The Coming Federal Health IT Monopoly: Electronic Health Records and Health Privacy Rules under the American Recovery and Reinvestment Act of 2009
February 26, 2009 by Bierce & Kenerson, P.C.
Buried in the Obama administration’s economic stimulus bill (American Recovery and Reinvestment Act of 2009, or ARRA) is the “HITECH Act”, a major revision of healthcare information technology law that promotes universal electronic health records (defined in the statute as “EHR”, which some call electronic medical records, or “EMR”). The stimulus law lays the groundwork for socialized medicine by 2016. It is consistent with Obamanomics policies of more regulation and eventual federalization of health care. Third-party administrators, SaaS-based healthcare software companies and other “business associates” of “covered entities” (health care providers, health plans and health insurance carriers) face new statutory liability for breaches of protected health records. The HITECH Act also applies to data vendors.
The HITECH Act brings outsourced data processors, data vendors and others not previously covered by HIPAA under HIPAA’s security rules and under new federal data breach notification rules.
A new bureaucracy is established.
The Regulators of Health Care Information Technology.
The management (including data processing and outsourcing) of protected health information under HIPAA will get a new boost (with new security rules) under the chapter called “Health Information Technology for Economic and Clinical Health Act” (acronym: “HITECH Act”). See H.R. 1 (111th Cong., 1st Sess.), amending the Public Health Service Act (42 U.S.C. 201 et seq.) by adopting 42 U.S.C. 13001 et seq. A new National Coordinator will update the existing Federal Health IT Strategic Plan to include specific objectives, milestones and metrics for managing electronic health records (“EHR”). Targeting the use of certified EHRs covering all persons in the United States by 2014, the strategic plan will cover the electronic exchange and use of health information, integration of “enterprises” into an electronic exchange, new privacy and security protections for individually identifiable health information and adoption of specifications for encryption.
Unlike Canada and the EU, the U.S. does not have a general law on the right of electronic privacy. This new EHR regime under the HITECH Act builds on the rules of privacy and security under HIPAA by adding encryption and “data stewardship” and designating a National Coordinator for Health IT (“HIT”). The standards for HIT will include specifications for named standards, architectures and software schemes for authentication and security of individually identifiable health information (and other information needed to ensure common solutions across disparate entities). Such standards will likely become the de facto standards for other personally identifiable information.
Individuals will have the right to review and correct their EHRs, similar to the regime for credit reporting agencies for consumers of financial services.
Adoption of National Standards of Health Information Technology (“HIT”).
The regulation of electronic health records of U.S. residents will include national standards (adopted with the National Institute of Standards and Technology) and a voluntary certification program. As a practical matter, it is safe to predict that the certification will become required for anyone handling EHR, including third-party IT service providers. The government (as payer under Medicaid and Medicare), employers, insurers, health services providers and patients will want the comfort of such certification. The HIT Standards Committee will include health care providers, ancillary health workers, federal agencies, health plans, technology vendors (including “outsourcers”), researchers and individuals with technical expertise on health care quality, privacy, security and on the electronic exchange and use of health information. The Federal Advisory Committee Act, 5 U.S.C. App. (other than Section 14) will apply to the HIT Standards Committee.
The new EHR standards are intended to comply with the privacy and data security rules under HIPAA governing personal health information. See Health Insurance Portability and Accountability Act of 1996, Section 264, and related regulations.
Adoption of the EHR HIT technology standards will be compulsory for each federal agency administering or sponsoring health care programs. Agencies will be required to use such standards, when available, in their direct exchange of individually identifiable health information with non-Federal entities. The President is directed to ensure that, within 3 years after a standard is adopted, all federal activities involving the broad collection and submission of health information are consistent with such standard.
Implementation by the private sector will be rolled out over time. Federal agencies administering or sponsoring health care programs must include in their contracts or agreements with health care providers, health plans, or health insurance issuers a requirement that such private sector operations adopt the new HIT standards, when available, upon acquisition, implementation or upgrade of health information technology.
Impact of National Standards on Competition.
Will mandatory standards for IT architecture and data limit competition? Will it promote innovation? There are conflicting views.
- Regulation Stifles Competition and Innovation. Some think a new federal bureaucracy to manage IT architecture and standards will slow down the flow of information and defeat private enterprise efforts at development of databases and interoperable data types. Under this thinking, the government will adopt the lowest common denominator in technology to achieve universality.
- Regulation Promotes Innovation. Others think that, by setting minimal security standards for access control and/or encryption, the government will enable future improvements on basic IT records management standards. This is a question of timing.
The answer will probably lie in between these extremes. Software developers with the most robust security and encryption will likely seek a role in the design of the new federal standards. Others will lobby to broaden the rules so that their own flavors of security will be covered by regulation. Ultimately, the outcome depends on the National Coordinator for HIT and the Secretary of Health and Human Services.
Economic Stimulus.
Council on Comparative Effectiveness. The ARRA stimulus law contains $400 million “to accelerate the development and dissemination of research assessing the comparative effectiveness of health care treatments and strategies, through efforts that:
- (1) conduct, support, or synthesize research that compares the clinical outcomes, effectiveness, and appropriateness of items, services, and procedures that are used to prevent, diagnose, or treat diseases, disorders, and other health conditions; and
- (2) encourage the development and use of clinical registries, clinical data networks, and other forms of electronic health data that can used to generate or obtain outcomes data.”
To implement this program, the ARRA stimulus law establishes a Federal Coordinating Council for Comparative Effectiveness Research (the “Council”) to “foster optimum coordination of comparative effectiveness and related health services research conducted or supported by relevant Federal departments and agencies, with the goal of reducing duplicative efforts and encouraging coordinated and complementary use of resources.” For the moment, the Council will have no role in directing outcomes: “Nothing in this section shall be construed to permit the Council to mandate coverage, reimbursement, or other policies for any public or private payer.” HITECH Act, Sec. 804(g).
Office of National Coordinator for Health Information Technology. Within the Department of Health and Human Services, the ARRA stimulus law creates a new Office of the National Coordinator for Health Information Technology, with a $2.0 billion budget available until the money is spent. From this budget, $20 million goes to the Director of the National Institute of Standards and Technology in the Department of Commerce for “continued work on advancing health care information enterprise integration through activities such as technical standards analysis and establishment of conformance testing infrastructure.” A further $40 million of such funds will cover the Commissioner of Social Security for “health information technology research and activities to facilitate the adoption of electronic medical records in disability claims.”
The National Coordinator will be responsible for developing a national health IT infrastructure that allows for the electronic use and exchange of information and that:
- improves health care quality, reduces medical errors, reduces health disparities, and advances the delivery of patient-centered medical care;
- reduces health care costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information;
- provides appropriate information to help guide medical decisions at the time and place of care;
- ensures the inclusion of meaningful public input in such development of such infrastructure;
- improves the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of health care information;
- improves public health activities and facilitates the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
- facilitates health and clinical research and health care quality;
- promotes early detection, prevention, and management of chronic diseases;
- promotes a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services; and
- improves efforts to reduce health disparities.
These goals may result in new conflicts between patients, covered entities, business associates and non-HIPAA outsourcing service providers.
Medicare and Medicaid. The ARRA stimulus law also appropriates $17 billion in Medicare and Medicaid funding for health IT.
Data Breach.
The HITECH Act portion of the ARRA stimulus bill adopts a broad federal definition of “breach” of private data, with a suite of notification rules in case a breach occurs. A “breach” means “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security, privacy, or integrity of protected health information maintained by or on behalf of a person.” By definition, no “breach” occurs in cases of “any unintentional acquisition, access, use, or disclosure of such information by an employee or agent of the covered entity or business associate involved if such acquisition, access, use, or disclosure, respectively, was made in good faith and within the course and scope of the employment or other contractual relationship of such employee or agent, respectively, with the covered entity or business associate and if such information is not further acquired, accessed, used, or disclosed by such employee or agent.” 42 U.S.C. 13400.
“Business Associates” Now Have Extended Obligations on Data Security and “Breach” Notification.
The HITECH Act contemplates a secure supply chain of data processing in health care data. Any “business associate” (such as a third-party administrator or data processing service provider) that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses “unsecured protected health information” must report security breaches to its customers (“covered entities”). Business associates will henceforth have direct statutory liability for breach of data privacy and may be pursued by federal and state prosecutors even if their enterprise customers (the “covered entities”) are not pursued. The HITECH Act:
- Extends the security provisions of HIPAA (under 45 CFR 164.308, 164.310, 164.312, and 164.316) to a business associate of a covered entity in the same manner that such sections apply to the covered entity.
- Requires that “business associates” undertake, in the business associate agreement between the business associate and the covered entity, to comply with the new security obligations applicable to covered entities.
- Applies to a business associate that violates any such security provision the same civil and criminal liability under sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) that now applies to a covered entity that violates such security provision.
- Extends the responsibilities of data processors and other “business associates” of health care providers for breaches of security of unencrypted data.
- Requires each “business associate” of a covered entity to disclose to the covered entity any data breach of “unsecured” protected health information, where the business associate “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information.” 42 U.S.C. 13402(b).
- Treats breaches as being “discovered” when first known (or when the covered entity or its business associate “should reasonably have known” of the breach), and requires the notification process to be conducted “without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach.”
- Requires use of first-class mail or (where the individual has expressed a preference for e-mail) e-mail to notify affected individuals, or use of alternative methods (such as websites, broadcast and print media, with contact telephone numbers) if there are 10 or more individuals with insufficient or out-of-date contact information. Postings on websites must be on the home page of the covered entity or business associate. Notices by broadcast media in a “State or jurisdiction” must be given if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. Notifications must include notices to the Secretary of Health and Human Services, with a log to be maintained of breaches involving fewer individuals. Immediate notice to the Secretary is required if 500 or more individuals are affected. The HHS Secretary then posts the notices on its website. Notification may be delayed if it would “impede a criminal investigation or cause damage to national security” under existing regulations. 45 C.F.R. 164.528(a)(2).
- Specifies that the content of the notice of a breach must include, to the extent possible, the following:
- a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- a description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code);
- the steps individuals should take to protect themselves from potential harm resulting from the breach;
- a brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches; and
- contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.
Protected Health Data.
The HITECH Act part of the ARRA stimulus law extends special breach notification requirements to “unsecured” protected health data. “Unsecured Protected Health Information” means protected health information “that is not secured through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued” within 60 days after enactment. If the Secretary fails to issue such “guidance,” then, as a default, the term “unsecured protected health information” shall mean “protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.” The practical consequence is that encrypting (or otherwise rendering unreadable) protected health information in accordance with the Secretary’s guidance takes a lost or stolen copy outside the breach notification regime, while data held in clear text does not. The Secretary is directed to promulgate interim final regulations within 180 days of the February 17, 2009 enactment date.
Obligations of Outsourcers Other Than Business Associates.
The HITECH Act of 2009 adds special breach notification requirements for vendors of personal health records (“PHR”) and their service providers that are not covered by HIPAA as a “business associate” or “covered entity.” Thus, each vendor of personal health records and its third-party service providers must notify the U.S. citizen or U.S. resident individuals affected and the Federal Trade Commission in case of security breach. Outsourcing service providers covered under this rule, 42 USC 13407, include each service provider that offers or maintains “a personal health record or a related product or service and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services.” Violations of such notification procedures become “unfair and deceptive” trade practices enforceable by the Federal Trade Commission.
In conclusion, the HITECH Act offers a broad plan for new uses of IT in health care. Service providers and enterprise customers in health care and other sectors should take note and address the emergence of new federal standards on data protection, privacy and IT security. Compliance and risk management issues may require some changes in the contracting process and in service delivery of outsourced data processing.