Tuesday, March 31, 2009

Health Records Privacy and the Stimulus Bill (ARRA)

Americans who routinely yield up to strangers every detail of their financial status and life history to borrow money, who trust Social Security and the Internal Revenue Service with their most trusted personal information, tend to get indignant about privacy when it comes to medical records. I've puzzled about this and decided it may have to do with STDs.

Seriously, though, privacy is a big deal in the medical community. During the time I worked in a hospital environment, HIPAA provisions were more sacrosanct than anything in a Chaplain's job description. Even casual conversation in the privacy of a restroom was subject to review in case anyone in the next stall might be listening. John Halamka at Life as a Healthcare CIO summarizes how the stimulus bill handles the privacy issue. It looks to be as airtight as possible, given today's technology.

ARRA has a provision that requires that covered entities keep a list of all data disclosures to third parties and provide a comprehensive audit log to patients upon request. This tracking of third party data exchange is not currently part of HIPAA requirements and will require significant enhancement to our auditing systems, our patient services reporting tools, and our personal health records, which give patients access to their own audit trails.

Based on at least one interpretation of ARRA, the covered entity must take responsibility for patient notification when third parties improperly disclose patient information. There does seem to be some variation in interpretation in this area.

ARRA specifies that disclosure of a record containing a name and medical information (John Smith, Hematocrit 37) is considered a breach. Massachusetts requires the name and at least one other identifiable piece of information (John Smith, 5/23/1962, Hematocrit 37). This could have significant implications since even simple audit logs could be considered restricted/confidential information.

ARRA provides some definition about the actual notification methods required. In breaches where the contact information of more than 10 individuals is not known, the covered entity must post the breach on their web site. If the breach is of more than 500 records, the covered entity must make a public disclosure to “prominent” media outlets. Prior to this, the only obligation was to contact the individuals directly.

ARRA also includes some language that requires that covered entities limit the amount and type of information shared with providers to the minimum required for the business need. It also requires that, if patients pay for services out of pocket, covered entities provide a way for the individual to request that no information relative to the treatment be transmitted to any provider.

Privacy is foundational, and we certainly cannot argue with the need to keep information confidential per patient preferences. However, some of these provisions, such as the "out of pocket" clause, will be extremely challenging to implement.

Over the next few months, HITSP is working on standards which will support these ARRA provisions, including web services using XACML, WS*, and TLS.
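The summary above describes four mechanical requirements: an accounting of disclosures that a patient can request, a "minimum necessary" limit on what is shared, a definition of what counts as a breach (contrasted with the Massachusetts definition), and notification channels keyed to breach size. The Python below is an added illustration of how a covered entity might model those rules; it is not code from this post, from John Halamka's blog, or from HITSP. The record shapes, field names, per-purpose allowlists and jurisdiction labels are constructed assumptions, and the sample records are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Added illustration of the ARRA provisions summarized above. Field names,
# allowlists and jurisdiction labels are constructed assumptions, not taken
# from any real system or from the statute's text.

IDENTIFIERS: Set[str] = {"name", "dob", "ssn", "address"}
MEDICAL: Set[str] = {"hematocrit", "diagnosis", "medication", "lab_result"}

# Assumed per-purpose allowlists used to enforce "minimum necessary" sharing.
PURPOSE_ALLOWLIST: Dict[str, Set[str]] = {
    "billing": {"name", "dob", "procedure_code"},
    "treatment": {"name", "dob", "diagnosis", "medication", "lab_result", "hematocrit"},
}


@dataclass
class Disclosure:
    patient_id: str
    recipient: str        # third party that received the data
    purpose: str
    fields: List[str]     # data elements actually sent
    when: str             # ISO date (YYYY-MM-DD), so text order is date order


@dataclass
class DisclosureLog:
    """Accounting of disclosures to third parties, queryable per patient."""
    entries: List[Disclosure] = field(default_factory=list)

    def record(self, d: Disclosure) -> None:
        self.entries.append(d)

    def audit_for_patient(self, patient_id: str) -> List[Disclosure]:
        # The audit trail a patient receives on request, oldest first.
        return sorted((e for e in self.entries if e.patient_id == patient_id),
                      key=lambda e: e.when)


def minimum_necessary(record: Dict[str, str], purpose: str) -> Dict[str, str]:
    """Strip a record down to the fields the stated purpose is allowed to receive."""
    allowed = PURPOSE_ALLOWLIST.get(purpose)
    if allowed is None:
        raise ValueError(f"no allowlist for purpose {purpose!r}")
    return {k: v for k, v in record.items() if k in allowed}


def is_breach(fields: List[str], jurisdiction: str = "arra") -> bool:
    """Classify an improper disclosure under the two definitions the summary contrasts."""
    f = set(fields)
    if "name" not in f or not (f & MEDICAL):
        return False
    if jurisdiction == "arra":
        return True                       # name + medical information suffices
    if jurisdiction == "massachusetts":
        return len(f & IDENTIFIERS) >= 2  # name plus at least one more identifier
    raise ValueError(f"unknown jurisdiction {jurisdiction!r}")


def notification_methods(affected: int, unreachable: int) -> List[str]:
    """Which notice channels a breach triggers, given its size."""
    methods = ["individual_notice"]       # direct contact is always required
    if unreachable > 10:                  # contact details unknown for more than 10 people
        methods.append("web_site_posting")
    if affected > 500:                    # more than 500 records
        methods.append("prominent_media")
    return methods


if __name__ == "__main__":
    # Constructed sample: one patient record sent to a billing vendor.
    log = DisclosureLog()
    full = {"name": "John Smith", "dob": "5/23/1962", "hematocrit": "37", "procedure_code": "85014"}
    sent = minimum_necessary(full, "billing")
    log.record(Disclosure("p1", "ClaimsCo", "billing", list(sent), "2009-03-01"))
    print("sent to vendor:", sent)
    print("patient audit trail:", [(e.when, e.recipient, e.fields) for e in log.audit_for_patient("p1")])
    print("breach (ARRA / MA):", is_breach(["name", "hematocrit"]), is_breach(["name", "hematocrit"], "massachusetts"))
    print("channels for 600 records, 12 unreachable:", notification_methods(600, 12))
```

The breach classifier is where the two definitions diverge: `name + hematocrit` is a breach under the ARRA reading but not under the Massachusetts one until a second identifier such as a date of birth is present, which is the point the summary makes about even simple audit logs becoming restricted data. The allowlist filter is applied before a disclosure is logged, so the audit trail records what was actually sent rather than what the source record contained.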

Don't you just love those acronyms? I can follow most of them but these last three or four I will have to look up. They seem to refer to data platforms that may not share a common interface. This is the most tedious detail of information technology. We have come a long way since Apple's OS didn't work with that of Microsoft, but the same dynamic is alive and well as new creations are invented that owners wish to remain proprietary, not trusting copyright or patent laws to protect them.
