
Privacy and Health Information Technology
Executive Summary
Prepared by the O’Neill Institute

Introduction
The increased use of health information technology (health IT) is a common element of nearly every health reform proposal because it has the potential to decrease costs, improve health outcomes, coordinate care, and improve public health. However, it raises concerns about security and privacy of medical information. This paper examines some of the “gaps” in privacy protections that arise out of the current federal health privacy standard, the Health Insurance Portability and Accountability (HIPAA) Privacy Rule, the main federal law which governs the use and disclosure of health information. Additionally, it puts forth a range of possible solutions, accompanied by arguments for and against each. The solutions provide some options for strengthening the current legal framework of privacy protections in order to build public trust in health IT and facilitate its use for health reform. The American Recovery and Reinvestment Act (ARRA) enacted in February 2009 includes a number of changes to HIPAA and its regulations, and those changes are clearly noted among the list of solutions (and ARRA is indicated below where the Act has a relevant provision).

Law in Effect Pre-ARRA and Perceived Gaps
The Health Insurance Portability and Accountability Act (HIPAA): The use of health information is currently covered by HIPAA and its implementing regulations. The Department of Health and Human Services (HHS) issued final regulations in 2002, which became effective for most entities covered by HIPAA in 2003. The HIPAA privacy regulations set forth rules governing the access, use, and disclosure of personal health information by most traditional health care entities. The goal of the regulations is to ensure that health information is rapidly accessible to those authorized, but kept confidential and protected from inappropriate use.

•  Who Is Covered: The Privacy Rule only applies to entities expressly defined in the HIPAA statute, which places unmentioned, new, and emerging entities outside the direct coverage of the rule.
•  What Is Covered: The Privacy Rule regulates the type of health information that can be shared by covered entities and for what purposes. But individuals are concerned that their personal health information will not be protected in the emerging e-health environment. For example, privacy may be at risk due to the lack of federal notification standards for breaches; the possibility that developments in technology may make “de-identified” data (not covered under the Privacy Rule) re-identifiable; and the lack of strong prohibition on the use of personal health information for marketing purposes.
•  State Law Variation: The Privacy Rule is only a minimum standard, which gives states the power to enact more stringent protections for health privacy. The resulting variations in state privacy laws may pose an obstacle to health information exchange across state lines and/or to a national health information system.
•  Insufficient Comprehension of and Compliance with the Privacy Rule and Enforcement: Entities covered by the Privacy Rule and individuals/patients do not adequately comprehend the Privacy Rule’s provisions, leading health care entities to either over- or under-interpret the Rule and leaving individuals unaware of

legal solutions in health reform • fall 2009 121


JL ME SUPPLEMENT

their privacy rights. In addition, there has been debate among policymakers and stakeholders over the following: (1) whether the Rule to date has been appropriately enforced; (2) whether or not the current mechanisms are adequate to ensure compliance; and (3) what the limits of the enforcement mechanisms should be.

Potential Solutions
The perceived “gaps” in federal legal protections for health information can be grouped into four categories: (1) who is covered; (2) what is covered; (3) state law variation; and (4) insufficient comprehension of and compliance with privacy protections. The solutions range from amending existing law or regulation to encouraging private action through market or other incentives.

•  Who Is Covered: Amend HIPAA to create new categories of covered entities and require the federal agencies to issue new privacy regulations to cover activities of new entities; revise regulations and expand recent guidance on business associate agreements to include all health information exchanges in existence or development (ARRA); require all entities handling health information to adopt policies consistent with fair information practices; and/or keep the law in its current state and encourage adoption of good privacy practices through voluntary business agreements.
•  What Is Covered: Enact federal legislation prohibiting the use of personal health information to determine the terms and conditions of employment or health insurance; establish a federal breach notification law applicable to identifiable health information (ARRA); seek the input of experts and public to examine the de-identification safe harbor exception (ARRA); create more options for the use of health data stripped of some individual identifiers (ARRA) and require data use agreements for all data disclosures; require those obtaining data stripped of patient identifiers to commit to keeping data de-identified except in certain circumstances; strengthen, establish, and increase compliance with HIPAA rules regarding the use of personal information for marketing (ARRA); adopt rules governing marketing uses by non-covered entities such as Internet health sites; issue more guidance on how to comply with the Privacy Rule (ARRA); issue new regulations regarding terms of access to health information exchanges.
•  State Law Variation: “Wipe the slate clean” and have Congress establish a new federal privacy law that preempts existing state laws but allows states to pass new stronger privacy provisions; and/or keep the status quo with the federal standard as a floor.
•  Improving Comprehension of and Compliance with the Privacy Rule and Enforcement: Revise the Privacy Rule to make it less complex; provide more guidance and better education on the requirements of the rules (ARRA); improve consumer education on HIPAA rights by requiring entities to provide a summary notice; ensure a proper enforcement regime for entities not covered by HIPAA that handle personal health information; amend HIPAA enforcement to clarify enforcement authority and also direct the Secretary to pursue civil actions (ARRA); amend HIPAA to allow the Secretary to directly enforce HIPAA regulations against business associates (ARRA); and/or amend HIPAA to allow a private right of action (ARRA).

Conclusion
Generally, there is consensus that efforts to facilitate widespread adoption and use of health information technology must move forward with appropriate protections for privacy and security. However, achieving consensus on the details of what privacy and security measures need to be put in place continues to be a challenge. The new Administration and Congress are moving forward to increase the use of health IT. Any efforts to reform the nation’s health systems and to increase the adoption of health IT will need to address the concerns surrounding the privacy and security of personal health information.

122 journal of law, medicine & ethics


Privacy and Health Information Technology
Deven McGraw

Deven McGraw, J.D., LL.M., M.P.H., is the Director of the Health Privacy Project at the Center for Democracy & Technology.

Introduction
In discussions of health reform, the increased use of health information technology (health IT) is a common element of nearly every serious proposal on the table. Health IT includes electronic health records kept by providers, personal health records offered by health insurance plans or owned by consumers, and electronic health information exchanges. Although health reform initiatives being discussed contain little detail regarding health IT, in general they promote health IT to facilitate the electronic sharing of health information to improve individual and population health. During the 2008 presidential campaign, the health care proposals of both President Obama and Senator McCain discussed health IT. President Obama’s proposal invests $50 billion over the next five years to promote the adoption of health IT with privacy safeguards.1 Senator McCain’s plan also encouraged the adoption of health IT, with an emphasis on coordination.2

Proponents hope that the increased use of health IT will improve health outcomes for individual patients by facilitating the delivery of evidence-based care and reducing medical errors. Additionally, proponents hope that increasing information sharing among providers will better coordinate care within and across health care settings. Health IT facilitates the creation of a comprehensive health record that can move with an individual over his or her lifetime, in contrast to the fragmented records that exist today. Further, health IT is promoted as a critical tool for improving population health by allowing for the more efficient gathering of data regarding the effectiveness of certain treatments. Finally, health IT is also expected to help decrease health care costs by reducing the duplication of services and the delivery of unnecessary or inappropriate care.

This paper briefly summarizes current federal health privacy law and examines some “gaps” in privacy protections that have been identified by some policymakers and stakeholders in recent debates on this topic. Additionally, the paper puts forth a range of possible solutions, accompanied by some arguments for and against each idea. The proposals in the paper do not represent the universe of possible solutions to each issue; many of them also are not mutually exclusive. The arguments provided in support for or against a particular idea also do not represent all of the arguments for or against any policy option. The solutions do, however, provide some options for continuing the conversation about how we can best strengthen our legal framework of privacy protections to build public trust in health IT and facilitate its use to reform the health care system.

Note: The initial version of this paper was completed before enactment of the American Recovery and Reinvestment Act in February 2009 (ARRA).3 ARRA includes a number of provisions amending the Health Insurance Portability and Accountability Act (HIPAA) and its regulations, the main federal law which governs the use and disclosure of health information. Because much of the details of the privacy and security provisions in ARRA will need to be fleshed out in agency guidance or regulations, and because most of the provisions do not take effect until at least a year after enactment, the author of this paper decided not to completely revise the paper to incorporate the changes in the law. Instead, where there is a provision in ARRA


dealing with an issue identified in this paper, a brief summary of that provision is clearly indicated within the list of solutions.

There is widespread agreement that protecting individuals’ health information is necessary in order to build public trust in e-health systems and to help drive the widespread adoption of health IT. But unlike other topics addressed in the “Legal Solutions in Health Reform” project, current health privacy laws arguably do not pose a legal obstacle to health IT. For example, there are no federal health privacy laws that prohibit or directly inhibit the sharing of information electronically for health purposes and that require specific action to resolve. Instead, the debate centers more around whether current health privacy laws are sufficient to build a foundation of trust in health IT that will support an information sharing environment that will improve health care and our health care system — and if not, what more needs to be done. This makes the path to resolution more difficult, as stakeholders may hold very different opinions about the extent of the problem and the appropriate solutions.

Survey data show that a large majority of the public wants electronic access to their health information — both for themselves and for their health care providers — because they believe such access is likely to increase the quality of their health care. At the same time, people have significant concerns about the privacy of their health information online. In a 2006 survey, when Americans were asked about the benefits of and concerns about online health information:

•  80% were very concerned about identity theft or fraud;
•  77% were very concerned about their medical information being used for marketing purposes;
•  56% were concerned about employers having access to their health information; and
•  53% were concerned about insurers gaining access to this information.4

Health IT is better equipped than are paper records to protect sensitive personal health information. For example, it is often impossible to tell whether someone has inappropriately accessed a paper record. By contrast, technology — including strong user authentication and tracking mechanisms — can be employed to automatically limit and monitor access to electronic health information. Additionally, electronic health information exchange networks can be designed to facilitate data sharing among health care entities for appropriate purposes without needing to create new, centralized databases of sensitive information that will be attractive targets for marketers and those seeking health data for commercial gain, or that can be vulnerable to security breaches. If a system is breached, sensitive data can be protected, in part, by encryption and other security methods. Technology can never be made 100% tamperproof; however, it can be more protective than paper records at preventing inappropriate access to information and helping ensure that when there is abuse, the perpetrators will be detected and punished.

At the same time, absent strong privacy and security safeguards, the computerization of personal health information can magnify the risk to privacy. Tens of thousands of health records can be accessed through a single breach.5 Recent headlines about breaches of electronic records underscore these concerns. The cumulative effect of reports of data breaches and inappropriate access to medical records deepens consumer distrust in the ability of electronic health information systems to provide adequate privacy and security protections.

Failing to address public concerns about the privacy of their health information could have significant consequences. Without appropriate protections for privacy and security in the healthcare system, some patients engage in “privacy-protective” behaviors to avoid having their personal health information used inappropriately.6 According to a recent poll, one in six adults (17%) — representing about 38 million persons — say they withhold information from their health providers due to worries about how the medical data might be disclosed.7 Persons who report that they are in fair or poor health and racial and ethnic minorities (who report even higher levels of concern about the privacy of their personal medical records) are more likely than average to practice privacy-protective behaviors.8 Due to the reality of privacy risks associated with the computerization of health information, the movement to e-health could increase the percentage of people who engage in privacy protective behaviors. Ignoring these concerns — or inadequately addressing them — will significantly threaten public trust in these new systems.

In general, stakeholders largely agree that entities that handle electronic personal health information should be subject to a baseline set of privacy standards. This consensus breaks down, however, when the discussion gets to the details. For example:

•  Do we extend the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) to all entities that now handle health information, or create new legal standards for entities not currently covered?


•  What protections need to be in place? For example, do we rely on current HIPAA rules or are modifications needed, either to address new challenges or because the rules, in the view of some, were imperfect from the start?
•  Are these concerns best addressed through changes in statute or regulations, or is it best to police this nascent marketplace through business best practices (or a combination of both)?
•  Should we allow for some state law variation or establish federal standards that preempt the field?
•  What should we do to ensure compliance with and appropriate enforcement of privacy protections?

A brief list of all proposed solutions in each category (without explanatory text and without the sample arguments for and against) can be found at Appendix A at the end of this paper.

I. Federal Law Prior to Passage of ARRA
(As noted above, changes to law enacted in ARRA are set forth below in the “possible solutions” proposed for each issue.)

With respect to protecting health information privacy, public policymakers are not faced with a blank slate. Within the traditional healthcare system, uses of health information are covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. When Congress enacted HIPAA to facilitate, among other things, the electronic transmission of health care claims to reduce administrative costs, lawmakers recognized the need to protect the privacy and security of health information when data moves electronically. Congress gave itself two years to enact federal privacy legislation — but ended up tasking the Department of Health and Human Services to promulgate privacy and security regulations to cover information transactions under the purview of HIPAA. The regulations were finalized in 2002 and effective for most entities covered by HIPAA by 2003. The HIPAA statute sets forth the definition of entities covered by the law and important provisions with respect to HIPAA enforcement; the bulk of the HIPAA privacy and security requirements are in the regulations.

The HIPAA privacy regulations — known collectively as the “Privacy Rule” — are based on fair information practices and set forth rules governing the access, use, and disclosure of personal health information (or “protected health information”)9 by most traditional health care system entities (for example, providers, hospitals, laboratories, pharmacies, and health plans). In summary, the Privacy Rule permits covered entities10 to access, use, and disclose “protected health information”11 for purposes of treatment,12 payment,13 and health care operations.14 The Rule also allows access, use, and disclosure for the following: (1) certain lawful public health purposes, as required by law; (2) reporting abuse or domestic violence; (3) health oversight activities; (4) judicial and administrative proceedings; and (5) law enforcement purposes. Covered entities may disclose information to family members, and in facility or office directories, as long as the patient does not object. All other purposes not specifically mentioned in the Rule require prior patient authorization to access, use, or disclose information. The Privacy Rule applies to identifiable health information regardless of whether it is in paper or electronic form.

HIPAA provides a federal floor, or minimum standard, of privacy protection. It expressly preserves state laws that provide stronger privacy protections for health information.15 Such state privacy laws include more stringent requirements regarding access, use and disclosure of particularly sensitive categories of health information, such as mental health records and HIV testing and treatment records. The variation in state laws poses difficulties to a uniform privacy standard.

Other federal laws apply privacy protections to specific types of information, or have limited application in specific contexts. For example, the Genetic Information Nondiscrimination Act of 2008 prohibits employers from using genetic information to make employment decisions and prohibits health insurers from using such information to make coverage and underwriting determinations.16 The Federal Education Rights and Privacy Act, the regulations governing substance abuse treatment facilities receiving federal funds (commonly known as Part 2), and the Privacy Act of 1974 cover only certain settings of care.17

With respect to health information online or in consumer-owned personal health records, the Federal Trade Commission can use its “unfair and deceptive trade practices” authority to hold some entities accountable for failure to comply with their privacy policies. Federal law does not require these entities to have a privacy policy, or require that certain elements be included in such a policy if it exists. Some have said that the Electronic Communications Privacy Act (ECPA) protects personal health records (PHRs) because it prohibits the vendors of those services from disclosing the contents of those records without the authorization of the record holder. However, the relevant ECPA provision applies only to services that are offered to the public.18 PHRs available exclusively to employees of a particular company, for example, likely


fall outside of this part of ECPA. Moreover, ECPA applies only if the provider is not authorized to access the contents of a customer’s records for purposes of providing any services other than storage or computer processing.19 This caveat may knock out a lot of PHRs that provide services beyond data storage, or that are advertising-based and analyze individual patient records to target ads.

To keep this paper to a manageable length, it focuses on federal privacy protections that are (or could be) more broadly applicable.

II. Possible Issues to Be Resolved
The perceived “gaps” in pre-ARRA federal legal protections for health information can be grouped into the following categories:

•  Who Is Covered: The HIPAA Privacy Rule covers only certain “covered entities” as defined in the HIPAA statute: specifically, providers, plans, and health care clearinghouses. Many of the new entities storing, handling, or managing personal health information electronically do not qualify as covered entities, and thus are not directly covered by the Privacy Rule. As noted above, other federal health privacy laws apply only in specific contexts or are otherwise limited in their application. As a result, there is no baseline set of federal health privacy protections that apply to all entities that handle personal health information.
•  What Is Covered: The Privacy Rule is based on a model of one-to-one electronic transmission of health information among traditional health care system entities and their business partners who perform health-related functions on their behalf. Since the HIPAA requirements were enacted and promulgated, new opportunities to access and disclose health information have arisen (e.g., electronic health information exchanges) which can enhance access to greater volumes of identifiable health information more effectively and efficiently. The Rule also did not envision the rise of personal health records designed for use by consumers. Some believe that truly building public trust in e-health systems requires strengthening a number of the Privacy Rule’s current provisions and/or the promulgation of new or additional legal protections. Others believe the Privacy Rule provides sufficient protections for health information in the new e-health environment, and that policymakers merely need to extend its coverage to apply to entities that did not exist when the Privacy Rule was implemented. Similarly, some have suggested approaching this question by focusing only on what is new in the e-health environment — new actors or new ways to access, use, or disclose information not contemplated when the HIPAA regulations were implemented — in order to avoid getting mired in old debates about the current HIPAA regulations.
•  State Law Variation: As noted above, HIPAA provides a floor of health privacy protection. State laws that provide more stringent protections for health privacy are expressly preserved and not preempted. Some are concerned that the multiplicity of state privacy laws will create an obstacle to cross-state or nationwide electronic exchange of health information. The obstacles may arise because of the operation of a state law that prohibits information sharing except under certain circumstances (such as with patient consent or authorization), or because health care entities are afraid to disclose information in a way that might violate an applicable state law. Others suggest that any information sharing obstacles are primarily due to a lack of understanding and varying interpretations of state laws, which does not necessarily justify eliminating stronger state privacy protections and enacting a single federal standard.
•  Improving Understanding of (and Compliance with) Privacy Protections: Even five years after the Privacy Rule went into effect, there is still a great deal of confusion on the part of some entities covered by the Rule about its provisions. For example, the 34 state teams participating in the Agency for Healthcare Research and Quality (AHRQ)-funded Privacy and Security Solutions for Interoperable Health Information Exchange consistently found a “general lack of understanding about some of the basic tenets” of the Privacy Rule as well as of state laws concerning health information disclosure.20 The frequent result is a more conservative interpretation of the law — a reluctance to disclose information even in circumstances where it is expressly permitted — which could create unnecessary and sometimes inappropriate barriers to electronic health information exchange.21 Patients and their families also rarely understand the provisions of the HIPAA privacy notice, which is the vehicle in the Privacy Rule for informing patients about the potential uses of their health information and their rights under the Rule.22


A. Who Is Covered
As noted above, HIPAA by statute covers only providers (including health care professionals, hospitals, pharmacies, laboratories), health plans, and health care clearinghouses.23 Thus, the HIPAA privacy and security regulations also apply only to these covered entities. Under the Privacy Rule, a covered entity can contract with a “business associate:” an organization that receives personal health information to perform activities or services on behalf of the covered entity, but is not part of their workforce. The HIPAA rules do not apply directly to business associates; instead, business associates must be obligated by contract with the covered entity to comply with the HIPAA regulations. A business associate must enter into a “business associate agreement” with the covered entity in order to access protected health information.24 This agreement must: (1) spell out the required uses and disclosures of such information by the business associate; (2) include a provision prohibiting the business associate from further using or disclosing the data other than as permitted in the contract or required by law; and (3) contain “satisfactory assurances” that the business associate will “appropriately safeguard the information.”25 The HIPAA rules cannot be enforced by the federal government against business associates, as discussed in more detail below.

HIPAA currently does not cover a number of entities that have emerged as part of the movement to electronic health records. For example:

•  State and regional electronic health information exchanges — often called Regional Health Information Organizations (or RHIOs) or Health Information Exchanges (HIEs) — and ePrescribing Gateways, all of which may collect or facilitate the exchange of personal health information, usually among health care system entities, are not HIPAA covered entities.26 In December 2008 HHS issued guidance clarifying that health information networks that merely exchange data on behalf of covered entities must be business associates and thus must execute business associate agreements.27 However, such guidance does not cover all of the health information exchanges currently in existence or in development. For example, exchanges that collect and directly access information in a centralized database are not covered by this guidance, and as a result their status under HIPAA is unclear.
•  Personal health records (PHRs) and other consumer-facing health IT tools now being created by Internet companies like Microsoft, Google, and WebMD, as well as by employers (for example, Dossia, the consortium of eight of America’s largest employers), are not covered by HIPAA.28 Because these tools are being designed for primary use by the consumer, individual authorization is typically required in order to move information into or out of a PHR. As a result, the vendors of these products have concluded that a business associate agreement is not required; OCR has issued no guidance on this practice.
•  Personal health information is migrating onto the Internet through an array of health information sites, online support groups, and other on-line health tools. Often this information is voluntarily posted or shared by individuals. These potential repositories of sensitive health information are not covered by HIPAA as either covered entities or business associates — and privacy protections are guaranteed primarily through enforcement by the Federal Trade Commission (FTC) of the general prohibition against unfair and deceptive trade practices, such as a failure to follow promises made in a privacy policy.

The gaps in HIPAA coverage of these new entities are of concern to some policymakers and industry stakeholders and may be an obstacle to promoting the use of these new technologies. For example, the public may not trust that their information will be protected when it is exchanged or stored electronically because these non-covered entities are not required to comply with any minimum health information privacy standards. Covered entities may be concerned about an unlevel playing field, where their products and services are required to be compliant with current law and the products and services of their competitors are not.

Possible Solutions
Section 13408 of ARRA clarifies that entities transmitting or processing data on behalf of covered entities, like Regional Health Information Organizations (RHIOs), Health Information Exchanges, or E-Prescribing Gateways, are business associates for purposes of HIPAA. Section 13408 also provides that vendors who contract with a covered entity in order to allow that entity, as part of its electronic health records, to offer patients a personal health record, must also be business associates. Section 13424 requires HHS, working with the FTC, to issue a report within one year of enactment recommending privacy and security protections for information accessed and stored online. This study must include a recommendation for which agency should have oversight over uses of health information on the Internet and a timetable for regulation.


♦♦Amend HIPAA to create new categories of covered entities and require the Office of Civil Rights (OCR) to promulgate new privacy regulations to cover the activities of these new entities.

Arguments For
*  Arguably provides the most certainty to the market and a more level playing field (even if the regulations applied to these new entities are tailored to the particular challenges raised by each, as is the case today among the major categories of covered entities). (steps to accomplish taken in ARRA)

Arguments Against
*  This could be difficult to achieve, as some entities may resist coverage under HIPAA; others may welcome a more certain legal environment.
*  With respect to PHRs, some have argued that HIPAA may not be the appropriate vehicle for regulating those provided by non-health care entities. For example, the National Committee for Vital and Health Statistics (NCVHS) called for protections at least equal to HIPAA to be extended to all PHRs, but did not recommend extending HIPAA to do so.29 The Center for Democracy & Technology has argued that HIPAA will not address the particular concerns raised by the handling of personal health information by Internet-based companies and other non-health care entities.30 Two of the prominent House bills from the 110th Congress — the Protecting Records, Optimizing Treatment, and Easing Communication Through Health Care Technology Act of 2008 (the PRO (TECH) T Act) (H.R. 6357) and the Health-e Information Technology Act of 2008 (H.R. 6898) (referred to collectively in this paper as the “House bills”) — instead called on HHS and FTC to work together to come up with recommendations (or regulations) for privacy protections for information in PHRs.31
*  This concern could be ameliorated by ensuring that all health care entities (including exchanges) that handle personal health information are required to comply with HIPAA (either as covered entities or business associates, depending on their structure and function), and imposing new standards on non-health care entities that provide protections similar to HIPAA but that are targeted to address the particular concerns raised in this environment.

♦♦Require (or encourage) HHS to issue new regulations or guidance to clarify that entities such as health information exchanges or PHRs that receive protected health information from a covered entity must enter into a business associate agreement and at least be contractually bound to safeguard the information and comply with HIPAA. (partially addressed in ARRA)

Arguments For
*  Does not require legislative action; thus potentially could be accomplished promptly in 2009.

Arguments Against
*  Would likely apply only to those entities that are receiving protected health information from a covered entity and thus would not protect personal health information entered into PHRs or onto Internet health sites directly by individuals. Also, the business associate model currently applies to entities performing tasks on behalf of a covered entity (emphasis added). Thus, this model may make sense for health information exchanges (or at least those that are operating for the benefit of their covered entity participants), but it makes less sense for PHRs, which operate for the benefit of the consumer.
*  Business associates are contractually obligated to adopt health information safeguards or to comply with HIPAA. However, as discussed in more detail below, federal authorities cannot hold them accountable for failure to comply with HIPAA.

♦♦Require any entity that holds or manages protected health information to adopt policies that are consistent with fair information practices, which is the model typically relied on to establish appropriate policies for handling personal information.32

Arguments For
*  Model is endorsed by NCVHS and the Markle Foundation’s Connecting for Health multi-stakeholder initiative.
*  Ensures that anyone who handles personal health information is subject to at least a uniform baseline set of standards.
*  Eliminates need to continue to revisit this issue as the market evolves and new entities/models for sharing health information are introduced.
*  Partial coverage can be achieved by imposing the requirement as a federal funding condition.
*  Model is more consistent with data privacy standards adopted by the European Commission,

128 journal of law, medicine & ethics


Deven McGraw

thus helping resolve a potential barrier to global data exchange.

Arguments Against
*  Could result in HIPAA requirements for some entities and other, less onerous requirements for other entities.
*  Fair information practices (FIPs) provide a good model for moving forward, but FIPs are articulated so broadly that building trust in electronic health information sharing may require more clearly defined rules (and achieving broad support for such rules may be difficult).
*  If new framework deviates significantly from current HIPAA rules, then there will be costs and disruptions in information flows due to covered entities and their business associates having to adjust to new or even dual standards. Further, the resources already spent coming into compliance with HIPAA will be wasted. (Note that these concerns could be ameliorated by building on the current HIPAA rules or by applying new standards only to entities not currently covered by HIPAA).

♦♦Keep the law in its current state and encourage the adoption of good privacy practices through voluntary business agreements and/or certification.

Arguments For
*  Requires no further action from Congress or the Administration.
*  Less stringent approach arguably allows for more innovative responses to addressing privacy and security issues.

Arguments Against
*  Compliance through voluntary business agreements or certification (or other voluntary business commitments) will not achieve a uniform baseline of protections. Consumers do not always have the option to choose providers, plans, or other health services based on privacy and security practices when care is needed and resources are scarce.
*  Will be perceived by some stakeholders as a lack of response to the privacy and security concerns raised by e-health; thus, may not accomplish much with respect to building trust in e-health systems.
*  Requires covered entities to continue the expense and administrative efforts to comply with the HIPAA privacy requirements and allows other entities working in the same space to be relieved of these corresponding responsibilities and expenses.

B. What Is Covered
Electronic health information exchanges and the rise of consumer-focused health management tools hold great potential for improving the flow of information necessary for good health care and helping individuals take a greater role in improving their own health. But to realize this potential, consumers need to trust that their personal health information will be kept private, confidential, and secure. As information becomes more accessible and moves more freely in an electronic exchange environment, current policies regarding access to, and use and disclosure of, health information may be inadequate and contribute to a lack of public trust in health IT.
A number of the issues discussed below relate to perceived deficiencies in the HIPAA Privacy Rule. Some argue that it makes little sense to try to re-open the compromises that were reached in the current Privacy Rule and instead urge policymakers to focus on how best to address the new challenges raised by the emerging e-health environment. Others argue that perceived deficiencies in the Rule will need to be addressed in order to build trust in e-health, regardless of the source of the problem. The following have been raised as issues that may need to be addressed in order to remove distrust as an obstacle to the widespread adoption of health IT and health information exchange.

1. addressing privacy concerns through anti-discrimination laws
Some have suggested dealing with privacy concerns by prohibiting the use of personal health information to discriminate against individuals with respect to health insurance and employment — two of the key privacy concerns raised by consumers. This is the approach taken in the Genetic Information Nondiscrimination Act of 2008 (GINA), which prohibits the use of genetic information to make health insurance coverage determinations and in employment-related decisions. Some believe that passing anti-discrimination legislation based on health information or health status33 would address the most critical privacy concerns and relieve the pressure to enact standards that “micromanage” an entity’s use of health information, which could create obstacles to the information sharing that can improve individual health and the U.S. healthcare system.


Possible Solutions

♦♦Enact federal legislation prohibiting the use of personal health information in determining the terms and conditions of employment or health insurance coverage.

Arguments For
*  As noted above, addresses the most critical consumer fears about use of their health information; could obviate need for specific, detailed provisions on information uses for other purposes.

Arguments Against
*  Raises larger public policy issues that in the past have been difficult to resolve and that should be discussed in the broader context of health reform (e.g., to what extent employers can use health status in making employment decisions, particularly where fitness for duty is a work issue; and to what extent should government (particularly the federal government) regulate the business of insurance, which is dependent on the ability to assess and manage health claims risk).
*  May be more difficult than enacting specific standards governing use of information in a range of other contexts; even if anti-discrimination legislation could be enacted, it wouldn’t necessarily resolve all privacy concerns.

2. lack of a federal breach notification standard
Prior to passage of ARRA, there was no federal law requiring that individuals be notified if their personal health information is breached — i.e., inadvertently disclosed to or accessed by the public or persons or entities not authorized to see it. A number of states have enacted laws requiring persons to be notified if their personal data is breached. Only three of these laws explicitly apply to identifiable health information,34 but some general state breach notification laws may be interpreted to apply to health information.35 As a result, individuals only had a right to be notified if their personal health information was inappropriately accessed or disclosed if they happened to live in a state with an applicable law, or if their information was breached by an organization that voluntarily provides breach notification as part of its risk mitigation practices. Receiving notice of health data breaches gives individuals an opportunity to prepare or to try to minimize any potential damage (if possible). A breach notification requirement also arguably provides incentives for holders of health data to take the strongest measures possible to protect against breach.

Possible Solutions
Sections 13402 and 13407 of ARRA establish a federal breach notification law that applies to entities covered by HIPAA and vendors of personal health records and other Internet-based health entities.

♦♦Establish a federal breach notification law that applies to identifiable health information. (arguably accomplished in ARRA)

Arguments For
*  Establishes a national right of individuals to be notified if health information is breached and establishes national consensus on what constitutes a breach.
*  Enactment of a strong federal standard could help facilitate stakeholder agreement for preemption of state health information breach notification laws, which would provide a more consistent policy environment for organizations that operate nationwide.
*  Could be done by regulation (modification to the Privacy Rule) with respect to covered entities.

Arguments Against
*  Could be difficult to come to consensus on the trigger for breach notification. However, without such a standard, consumers could be inundated with alerts about data breaches that do not involve their information, where there is little chance data recipients could access their personal information, or that the breach would be used to harm them. California, for example, imposes a strict liability standard — requiring notification except in cases where the data is encrypted. Other states follow a harm-based standard — requiring notification only if the individual suffers some type of harm. Consumer advocates argue that defining “harm” with respect to breaches of personal health information requires a standard beyond financial harm, such as discrimination, stigma, or embarrassment. Data holders may find it difficult to determine whether or not a particular breach rises to this standard; consumers may not trust data holders to appropriately make this determination on their behalf.
*  If requirement applies only to covered entities, it leaves out many organizations and institutions that hold or manage personal health information, including: HIPAA business associates (who could be required in regulation to notify the covered entity of any breach); PHRs offered by non-HIPAA covered entities; and Internet health sites that collect personal health information.


Imposing a requirement to notify individuals of breaches on these entities would require a law of broader application, which may be more difficult to enact.

♦♦Status quo (i.e., leave for states to address or to market forces).

Arguments For
*  Companies will develop more innovative technologies for protecting information if they compete based on their privacy and security policies and practices, including those dealing with breach notification.
*  It is not clear that this is a new issue raised by the movement to electronic records, which suggests it is not something that needs to be addressed at this time.

Arguments Against
*  It is unclear that this is something the market alone will fix. Entities holding health information would likely come to different conclusions as to whether or not it is necessary to notify in the event of a breach.
*  Breaches of greater volumes of records are more likely to occur as we store and move information electronically. Failure to address this issue creates an obstacle to building trust in e-health systems.
*  Relying on states is unlikely to achieve protection for all patients.
*  Continuing to leave this to state law exacerbates the inconsistent policy environment for health care entities that operate nationally or across state lines.

3. need for data stripped of patient identifiers for a range of health purposes
The major health reform proposals all require the robust collection of health data for a number of purposes, including: measuring provider performance; determining whether particular treatments are effective; monitoring health data for safety signals with respect to new drugs and devices; health research; public health surveillance and bioterrorism; and for commercial purposes (for example, determining how often providers are prescribing a particular drug product). The Privacy Rule permits the use or disclosure of identifiable information for some of these purposes, including: quality assessment and improvement activities; public health reporting; and for health care operations such as the credentialing and licensing of health care professionals. However, some of these activities occur now with the use of information stripped of patient identifiers, and some privacy advocates have begun calling for increased use of data stripped of patient identifiers in lieu of using fully identifiable information where it is possible to do so and still accomplish the purpose for which the data was legitimately accessed.
The Privacy Rule includes two ways that covered entities may use or disclose data stripped of patient identifiers: de-identification and the limited data set. Data that qualifies as “de-identified” is not protected by the provisions of the Rule, and therefore there are no limits on how such data can be used and to whom it can be disclosed.
Data can qualify as “de-identified” in one of two ways. Under what is known as the statistical method, an expert must determine that the “risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.”36 The alternative method (often referred to as the “safe harbor”) requires that the covered entity strip out a number of specific data points, including name, address, identifying numbers, and biometric data.37 In addition, the covered entity releasing the data must have no actual knowledge, or reasonable basis to believe, that the information can be easily re-identified.38
A limited data set is information stripped of a number of the same specific data points as required for the de-identification safe harbor.39 Covered entities may release a limited data set only for purposes of research, public health, and health care operations, and must execute a data use agreement with the entity receiving the data set that sets forth the permitted uses and disclosures of the data and that does not authorize use or disclosure in contravention of the provisions of the Privacy Rule.40
Some believe the current de-identification and limited data set provisions raise a number of concerns:

•  The de-identification safe harbor standard is now more than five years old, and today there is much greater access to information via public databases (a development that will only increase in the future). It may now be easier to re-identify data,41 and some have called for an update to the standard, or at least an examination of whether it is as effective as it was when first enacted. Others have questioned whether it remains good public policy to allow data that fits the de-identification standard to remain uncovered by the Privacy Rule.


•  Limited data set users must commit to not re-identifying the data, and covered entities may only release de-identified data if it meets the standard, which is supposed to ensure a very low risk of re-identification. But if data is re-identified, either by limited data set recipients or by holders of de-identified data, the ability to hold those persons or entities accountable is very limited. In the case of a limited data set, the data holder is only contractually obligated to the covered entity not to re-identify; a covered entity can be held responsible for the actions of the data set recipient if (1) the entity knew of a “pattern or practice” that constituted a material breach or a violation of the data use agreement and (2) the covered entity took no action.42 With fully de-identified data, the information can be shared with non-covered entities and does not require the execution of a contract. Thus, there are no applicable legal prohibitions against, or penalties for, re-identification, and such prohibitions are not required to be imposed on the data recipient via contract (although nothing in the law prevents data holders from voluntarily imposing such a condition).
•  Researchers and others, including people with rare or chronic illnesses, are concerned that the limited data set and de-identification standards — in particular, the provisions that require the elimination of specific data points — make the data unusable for many research and public health purposes. They would prefer some middle ground, where the data is stripped of those identifiers that can be easily used to re-identify (such as name, full address, and identifying numbers), but where a sufficient amount of data is retained to accomplish the purposes for which the data is sought.

Possible Solutions
Section 13424 of ARRA requires HHS to study the current HIPAA de-identification provisions. Section 13405 requires the Secretary to establish guidance on the “minimum necessary” standard, which must be followed for access, use, and disclosure of personal health information for most purposes other than treatment. Until such guidance is issued, covered entities and their business associates are directed to use a limited data set to meet the minimum necessary standard if doing so is “practicable.”

♦♦HHS should seek the input of experts and the public and examine the de-identification safe harbor to determine if it is still robust enough to provide a very low risk of re-identification, and make any appropriate revisions to the Rule. (arguably accomplished in ARRA)

Arguments For
*  Allows for a public process for re-examining the standard and helps ensure that any changes to the standard are based on the latest science.
*  The House bills each had provisions tasking HHS to examine the de-identification standard, indicating some support for such an initiative.

Arguments Against
*  Because the current standard requires data holders to have no “reasonable basis” for believing the de-identified data could be used to identify an individual (and no actual knowledge that the information could be re-identified), the standard is already flexible and robust enough.

♦♦Create more options for use of health data stripped of some individual identifiers, and require data use agreements for all data disclosures (or at least all that do not meet the threshold of full de-identification). (steps to accomplish taken in ARRA)

Arguments For
*  Could address concerns raised by some that the current options do not serve many legitimate needs for data stripped of some patient identifiers.
*  Could help entities use such “lesser identified” data for activities that today use fully identifiable data (for example, many of the activities covered by health care operations and some research).
*  Helps ensure that all data recipients are held accountable.

Arguments Against
*  Policymakers will face a difficult task in determining the permitted uses of various new data set options. Could result in an environment that is either less protective or overly stringent compared to the one that exists today.
*  Requiring data use agreements for all disclosures can be a cumbersome process with little relation to privacy protections.
*  Requiring such agreements could obstruct the flow of information for public health reporting, syndromic surveillance, bioterrorism detection, and other important public purposes.
*  Data recipients are only held accountable by the terms of their contracts.
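The two release routes described in this section (the safe harbor, which strips specific data points and generalizes geography, dates and age; and the limited data set, the "middle ground" that keeps dates and city/state/ZIP under a data use agreement) and the "no actual knowledge or reasonable basis" condition are easier to compare on a concrete record. The following Python is an added illustration written for this page; it is not code from the paper, from HHS, or from any HIPAA tooling. The field names, the sample record and the `sparse_zip3` argument (standing in for the Census-derived list of three-digit ZIP areas under 20,000 people) are assumptions made for the example, and the free-text scan stands in for the broader residual-identifier review a covered entity must make before calling data de-identified.

```python
"""Added illustration (not from the paper, HHS, or any HIPAA product): the
Privacy Rule's two routes for releasing data stripped of patient identifiers,
applied to one constructed record, plus a residual-identifier check.  Field
names, the sample record and the sparse-ZIP set are assumptions."""
import re
from typing import Iterable

# Direct identifiers removed under both routes.  Geography, dates and age are
# handled separately: safe harbor generalizes them, the limited data set keeps them.
DIRECT_IDENTIFIERS = frozenset({
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "phone", "fax", "email", "url", "ip_address",
    "biometric_id", "full_face_photo",
})

# Dates tied to the individual: safe harbor keeps only the year.
DATE_FIELDS = ("dob", "admission_date", "discharge_date", "date_of_death")

# Identifier shapes that survive a structured strip because they sit in free text.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}


def _drop_direct_identifiers(record: dict) -> dict:
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def safe_harbor_deidentify(record: dict, sparse_zip3: Iterable[str] = ()) -> dict:
    """Safe harbor: drop direct identifiers and geography finer than state,
    keep only the first three ZIP digits (or '000' when that three-digit area
    holds under 20,000 people; `sparse_zip3` is an assumed stand-in for the
    Census-derived list), reduce dates to the year, and cap ages at '90+'."""
    out = _drop_direct_identifiers(record)
    out.pop("street_address", None)
    out.pop("city", None)
    if out.get("zip") is not None:
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in set(sparse_zip3) else zip3
    for field in DATE_FIELDS:
        if out.get(field):
            out[field] = str(out[field])[:4]  # 'YYYY-MM-DD' -> 'YYYY'
    if isinstance(out.get("age"), int) and out["age"] >= 90:
        out["age"] = "90+"
    return out


def limited_data_set(record: dict) -> dict:
    """Limited data set: direct identifiers and street address go, but full
    dates, age, city, state and five-digit ZIP stay.  Release is lawful only
    under a data use agreement, which code cannot enforce."""
    out = _drop_direct_identifiers(record)
    out.pop("street_address", None)
    return out


def residual_identifiers(record: dict, free_text_fields=("notes",)) -> list:
    """Flag identifier-shaped strings left in free-text fields.  A non-empty
    result is a 'reasonable basis to believe' the record is re-identifiable,
    so it must not go out as de-identified without further review."""
    hits = []
    for field in free_text_fields:
        text = str(record.get(field) or "")
        for kind, pattern in FREE_TEXT_PATTERNS.items():
            if pattern.search(text):
                hits.append((field, kind))
    return hits


# Constructed sample record; every value is invented for the example.
SAMPLE_RECORD = {
    "name": "Example Patient",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "street_address": "1 Example Street",
    "city": "Exampleville",
    "state": "IL",
    "zip": "62704",
    "dob": "1917-03-04",
    "age": 92,
    "admission_date": "2009-06-12",
    "dx_code": "250.00",
    "notes": "Patient asked that results be sent to patient@example.org.",
}

if __name__ == "__main__":
    print("safe harbor:", safe_harbor_deidentify(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("residual identifiers:", residual_identifiers(SAMPLE_RECORD))
```

Running it on the constructed record shows why the section's concerns are not abstract: the safe harbor output keeps only "627", "1917" and "90+" where the limited data set keeps the full ZIP, birth date and age, which is the usability gap researchers complain about; and the `notes` field passes through both routes with an e-mail address inside, which is the kind of residue the "no actual knowledge" condition exists to catch and that a field-level strip alone never sees.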


♦♦At a minimum, require those who obtain data stripped of patient identifiers to commit to not re-identifying the data, except in specific circumstances (for example, notifications about a serious public health threat or drug safety/recall notifications).

Arguments For
*  Attacks the key concern with respect to the use of data stripped of patient identifiers without the perceived risks associated with a more comprehensive re-opening of the Rule or the de-identification standard.

Arguments Against
*  The arguments above apply here. Most likely, this is possible only through a data use agreement, and currently such agreements are not required when information is de-identified.

4. prohibitions on use of personal information for marketing purposes
Among consumer views on health information privacy, use of their personal information for marketing purposes ranks among the top concerns. For example, in a 2006 survey asking Americans about the benefits of and concerns about online health information, 77% reported being “very concerned” about their information being used for marketing purposes.43 The HIPAA Privacy Rule governs a covered entity’s use of an individual’s health information for marketing purposes, but there are no rules regarding use of health information for marketing purposes by entities not covered by the Rule. With respect to information in personal health records, or voluntarily shared on Internet health sites, use for marketing purposes will be governed by whether the HIPAA Privacy Rule requirements apply, the vendor’s or site’s terms of use or privacy policy, or what individuals may knowingly or inadvertently authorize.
The Privacy Rule prohibits covered entities from using a person’s identifiable information for marketing purposes without his or her prior authorization. The definition of what constitutes “marketing” is a communication about a product or service that encourages the recipient to purchase or use that product or service.44 The definition includes a number of exceptions that were crafted to allow covered entities to send important health-related communications to their patients and enrollees without having to first obtain individual authorization. For example, covered entities may use personal information to communicate with an individual about his or her treatment; for case management or care coordination, or to recommend alternative therapies, providers, or settings of care; or to describe products or services in a benefits plan or value-added services available only to plan enrollees.45 Individuals whose personal information is used to make a communication exempt from the marketing rule also do not have the right to object to (or opt out of) their personal information being used for these purposes.46
The Privacy Rule prohibits a covered entity from selling (without authorization) protected health information about its patients or enrollees to outside entities so that those entities can directly market their products and services. However, such outside entities could pay the covered entity to use protected health information to make those communications — and as long as those communications fell under one of the exceptions to the marketing definition, authorization would not be required. Some see this as a loophole, enabling outside entities to pay covered entities to send targeted marketing communications that the entities could not send themselves without express individual authorization. Others believe the rule strikes the right balance — ensuring that protected health information remains with the covered entity (or its business associate), and allowing beneficial communications to be sent to patients and enrollees without having to ask first for patient authorization (which under the Privacy Rule must be fairly detailed).
The polling data is clear that individuals feel strongly about the use of their information without their consent for marketing purposes. There does not appear to be consensus, however, on whether the marketing provisions in the Privacy Rule need to be revised in order to build trust in e-health systems. Some claim that direct marketing to individuals helps drive up the cost of care; others point to communications that can help lower costs and ensure individuals get appropriate care (such as communications to facilitate medication adherence, or about lower-cost therapeutic alternatives or free or low-cost prevention services).
Policymakers have not yet begun to address concerns about the use of personal health information in PHRs and on Internet sites for marketing purposes.

Possible Solutions
Section 13406 of ARRA revises the HIPAA marketing rule to require prior authorization when an individual’s protected health information will be used to make a communication that is paid for (directly or indirectly) by an outside entity. Exceptions include: communications about drugs or biologics that are currently prescribed for, or administered to, an individual – as long as the payment from the outside entity is reasonable in amount. The provision also makes an exception for remuneration that constitutes payment for treatment of an individual. Other related ARRA provisions include: Section 13406, requiring covered entities to allow individuals to opt-out of receiving fundraising communications; and Section 13405, prohibiting the direct or indirect receipt of remuneration in exchange for an individual’s protected health information.

♦♦Strengthen HIPAA rules requiring prior authorization for use of personal information for marketing by covered entities and establish rules for use of information for marketing purposes by non-covered entities. (at least partially addressed in ARRA)

Arguments For
*  Attacks a key concern of the public with respect to uses of their health information. Could be structured in a way that permits some targeted communication with patients for legitimate health purposes but without creating loopholes that end up permitting the use of personal information for the purpose of marketing a broad range of health-related products and services.
*  Could be accomplished by regulatory change with respect to marketing by covered entities and their business associates.

Arguments Against
*  Would require legislation for non-covered entities.
*  Drawing the line between “good marketing” — using individuals’ information to send communications that clearly advance their health or health care — and “commercial marketing” — where the communication is arguably related to health but where the benefit to the individual is less clear or is secondary to the commercial interests of the entity sponsoring the communication — can be difficult. There also are stakeholders either firmly committed to preserving the status quo or concerned that any changes could have unintended consequences for patient health or health care business operations.
*  There could be negative health consequences for individuals (e.g., no or less information about available benefits, treatment alternatives, etc.).

♦♦Increase compliance with the Privacy Rule’s current provisions by issuing additional guidance about the types of communications that are or are not “marketing.”

Arguments For
*  Does not require amendment to the Rule (although could be done in conjunction with amending the Rule to enhance understanding of the Rule’s provisions and improve compliance).
*  Could result in more communications, which today are allowable under different interpretations of the marketing exemptions, being deemed to be “marketing” and therefore requiring prior authorization.
*  Would continue to allow essential communications to individuals that directly impact their health, care, and outcomes.

Arguments Against
*  Depending on the content of the guidance, could inadvertently bless more marketing uses without patient authorization than occur today.
*  Because it preserves the perceived inadequacies in the current Rule, unclear how well such an initiative would build consumer trust.

♦♦Leave Rule as is for current covered entities, but set more stringent rules for use of information for marketing purposes by health information exchanges, and adopt rules governing marketing uses by PHRs and Internet health sites.

Arguments For
*  Avoids more difficult re-negotiation of the Rule for current actors and instead targets new challenges raised by e-health.
*  Challenge of finding a viable business model for electronic exchange networks — and potentially PHRs — makes the information held in or exchanged through these vehicles a potentially attractive target for marketers, strengthening the case for targeting this area for strong regulation.

Arguments Against
*  Does not address what some perceive to be deficiencies in the Rule today (for example, the use of protected health information without prior patient authorization by covered entities to send communications that are paid for by an outside company and that encourage the patient to use that company’s goods and services).
*  Depending on the terms of the specific rule, could potentially cut off a source of operating revenue for these exchanges.

♦♦Change Rule from the current “opt-in (but with exceptions)” approach to instead allow individuals to opt-out of receiving all marketing communications, including those that today are exempt from the definition of marketing. (at least partially addressed in ARRA)

Arguments For
*  Could be easier to implement without the need to determine which communications are “good” (and thus should be permitted without authorization) and which should first require explicit patient permission.
*  Assumes patients want to receive these communications but empowers patients to stop them if they object.
*  In a variation, could also retain the authorization requirement for communications that qualify under the current marketing definition (thus, permitting opt-out for those communications that are currently exempt from the definition but that consumers could still view as marketing).

a myriad of important variables — and where many individuals do not have choices (or a wide range of choices) with respect to their sources of care.
*  Unless the policy is clearly articulated, explanations of uses of information in a privacy policy may not be clear. A clear policy could explicitly state, in part: “we do not use your information to recommend products or services to you under any circumstances.”

5. other areas where hipaa could be strengthened
As personal health information is accessed and exchanged more easily in the new electronic environment, HIPAA policies regarding access to, and use and disclosure of, health information may be inadequate and contribute to a lack of public trust in health IT and health information exchange. Some of these issues
are new ones raised by the new e-health environment,
Arguments Against while others were initially raised during the HIPAA
*  Places burden on individual to police how their regulatory debates and may or may not be exacerbated
information is and is not used — clear boundar- by the new information sharing models. In the past
ies on use of information provide more reliable year policymakers have considered addressing the
protections for privacy. following:
*  Arguably less protective than current rule, which
requires authorization to use information for •  Uncertainty regarding how to apply the “mini-
marketing with some exceptions (unless authori- mum necessary” standard. Under the Privacy
zation requirement is retained for those uses that Rule, access to, and uses and disclosures of, per-
currently qualify as marketing). sonal health information must be limited to the
*  Stifles needed information for individuals and minimum necessary to accomplish the legitimate
could result in negative health outcomes. purpose for accessing the information, except
with respect to treatment.47 This standard was
♦♦Leave current Rule as is; allow non-HIPAA intended to be flexible in order to accommodate
covered entities to compete on the basis of their a broad range of circumstances, but the lack of
policies with respect to use of information for clear boundaries has resulted in a great deal of
marketing purposes (HIPAA-covered entities confusion about how to comply.48 Some believe
could also voluntarily implement more stringent further guidance on the minimum necessary stan-
controls on uses of information for marketing dard could help resolve this uncertainty. (As noted
purposes, and compete on that basis). above, ARRA requires the Secretary to issue guid-
ance on the minimum necessary standard and
Arguments For strongly encourages the use of a limited data set.)
*  Does not require changes to current law. •  Perception among some privacy and patient
*  Could lead to more privacy-protective environ- advocates that “health care operations” permits
ment if robust “privacy competition” emerges. too much sharing of personal health informa-
tion. Under the Privacy Rule, “health care opera-
Arguments Against tions” is specifically defined. However, a number
*  Few individuals know the extent to which their of the descriptions are very broad and permit use
information is used to market or make health- and disclosure of personal health information for
related communications to them. Thus, they may functions that could be achieved without patient
be unlikely to inquire or make decisions based identifiers or could be done only with the con-
on use of their information for these purposes. sent or authorization of the patient. For example,
This may be particularly true in a health care health care operations include activities such as:
context, where choice of care provider involves conducting quality assessment and improvement

legal solutions in health reform • fall 2009 135


JL ME SUPPLEMENT

activities; reviewing the competence or qualifications of health care professionals; underwriting and premium rating; auditing; and business management and general administrative activities — such as due diligence related to a merger, customer service functions, and fundraising for the benefit of the covered entity (see Appendix B for a complete list). The Privacy Rule also permits covered entities to share health information with another covered entity for the purpose of the recipient entities’ health care operations, as long as both entities have a relationship with the patient.[49]
•  The PRO(TECH)T Act of 2008 would have required patient consent (not authorization) for health care operations uses. A number of stakeholders expressed concern that this provision would significantly stifle uses of health care information for important purposes like public health and quality measurement; others noted that because treatment and coverage could be conditioned on patients giving their consent to health care operations uses, it would provide little meaningful privacy protection. The Health-e Technology Act of 2008 took a different approach, tasking HHS to examine the definition of health care operations and determine which functions could be performed with de-identified data and which should require prior authorization.
•  Uncertainty regarding which Privacy Rule provisions should apply to health information exchanges. As noted above, the Privacy Rule historically has not applied to health information exchanges (for example, RHIOs, HIEs, and ePrescribing Gateways), except those that may qualify as healthcare clearinghouses. Many of these entities have executed business associate agreements with the covered entities that participate in the exchange. However, it is not clear that all have done so, which has prompted some to call for a requirement that these exchanges either be covered entities or enter into business associate agreements (depending on their structure and function). (As noted above, ARRA clarifies that some of these entities must enter into business associate agreements.)
But securing coverage under HIPAA, either directly or as a business associate, only addresses part of the question. Once covered, policymakers need to determine the data access, use, and disclosure rules that will apply to these new entities. For example, should a person’s identifiable health information be used in these exchanges only for treatment of the individual, or can it be accessed to treat another individual? Under the Privacy Rule today, covered entities can use one patient’s identifiable information for treating another patient.[50] This permissive use raises privacy concerns, particularly when data on any patient can be accessed across multiple institutions and providers participating in a network. Should exchanges be accessible for payment purposes, or to accomplish health care operations? Should exchanges exist only to facilitate the health care activities of the covered entities participating in the exchange, or should the exchange itself be permitted to use data for its own purposes? What if some of the entities providing support for and participating in the exchange are not themselves covered by HIPAA? In the absence of clear rules, health exchanges are working out the rules of the road on their own, often with multi-stakeholder involvement. There has been no objective study of the results to date.
•  Confusion regarding whether quality improvement uses of identifiable health information are a health care operation (not requiring patient consent) or research, which requires authorization except in certain circumstances. As noted multiple times throughout this paper, health reform proposals are looking to health IT as the linchpin for providing the data that will help improve quality of care. The Privacy Rule permits the use of identifiable health information without patient consent for “quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines” — as long as “obtaining generalizable knowledge is not the primary purpose of any studies resulting from those activities.”[51] The Privacy Rule also permits the use of identifiable information without patient consent for population-based activities relating to improving health or reducing health care costs, and protocol development.[52] Separate provisions of the Privacy Rule permit covered entities to use and disclose identifiable information for research purposes; such research requires specific authorization from the patient unless an IRB or Privacy Board waives the requirement based on the low risk to patient privacy.[53] (As noted above, use of de-identified data or a limited data set for research purposes is also permitted and in most cases will not require prior patient authorization.) Confusion about which provision applies to what types of quality improvement activities could hinder efforts to implement more robust measurement
and other quality improvement efforts. (Some have expressed concerns about the possible negative impact of ARRA’s prohibition (13405) on the receipt of remuneration for protected health information on uses of data for research and public health.)
•  Inability to meaningfully restrict access to and disclosure of health information. Under the Privacy Rule, individuals have a right to request a restriction on the use and disclosure of their health information — but covered entities are neither required to comply with the request, nor to provide a reason for noncompliance.[54] If a covered entity grants the request, however, it must comply. Some have advocated for granting a stronger right to restrict access to information, particularly with respect to information that is exchanged electronically through the “National Health Information Network” (NHIN). For example, NCVHS has recommended allowing people to choose whether or not their information is included in the NHIN, and to be able to restrict network access to data in certain sensitive categories.[55] In its recommendation regarding the right to restrict access to sensitive information, NCVHS acknowledged that few individuals would likely make such a request; but noted that individuals would strongly value the right and ability to do so.[56] (Section 13405 of ARRA gives individuals a right to request a restriction on disclosures to health plans for payment and health care operations when they pay for their care out-of-pocket in full).
Technology may improve the ability for health data holders to segregate sensitive data and comply with a patient request to restrict data access. However, if compliance with such a restriction is mandatory, providers, plans and other health data holders will likely seek to be held harmless for inadvertent access and disclosure of information in contravention of a patient’s requested restriction, as long as the holders used reasonable efforts to comply. NCVHS also recognized that providers should be notified if a patient has decided to sequester or restrict access to information in a sensitive category, but they left for further discussion how this notification would take place.[57] Further, a requirement that applies only to those with electronic records risks creating disincentives for providers and others to move from paper to electronic systems.
•  Uncertainty over patients’ rights to access their records electronically, or receive an electronic copy. The effort to engage more individuals in their health care through the use of consumer-facing electronic tools such as PHRs will not be successful if individuals cannot easily and promptly obtain electronic access to, or electronic copies of, their health records. Under the Privacy Rule, patients have the right to access, and obtain a copy of, their health information in the form or format requested, “if it is readily producible in that form or format.”[58] Some believe that this language already obligates providers and plans with electronic health records to provide an electronic copy of the record. Anecdotal reports, however, suggest that providers are not clear on their obligations and that patients have had difficulty obtaining copies of their health records in electronic format, in part because not all electronic health record applications facilitate the easy production of electronic copies. In general, difficulty in obtaining a copy of one’s record, even in paper format, is one of the top five HIPAA complaints investigated by OCR.[59] Also, some believe that the timeframe for responding to a records request — which is at least 30 days under the current Rule[60] — should be shortened when those records are kept electronically, and that the cost to consumers of obtaining an electronic copy should be free or set at a level more commensurate with the costs of making an electronic copy available. Under the current Rule, such costs are required to be “reasonable” and “cost-based”;[61] however, most states set limits on copying charges for medical records, which range from free (Kentucky) to $37.00 for up to the first 10 pages of a hospital record (Texas).[62] (Section 13405 of ARRA requires covered entities using “electronic health records” (a defined term in ARRA) to provide individuals with an electronic copy. Any fee charged for this electronic copy cannot exceed the entity’s labor costs in responding to the request. Individuals can have their electronic copy transmitted to another person or entity, as long as their choice is “clear, conspicuous, and specific”.)
•  Controversy over the appropriate role for patient consent or authorization. The Privacy Rule permits the gathering and sharing of information for a range of purposes without the need to first obtain the patient’s consent. For uses and disclosures not specifically permitted under the Privacy Rule, a patient’s specific written authorization is required. An earlier version of the Rule would have required patient consent for treatment, payment, and health care operations; but providers and plans could have
conditioned treatment or coverage on obtaining patient consent for these routine uses of their information.[63] However, this version was harshly criticized by the health care industry, who argued that the requirements would hinder the delivery of treatment, the processing of payments, and other routine activities by requiring consent to be obtained over and over again.[64] In response, HHS amended this version in 2002 before it went into effect and replaced it with the structure that is in place today: permissive use of information for certain routine health purposes; authorization required for uses and disclosures not specifically enumerated in the Rule; and plans and providers may not condition providing coverage or treatment on the patient’s execution of such an authorization.[65] A number of privacy advocates harshly criticized the amendment, and some continue to call for restoration of the earlier version requiring consent for nearly all uses and disclosures of health information.[66] Others note that such consent could not possibly be voluntary, and that overreliance on consent unfairly shifts the burden for protecting privacy to individuals and not to the organizations holding the data.[67] Some entities would not likely support such a proposal, as requiring individual consent for routine health care functions could stifle necessary payment and other important processes.
Also relevant is whether there should be an enhanced role for patient choice with respect to whether or not health information is included in an electronic exchange network. Exchange networks across the country are considering, and some have begun to implement, consent policies that require people to opt-in to, or allow them to opt-out of, sharing their health information through an exchange network either in whole or in part (such as by provider or by type of information).[68] In general, those networks must balance the extent to which providing consumers with meaningful choice about having their personal information exchanged in a local, state, or national network increases patient trust and values individual autonomy against the consequences both for individuals and for the system of having potentially incomplete data available for treatment decisions and public health. As noted above, NCVHS has recommended that individuals at least have the right to opt-out of information sharing through the NHIN.[69] Additionally, the Markle Foundation’s Common Framework, released in 2006 (Resources for Implementing Private and Secure Health Information Exchanges), recommends giving patients control by allowing them to create a second or third identity for records they want to keep out of networked electronic records exchanges.[70] Although a number of sources have begun informally tracking the policies of various exchanges throughout the country, there has been no systematic study of the impact of the various policy models being adopted.

Possible Solutions
♦♦HHS could issue more guidance on how to comply with the Privacy Rule. (As noted on page 16, ARRA directs the Secretary to issue guidance on the minimum necessary standard.)

Arguments For
*  A common sense and prompt way to address a number of the above issues, including: confusion regarding the minimum necessary rule; which quality measurement/improvement activities are permitted without consent as health care operations and which constitute research and require authorization absent a waiver; and the obligation of covered entities to provide individuals with electronic copies of their health records.
*  Could be combined with a new system whereby stakeholders, without penalty, can ask the Office for Civil Rights (OCR) to publicly opine on whether certain proposed health information uses or disclosures are in compliance with the Rule.

Arguments Against
*  OCR is already under-resourced, and without a resource increase may not be able to issue guidance promptly and on as broad a range of topics as desirable. Also probably not possible without more resources to institute any new program to publicly issue specific responses to stakeholder questions.
*  Guidance alone may not be sufficient to address all of the concerns raised above.

♦♦HHS could examine the health care operations definition and issue new regulations that limit the use of identifiable data without consent. The regulations could require more of the current health care operations to be done with data stripped of some patient identifiers, or could potentially require authorization for some uses that today are permitted without consent. Another possible option is for HHS to issue guidance on the “minimum necessary” standard that encompasses both the extent of data accessed, as well as the extent of “identifiability”
of the data, for health care operations purposes. (partially accomplished in ARRA)

Arguments For
*  Addresses directly one of the biggest concerns that privacy advocates have with the Privacy Rule.
*  Outcome could enhance privacy while still allowing the use of data for a range of operational purposes.

Arguments Against
*  Health care industry has five years of experience working with HIPAA and will be concerned about not being permitted to use identifiable data for the same broad range of purposes as is permitted today. A possible compromise could be to allow use of identifiable data only for an entity’s own health care operations, whether performed by the entity itself or a business associate on its behalf. However, this compromise may not be feasible in a more interconnected health system.
*  Because of the significant interests involved, could be difficult to achieve, even in a regulatory context.
*  Requiring the use of data stripped of patient identifiers for routine operations could increase health care costs. Additionally, as many health care operations are closely linked to treatment and payment functions, delays in information sharing may result for these purposes as well as for health care operations that help facilitate quality improvement efforts.
*  Could result in broad requirements that negatively impact essential health care operations such as quality improvement programs.

♦♦HHS could issue new regulations regarding the terms of access to health information exchanges, including defining minimum standards for consumer choice.

Arguments For
*  For states currently establishing exchanges, a clear set of baseline rules could reduce the difficulty of trying to achieve a mutual agreement among stakeholders.
*  Public trust will be enhanced if these entities are subject to enforceable rules about how they can and cannot use health information.

Arguments Against
*  It is too early to establish rules to govern the behavior of these exchanges. Premature regulation may stifle local variation and innovation. (Note that, in the alternative, exchanges could at least be required to adopt policies that are consistent with a fair information practices model such as the Markle Common Framework.)
*  Viable business models for long-term operation of these exchanges have yet to be established, and regulating too stringently or too early in this space could jeopardize their implementation.

♦♦Filling gaps in HIPAA and establishing privacy protections that go beyond the HIPAA floor could occur through voluntary adherence to best practices or certification.

Arguments For
*  Such an approach is consistent with the HIPAA model, which provides a baseline floor of standards and allows for states to adopt more stringent laws and for the private sector to voluntarily promote and adopt more stringent privacy protections.
*  Likely easier to accomplish than regulatory or legislative change.
*  May be more cost-effective than imposing through a top-down regulatory approach.

Arguments Against
*  Patients care about their health information privacy, but often do not make health care decisions based on an institution’s privacy policies, as noted above. There will be few (if any) market incentives for enhancing privacy; thus there is a strong role for public policy to play.
*  Voluntary adoption of best practices and certification is less likely to achieve broad-based adoption of stronger privacy protection.
*  Certification, which typically occurs only at intervals, may be inappropriate for ensuring adequate protections for privacy. For example, a health IT product may be certified to include certain functionalities that are privacy-enhancing, such as role-based access and audit trails. But if these functions are not being consistently used, or if the entity is not monitoring compliance (or being actively monitored for compliance), certification does little to enhance privacy protection.
C. State Law Variation
As noted above, because HIPAA was structured to provide a floor of protections, state laws providing more stringent protections for health information are expressly preserved. Movement towards an interconnected national health information network raises concerns that the multiplicity of state privacy laws will create an obstacle to the nationwide electronic exchange of health information or the exchange of information regionally across state lines. Others have noted the difficulty in determining a particular state’s health privacy laws, as they are often a combination of statute, regulation and guidance, customary practice, and common law.

Possible Solutions
♦♦Establish a federal health privacy law that preempts all state health privacy laws. A possible alternative is to set a single federal standard that preempts existing state law (i.e., “wipes the slate clean”), but allow states to pass new laws establishing stronger privacy provisions (perhaps within a certain window of time).

Arguments For
*  Should eliminate confusion and create a more consistent policy environment for privacy and nationwide electronic health information exchange.
*  Makes more sense in a health care arena increasingly dominated by multi-state players.
*  The alternative approach preserves the ability for states to re-enact those privacy provisions they deem to be most important while making it easier for cross-state actors to understand and comply with relevant laws (because there will likely be fewer of them).

Arguments Against
*  Congress intended the HIPAA Privacy Rule to provide a floor of protections — not a ceiling. Thus, if the single national standard is the set of current HIPAA rules, some stakeholders will fight any attempts to decrease privacy protections for individuals living in states with laws that are currently stronger than HIPAA.
*  The more stringent state laws typically cover more sensitive health information, such as mental health, sexually transmitted diseases, or HIV/AIDS. Efforts to eliminate these protections will be opposed by their constituencies and could erode public trust.
*  Another alternative is to create a national standard that is greater than HIPAA (perhaps using the states with the most expansive privacy protections as a model). However, this may be opposed by industry stakeholders, particularly those whose business operations are primarily in states with less stringent privacy laws.
*  Many of the state protections for health data were enacted as part of state public health reporting statutes — so eliminating the protections could inadvertently jeopardize the reporting provisions.

♦♦Status quo — federal standards are a floor, with states able to adopt more protective measures. Arguments for and against this option are the reverse of those for the above option.

D. Improving Understanding of and Compliance with HIPAA Protections
As noted above in the introduction, confusion about the Privacy Rule persists, which often results in overly conservative interpretations of the Rule and a failure to share health information even for legitimate purposes. Some attribute this confusion to a lack of education about the substance of the Rule; others believe the Rule is too complex to be effective. In addition, privacy advocates express concerns about what they perceive to be a lack of aggressive enforcement of HIPAA. Others are concerned about oversight and enforcement over entities handling personal health information that are not covered by HIPAA. This section of the paper discusses these concerns in more detail.

1. Complexity of the Rule/Lack of Understanding

Possible Solutions
Section 13403 of ARRA requires HHS to develop and maintain a “multi-faceted national education initiative” to educate individuals on the uses of their health information and their privacy rights.

♦♦Revise the Privacy Rule to make it less complex. For example, rely more on broadly worded fair information practices and principles and address detailed circumstances through guidance, model policies, etc.

Arguments For
*  Increases the likelihood that patients and covered entities will understand their rights and obligations.
*  Provides more opportunities for innovative approaches to protecting privacy.
Arguments Against Arguments Against


*  Industry has had five years to become accus- *  HHS has insufficient resources to accomplish
tomed to current law. Notwithstanding that this.
some confusion persists, is it not more disruptive *  It is already burdensome for covered entities to
to start over? provide, and for patients to read, the extensive
*  Arguably will not result in a consistent set of HIPAA privacy notice that is already required
baseline rules, and consumers will have to read under the law: why should the response be to
and understand an entity’s policies in order to provide consumers with yet another summary of
get a clear picture of how well their health infor- their rights?
mation is protected. *  Consumers may not welcome yet another notice
*  Alternative is to task HHS with identifying about their privacy rights.
those areas of the Rule that have been the larg-
est sources of confusion and target those for 2. compliance with the rule and enforcement
simplification. When Congress enacted HIPAA in 1996, it included
civil and criminal penalties for failure to comply with
♦♦Provide more guidance and better education on the statute, and these penalties applied to the subse-
the requirements of the Rule to entities covered quent privacy and security rules implemented years
by it.

Arguments For
* More guidance and extensive education on the requirements of the Rules could help clear up any remaining areas of confusion.

Arguments Against
* There may not be resources at OCR to support an effective education program. Is OCR the ideal entity to conduct this education, or are there better alternatives (such as an OCR partnership with health industry trade associations)?
* Further, who would set the standards for such programs, and is it possible to generate any measurable outcomes from them?

♦♦Improve consumer education on HIPAA rights by requiring entities to provide a one-page summary privacy notice, written in plain English at average reading levels. This could be provided in addition to the more detailed notice; HHS could create models. (partially accomplished in ARRA)

Arguments For
* Ensures consumers are provided with a more digestible summary of the most important aspects of the Rule.
* The summary would be provided in addition to the more detailed notice, which would still be provided for patients who want to read more details.
* Is consistent with the “layered notice” approach recommended by privacy advocates.
* If models are developed and disseminated by HHS, notices will be more consistent. This also helps promote greater understanding of the law.

later. But whether the HIPAA rules are being adequately enforced is the subject of some debate among policymakers and stakeholders.

OCR has not levied a single penalty against a HIPAA-covered entity in the nearly five years since the rules were implemented, even though that office has found numerous violations of the rules.71 The Justice Department (DOJ) has levied some penalties under the criminal provisions of the statute, but a 2005 opinion from DOJ’s Office of Legal Counsel (OLC) expressly limits the application of the criminal provisions to covered entities and not to individuals working within or on behalf of those covered entities (except in cases where an individual’s criminal behavior was actually sanctioned by the covered entity).72 Although DOJ has prosecuted individuals for criminal HIPAA violations in at least two instances subsequent to the OLC opinion, some have argued that its release has had a chilling effect on HIPAA criminal enforcement.73

Congress tasked HHS and DOJ with enforcing HIPAA: HHS for civil enforcement and DOJ for criminal enforcement. Within HHS, OCR enforces the Privacy Rule, and the Centers for Medicare and Medicaid Services (CMS) enforces the Security Rule. State authorities may be able to enforce HIPAA if their state statutes authorize them to enforce federal consumer protection laws. Otherwise, state authorities can only enforce state health privacy laws.

Some privacy advocates believe that the failure of HHS to aggressively pursue civil monetary penalties sends a message to entities that they need not devote significant resources to compliance with the rules. They also argue that, without strong enforcement, even the strongest privacy and security protections are but an empty promise for patients. Privacy advocates also are concerned about HIPAA’s failure to include a private right of action, which leaves consumers dependent on

legal solutions in health reform • fall 2009 141


JLME SUPPLEMENT

the federal government and without a way to be made whole for any harm due to HIPAA noncompliance.

Covered entities repeatedly express concern about protecting patient privacy and cite the potential irreversible damage to their reputations if patients lose confidence in their ability to protect personal health information. The covered entities believe this provides a powerful incentive for them to comply with the law. They argue that strengthening HIPAA’s enforcement provisions would have the unintended consequence of stifling appropriate health information sharing, because entities could over-interpret the Rule in an effort to ensure that they are not using or disclosing information in violation of the Rule or in contravention of a patient’s right. They are worried that providing patients with a private right of action would have the same consequence and is more likely to profit attorneys than to provide a fair way of promptly compensating patients for any harm that results from failure of a covered entity to comply with HIPAA. In addition, some believe that an enforcement approach that seeks voluntary compliance from covered entities is a more effective method for actually achieving compliance with the requirements.

As discussed above in this paper, privacy advocates have also been concerned about the federal government’s lack of authority before the passage of ARRA to hold business associates accountable for failure to comply with HIPAA. Instead, business associates could only be held accountable to the covered entities with which they contract for complying with the contract terms and any applicable HIPAA rules. OCR could only hold covered entities responsible for the actions of their business associates if an entity knew of a “pattern of activity or practice of the business associate that constituted a material breach or violation” of its contract and the entity did nothing to cure the breach or terminate the contract.74 Of interest, if the covered entity decided that terminating the contract was “not feasible,” the entity was required to report the problem to the Secretary.75 However, HIPAA did not give the Secretary any further authority to enforce the statute and regulations against the business associate or to hold the covered entity responsible for the violation. Entities serving in the role of business associates argue that contractual liability to the covered entity is sufficient to ensure enforcement of applicable HIPAA rules, as the business associate’s business and public reputation is at stake if there is a failure to comply.

Some believe the enforcement provisions of the HIPAA statute are poorly worded and partly to blame for the current enforcement environment, while others attribute the Bush administration’s discretion with respect to enforcement priorities and a lack of sufficient enforcement resources as more significant factors. On the other hand, some industry stakeholders believe that the enforcement provisions in the statute and regulations provide sufficient and clear legal authority for enforcement of the rules, and that the combination of the law and non-legal penalties for failure to comply with HIPAA provides sufficient protection for consumers.

For entities not covered by HIPAA, enforcement depends on the particular health privacy law that applies. For example, the FTC can use its unfair and deceptive trade practices authority to penalize those companies that fail to abide by their privacy policies with respect to the personal health information they collect, manage, or store. Similarly, for those personal health record vendors subject to the Electronic Communications Protection Act, the Justice Department can impose criminal fines and penalties against entities that release personal health information without the individual record holder’s authorization. Such entities may also be subject to state law claims.

Possible Solutions
ARRA contains a number of provisions addressing the enforcement issues raised above:

• Section 13401 makes business associates directly accountable to authorities for complying with applicable HIPAA regulations.
• Section 13409 clarifies that HIPAA criminal penalties can be enforced against individuals.
• Section 13410 clarifies that HHS can pursue a HIPAA violation civilly when criminal penalties could apply but DOJ declines to prosecute.
• Section 13410 also requires HHS to impose civil monetary penalties in cases of willful neglect of HIPAA rules (and requires the Secretary to formally investigate any complaint where the facts indicate a possible violation due to willful neglect).
• Section 13410 increases the civil monetary penalties for HIPAA violations.
• Section 13410 authorizes State Attorneys General to enforce HIPAA.
• Section 13411 requires the Secretary to conduct periodic audits for compliance with HIPAA regulations.
• Section 13410 further requires that civil penalties or monetary settlements for HIPAA violations be transferred to HHS to be used for enforcement purposes. In addition, GAO is required to propose a methodology for providing individuals harmed by HIPAA violations with a percentage

142 journal of law, medicine & ethics


Deven McGraw

of any penalties or monetary settlements collected; the Secretary is required to implement such a methodology within three years of ARRA enactment.
• Section 13424 requires HHS to submit an annual report to Congress on enforcement.

♦♦Ensure that there is an enforcement regime to address entities not covered by HIPAA that are handling personal health information. (at least partially addressed in ARRA)

Arguments For
* Enforcement is a critical part of fair information practices. Ensuring that non-HIPAA entities are subject to enforcement of either currently applicable standards or any new standards adopted by Congress and/or the new Administration should be a focus in 2009.

Arguments Against
* Few will dispute that some enforcement structure is needed to build public trust in these new health information exchange tools. It may be harder to agree on the details: what the standards are, who enforces, whether the penalty structure is appropriate, etc.

♦♦Amend the HIPAA statutory enforcement provisions to clarify current enforcement authority. The amendments could require the Secretary to formally investigate and impose civil monetary penalties in cases of willful neglect of the HIPAA rules. Or, the provision could clearly state that the Secretary can pursue civil actions in cases where a criminal violation may have occurred but the Justice Department decides not to pursue the case. Finally, an amendment could correct the Office of Legal Counsel’s interpretation of HIPAA with respect to the ability to pursue individuals who violate HIPAA’s criminal provisions. (addressed in ARRA)

Arguments For
* Arguably this is just a clarification of current enforcement authority, so it may not be as controversial (note that provisions accomplishing the above were part of the Health-e Information Technology Act of 2008).

Arguments Against
* There is already sufficient statutory and regulatory authority to enforce HIPAA.
* Covered entities may oppose any effort to clarify statutory enforcement authority, viewing it as opening the door to more aggressive enforcement.

♦♦Amend HIPAA to allow the Secretary of HHS to directly enforce the HIPAA regulations against business associates. (addressed in ARRA)

Arguments For
* Closes an enforcement loophole and allows the federal government to directly hold business associates accountable for complying with HIPAA (provisions to accomplish this were in the House bills).
* Brings federal health privacy law closer to a data stewardship model (i.e., all entities that handle personal health information have to comply with baseline standards and can be held legally accountable).

Arguments Against
* Will be vigorously opposed by entities who frequently act as business associates to covered entities. Could cause these entities to be unwilling to contract with health care entities out of fear of increased penalties. If these entities cease providing services, the cost of health care products and services could be affected.
* As an alternative, policymakers could make covered entities responsible for the actions of their business associates, which will generate vigorous opposition from covered entities who do not want to be legally responsible for behavior not in their control.

♦♦Amend HIPAA to provide a private right of action for individuals to seek redress for HIPAA violations. (at least partially addressed in ARRA)

Arguments For
* Patients will not have to depend on the government’s taking action when their privacy rights have been violated.
* Provides patients with a way to directly seek redress for privacy violations.

Arguments Against
* Will generate aggressive opposition, including from those promoting general tort reform. A possible alternative is to re-direct some or all of the civil monetary and criminal penalties collected to individuals whose privacy is violated. (Provisions to eventually establish a method for
distributing a percentage of civil monetary penalties to individuals harmed by HIPAA violations were included in the Health-e Information Technology Act of 2008.)
* Not clear that allowing individuals to sue to seek redress for privacy violations is the most effective or efficient way to improve enforcement of privacy protections or get individuals compensation for harm due to a HIPAA violation.
* Individuals are likely to be frustrated with such a cumbersome process. Litigation is time-consuming and expensive. Often, individuals are concerned with exercising their privacy rights under HIPAA (e.g., access, amendment) and litigation is neither an efficient nor cost-effective way to provide immediate results or access.
* Increased costs from litigation expenses can affect overall health care costs for consumers.

♦♦Expressly authorize state authorities to also enforce the federal HIPAA rules. (addressed in ARRA)

Arguments For
* There is precedent for doing this (see CAN-SPAM, which authorizes state attorneys general to enforce federal anti-spam provisions76).
* Devotes more resources to enforcement without a change to the current provisions.

Arguments Against
* Requires federal legislation to clearly authorize authorities in all states to enforce HIPAA.
* Likely controversial, as covered entities may be concerned about overly zealous state authorities and the possibility that legitimate data sharing will be thwarted because entities will be more cautious. Provisions were included in the as-introduced version of the Health-e Information Technology Act of 2008, but attempts to add such a provision to the PRO(TECH)T Act were unsuccessful because the provision did not have the support of all of the bill’s primary co-sponsors.
* Potentially opens up the Privacy Rule to 50 different state interpretations.
* Presents an opportunity for duplicate fines for the same acts/offenses.
* Unclear whether this would result in better enforcement, as state authorities cannot be compelled to enforce federal law. As a result, only those state authorities with a strong desire to enforce HIPAA will likely take advantage of the provision.

♦♦Status quo with respect to HIPAA enforcement provisions.

Arguments For
* There is no objective evidence that the current enforcement provisions are flawed. DOJ has pursued a handful of criminal violations, notwithstanding the OLC memo.
* The new administration should and will set its own enforcement policies with respect to criminal and civil HIPAA violations.
* Covered entities will vigorously enforce the terms of their business associate contracts because it is in their best interests to do so, and business associates will use their best efforts to comply because it makes good business sense to do so.

Arguments Against
* Such an approach ignores the flaws in the statute, and the potential that the Obama Administration will have the same perceived difficulty as the Bush administration in navigating them.
* Such an approach fails to address the frustration felt by consumers about the perceived lack of enforcement of the law.
* Such an approach leaves business associates with a free pass, creating an unlevel playing field.

Conclusion
Many believe more efficient sharing of accurate health information is a critical factor in improving health care quality for individual patients and for the nation as a whole. Health information technology provides the necessary infrastructure for creating the information-rich health care system we seek, but building the infrastructure is not enough. Consumers, providers, health plans, and other health system stakeholders will be reluctant to put information in the system if they do not trust that it will be protected. Privacy and security protections are essential to building this foundation of trust and allowing us to reap the benefits that health IT can provide.

For the most part, there is consensus that efforts to facilitate widespread adoption and use of health information technology must move forward with appropriate protections for privacy and security. However, achieving consensus on the details of what privacy and security measures need to be put in place continues to be a challenge. The enactment of ARRA represents a new generation of health privacy, but implementation challenges remain to be addressed.
The new administration and new Congress present us with new opportunities to break the privacy “gridlock.” Notwithstanding other critical national issues that need urgent attention, we have never had a better opportunity to pursue reform of our health care system, facilitated by interoperable health IT with protections for privacy and security. Consistent with the goal of the “Legal Solutions in Health Reform” project, this paper presents a range of possible solutions to privacy concerns that have been raised by some policymakers and stakeholders, along with a few of the likely arguments for and against each. Hopefully, it will be a catalyst for continuing to make progress on this difficult issue.

APPENDIX A
List of Possible Solutions by Issue Category (issues addressed at least in part by ARRA are so designated)

Who Is Covered: Do we extend the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) to all entities that now handle health information, or create new legal standards for entities not currently covered?

♦♦Amend HIPAA to create new categories of covered entities and require OCR to promulgate new privacy regulations to cover the activities of these new entities.
♦♦Clarify business associate agreements. Require (or encourage) HHS to issue new regulations or strengthen current guidance to ensure that entities receiving protected health information from a covered entity — such as exchanges or PHRs offered by that entity — must enter into a business associate agreement or at least be contractually bound to safeguard the information and comply with HIPAA. (ARRA)
♦♦Require any entity that holds or manages protected health information to adopt policies consistent with fair information practices, which is the model typically relied on to establish appropriate policies for handling personal information.
♦♦Keep the law in its current state but encourage the adoption of good privacy practices through voluntary business agreements and/or certification.

What Is Covered: What protections need to be in place? For example, do we rely on current HIPAA rules, or are modifications needed either to address new challenges or because, in the view of some, the rules were insufficient from the start? Are these concerns best addressed through changes in statute or regulations, or is it best to police this nascent marketplace through business best practices (or a combination of both)?

Addressing Privacy Concerns through Anti-Discrimination Laws
♦♦Enact federal legislation prohibiting the use of personal health information in determining the terms and conditions of employment or health insurance coverage.

Lack of a Federal Breach Notification Standard
♦♦Establish a federal breach notification law that applies to identifiable health information. (ARRA)
♦♦Status quo (i.e., leave for states to address or to market forces).

Need for Data Stripped of Patient Identifiers for a Range of Health Purposes
♦♦HHS could seek the input of experts and the public and examine the de-identification safe harbor. This could help determine if it is still robust enough to provide a very low risk of re-identification. If not, HHS could make any appropriate revisions to the Rule. (ARRA)
♦♦Create more options for use of health data stripped of some individual identifiers, and require data use agreements for all data disclosures (or at least all that do not meet the threshold of full de-identification). (ARRA)
♦♦At a minimum, require those who obtain data stripped of patient identifiers to commit to not re-identifying the data, except in specific circumstances (for example, notifications about a serious public health threat or drug safety/recall notifications).

Prohibitions on Use of Personal Information for Marketing Purposes
♦♦Strengthen HIPAA rules for use of personal information for marketing by covered entities by requiring prior authorization in more circumstances. (ARRA) Establish rules for use of information for marketing purposes by non-covered entities.
♦♦Increase compliance with the Privacy Rule’s current provisions by issuing additional guidance about the types of communications that are or are not “marketing.”
♦♦Leave Rule as is for current covered entities but set more stringent rules for use of information for marketing purposes by health information
exchanges, and adopt rules governing marketing uses by PHRs and Internet health sites.
♦♦Change Rule to allow individuals to opt-out of receiving any marketing communications, including those that today are exempt from the definition of marketing. (ARRA with respect to fundraising by a covered entity)
♦♦Leave current Rule as is and allow non-HIPAA covered entities to compete on the basis of their policies with respect to use of information for marketing purposes (HIPAA-covered entities could also voluntarily implement more stringent controls on uses of information for marketing purposes, and compete on that basis).

Other Areas Where HIPAA Could Be Strengthened
♦♦HHS could issue more guidance on how to comply with the Privacy Rule. (ARRA)
♦♦HHS could examine the health care operations definition and issue new regulations that limit the use of identifiable data without consent, which require more of the current health care operations to be done with data stripped of some patient identifiers, and to potentially require authorization for some uses that today are permitted without consent. HHS could also issue guidance on the “minimum necessary” standard that encompasses both the extent of data accessed and the extent of “identifiability” of the data, for health care operations purposes. (ARRA)
♦♦HHS should issue new regulations regarding the terms of access to health information exchanges, including defining minimum standards for consumer choice.
♦♦Filling gaps in HIPAA and establishing privacy protections that go beyond the HIPAA floor through voluntary adherence to best practices or certification.

State Law Variation: Should we allow for some state law variation or establish federal standards that preempt the field?

♦♦Establish a federal health privacy law that preempts all state health privacy laws.
♦♦Status quo — federal standards are a floor, with states able to adopt more protective measures.

Improving Understanding of (and Compliance with) Privacy Protections: How do we ensure compliance and appropriate enforcement of privacy protections?

Complexity of the Rule/Lack of Understanding
♦♦Revise the Privacy Rule to make it less complex. For example, the rule could rely more on broadly worded fair information practices and principles and address detailed circumstances through guidance, model policies, etc.
♦♦Provide more guidance and better education on the requirements of the Rule to entities covered by it. (ARRA)
♦♦Better educate consumers on their HIPAA rights by requiring entities to provide a one-page summary privacy notice, written in plain English at average reading levels. This could be provided in addition to the more detailed notice; HHS could come up with models.

Compliance with the Rule and Enforcement
♦♦Ensure that there is an enforcement regime to address entities not covered by HIPAA that are handling personal health information. (ARRA)
♦♦Amend the HIPAA statutory enforcement provisions to clarify current enforcement authority. For example, require the Secretary to formally investigate, and impose civil monetary penalties, in cases of willful neglect of the HIPAA rules; make it clear that the Secretary can pursue civil actions in cases where a criminal violation may have occurred but the Justice Department decides not to pursue the case; and correct the Office of Legal Counsel’s interpretation of HIPAA with respect to the ability to pursue individuals who violate HIPAA’s criminal provisions. (ARRA)
♦♦Amend HIPAA to allow the Secretary of HHS to directly enforce the HIPAA regulations against business associates. (ARRA)
♦♦Amend HIPAA to provide a private right of action for individuals to seek redress for HIPAA violations. (ARRA)
♦♦Expressly authorize state authorities to also enforce the federal HIPAA rules. (ARRA)
♦♦Status quo with respect to HIPAA enforcement provisions.

APPENDIX B
Health Care Operations (defined at 45 CFR 164.501)
Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation
and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
    (i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
    (ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
    (iii) Resolution of internal grievances;
    (iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
    (v) Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

References
1. Obama-Biden 2008, “Barack Obama and Joe Biden’s Plan to Lower Health Care Costs and Ensure Affordable, Accessible Health Coverage for All,” available at <http://www.barackobama.com/pdf/issues/HealthCareFullPlan.pdf> (last visited June 24, 2009).
2. Health08.org, Kaiser Family Foundation, “2008 Presidential Candidates: Health Care Issues Side-by-Side,” available at <http://www.health08.org/healthissues_sidebyside.cfm> (last visited June 24, 2009).
3. The American Recovery and Reinvestment Act of 2009, Public Law No. 111-5.
4. Connecting for Health, Markle Foundation, Survey Finds Americans Want Electronic Personal Health Information to Improve Own Health Care, survey conducted by Lake Research Partners and American Viewpoint in November 2006 for the Markle Foundation’s conference, Connecting Americans to Their Health Care: Empowered Consumers, Personal Health Records and Emerging Technologies, available at <http://www.markle.org/downloadable_assets/research_doc_120706.pdf> (last visited June 24, 2009).
5. There is a difference between “privacy” and “security.” Although there are no universally accepted definitions of those terms, in general privacy refers to policies and practices that govern the access, use, and disclosure of personal health information, and security refers to the technological tools that are used to implement those policies.
6. See J. Goldman, “Protecting Privacy to Improve Health Care,” Health Affairs 10, no. 6 (1998): 47-60, at 49; J. Goldman and Z. Hudson, California Healthcare Foundation, Promoting Health/Protecting Privacy: A Primer, January 1999, available at <http://www.chcf.org/topics/view.cfm?itemID=12502> (last visited June 24, 2009).
7. Harris Interactive, “Many U.S. Adults Are Satisfied with Use of Their Personal Health Information,” The Harris Poll #27, March 26, 2007, available at <http://www.harrisinteractive.com/harris_poll/index.asp?PID=743> (last visited June 24, 2009).
8. L. S. Bishop et al., California Healthcare Foundation, National Consumer Health Privacy Survey 2005, November 2005, available at <http://www.chcf.org/topics/view.cfm?itemID=115694> (last visited June 24, 2009).
9. This paper uses the term “personal health information” to refer generally to an individual’s identifiable health information, and uses the term “protected health information” to refer to information expressly protected by HIPAA.
10. Covered entities are health plans, health care clearinghouses, and most health care providers who submit health care claims electronically (specifically, those who transmit health information in electronic form for those transactions for which the Secretary has adopted standards (i.e., transaction code sets). See 45 C.F.R. § 160.102(a) (2007).
11. Protected health information is individually identifiable health information that includes demographic information and “that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the
provision of health care; and that identifies the individual” or “there is a reasonable basis to believe the information can be used to identify the individual.” See 45 C.F.R. § 160.201 (2007) for the precise definition.
12. Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. See 45 C.F.R. § 164.501 (2007).
13. Payment includes activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and to furnish or obtain reimbursement for health care delivered to a patient. See 45 C.F.R. § 164.501 (2007).
14. Health care operations include the following: (1) conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination; (2) reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims; (4) conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs; (5) business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and (6) business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. See Appendix A and 45 C.F.R. § 164.501 (2007).
15. Social Security Act § 1178, 42 U.S.C. § 1320d-7 (2009); 45 C.F.R. § 160.203 (2007).
16. K. Pollitz, Georgetown University Health Policy Institute, the

June 24, 2009) [hereinafter cited as “HIPAA Privacy Rule”] (which recommended additional clarification of HIPAA regulations, standardized instructions, and extensive training of healthcare workers).
21. Id. (HIPAA Privacy Rule).
22. See M. K. Paasche-Orlow et al., “Notices of Privacy Practices: A Survey of the Health Insurance Portability and Accountability Act of 1996 Documents Presented to Patients at U.S. Hospitals,” Medical Care 43, no. 6 (June 2005): 558-564; M. Hochhauser, “Why Patients Won’t Understand Their HIPAA Privacy Notices,” Privacy Rights Clearinghouse (April 10, 2003), available at <http://www.privacyrights.org/ar/HIPAA-Readability.htm> (last visited June 24, 2009); M. C. Pollio, “The Inadequacy of HIPAA’s Privacy Rule: The Plain Language Notice of Privacy Practices and Patient Understanding,” New York University Annual Survey of American Law 60 (2005): 579-620, at 593.
23. A health care clearinghouse is “a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” See Social Security Act § 1171(2), 42 U.S.C. § 1320d (2009).
24. 45 C.F.R. § 165.504(e)(2) (2007).
25. Id.
26. Those who meet the definition of a health care clearinghouse would be covered by HIPAA.
27. See The HIPAA Privacy Rule and Health IT, Health Information Technology, Department of Health and Human Services, available at <http://healthit.hhs.gov/portal/server.pt> (last visited June 24, 2009).
28. Personal health records offered by covered entities would be covered by the Privacy Rule.
29. National Committee on Vital and Health Statistics (NCVHS) Reports and Recommendations, Letter to the Secretary of the U.S. Department of Health and Human Services: Personal Health Record (PHR) Systems, September 9, 2005, available at <http://ncvhs.hhs.gov/050909lt.htm> (last visited June 24, 2009).
30. See Center for Democracy and Technology, Comprehensive Privacy and Security: Critical for Health Information Technology, May 2008, available at <http://www.cdt.org/healthprivacy/20080514HPframe.pdf> (last visited June 24,
Genetics and Public Policy Center at Johns Hopkins University, 2009); see also Promoting the Adoption and Use of Health
Summaries of the Genetic Information Nondiscrimination Act Information Technology: Hearing before the Subcomm. on
of 2008 (GINA), Public Law 110-28, Title 1: Health Insurance Health of the H. Comm. on Ways and Means, 110th Cong.
available at <http://www.dnapolicy.org/resources/GINATitle- (2008) (statement of Deven McGraw, Director, Health Privacy
1summary.pdf>; Public law 110-233, Title II: Employment, Project, Center for Democracy and Technology), available at
available at <http://www.dnapolicy.org/resources/GINATitle- <http://cdt.org/testimony/20080724mcgraw.pdf> (last visited
IIsummary.pdf> (last visited February 3, 2009). June 24, 2009).
17. FERPA applies to health and other records in educational 31. With respect to the leading bill in the Senate, the Wired for
settings; part 2 applies to federally funded substance abuse Health Care Quality Act (S.1693), the version marked up by
treatment facilities; and the Privacy Act applies to federal the Health, Education, Labor and Pensions (HELP) Commit-
facilities. tee included a provision that would have subjected PHRs to
18. See 18 U.S.C. §§ 2702 (a)(1)-(3) (2007). coverage under HIPAA; however, a proposed amendment from
19. See 18 U.S.C. § 2701 (c)(1) (2007); see also 18 U.S.C. § 2702 (a) Senator Leahy that was under serious consideration by bill
(2)(B) (2007). sponsors would have stripped out this provision and replaced
20. See L. L. Dimitropoulos, Agency for Healthcare Research it a provision similar to those in the House bills.
and Quality, Privacy and Security Solutions for Interoper- 32. For an articulation of fair information practices as applied to
able Health Information Exchange: Assessment of Varia- a health information exchange environment, see The Markle
tions and Analysis of Solutions Report, July 2007, 3-8 – Foundation, “Connecting Professionals: Private and Secure
3-9, available at <http://healthit.ahrq.gov/portal/server. Information Exchange,” 2006, available at <http://www.con-
pt/gateway/P TARGS_0_1248_661882_0_0_18/AVAS. nectingforhealth.org/commonframework/index.html> (last
pdf> (last visited June 24, 2009) [hereinafter cited as “Privacy visited June 24, 2009). See also the Organization for Eco-
and Security Solutions”]. For an “Overzealous” interpretation nomic Cooperation and Development (OECD) Data Protection
of HIPAA, see J. Gross, “Keeping Patients’ Details Private, Even Principles (1980) extract from Guidelines on the Protection of
from Kin,” New York Times, July 3, 2007, available at <http:// Privacy and Transborder Flows of Personal Data, available at
www.nytimes.com/2007/07/03/health/policy/03hipaa.html?_ <http://www.anu.edu.au/people/Roger.Clarke/DV/OECDPs.
r=1> (last visited June 24, 2009); see also S. H. Houser et html> (last visited June 24, 2009).
al., “Assessing the Effects of the HIPAA Privacy Rule on the 33. HIPAA nondiscrimination provisions (Title I) prohibit indi-
Release of Patient Information by Healthcare Facilities,” Per- viduals in group health plans from being denied eligibility for
spectives in Health Information Management 4, no. 1 (spring benefits or charged more for coverage because of any “health
2007), available at <http://www.pubmedcentral.nih.gov/arti- factor,” which includes health status and medical history or
clerender.fcgi?artid=2082070&tool=pmcentrez> (last visited condition. These provisions do not apply to insurance pur-

148 journal of law, medicine & ethics


Deven McGraw

chased in the individual market. For a summary of these pro- hipaa/enforcement/data/top5issues.html> (last visited June
visions, see Employee Benefits Security Administration, U.S. 24, 2009).
Department of Labor, “FAQs: About the HIPAA Nondiscrimi- 60. 45 C.F.R § 164.524(b)(2) (2007).
nation Requirements,” available at <http://www.dol.gov/ebsa/ 61. 45 C.F.R. § 164.524(c)(4) (2007).
faqs/faq_hipaa_ND.html> (last visited June 24, 2009). 62. See Georgetown University Health Policy Institute, Health
34. The three states are Arkansas, California, and Delaware. For Policy Institute, Center on Medical Record Rights and Privacy,
more information, see D. Gage, “California Data-Breach Law available at <http://hpi.georgetown.edu/privacy/records.html
Now Covers Medical Information,” San Francisco Gate, Janu- for more information> (last visited June 24, 2009).
ary 4, 2008, available at <http://www.sfgate.com/cgi-bin/arti- 63. Standards for Privacy of Individually Identifiable Health Infor-
cle.cgi?f=/c/a/2008/01/04/BUR6U9000.DTL> (last visited mation, 67 Federal Register 53,182 (August 14, 2002) (to be
June 24, 2009). codified at 45 C.F.R pt. 160, 164).
35. A comprehensive analysis of state breach notification laws is 64. U.S. Department of Health and Human Services, HIPAA Fre-
beyond the scope of this paper. quently Asked Questions: About the Privacy Rule, “Why Was
36. 45 C.F.R. § 164.514(b)(1) (2007). the Consent Requirement Eliminated from the HIPAA Privacy
37. 45 C.F.R. § 164.514(b)(2) (2007). Rule, and How Will It Affect Individuals’ Privacy Protections?”
38. 45 C.F.R. § 164.514(a)(b)(2)(ii) (2007). November 9, 2006, available at <www.hhs.gov/hipaafaq/
39. 45 C.F.R. § 164.514(e) (2007). about/193.html> (last visited February 3, 2009).
40. 45 C.F.R. § 164.514(e)(3)-(4) (2007). 65. 45 C.F.R. § 164.508(b)(4) (2007).
41. L. Sweeney, The Identifiability of Data (forthcoming book pub- 66. See, e.g., Discussion Draft of Health Information Technol-
lication); see S. Ocha et al., Massachusetts Institute of Tech- ogy and Privacy Legislation: Hearing before Subcomm. on
nology, “Reidentification of Individuals in Chicago’s Homicide Health of the H. Comm. on Energy and Commerce, 110th
Database, A Technical and Legal Study,” November 2008, Cong. (2008) (written testimony of Dr. Deborah Peel, Founder
available at <http://web.mit.edu/sem083/www/assignments/ & Chair, Patient Privacy Rights) available at <http://www.
reidentification.html> (last visited June 24, 2009). patientprivacyrights.org/site/DocServer/Peel_written_tes-
42. 45 C.F.R. § 164.514(e)(4)(iii)(A) (2007). timony_06.04.08.pdf ?docID=4021> (last visited June 24,
43. See supra note 4. 2009). See also Privacy and Health Information: Hearing
44. 45 C.F.R. § 164.501 (2007). Before Subcomm. on Privacy and Confidentiality of the Nat’l
45. Id. Comm. on Vital and Health Statistics, U.S. Department of
46. The Privacy Rule gives individuals a right to request a restric- Health and Human Services, February 23, 2005 (testimony
tion on uses or disclosures of protected health information for of Sue A. Blevins, Founder and President, Institute for Health
treatment, payment and health care operations (and on disclo- Freedom), available at <http://www.ncvhs.hhs.gov/050224p6.
sures to family or friends who are assisting in the individual’s htm> (last visited June 24, 2009).
care), but the covered entity does not have to comply with the 67. See, e.g., Center for Democracy & Technology, Rethink-
request. See 45 C.F.R. § 164.522(a) (2007). ing the Role of Consent in Protecting Health Information
47. 45 C.F.R. § 164.514(d) (2007). Privacy, January 2009, available at <http://www.cdt.org/
48. See Privacy and Security Solutions, supra note 20, at 3-5, 3-7. healthprivacy/20090126Consent.pdf> (last visited June 24,
49. 45 C.F.R. § 164.506(c)(4) (2007). 2009).
50. For an explanation of the definition of “treatment,” see the Pre- 68. Id., at 14-19 for examples of approaches to consent taken by
amble to the Final HIPAA Privacy Rule, available at <http:// some state electronic exchange networks. For state profiles, see
aspe.hhs.gov/ADMNSIMP/final/PvcPre02.htm> (last visited generally State-Level Health Information Exchange Consensus
June 24, 2009); see also OCR’s clarification of the definition Project, Profiles of Sate-Level HIE Efforts, available at <http://
of “treatment” in its FAQs, available at <http://www.hhs.gov/ www.slhie.org/efforts.asp> (last visited June 24, 2009).
hipaafaq/providers/treatment/481.html> (last visited June 24, 69. See NCVHS Letter to the Secretary (June 22, 2006), supra
2009). note 56.
51. See section (1) in the definition of health care operations, 45 70. T he Markle Foundation, Connecting for Health, “The
C.F.R. § 164.501 (2007). Common Framework: Networked Health Informa-
52. Id. tion,” available at <http://www.connectingforhealth.org/
53. 45 C.F.R. § 164.512(i) (2007). commonframework/#guide> (last visited June 24, 2009).
54. 45 C.F.R. § 164.522(a) (2007). 71. R. Alonso-Zaldivar, “Effectiveness of Medical Privacy Law
55. National Committee on Vital and Health Statistics (NCVHS) Is Questioned,” Los Angeles Times, April 9, 2008, avail-
Reports and Recommendations, Letter to the Secretary of the able at <http://www.latimes.com/business/la-na-privacy-
U.S. Department of Health and Human Services: Privacy and 9apr09,0,5722394.story> (last visited June 24, 2009). In July
Confidentiality in the a Nationwide Health Information Net- 2008, HHS announced that Seattle-based Providence Health
work (NHIN), June 22, 2006, recommending that individuals & Services agreed to pay $100,000 as part of a settlement of
have a choice regarding whether or not their information is multiple violations of the HIPAA regulations. But the press
included in the NHIN. See also NCVHS Reports and Recom- release from HHS made clear that this amount was not a civil
mendations, Report to the Secretary of the U.S. Department monetary penalty. See also U.S. Department of Health and
of Health and Human Services: Individual Control of Sensi- Human Services, HHS, Providence Health & Services Agree on
tive Health Information Accessible via the NHIN for Purposes Corrective Action Plan to Protect Health Information, News
of Treatment, February 20, 2008, recommending individu- Release, July 17, 2008, available at <http://www.hhs.gov/
als be allowed to sequester information in certain sensitive news/press/2008pres/07/20080717a.html> (last visited June
categories. 24, 2009).
56. Id. (NCVHS Report to the Secretary, February 20, 2008). 72. For more information on the OLC memo and consequences,
57. Id. see P. Swire, “Justice Department Opinion Undermines Pro-
58. 45 C.F.R. § 164.524(c)(2) (2007). Such access right is to infor- tection of Medical Privacy,” Center for American Progress, June
mation maintained in a designated record set, and exempts 7, 2005, available at <http://www.americanprogress.org/
psychotherapy notes and a few other categories of information; issues/2005/06/b743281.html> (last visited June 24, 2009).
see also 45 C.F.R. 164.524(a)(1) (2007). 73. Id.
59. U.S. Department of Health and Human Services, Health 74. 45 C.F.R. § 164.504(e)(1)(ii) (2007).
Information Privacy, Compliance and Enforcement, “Top Five 75. 45 C.F.R. § 164.504(e)(1)(ii)(A)-(B) (2007).
Issues in Investigated Cases Closed with Corrective Action, by 76. See 15 U.S.C. § 7706(f ) (Supp. 2004).
Calendar Year,” available at <http://www.hhs.gov/ocr/privacy/

legal solutions in health reform • fall 2009 149