Healthcare entities leary of new government policy extending beyond HIPAA

As the Health IT Policy Committee’s Privacy and Security “Tiger Team” continues its work to provide recommendations and suggested policy guidance on health information exchange, there appears to be some concern among hospitals and other HIPAA-covered entities that the recommendations, if implemented in federal rulemaking, would go add to the security and privacy requirements already in effect under the HIPAA Security Rule and Privacy Rule, and would go beyond the strengthened federal regulations included in the Health Information Technology for Economic and Clinical Health (HITECH) Act. According to a report from Modern Healthcare‘s Joseph Conn, a representative of the Federation of American Hospitals raised such concerns during the public comment period of the Health IT Policy Committee’s November 19 meeting. The comments offered at the meeting related specifically to still-pending recommendations on patient privacy and, especially, consent. Previous briefings by Tiger Team leaders have both acknowledged the applicability of HIPAA and other relevant laws in specifying situations in which consent is not required, but in the face of potentially expanded health data sharing through the adoption of electronic health record (EHR) and health information exchange (HIE) systems, committee members have suggested that current regulations do not adequately reflect patient expectations about controlling the use and disclosure of their personal health information, especially when that information is shared via HIE. With so much attention focused on the government’s meaningful use incentive program to encourage EHR technology adoption, the lack (so far) of any privacy provisions in meaningful use rules and standards has prompted Tiger Team discussions about ways to do more to protect patient privacy rights.

During the November 19 meeting, Tiger Team co-chairs Deven McGraw and Paul Egerman presented a set of proposed recommendations for provider authentication in health information exchange, intended in part to address a perceived gap in the HIPAA Security Rule, which requires that HIPAA-covered entities implement policies and procedures to authenticate individual users or entities seeking access to protected health information (45 CFR §164.312(d)), but does not stipulate the means by which such authentication should occur. The Tiger Team advocates mandating the use of digital certificates for entity authentication for all entities involved in health information exchange. Adopting such an approach would require not only the technical capability to implement and use digital certificates among entities participating in HIEs, but also the establishment of a formal process for validating would-be participants (to ensure they are legitimate organizations) and for issuing credentials to approved entities. The authentication model for the Nationwide Health Information Network (NHIN) has long been envisioned to use a single, centralized certificate authority to issue credentials and manage certificate validity, revocation, and related maintenance processes. The most recent recommendations from the Tiger Team suggest that instead of relying on a central authority, the Office of the National Coordinator should establish an accreditation program (perhaps similar to the one used for accrediting EHR testing and certifying bodies under the meaningful use program) to authorize multiple certificate issuers. While a federated or distributed model for credentialing would almost certainly be more scalable than a single-issuer model, there remain unaddressed aspects of governance and oversight related to how ONC can ensure that organizations seeking approval as certificate issuers conform to all relevant technical and governance criteria, and are sufficiently trustworthy to handle entity identity proofing and issue authentication credentials.

Even though some changes to federal health data privacy and security regulations included in HITECH have not yet been implemented, HIPAA remains established law, and additional changes to the provisions in the Security Rule and Privacy Rule cannot be made simply through rulemaking by an executive agency like HHS. While specific changes to the law must be made by the legislature, the Office of the National Coordinator and the HHS Office for Civil Rights generally have the authority to impose additional criteria or specific requirements on HIPAA-covered entities associated with audit standard used to assess compliance, or as conditions for receiving federal funds, whether under meaningful use or one the various federal grant programs intended to promote or expand the adoption of health IT. There seems to be some renewed emphasis on HIPAA compliance, based in part on the expectation that OCR will soon begin to proactively audit covered entities and business associates for compliance with the Security and Privacy Rules. In this environment, it is perhaps understandable that covered entities would object in advance to the prospect of any further changes in the regulatory requirements for which these entities will be held accountable. The fact remains, however, that the law as enacted was not primarily intended to encourage health IT adoption, and if widespread use of such technology is going to be achieved, some of the regulatory areas that leave room for interpretation may need to be augmented with more specific guidance or requirements.