Extending HIPAA’s Security Rule on Electronic Health Records (EHRs)
HIPAA and EHRs
The Congress of the United States passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, which sets the national standard for electronic transfer of health data. It led to the subsequent implementation of the Privacy Rule in 2003 and the Security Rule in 2005. Both rules were enacted to protect the privacy and security of the public. Meanwhile, the American Recovery and Reinvestment Act of 2009 (ARRA) also known as Affordable Care Act or Obama Care has allocated $19 billion for the implementation of electronic health records by 2014.
Privacy Rule
Under the Privacy Rule, a “minimum necessary” standard has to be followed in terms of how much information should be disclosed by doctors and hospitals to others. The minimum necessary amount of information to be disclosed to others, however, is left to the discretion of the provider and not the patient. Moreover, the minimum limit does not prevent the provider to disclose the information regarding the treatment rendered and also when the patient authorized the disclosure of the health information (Privacy Rights Clearinghouse, 2013).
The HIPAA Privacy Rule sets a distinction in the patient’s ability to control how their medical information is used in the form of “consent’ and “authorization.” Patients do not have the right to consent or object when their information is used for treatment, payment, or when it is necessary that the information has to be disclosed to the business associate of the patient’s health care provider or plan. Special authorization is required under circumstances of psychotherapy treatment or when the disclosure involves marketing of a product based on a patient’s health information (Privacy Rights Clearinghouse, 2013).
The patient’s control of his or her personal health information is not absolute because like it or not, other stakeholders such as the government, the medical profession, and related businesses, may also have keen interest. In general, HIPAA safeguards for a patient’s past, present, and future physical and mental well-being, including information about the patient’s payment for care. But not everyone that is involved in a patient’s care is covered by HIPAA’s regulations. To be protected by HIPAA, the patient’s medical information must be kept health by these covered entities: providers, health plans, and health care clearinghouses. A patient’s name, address, telephone number, and Social Security number are called “protected health information” or PHI under HIPAA. PHI can be in oral, written, or entry in a computer, that is why a conversation between a physician and a nurse about a patient’s condition carry the same weight as information written on a patient’s record (Privacy Rights Clearinghouse, 2013).
A provider is a covered entity under HIPAA as long as they transmit patient information electronically. Health plans that pays for a patient care is covered by HIPAA, which includes health insurance companies, HMOs, Medicare and Medicaid, etc. The last entity is health care clearing houses which are also covered by HIPPA. They are entities that are intermediaries between providers and health plans, such as medical billing services that solicit patient information from providers and convert the information into codes.
The following are entities are not covered, which means they are not subject to HIPAA Privacy Rule (Privacy Rights Clearinghouse, 2013):
- Law enforcement agencies
- Places that offer free blood pressure checks, cholesterol, spinal alignment, etc.
- Researchers that collects data from health care providers
- Researchers that collects health data from patients who voluntarily agreed to it
- Internet based free health information and assessment
- Social Security and welfare benefits
- Workers Compensation
- Life insurance companies
- Auto insurance plans that offer health benefits
HIPAA protect patients in such that an authorization is required whenever a patient undergoes psychotherapy, however, when the information is used for training or in defending a physician or health plan in the court of law, it becomes permissible. Patient’s authorization is also required whenever patients are being sold something (marketing) based on their health information, but there is a fine line between marketing that requires consent and marketing that does not. Two instances that consent or authorization is not required of patients (Privacy Rights Clearinghouse, 2013):
- Hospitals are authorized to release listings of patients when announcing the formation of a new specialty group (e.g., orthopedic or cardiology, etc.) or if a new equipment is acquired, e.g., magnetic resonance machine).
- Health plans are authorized to send mailing to subscribers approaching Medicare-eligible age explaining their Medicare plan and application form.
Patient’s Right to Access their Own Medical Records
Patient access to their medical record is an important element of HIPAA because it is perhaps the most important single right that patients enjoy under HIPAA (Privacy Rights Clearinghouse, 2013). HIPAA limits the number of people who have access to patient’s medical information, however, it almost an impossible proposition to track how many have seen the patient’s information during a hospital visit or surgery.
Disclosure of patient’s health information by these entities (partial listing) is allowed under HIPAA as long as they are connected with the following (Privacy Rights Clearinghouse, 2013):
- Workers compensation
- Public health officials
- A person exposed to a communicable disease
- An employer investigating a work-related injury
- Abuse or domestic violence victim
- Court proceedings in response to a court order or subpoena
- Collection agency asking for payment of unpaid bills
- Organ donor organizations
- Funeral directors
- Medical research being conducted by researcher with institutional review board approval
Security Rule
The security rule ensures that patient’s medical files are secure. Like the Privacy Rule, the Security Rule is a national standard for which covered entities (providers, health plans, healthcare clearing houses) are required to have written data security framework which includes administrative safeguards, physical safeguards, and technical safeguards. The security rule, however, can only protect data that are maintained and transmitted in electronic format, meaning paper records stored in cabinets are not covered.
In general, the Security Rule adopted in 2005, lacks the requirement for individual notice. However, notices are required by state laws. Further, the Health Information for Technology for Economic and Clinical Health (HITECH) Act under the American Recovery and Reinvestment Act of 2009 (ARRA) requires agencies to issue breach of notifications. Breach of the Security Rule applies to all covered entities under HIPAA (Miaoulis, 2010). The Department of the Human and Health Services enforces the HIPAA regulations and works directly with the Federal Trade Commission (FTC) to jointly study and report on the privacy and data security of personal health information (name, age, telephone, and social security number).
For example, if more than 500 individual’s protected health information are breached, notice must be made to the individuals by their providers, who must describe the nature of the breach, what kind of information is affected, what procedures are being done to correct the problem, including contact information for questions, toll-free telephone number, and e-mail address, a Web site or postal address. For breaches under 500 individuals, notices are required only to be posted annually in the HHS Web site, i.e., no individual notice required (Privacy Rights Clearinghouse, 2013).
The Health Information for Technology for Economic and Clinical Health (HITECH) Act
ARRA has allocated $19 billion for the implementation of electronic health records by 2014. Driven by rising costs and ever increasing medical errors, the need to have an electronic health record to replace paper record has been widely emphasized in recent years. But even with the thought of having an electronic form of health record, the public is still concerned with the efficacy of such technology in terms of privacy and security, given the ever increasing stories about health data being accessed by hackers and curious employees reading patients information, especially those of celebrities.
A portion of the ARRA law created the HITECH Act which has ushered in a stricter enforcement of how organizations address the access, use, and disclosure of protected health information (PHI). Under HITECH, all organizations using EHRs must account for all disclosures specifically the external use of PHI (Miaoulis, 2010). It expanded the scope of the HIPAA Privacy and Security Rules including increasing the penalties for any breach of the Act. The new requirements are as follows (Miaoulis, 2010):
- Privacy and Security requirements are now applied directly to business associates.
- New breach reporting requirements for HIPAA covered entities and their business associates.
- New privacy requirements for HIPAA covered entities including stricter accounting, marketing, and fundraising rules.
- Stricter criminal and civil penalties for organization’s failure to comply with the provisions of the Act.
Cesar Aquino is a Cytotechnologist with an MBA in Healthcare Management and currently a PhD Candidate in Healthcare Administration. He is currently with the Anatomic Pathology Department of the Riverside County Regional Medical Center (RCRMC), Moreno Valley, California.