A workgroup of the American Health Information Community is likely to recommend in May that the privacy and security rules associated with the Health Insurance Portability and Accountability Act of 1996 be extended to apply to almost all users of health information exchanges.
Although AHIC's Confidentiality, Privacy and Security Workgroup is still debating the exact wording, members did not take issue with the intent of the recommendation during an April 12 meeting at the Department of Health and Human Services headquarters in Washington.
A draft, labeled a working hypothesis, states that all persons and entities that participate in an electronic health information exchange network, at a local, state, regional or nationwide level, through which individually identifiable electronic health information is stored, compiled, transmitted or accessed, should be required to meet privacy and security criteria at least equivalent to relevant HIPAA requirements.
During the workgroup meeting, representatives from a half-dozen organizations that provide health information technology services, including three regional health information exchanges, testified that they comply with HIPAA privacy and security requirements even though the law doesn't require them to do so.
Workgroup Chairman Kirk Nahra, a lawyer at the firm of Wiley and Rein, called the witnesses a good sampling of the kinds of businesses that might be affected by this recommendation.
HIPAA applies only to certain covered entities, primarily health care providers and insurance companies. Some observers believe that public confidence in health information exchanges might be buttressed by extending the law to them.
Many organizations that handle individuals' health information are somewhat covered by HIPAA because the law requires them to agree to protect the information they obtain from a covered entity. However, there is no government enforcement of these business associate agreements. Enforcement is supposed to occur when a covered entity sues a business associate for failure to comply with the terms of the agreement.
In addition, some organizations, such as companies offering personal health records to the public, may not be business associates of covered entities.
In an exchange, Nahra said, so many people potentially could access protected health data that the business associate control model doesn't work very well in that setting.
He said he does not know how the HIPAA rules would be extended to new kinds of organizations.
Although there was general agreement that the extension would be a good idea, Steve Bernstein, a lawyer for the Massachusetts e-Health Collaborative, said it might be difficult to determine which portions of the HIPAA rules apply, given the variations among exchange organizations.
In a passing remark at a recent conference, Dr. Robert Kolodner, acting national coordinator of health IT, endorsed extending HIPAA's applicability but said it was not yet clear how that would occur.
The Confidentiality, Privacy and Security Workgroup is a group of volunteers working with AHIC, a high-level advisory body to HHS.