
• Coordination of care

Accountable Care Organizations

• Network of doctors and hospitals that shares responsibility for providing care to patients
• Manage all of the health care needs of a minimum of 5,000 Medicare beneficiaries for at least three years
• Receive bonuses when providers keep costs down and meet specific quality benchmarks, focusing on prevention and carefully managing patients with chronic diseases


Accountable Care Organizations

• Accountable Care Organizations Final Rule
– Federal Register, vol. 76, page 67802 (11/02/11)
• ACOs may be business associates
• Providers in an ACO are eligible to receive Medicare claims data generated by other providers
• Individuals may opt out of having certain identifiable information shared

ACA Performance Measurement

• ACA requires CMS to make Medicare data available to third parties (Qualified Entities), to be combined with other claims data for provider performance measurement




ACA Performance Measurement

• Final Rule on Availability of Medicare Data for Performance Measurement
– Federal Register, vol. 76, page 76542 (12/07/11)
• Qualified entities (conduct data analytics)
– Are not considered business associates of CMS
– Must have a rigorous data privacy and security program to qualify to receive Medicare data
– Must sign a stringent data use agreement



Health Insurance Exchange Rule: Privacy and Security

• Establishment of Exchanges and Qualified Health Plans Final Rule
– Federal Register, vol. 77, page 18310 (03/27/12)
• State health insurance exchanges must establish and implement privacy and security standards that are consistent with the Fair Information Practice Principles
– 45 CFR 155.260

Electronic Health Information: A Balancing Act

[Figure: a balance with “Accessible for care” on one side and “Protecting Privacy” on the other]
