Stronger provisions coming with the stimulus bill

The American Recovery and Reinvestment Act of 2009, which the president is expected to sign into law on Tuesday, includes the Health Information Technology for Economic and Clinical Health (HITECH) Act as Title XIII. Subtitle D of the HITECH Act effects a number of changes to current privacy and security law intended to strengthen the protection of individually identifiable health information, especially that contained in electronic medical records. This is the first of several posts highlighting notable features of the new legislation.

One big change is the expansion of applicability of security and privacy requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA has both a Privacy Rule and a Security Rule, the provisions of which have applied to what HIPAA terms “covered entities” (health plans, health care providers, and health care clearinghouses) and, to a lesser degree, to “business associates” that have contractual relationships with covered entities. In essence, HIPAA made covered entities responsible for the compliance of their business associates, and the requirements with which business associates must comply had to be spelled out in the business associate agreements (contracts) between the two. The HITECH Act largely removes this indirection: the Security Rule’s administrative, physical, and technical safeguard requirements now apply directly to business associates in the same manner as to covered entities, business associates may use and disclose protected health information only as their agreements permit, and they are subject to the same civil and criminal penalties as covered entities (Sects. 13401 and 13404). The law also now treats as business associates a class of organizations that were previously non-covered entities under HIPAA: those that provide “data transmission of protected health information” to covered entities or their business associates and that require “access on a routine basis to such protected health information.” (Sect. 13408) This provision is meant to extend Privacy and Security Rule requirements to regional health information organizations (RHIOs), health information exchange gateways, and vendors that provide personal health records to covered entities’ customers under contract to the covered entities.

Despite this expansion in HIPAA coverage, there are still significant potential players in health information exchange that remain non-covered entities, most notably vendors of personal health records such as Google Health and Microsoft HealthVault that offer their products directly to consumers rather than under contract to a covered entity. These are data aggregation applications that depend on pulling personal health information from records maintained by insurance plans, health care providers, labs, and other covered entities, so resolving the disparity in required privacy and security protections is necessary to establish sufficient trust for personal health record systems to function as intended. Personal health records are often promoted as the best mechanism for allowing individuals to control their own health information, including providing or revoking consent to disclose their information for specific purposes. To make this vision feasible, personal health record systems must be able to retrieve individually identifiable health information from a broad range of covered and non-covered entities.