executive summary
Prepared by the O’Neill Institute
their privacy rights. In addition, there has been debate among policymakers and stakeholders over the following: (1) whether the Rule to date has been appropriately enforced; (2) whether or not the current mechanisms are adequate to ensure compliance; and (3) what the limits of the enforcement mechanisms should be.

Potential Solutions

The perceived “gaps” in federal legal protections for health information can be grouped into four categories: (1) who is covered; (2) what is covered; (3) state law variation; and (4) insufficient comprehension of and compliance with privacy protections. The solutions range from amending existing law or regulation to encouraging private action through market or other incentives.

• Who Is Covered: Amend HIPAA to create new categories of covered entities and require the federal agencies to issue new privacy regulations to cover activities of new entities; revise regulations and expand recent guidance on business associate agreements to include all health information exchanges in existence or development (ARRA); require all entities handling health information to adopt policies consistent with fair information practices; and/or keep the law in its current state and encourage adoption of good privacy practices through voluntary business agreements.

• What Is Covered: Enact federal legislation prohibiting the use of personal health information to determine the terms and conditions of employment or health insurance; establish a federal breach notification law applicable to identifiable health information (ARRA); seek the input of experts and public to examine the de-identification safe harbor exception (ARRA); create more options for the use of health data stripped of some individual identifiers (ARRA) and require data use agreements for all data disclosures; require those obtaining data stripped of patient identifiers to commit to keeping data de-identified except in certain circumstances; strengthen, establish, and increase compliance with HIPAA rules regarding the use of personal information for marketing (ARRA); adopt rules governing marketing uses by non-covered entities such as Internet health sites; issue more guidance on how to comply with the Privacy Rule (ARRA); issue new regulations regarding terms of access to health information exchanges.

• State Law Variation: “Wipe the slate clean” and have Congress establish a new federal privacy law that preempts existing state laws but allows states to pass new stronger privacy provisions; and/or keep the status quo with the federal standard as a floor.

• Improving Comprehension of and Compliance with the Privacy Rule and Enforcement: Revise the Privacy Rule to make it less complex; provide more guidance and better education on the requirements of the rules (ARRA); improve consumer education on HIPAA rights by requiring entities to provide a summary notice; ensure a proper enforcement regime for entities not covered by HIPAA that handle personal health information; amend HIPAA enforcement to clarify enforcement authority and also direct the Secretary to pursue civil actions (ARRA); amend HIPAA to allow the Secretary to directly enforce HIPAA regulations against business associates (ARRA); and/or amend HIPAA to allow a private right of action (ARRA).

Conclusion

Generally, there is consensus that efforts to facilitate widespread adoption and use of health information technology must move forward with appropriate protections for privacy and security. However, achieving consensus on the details of what privacy and security measures need to be put in place continues to be a challenge. The new Administration and Congress are moving forward to increase the use of health IT. Any efforts to reform the nation’s health systems and to increase the adoption of health IT will need to address the concerns surrounding the privacy and security of personal health information.
dealing with an issue identified in this paper, a brief summary of that provision is clearly indicated within the list of solutions.

There is widespread agreement that protecting individuals’ health information is necessary in order to build public trust in e-health systems and to help drive the widespread adoption of health IT. But unlike other topics addressed in the “Legal Solutions in Health Reform” project, current health privacy laws arguably do not pose a legal obstacle to health IT. For example, there are no federal health privacy laws that prohibit or directly inhibit the sharing of information electronically for health purposes and that require specific action to resolve. Instead, the debate centers more around whether current health privacy laws are sufficient to build a foundation of trust in health IT that will support an information sharing environment that will improve health care and our health care system — and if not, what more needs to be done. This makes the path to resolution more difficult, as stakeholders may hold very different opinions about the extent of the problem and the appropriate solutions.

Survey data show that a large majority of the public wants electronic access to their health information — both for themselves and for their health care providers — because they believe such access is likely to increase the quality of their health care. At the same time, people have significant concerns about the privacy of their health information online. In a 2006 survey, when Americans were asked about the benefits of and concerns about online health information:

• 80% were very concerned about identity theft or fraud;
• 77% were very concerned about their medical information being used for marketing purposes;
• 56% were concerned about employers having access to their health information; and
• 53% were concerned about insurers gaining access to this information.4

Health IT is better equipped than are paper records to protect sensitive personal health information. For example, it is often impossible to tell whether someone has inappropriately accessed a paper record. By contrast, technology — including strong user authentication and tracking mechanisms — can be employed to automatically limit and monitor access to electronic health information. Additionally, electronic health information exchange networks can be designed to facilitate data sharing among health care entities for appropriate purposes without needing to create new, centralized databases of sensitive information that will be attractive targets for marketers and those seeking health data for commercial gain, or that can be vulnerable to security breaches. If a system is breached, sensitive data can be protected, in part, by encryption and other security methods. Technology can never be made 100% tamperproof; however, it can be more protective than paper records at preventing inappropriate access to information and helping ensure that when there is abuse, the perpetrators will be detected and punished.

At the same time, absent strong privacy and security safeguards, the computerization of personal health information can magnify the risk to privacy. Tens of thousands of health records can be accessed through a single breach.5 Recent headlines about breaches of electronic records underscore these concerns. The cumulative effect of reports of data breaches and inappropriate access to medical records deepens consumer distrust in the ability of electronic health information systems to provide adequate privacy and security protections.

Failing to address public concerns about the privacy of their health information could have significant consequences. Without appropriate protections for privacy and security in the healthcare system, some patients engage in “privacy-protective” behaviors to avoid having their personal health information used inappropriately.6 According to a recent poll, one in six adults (17%) — representing about 38 million persons — say they withhold information from their health providers due to worries about how the medical data might be disclosed.7 Persons who report that they are in fair or poor health and racial and ethnic minorities (who report even higher levels of concern about the privacy of their personal medical records) are more likely than average to practice privacy-protective behaviors.8 Due to the reality of privacy risks associated with the computerization of health information, the movement to e-health could increase the percentage of people who engage in privacy-protective behaviors. Ignoring these concerns — or inadequately addressing them — will significantly threaten public trust in these new systems.

In general, stakeholders largely agree that entities that handle electronic personal health information should be subject to a baseline set of privacy standards. This consensus breaks down, however, when the discussion gets to the details. For example:

• Do we extend the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) to all entities that now handle health information, or create new legal standards for entities not currently covered?
• What protections need to be in place? For example, do we rely on current HIPAA rules or are modifications needed, either to address new challenges or because the rules, in the view of some, were imperfect from the start?
• Are these concerns best addressed through changes in statute or regulations, or is it best to police this nascent marketplace through business best practices (or a combination of both)?
• Should we allow for some state law variation or establish federal standards that preempt the field?
• What should we do to ensure compliance with and appropriate enforcement of privacy protections?

A brief list of all proposed solutions in each category (without explanatory text and without the sample arguments for and against) can be found at Appendix A at the end of this paper.

I. Federal Law Prior to Passage of ARRA

(As noted above, changes to law enacted in ARRA are set forth below in the “possible solutions” proposed for each issue.)

With respect to protecting health information privacy, public policymakers are not faced with a blank slate. Within the traditional healthcare system, uses of health information are covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. When Congress enacted HIPAA to facilitate, among other things, the electronic transmission of health care claims to reduce administrative costs, lawmakers recognized the need to protect the privacy and security of health information when data moves electronically. Congress gave itself two years to enact federal privacy legislation — but ended up tasking the Department of Health and Human Services to promulgate privacy and security regulations to cover information transactions under the purview of HIPAA. The regulations were finalized in 2002 and effective for most entities covered by HIPAA by 2003. The HIPAA statute sets forth the definition of entities covered by the law and important provisions with respect to HIPAA enforcement; the bulk of the HIPAA privacy and security requirements are in the regulations.

The HIPAA privacy regulations — known collectively as the “Privacy Rule” — are based on fair information practices and set forth rules governing the access, use, and disclosure of personal health information (or “protected health information”)9 by most traditional health care system entities (for example, providers, hospitals, laboratories, pharmacies, and health plans). In summary, the Privacy Rule permits covered entities10 to access, use, and disclose “protected health information”11 for purposes of treatment,12 payment,13 and health care operations.14 The Rule also allows access, use, and disclosure for the following: (1) certain lawful public health purposes, as required by law; (2) reporting abuse or domestic violence; (3) health oversight activities; (4) judicial and administrative proceedings; and (5) law enforcement purposes. Covered entities may disclose information to family members, and in facility or office directories, as long as the patient does not object. All other purposes not specifically mentioned in the Rule require prior patient authorization to access, use, or disclose information. The Privacy Rule applies to identifiable health information regardless of whether it is in paper or electronic form.

HIPAA provides a federal floor, or minimum standard, of privacy protection. It expressly preserves state laws that provide stronger privacy protections for health information.15 Such state privacy laws include more stringent requirements regarding access, use and disclosure of particularly sensitive categories of health information, such as mental health records and HIV testing and treatment records. The variation in state laws poses difficulties to a uniform privacy standard.

Other federal laws apply privacy protections to specific types of information, or have limited application in specific contexts. For example, the Genetic Information Nondiscrimination Act of 2008 prohibits employers from using genetic information to make employment decisions and prohibits health insurers from using such information to make coverage and underwriting determinations.16 The Family Educational Rights and Privacy Act, the regulations governing substance abuse treatment facilities receiving federal funds (commonly known as Part 2), and the Privacy Act of 1974 cover only certain settings of care.17

With respect to health information online or in consumer-owned personal health records, the Federal Trade Commission can use its “unfair and deceptive trade practices” authority to hold some entities accountable for failure to comply with their privacy policies. Federal law does not require these entities to have a privacy policy, or require that certain elements be included in such a policy if it exists. Some have said that the Electronic Communications Privacy Act (ECPA) protects personal health records (PHRs) because it prohibits the vendors of those services from disclosing the contents of those records without the authorization of the record holder. However, the relevant ECPA provision applies only to services that are offered to the public.18 PHRs available exclusively to employees of a particular company, for example, likely
fall outside of this part of ECPA. Moreover, ECPA applies only if the provider is not authorized to access the contents of a customer’s records for purposes of providing any services other than storage or computer processing.19 This caveat may knock out a lot of PHRs that provide services beyond data storage, or that are advertising-based and analyze individual patient records to target ads.

To keep this paper to a manageable length, it focuses on federal privacy protections that are (or could be) more broadly applicable.

II. Possible Issues to Be Resolved

The perceived “gaps” in pre-ARRA federal legal protections for health information can be grouped into the following categories:

• Who Is Covered: The HIPAA Privacy Rule covers only certain “covered entities” as defined in the HIPAA statute: specifically, providers, plans, and health care clearinghouses. Many of the new entities storing, handling, or managing personal health information electronically do not qualify as covered entities, and thus are not directly covered by the Privacy Rule. As noted above, other federal health privacy laws apply only in specific contexts or are otherwise limited in their application. As a result, there is no baseline set of federal health privacy protections that apply to all entities that handle personal health information.

• What Is Covered: The Privacy Rule is based on a model of one-to-one electronic transmission of health information among traditional health care system entities and their business partners who perform health-related functions on their behalf. Since the HIPAA requirements were enacted and promulgated, new opportunities to access and disclose health information have arisen (e.g., electronic health information exchanges) which can enhance access to greater volumes of identifiable health information more effectively and efficiently. The Rule also did not envision the rise of personal health records designed for use by consumers. Some believe that truly building public trust in e-health systems requires strengthening a number of the Privacy Rule’s current provisions and/or the promulgation of new or additional legal protections. Others believe the Privacy Rule provides sufficient protections for health information in the new e-health environment, and that policymakers merely need to extend its coverage to apply to entities that did not exist when the Privacy Rule was implemented. Similarly, some have suggested approaching this question by focusing only on what is new in the e-health environment — new actors or new ways to access, use, or disclose information not contemplated when the HIPAA regulations were implemented — in order to avoid getting mired in old debates about the current HIPAA regulations.

• State Law Variation: As noted above, HIPAA provides a floor of health privacy protection. State laws that provide more stringent protections for health privacy are expressly preserved and not preempted. Some are concerned that the multiplicity of state privacy laws will create an obstacle to cross-state or nationwide electronic exchange of health information. The obstacles may arise because of the operation of a state law that prohibits information sharing except under certain circumstances (such as with patient consent or authorization), or because health care entities are afraid to disclose information in a way that might violate an applicable state law. Others suggest that any information sharing obstacles are primarily due to a lack of understanding and varying interpretations of state laws, which does not necessarily justify eliminating stronger state privacy protections and enacting a single federal standard.

• Improving Understanding of (and Compliance with) Privacy Protections: Even five years after the Privacy Rule went into effect, there is still a great deal of confusion on the part of some entities covered by the Rule about its provisions. For example, the 34 state teams participating in the Agency for Healthcare Research and Quality (AHRQ)-funded Privacy and Security Solutions for Interoperable Health Information Exchange consistently found a “general lack of understanding about some of the basic tenets” of the Privacy Rule as well as of state laws concerning health information disclosure.20 The frequent result is a more conservative interpretation of the law — a reluctance to disclose information even in circumstances where it is expressly permitted — which could create unnecessary and sometimes inappropriate barriers to electronic health information exchange.21 Patients and their families also rarely understand the provisions of the HIPAA privacy notice, which is the vehicle in the Privacy Rule for informing patients about the potential uses of their health information and their rights under the Rule.22
thus helping resolve a potential barrier to global data exchange.

Arguments Against
* Could result in HIPAA requirements for some entities and other, less onerous requirements for other entities.
* Fair information practices (FIPs) provide a good model for moving forward, but FIPs are articulated so broadly that building trust in electronic health information sharing may require more clearly defined rules (and achieving broad support for such rules may be difficult).
* If a new framework deviates significantly from current HIPAA rules, then there will be costs and disruptions in information flows due to covered entities and their business associates having to adjust to new or even dual standards. Further, the resources already spent coming into compliance with HIPAA will be wasted. (Note that these concerns could be ameliorated by building on the current HIPAA rules or by applying new standards only to entities not currently covered by HIPAA.)

♦♦Keep the law in its current state and encourage the adoption of good privacy practices through voluntary business agreements and/or certification.

Arguments For
* Requires no further action from Congress or the Administration.
* Less stringent approach arguably allows for more innovative responses to addressing privacy and security issues.

Arguments Against
* Compliance through voluntary business agreements or certification (or other voluntary business commitments) will not achieve a uniform baseline of protections. Consumers do not always have the option to choose providers, plans, or other health services based on privacy and security practices when care is needed and resources are scarce.
* Will be perceived by some stakeholders as a lack of response to the privacy and security concerns raised by e-health; thus, may not accomplish much with respect to building trust in e-health systems.
* Requires covered entities to continue the expense and administrative efforts to comply with the HIPAA privacy requirements and allows other entities working in the same space to be relieved of these corresponding responsibilities and expenses.

B. What Is Covered

Electronic health information exchanges and the rise of consumer-focused health management tools hold great potential for improving the flow of information necessary for good health care and helping individuals take a greater role in improving their own health. But to realize this potential, consumers need to trust that their personal health information will be kept private, confidential, and secure. As information becomes more accessible and moves more freely in an electronic exchange environment, current policies regarding access to, and use and disclosure of, health information may be inadequate and contribute to a lack of public trust in health IT.

A number of the issues discussed below relate to perceived deficiencies in the HIPAA Privacy Rule. Some argue that it makes little sense to try to re-open the compromises that were reached in the current Privacy Rule and instead urge policymakers to focus on how best to address the new challenges raised by the emerging e-health environment. Others argue that perceived deficiencies in the Rule will need to be addressed in order to build trust in e-health, regardless of the source of the problem. The following have been raised as issues that may need to be addressed in order to remove distrust as an obstacle to the widespread adoption of health IT and health information exchange.

1. addressing privacy concerns through anti-discrimination laws

Some have suggested dealing with privacy concerns by prohibiting the use of personal health information to discriminate against individuals with respect to health insurance and employment — two of the key privacy concerns raised by consumers. This is the approach taken in the Genetic Information Nondiscrimination Act of 2008 (GINA), which prohibits the use of genetic information to make health insurance coverage determinations and in employment-related decisions. Some believe that passing anti-discrimination legislation based on health information or health status33 would address the most critical privacy concerns and relieve the pressure to enact standards that “micromanage” an entity’s use of health information, which could create obstacles to the information sharing that can improve individual health and the U.S. healthcare system.
Imposing a requirement to notify individuals of breaches on these entities would require a law of broader application, which may be more difficult to enact.

♦♦Status quo (i.e., leave for states to address or to market forces).

Arguments For
* Companies will develop more innovative technologies for protecting information if they compete based on their privacy and security policies and practices, including those dealing with breach notification.
* It is not clear that this is a new issue raised by the movement to electronic records, which suggests it is not something that needs to be addressed at this time.

Arguments Against
* It is unclear that this is something the market alone will fix. Entities holding health information would likely come to different conclusions as to whether or not it is necessary to notify in the event of a breach.
* Breaches of greater volumes of records are more likely to occur as we store and move information electronically. Failure to address this issue creates an obstacle to building trust in e-health systems.
* Relying on states is unlikely to achieve protection for all patients.
* Continuing to leave this to state law exacerbates the inconsistent policy environment for health care entities that operate nationally or across state lines.

3. need for data stripped of patient identifiers for a range of health purposes

The major health reform proposals all require the robust collection of health data for a number of purposes, including: measuring provider performance; determining whether particular treatments are effective; monitoring health data for safety signals with respect to new drugs and devices; health research; public health surveillance and bioterrorism; and for commercial purposes (for example, determining how often providers are prescribing a particular drug product). The Privacy Rule permits the use or disclosure of identifiable information for some of these purposes, including: quality assessment and improvement activities; public health reporting; and for health care operations such as the credentialing and licensing of health care professionals. However, some of these activities occur now with the use of information stripped of patient identifiers, and some privacy advocates have begun calling for increased use of data stripped of patient identifiers in lieu of using fully identifiable information where it is possible to do so and still accomplish the purpose for which the data was legitimately accessed.

The Privacy Rule includes two ways that covered entities may use or disclose data stripped of patient identifiers: de-identification and the limited data set. Data that qualifies as “de-identified” is not protected by the provisions of the Rule, and therefore there are no limits on how such data can be used and to whom it can be disclosed.

Data can qualify as “de-identified” in one of two ways. Under what is known as the statistical method, an expert must determine that the “risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information.”36 The alternative method (often referred to as the “safe harbor”) requires that the covered entity strip out a number of specific data points, including name, address, identifying numbers, and biometric data.37 In addition, the covered entity releasing the data must have no actual knowledge, or reasonable basis to believe, that the information can be easily re-identified.38

A limited data set is information stripped of a number of the same specific data points as required for the de-identification safe harbor.39 Covered entities may release a limited data set only for purposes of research, public health, and health care operations, and must execute a data use agreement with the entity receiving the data set that sets forth the permitted uses and disclosures of the data and that does not authorize use or disclosure in contravention of the provisions of the Privacy Rule.40

Some believe the current de-identification and limited data set provisions raise a number of concerns:

• The de-identification safe harbor standard is now more than five years old, and today there is much greater access to information via public databases (a development that will only increase in the future). It may now be easier to re-identify data,41 and some have called for an update to the standard, or at least an examination of whether it is as effective as it was when first enacted. Others have questioned whether it remains good public policy to allow data that fits the de-identification standard to remain uncovered by the Privacy Rule.
• Limited data set users must commit to not re-identifying the data, and covered entities may only release de-identified data if it meets the standard, which is supposed to ensure a very low risk of re-identification. But if data is re-identified, either by limited data set recipients or by holders of de-identified data, the ability to hold those persons or entities accountable is very limited. In the case of a limited data set, the data holder is only contractually obligated to the covered entity not to re-identify; a covered entity can be held responsible for the actions of the data set recipient if (1) the entity knew of a “pattern or practice” that constituted a material breach or a violation of the data use agreement and (2) the covered entity took no action.42 With fully de-identified data, the information can be shared with non-covered entities and does not require the execution of a contract. Thus, there are no applicable legal prohibitions against, or penalties for, re-identification, and such prohibitions are not required to be imposed on the data recipient via contract (although nothing in the law prevents data holders from voluntarily imposing such a condition).

• Researchers and others, including people with rare or chronic illnesses, are concerned that the limited data set and de-identification standards — in particular, the provisions that require the elimination of specific data points — make the data unusable for many research and public health purposes. They would prefer some middle ground, where the data is stripped of those identifiers that can be easily used to re-identify (such as name, full address, and identifying numbers), but where a sufficient amount of data is retained to accomplish the purposes for which the data is sought.

to provide a very low risk of re-identification, and make any appropriate revisions to the Rule. (arguably accomplished in ARRA)

Arguments For
* Allows for a public process for re-examining the standard and helps ensure that any changes to the standard are based on the latest science.
* The House bills each had provisions tasking HHS to examine the de-identification standard, indicating some support for such an initiative.

Arguments Against
* Because the current standard requires data holders to have no “reasonable basis” for believing the de-identified data could be used to identify an individual (and no actual knowledge that the information could be re-identified), the standard is already flexible and robust enough.

♦♦Create more options for use of health data stripped of some individual identifiers, and require data use agreements for all data disclosures (or at least all that do not meet the threshold of full de-identification). (steps to accomplish taken in ARRA)

Arguments For
* Could address concerns raised by some that the current options do not serve many legitimate needs for data stripped of some patient identifiers.
* Could help entities use such “lesser identified” data for activities that today use fully identifiable data (for example, many of the activities covered by health care operations and some research).
* Helps ensure that all data recipients are held accountable.
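The two release paths described above, the safe-harbor de-identification method and the limited data set, differ in exactly which data points are stripped, and the safe harbor additionally hinges on the releasing entity having no actual knowledge that the record can be re-identified. The following is an added worked example written for this page; it is not code from the paper or the O’Neill Institute. The paper names only name, address, identifying numbers and biometric data as safe-harbor data points; the longer identifier list and the date, ZIP-prefix and age-over-89 rules below follow the published safe-harbor regulation. The field names, the list of sparsely populated ZIP prefixes and the sample records are all constructed for the example.

```python
# Added example: HIPAA safe-harbor de-identification versus a limited data
# set, applied to one patient record. Illustrative code for this page, not
# from the paper. Field names, SPARSE_ZIP3 and the sample records are
# constructed; the identifier list and generalisation rules follow the
# published safe-harbor regulation.
import re
from datetime import date

# Direct identifiers removed under both methods. (Assumed schema names.)
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})
DATE_FIELDS = frozenset({"birth_date", "admit_date", "discharge_date"})

# Safe harbor keeps only the first three ZIP digits, and only where that
# three-digit area has more than 20,000 residents. Constructed list; the
# real one is derived from Census data.
SPARSE_ZIP3 = frozenset({"036", "059", "063", "102", "203"})

# Identifiers that survive field-level stripping by hiding in free text.
# A match means the releasing entity has actual knowledge that the record
# is re-identifiable, so it must not go out as de-identified.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.\w+"),
}


def generalize_zip(zip_code):
    """Three-digit ZIP prefix, or '000' when the prefix is sparsely populated."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def generalize_age(birth_date, as_of):
    """Age at as_of; ages over 89 collapse into the single '90+' bucket."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1
    return "90+" if age > 89 else age


def find_residual_identifiers(text):
    """Names of identifier patterns found in a free-text field."""
    return sorted(k for k, p in RESIDUAL_PATTERNS.items() if p.search(text))


def limited_data_set(record):
    """Strip direct identifiers only; dates and city/state/ZIP stay.
    Releasable only for research, public health or health care operations,
    and only under a data use agreement with the recipient."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def de_identify_safe_harbor(record, as_of):
    """Apply the safe-harbor method; refuse if free text still leaks identifiers."""
    leaks = find_residual_identifiers(record.get("notes", ""))
    if leaks:
        raise ValueError(f"record not releasable as de-identified: {leaks}")
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "city":
            continue  # city is a geographic subdivision smaller than a state
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            age = generalize_age(value, as_of)
            out["age"] = age
            if age != "90+":  # a birth year would reveal an age over 89
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year  # year only
        else:
            out[key] = value
    return out


# Constructed sample records (not real patients).
AS_OF = date(2009, 1, 15)
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-0042",
    "street_address": "12 Elm St", "city": "Springfield", "state": "VT",
    "zip": "05901", "birth_date": date(1917, 3, 9),
    "admit_date": date(2008, 11, 2), "diagnosis": "I10",
    "notes": "Patient reports hypertension; follow up in 6 weeks.",
}
YOUNGER_RECORD = dict(SAMPLE_RECORD, birth_date=date(1975, 6, 30), zip="05401")
LEAKY_RECORD = dict(SAMPLE_RECORD, notes="Call 802-555-0100 to confirm.")

if __name__ == "__main__":
    print(limited_data_set(SAMPLE_RECORD))
    print(de_identify_safe_harbor(SAMPLE_RECORD, AS_OF))
    print(find_residual_identifiers(LEAKY_RECORD["notes"]))
```

The limited data set keeps the birth date, admission date and city/ZIP that make the data useful for research, which is why the Rule ties it to a data use agreement; the safe-harbor output for the same record keeps only the state, a ZIP prefix (collapsed to "000" for the sparse area), the admission year, and an age bucket with the birth year dropped because the patient is over 89. The free-text scan is the practical counterpart of the "no actual knowledge" condition: a phone number left in a notes field would re-identify the record no matter how carefully the structured fields were stripped.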
nications, including those that today are exempt from the definition of marketing. (at least partially addressed in ARRA)

Arguments For
* Could be easier to implement without the need to determine which communications are “good” (and thus should be permitted without authorization) and which should first require explicit patient permission.
* Assumes patients want to receive these communications but empowers patients to stop them if they object.
* In a variation, could also retain the authorization requirement for communications that qualify under the current marketing definition (thus, permitting opt-out for those communications that are currently exempt from the definition but that consumers could still view as marketing).

Arguments Against
* Places burden on individual to police how their information is and is not used — clear boundaries on use of information provide more reliable protections for privacy.
* Arguably less protective than current rule, which requires authorization to use information for marketing with some exceptions (unless authorization requirement is retained for those uses that currently qualify as marketing).
* Stifles needed information for individuals and could result in negative health outcomes.

♦♦Leave current Rule as is; allow non-HIPAA covered entities to compete on the basis of their policies with respect to use of information for marketing purposes (HIPAA-covered entities could also voluntarily implement more stringent controls on uses of information for marketing purposes, and compete on that basis).

Arguments For
* Does not require changes to current law.
* Could lead to more privacy-protective environment if robust “privacy competition” emerges.

Arguments Against
* Few individuals know the extent to which their information is used to market or make health-related communications to them. Thus, they may be unlikely to inquire or make decisions based on use of their information for these purposes. This may be particularly true in a health care context, where choice of care provider involves a myriad of important variables — and where many individuals do not have choices (or a wide range of choices) with respect to their sources of care.
* Unless the policy is clearly articulated, explanations of uses of information in a privacy policy may not be clear. A clear policy could explicitly state, in part: “we do not use your information to recommend products or services to you under any circumstances.”

5. Other Areas Where HIPAA Could Be Strengthened
As personal health information is accessed and exchanged more easily in the new electronic environment, HIPAA policies regarding access to, and use and disclosure of, health information may be inadequate and contribute to a lack of public trust in health IT and health information exchange. Some of these issues are new ones raised by the new e-health environment, while others were initially raised during the HIPAA regulatory debates and may or may not be exacerbated by the new information sharing models. In the past year policymakers have considered addressing the following:

• Uncertainty regarding how to apply the “minimum necessary” standard. Under the Privacy Rule, access to, and uses and disclosures of, personal health information must be limited to the minimum necessary to accomplish the legitimate purpose for accessing the information, except with respect to treatment.47 This standard was intended to be flexible in order to accommodate a broad range of circumstances, but the lack of clear boundaries has resulted in a great deal of confusion about how to comply.48 Some believe further guidance on the minimum necessary standard could help resolve this uncertainty. (As noted above, ARRA requires the Secretary to issue guidance on the minimum necessary standard and strongly encourages the use of a limited data set.)
• Perception among some privacy and patient advocates that “health care operations” permits too much sharing of personal health information. Under the Privacy Rule, “health care operations” is specifically defined. However, a number of the descriptions are very broad and permit use and disclosure of personal health information for functions that could be achieved without patient identifiers or could be done only with the consent or authorization of the patient. For example, health care operations include activities such as: conducting quality assessment and improvement
activities; reviewing the competence or qualifications of health care professionals; underwriting and premium rating; auditing; and business management and general administrative activities — such as due diligence related to a merger, customer service functions, and fundraising for the benefit of the covered entity (see Appendix B for a complete list). The Privacy Rule also permits covered entities to share health information with another covered entity for the purpose of the recipient entities’ health care operations, as long as both entities have a relationship with the patient.49
• The PRO(TECH)T Act of 2008 would have required patient consent (not authorization) for health care operations uses. A number of stakeholders expressed concern that this provision would significantly stifle uses of health care information for important purposes like public health and quality measurement; others noted that because treatment and coverage could be conditioned on patients giving their consent to health care operations uses, it would provide little meaningful privacy protection. The Health-e Technology Act of 2008 took a different approach, tasking HHS to examine the definition of health care operations and determine which functions could be performed with de-identified data and which should require prior authorization.
• Uncertainty regarding which Privacy Rule provisions should apply to health information exchanges. As noted above, the Privacy Rule historically has not applied to health information exchanges (for example, RHIOs, HIEs, and ePrescribing Gateways), except those that may qualify as healthcare clearinghouses. Many of these entities have executed business associate agreements with the covered entities that participate in the exchange. However, it is not clear that all have done so, which has prompted some to call for a requirement that these exchanges either be covered entities or enter into business associate agreements (depending on their structure and function). (As noted above, ARRA clarifies that some of these entities must enter into business associate agreements.)
But securing coverage under HIPAA, either directly or as a business associate, only addresses part of the question. Once covered, policymakers need to determine the data access, use, and disclosure rules that will apply to these new entities. For example, should a person’s identifiable health information be used in these exchanges only for treatment of the individual, or can it be accessed to treat another individual? Under the Privacy Rule today, covered entities can use one patient’s identifiable information for treating another patient.50 This permissive use raises privacy concerns, particularly when data on any patient can be accessed across multiple institutions and providers participating in a network. Should exchanges be accessible for payment purposes, or to accomplish health care operations? Should exchanges exist only to facilitate the health care activities of the covered entities participating in the exchange, or should the exchange itself be permitted to use data for its own purposes? What if some of the entities providing support for and participating in the exchange are not themselves covered by HIPAA? In the absence of clear rules, health exchanges are working out the rules of the road on their own, often with multi-stakeholder involvement. There has been no objective study of the results to date.
• Confusion regarding whether quality improvement uses of identifiable health information is a health care operation (not requiring patient consent) or research, which requires authorization except in certain circumstances. As noted multiple times throughout this paper, health reform proposals are looking to health IT as the linchpin for providing the data that will help improve quality of care. The Privacy Rule permits the use of identifiable health information without patient consent for “quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines” — as long as “obtaining generalizable knowledge is not the primary purpose of any studies resulting from those activities.”51 The Privacy Rule also permits the use of identifiable information without patient consent for population-based activities relating to improving health or reducing health care costs, and protocol development.52 Separate provisions of the Privacy Rule permit covered entities to use and disclose identifiable information for research purposes; such research requires specific authorization from the patient unless an IRB or Privacy Board waives the requirement based on the low risk to patient privacy.53 (As noted above, use of de-identified data or a limited data set for research purposes is also permitted and in most cases will not require prior patient authorization.) Confusion about which provision applies to what types of quality improvement activities could hinder efforts to implement more robust measurement
and other quality improvement efforts. (Some have expressed concerns about the possible negative impact of ARRA’s prohibition (13405) on the receipt of remuneration for protected health information on uses of data for research and public health.)
• Inability to meaningfully restrict access to and disclosure of health information. Under the Privacy Rule, individuals have a right to request a restriction on the use and disclosure of their health information — but covered entities are neither required to comply with the request, nor provide a reason for noncompliance.54 If a covered entity grants the request, however, it must comply. Some have advocated for granting a stronger right to restrict access to information, particularly with respect to information that is exchanged electronically through the “National Health Information Network” (NHIN). For example, NCVHS has recommended allowing people to choose whether or not their information is included in the NHIN, and to be able to restrict network access to data in certain sensitive categories.55 In its recommendation regarding the right to restrict access to sensitive information, NCVHS acknowledged that few individuals would likely make such a request; but noted that individuals would strongly value the right and ability to do so.56 (Section 13405 of ARRA gives individuals a right to request a restriction on disclosures to health plans for payment and health care operations when they pay for their care out-of-pocket in full).
Technology may improve the ability for health data holders to segregate sensitive data and comply with a patient request to restrict data access. However, if compliance with such a restriction is mandatory, providers, plans and other health data holders will likely seek to be held harmless for inadvertent access and disclosure of information in contravention of a patient’s requested restriction, as long as the holders used reasonable efforts to comply. NCVHS also recognized that providers should be notified if a patient has decided to sequester or restrict access to information in a sensitive category, but they left for further discussion how this notification would take place.57 Further, a requirement that applies only to those with electronic records risks creating disincentives for providers and others to move from paper to electronic systems.
• Uncertainty over patients’ rights to access their records electronically, or receive an electronic copy. The effort to engage more individuals in their health care through the use of consumer-facing electronic tools such as PHRs will not be successful if individuals cannot easily and promptly obtain electronic access to, or electronic copies of, their health records. Under the Privacy Rule, patients have the right to access, and obtain a copy of, their health information in the form or format requested, “if it is readily producible in that form or format.”58 Some believe that this language already obligates providers and plans with electronic health records to provide an electronic copy of the record. Anecdotal reports, however, suggest that providers are not clear on their obligations and that patients have had difficulty obtaining copies of their health records in electronic format, in part because not all electronic health record applications facilitate the easy production of electronic copies. In general, difficulty in obtaining a copy of one’s record, even in paper format, is one of the top five HIPAA complaints investigated by OCR.59 Also, some believe that the timeframe for responding to a records request — which is at least 30 days under the current Rule60 — should be shortened when those records are kept electronically, and that the cost to consumers of obtaining an electronic copy should be free or set at a level more commensurate with the costs of making an electronic copy available. Under the current Rule, such costs are required to be “reasonable” and “cost-based”;61 however, most states set limits on copying charges for medical records, which range from free (Kentucky) to $37.00 for up to the first 10 pages of a hospital record (Texas).62 (Section 13405 of ARRA requires covered entities using “electronic health records” (a defined term in ARRA) to provide individuals with an electronic copy. Any fee charged for this electronic copy cannot exceed the entity’s labor costs in responding to the request. Individuals can have their electronic copy transmitted to another person or entity, as long as their choice is “clear, conspicuous, and specific”.)
• Controversy over the appropriate role for patient consent or authorization. The Privacy Rule permits the gathering and sharing of information for a range of purposes without the need to first obtain the patient’s consent. For uses and disclosures not specifically permitted under the Privacy Rule, a patient’s specific written authorization is required. An earlier version of the Rule would have required patient consent for treatment, payment, and health care operations; but providers and plans could have
conditioned treatment or coverage on obtaining patient consent for these routine uses of their information.63 However, this version was harshly criticized by the health care industry, who argued that the requirements would hinder the delivery of treatment, the processing of payments, and other routine activities by requiring consent to be obtained over and over again.64 In response, HHS amended this version in 2002 before it went into effect and replaced it with the structure that is in place today: permissive use of information for certain routine health purposes; authorization required for uses and disclosures not specifically enumerated in the Rule; and plans and providers may not condition providing coverage or treatment on the patient’s execution of such an authorization.65 A number of privacy advocates harshly criticized the amendment, and some continue to call for restoration of the earlier version requiring consent for nearly all uses and disclosures of health information.66 Others note that such consent could not possibly be voluntary, and that overreliance on consent unfairly shifts the burden for protecting privacy to individuals and not to the organizations holding the data.67 Some entities would not likely support such a proposal, as requiring individual consent for routine health care functions could stifle necessary payment and other important processes.
Also relevant is whether there should be an enhanced role for patient choice with respect to whether or not health information is included in an electronic exchange network. Exchange networks across the country are considering, and some have begun to implement, consent policies that require people to opt-in to, or allow them to opt-out of, sharing their health information through an exchange network either in whole or in part (such as by provider or by type of information).68 In general, those networks must balance the extent to which providing consumers with meaningful choice about having their personal information exchanged in a local, state, or national network increases patient trust and values individual autonomy against the consequences both for individuals and for the system of having potentially incomplete data available for treatment decisions and public health. As noted above, NCVHS has recommended that individuals at least have the right to opt-out of information sharing through the NHIN.69 Additionally, the Markle Foundation’s Common Framework released in 2006 - Resources for Implementing Private and Secure Health Information Exchanges, recommends giving patients control by allowing them to create a second or third identity for records they want to keep out of networked electronic records exchanges.70 Although a number of sources have begun informally tracking the policies of various exchanges throughout the country, there has been no systematic study of the impact of the various policy models being adopted.

Possible Solutions
♦♦HHS could issue more guidance on how to comply with the Privacy Rule. (As noted on page 16, ARRA directs the Secretary to issue guidance on the minimum necessary standard.)

Arguments For
* A common sense and prompt way to address a number of the above issues, including: confusion regarding the minimum necessary rule; which quality measurement/improvement activities are permitted without consent as health care operations and which constitute research and require authorization absent a waiver; and the obligation of covered entities to provide individuals with electronic copies of their health records.
* Could be combined with a new system whereby stakeholders, without penalty, can ask the Office of Civil Rights (OCR) to publicly opine on whether certain proposed health information uses or disclosures are in compliance with the Rule.

Arguments Against
* OCR is already under-resourced, and without a resource increase may not be able to issue guidance promptly and on as broad a range of topics as desirable. Also probably not possible without more resources to institute any new program to publicly issue specific responses to stakeholder questions.
* Guidance alone may not be sufficient to address all of the concerns raised above.

♦♦HHS could examine the health care operations definition and issue new regulations that limit the use of identifiable data without consent. The regulations could require more of the current health care operations to be done with data stripped of some patient identifiers, or could potentially require authorization for some uses that today are permitted without consent. Another possible option is for HHS to issue guidance on the “minimum necessary” standard that encompasses both the extent of data accessed, as well as the extent of “identifiability”
C. State Law Variation
As noted above, because HIPAA was structured to provide a floor of protections, state laws providing more stringent protections for health information are expressly preserved. Movement towards an interconnected national health information network raises concerns that the multiplicity of state privacy laws will create an obstacle to the nationwide electronic exchange of health information or the exchange of information regionally across state lines. Others have noted the difficulty in determining a particular state’s health privacy laws, as they are often a combination of statute, regulation and guidance, customary practice, and common law.

Possible Solutions
♦♦Establish a federal health privacy law that preempts all state health privacy laws. A possible alternative is to set a single federal standard that preempts existing state law (i.e., “wipes the slate clean”), but allow states to pass new laws establishing stronger privacy provisions (perhaps within a certain window of time).

Arguments For
* Should eliminate confusion and create a more consistent policy environment for privacy and nationwide electronic health information exchange.
* Makes more sense in a health care arena increasingly dominated by multi-state players.
* The alternative approach preserves the ability for states to re-enact those privacy provisions they deem to be most important while making it easier for cross-state actors to understand and comply with relevant laws (because there will likely be fewer of them).

Arguments Against
* Congress intended the HIPAA Privacy Rule to provide a floor of protections — not a ceiling. Thus, if the single national standard is the set of current HIPAA rules, some stakeholders will fight any attempts to decrease privacy protections for individuals living in states with laws that are currently stronger than HIPAA.
* The more stringent state laws typically cover more sensitive health information, such as mental health, sexually transmitted diseases, or HIV/AIDS. Efforts to eliminate these protections will be opposed by their constituencies and could erode public trust.
* Another alternative is to create a national standard that is greater than HIPAA (perhaps using the states with the most expansive privacy protections as a model). However, this may be opposed by industry stakeholders, particularly those whose business operations are primarily in states with less stringent privacy laws.
* Many of the state protections for health data were enacted as part of state public health reporting statutes — so eliminating the protections could inadvertently jeopardize the reporting provisions.

♦♦Status quo — federal standards are a floor, with states able to adopt more protective measures. Arguments for and against this option are the reverse of those for the above option.

D. Improving Understanding of and Compliance with HIPAA Protections
As noted above in the introduction, confusion about the Privacy Rule persists, which often results in overly conservative interpretations of the Rule and a failure to share health information even for legitimate purposes. Some attribute this confusion to a lack of education about the substance of the Rule; others believe the Rule is too complex to be effective. In addition, privacy advocates express concerns about what they perceive to be a lack of aggressive enforcement of HIPAA. Others are concerned about oversight and enforcement over entities handling personal health information that are not covered by HIPAA. This section of the paper discusses these concerns in more detail.

1. Complexity of the Rule/Lack of Understanding

Possible Solutions
Section 13403 of ARRA requires HHS to develop and maintain a “multi-faceted national education initiative” to educate individuals on the uses of their health information and their privacy rights.

♦♦Revise the Privacy Rule to make it less complex. For example, rely more on broadly worded fair information practices and principles and address detailed circumstances through guidance, model policies, etc.

Arguments For
* Increases the likelihood that patients and covered entities will understand their rights and obligations.
* Provides more opportunities for innovative approaches to protecting privacy.
the federal government and without a way to be made whole for any harm due to HIPAA noncompliance.
Covered entities repeatedly express concern about protecting patient privacy and cite the potential irreversible damage to their reputations if patients lose confidence in their ability to protect personal health information. The covered entities believe this provides a powerful incentive for them to comply with the law. They argue that strengthening HIPAA’s enforcement provisions would have the unintended consequence of stifling appropriate health information sharing, because entities could over-interpret the Rule in an effort to ensure that they are not using or disclosing information in violation of the Rule or in contravention of a patient’s right. They are worried that providing patients with a private right of action would have the same consequence and is more likely to profit attorneys than to provide a fair way of promptly compensating patients for any harm that results from failure of a covered entity to comply with HIPAA. In addition, some believe that an enforcement approach that seeks voluntary compliance from covered entities is a more effective method for actually achieving compliance with the requirements.
As discussed above in this paper, privacy advocates have also been concerned about the federal government’s lack of authority before the passage of ARRA to hold business associates accountable for failure to comply with HIPAA. Instead, business associates could only be held accountable to the covered entities with which they contract for complying with the contract terms and any applicable HIPAA rules. OCR could only hold covered entities responsible for the actions of their business associates if an entity knew of a “pattern of activity or practice of the business associate that constituted a material breach or violation” of its contract and the entity did nothing to cure the breach or terminate the contract.74 Of interest, if the covered entity decided that terminating the contract was “not feasible,” the entity was required to report the problem to the Secretary.75 However, HIPAA did not give the Secretary any further authority to enforce the statute and regulations against the business associate or to hold the covered entity responsible for the violation. Entities serving in the role as business associates argue that contractual liability to the covered entity is sufficient to ensure enforcement of applicable HIPAA rules, as the business associate’s business and public reputation is at stake if there is a failure to comply.
Some believe the enforcement provisions of the HIPAA statute are poorly worded and partly to blame for the current enforcement environment, while others attribute the Bush administration’s discretion with respect to enforcement priorities and a lack of sufficient enforcement resources as more significant factors. On the other hand, some industry stakeholders believe that the enforcement provisions in the statute and regulations provide sufficient and clear legal authority for enforcement of the rules, and that the combination of the law and non-legal penalties for failure to comply with HIPAA provides sufficient protection for consumers.
For entities not covered by HIPAA, enforcement depends on the particular health privacy law that applies. For example, the FTC can use its unfair and deceptive trade practices authority to penalize those companies that fail to abide by their privacy policies with respect to the personal health information they collect, manage, or store. Similarly, for those personal health record vendors subject to the Electronic Communications Protection Act, the Justice Department can impose criminal fines and penalties against entities that release personal health information without the individual record holder’s authorization. Such entities may also be subject to state law claims.

Possible Solutions
ARRA contains a number of provisions addressing the enforcement issues raised above:

• Section 13401 makes business associates directly accountable to authorities for complying with applicable HIPAA regulations.
• Section 13409 clarifies that HIPAA criminal penalties can be enforced against individuals.
• Section 13410 clarifies that HHS can pursue a HIPAA violation civilly when criminal penalties could apply but DOJ declines to prosecute.
• Section 13410 also requires HHS to impose civil monetary penalties in cases of willful neglect of HIPAA rules (and requires the Secretary to formally investigate any complaint where the facts indicate a possible violation due to willful neglect).
• Section 13410 increases the civil monetary penalties for HIPAA violations.
• Section 13410 authorizes State Attorneys General to enforce HIPAA.
• Section 13411 requires the Secretary to conduct periodic audits for compliance with HIPAA regulations.
• Section 13410 further requires that civil penalties or monetary settlements for HIPAA violations be transferred to HHS to be used for enforcement purposes. In addition, GAO is required to propose a methodology for providing individuals harmed by HIPAA violations with a percentage
of any penalties or monetary settlements collected; the Secretary is required to implement such a methodology within three years of ARRA enactment.
• Section 13424 requires HHS to submit an annual report to Congress on enforcement.

♦♦Ensure that there is an enforcement regime to address entities not covered by HIPAA that are handling personal health information. (at least partially addressed in ARRA)

Arguments For
* Enforcement is a critical part of fair information practices. Ensuring that non-HIPAA entities are subject to enforcement of either currently applicable standards or any new standards adopted by Congress and/or the new Administration should be a focus in 2009.

Arguments Against
* Few will argue that some enforcement structure is needed to build public trust in these new health information exchange tools. It may be harder to agree on the details: what the standards are, who enforces, whether the penalty structure is appropriate, etc.

♦♦Amend the HIPAA statutory enforcement provisions to clarify current enforcement authority. The amendments could require the Secretary to formally investigate and impose civil monetary penalties in cases of willful neglect of the HIPAA rules. Or, the provision could clearly state that the Secretary can pursue civil actions in cases where a criminal violation may have occurred but the Justice Department decides not to pursue the case. Finally, an amendment could correct the Office of Legal Counsel’s interpretation of HIPAA with respect to the ability to pursue individuals who violate HIPAA’s criminal provisions. (addressed in ARRA)

Arguments For
* Arguably this is just a clarification of current enforcement authority, so it may not be as controversial (note that provisions accomplishing the above were part of the Health-e Information Technology Act of 2008).

Arguments Against
* There is already sufficient statutory and regulatory authority to enforce HIPAA.
* Covered entities may oppose any effort to clarify statutory enforcement authority, viewing it as opening the door to more aggressive enforcement.

♦♦Amend HIPAA to allow the Secretary of HHS to directly enforce the HIPAA regulations against business associates. (addressed in ARRA)

Arguments For
* Closes an enforcement loophole and allows the federal government to directly hold business associates accountable for complying with HIPAA (provisions to accomplish this were in the House bills).
* Brings federal health privacy law closer to a data stewardship model (i.e., all entities that handle personal health information have to comply with baseline standards and can be held legally accountable).

Arguments Against
* Will be vigorously opposed by entities who frequently act as business associates to covered entities. Could cause these entities to be unwilling to contract with health care entities out of fear of increased penalties. If these entities cease providing services, the cost of health care products and services could be affected.
* As an alternative, policymakers could make covered entities responsible for the actions of their business associates, which will generate vigorous opposition from covered entities who do not want to be legally responsible for behavior not in their control.

♦♦Amend HIPAA to provide a private right of action for individuals to seek redress for HIPAA violations. (at least partially addressed in ARRA)

Arguments For
* Patients will not have to depend on the government’s taking action when their privacy rights have been violated.
* Provides patients with a way to directly seek redress for privacy violations.

Arguments Against
* Will generate aggressive opposition, including from those promoting general tort reform. A possible alternative is to re-direct some or all of the civil monetary and criminal penalties collected to individuals whose privacy is violated. (Provisions to eventually establish a method for
The new administration and new Congress present us with new opportunities to break the privacy “gridlock.” Notwithstanding other critical national issues that need urgent attention, we have never had a better opportunity to pursue reform of our health care system, facilitated by interoperable health IT with protections for privacy and security. Consistent with the goal of the “Legal Solutions in Health Reform” project, this paper presents a range of possible solutions to privacy concerns that have been raised by some policymakers and stakeholders, along with a few of the likely arguments for and against each. Hopefully, it will be a catalyst for continuing to make progress on this difficult issue.

APPENDIX A
List of Possible Solutions by Issue Category (issues addressed at least in part by ARRA are so designated)

Who Is Covered: Do we extend the privacy rules under the Health Insurance Portability and Accountability Act (HIPAA) to all entities that now handle health information, or create new legal standards for entities not currently covered?

♦♦ Amend HIPAA to create new categories of covered entities and require OCR to promulgate new privacy regulations to cover the activities of these new entities.
♦♦ Clarify business associate agreements. Require (or encourage) HHS to issue new regulations or strengthen current guidance to ensure that entities receiving protected health information from a covered entity (such as exchanges or PHRs offered by that entity) must enter into a business associate agreement or at least be contractually bound to safeguard the information and comply with HIPAA. (ARRA)
♦♦ Require any entity that holds or manages protected health information to adopt policies consistent with fair information practices, which is the model typically relied on to establish appropriate policies for handling personal information.
♦♦ Keep the law in its current state but encourage the adoption of good privacy practices through voluntary business agreements and/or certification.

What Is Covered: What protections need to be in place? For example, do we rely on current HIPAA rules, or are modifications needed either to address new challenges or because, in the view of some, the rules were insufficient from the start? Are these concerns best addressed through changes in statute or regulations, or is it best to police this nascent marketplace through business best practices (or a combination of both)?

Addressing Privacy Concerns through Anti-Discrimination Laws
♦♦ Enact federal legislation prohibiting the use of personal health information in determining the terms and conditions of employment or health insurance coverage.

Lack of a Federal Breach Notification Standard
♦♦ Establish a federal breach notification law that applies to identifiable health information. (ARRA)
♦♦ Status quo (i.e., leave for states to address or to market forces).

Need for Data Stripped of Patient Identifiers for a Range of Health Purposes
♦♦ HHS could seek the input of experts and the public and examine the de-identification safe harbor. This could help determine if it is still robust enough to provide a very low risk of re-identification. If not, HHS could make any appropriate revisions to the Rule. (ARRA)
♦♦ Create more options for use of health data stripped of some individual identifiers, and require data use agreements for all data disclosures (or at least all that do not meet the threshold of full de-identification). (ARRA)
♦♦ At a minimum, require those who obtain data stripped of patient identifiers to commit to not re-identifying the data, except in specific circumstances (for example, notifications about a serious public health threat or drug safety/recall notifications).

Prohibitions on Use of Personal Information for Marketing Purposes
♦♦ Strengthen HIPAA rules for use of personal information for marketing by covered entities by requiring prior authorization in more circumstances. (ARRA) Establish rules for use of information for marketing purposes by non-covered entities.
♦♦ Increase compliance with the Privacy Rule’s current provisions by issuing additional guidance about the types of communications that are or are not “marketing.”
♦♦ Leave the Rule as is for current covered entities but set more stringent rules for use of information for marketing purposes by health information exchanges, and adopt rules governing marketing uses by PHRs and Internet health sites.
♦♦ Change the Rule to allow individuals to opt out of receiving any marketing communications, including those that today are exempt from the definition of marketing. (ARRA with respect to fundraising by a covered entity)
♦♦ Leave the current Rule as is and allow non-HIPAA-covered entities to compete on the basis of their policies with respect to use of information for marketing purposes (HIPAA-covered entities could also voluntarily implement more stringent controls on uses of information for marketing purposes, and compete on that basis).

Other Areas Where HIPAA Could Be Strengthened
♦♦ HHS could issue more guidance on how to comply with the Privacy Rule. (ARRA)
♦♦ HHS could examine the health care operations definition and issue new regulations that limit the use of identifiable data without consent, require more of the current health care operations to be done with data stripped of some patient identifiers, and potentially require authorization for some uses that today are permitted without consent. HHS could also issue guidance on the “minimum necessary” standard that encompasses both the extent of data accessed and the extent of “identifiability” of the data, for health care operations purposes. (ARRA)
♦♦ HHS should issue new regulations regarding the terms of access to health information exchanges, including defining minimum standards for consumer choice.
♦♦ Fill gaps in HIPAA and establish privacy protections that go beyond the HIPAA floor through voluntary adherence to best practices or certification.

State Law Variation: Should we allow for some state law variation or establish federal standards that preempt the field?

Complexity of the Rule/Lack of Understanding
♦♦ Revise the Privacy Rule to make it less complex. For example, the Rule could rely more on broadly worded fair information practices and principles, addressing detailed circumstances through guidance, model policies, etc.
♦♦ Provide more guidance and better education on the requirements of the Rule to entities covered by it. (ARRA)
♦♦ Better educate consumers on their HIPAA rights by requiring entities to provide a one-page summary privacy notice, written in plain English at average reading levels. This could be provided in addition to the more detailed notice; HHS could come up with models.

Compliance with the Rule and Enforcement
♦♦ Ensure that there is an enforcement regime to address entities not covered by HIPAA that are handling personal health information. (ARRA)
♦♦ Amend the HIPAA statutory enforcement provisions to clarify current enforcement authority. For example, require the Secretary to formally investigate, and impose civil monetary penalties, in cases of willful neglect of the HIPAA rules; make it clear that the Secretary can pursue civil actions in cases where a criminal violation may have occurred but the Justice Department decides not to pursue the case; and correct the Office of Legal Counsel’s interpretation of HIPAA with respect to the ability to pursue individuals who violate HIPAA’s criminal provisions. (ARRA)
♦♦ Amend HIPAA to allow the Secretary of HHS to directly enforce the HIPAA regulations against business associates. (ARRA)
♦♦ Amend HIPAA to provide a private right of action for individuals to seek redress for HIPAA violations. (ARRA)
♦♦ Expressly authorize state authorities to also enforce the federal HIPAA rules. (ARRA)
♦♦ Status quo with respect to HIPAA enforcement provisions.
and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;
(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;
(3) Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) are met, if applicable;
(4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and
(6) Business management and general administrative activities of the entity, including, but not limited to:
(i) Management activities relating to implementation of and compliance with the requirements of this subchapter;
(ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.
(iii) Resolution of internal grievances;
(iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and
(v) Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

References
1. Obama-Biden 2008, “Barack Obama and Joe Biden’s Plan to Lower Health Care Costs and Ensure Affordable, Accessible Health Coverage for All,” available at <http://www.barackobama.com/pdf/issues/HealthCareFullPlan.pdf> (last visited June 24, 2009).
2. Health08.org, Kaiser Family Foundation, “2008 Presidential Candidates: Health Care Issues Side-by-Side,” available at <http://www.health08.org/healthissues_sidebyside.cfm> (last visited June 24, 2009).
3. The American Recovery and Reinvestment Act of 2009, Public Law No. 111-5.
4. Connecting for Health, Markle Foundation, Survey Finds Americans Want Electronic Personal Health Information to Improve Own Health Care, survey conducted by Lake Research Partners and American Viewpoint in November 2006 for the Markle Foundation’s conference, Connecting Americans to Their Health Care: Empowered Consumers, Personal Health Records and Emerging Technologies, available at <http://www.markle.org/downloadable_assets/research_doc_120706.pdf> (last visited June 24, 2009).
5. There is a difference between “privacy” and “security.” Although there are no universally accepted definitions of those terms, in general privacy refers to policies and practices that govern the access, use, and disclosure of personal health information, and security refers to the technological tools that are used to implement those policies.
6. See J. Goldman, “Protecting Privacy to Improve Health Care,” Health Affairs 10, no. 6 (1998): 47-60, at 49; J. Goldman and Z. Hudson, California Healthcare Foundation, Promoting Health/Protecting Privacy: A Primer, January 1999, available at <http://www.chcf.org/topics/view.cfm?itemID=12502> (last visited June 24, 2009).
7. Harris Interactive, “Many U.S. Adults Are Satisfied with Use of Their Personal Health Information,” The Harris Poll #27, March 26, 2007, available at <http://www.harrisinteractive.com/harris_poll/index.asp?PID=743> (last visited June 24, 2009).
8. L. S. Bishop et al., California Healthcare Foundation, National Consumer Health Privacy Survey 2005, November 2005, available at <http://www.chcf.org/topics/view.cfm?itemID=115694> (last visited June 24, 2009).
9. This paper uses the term “personal health information” to refer generally to an individual’s identifiable health information, and uses the term “protected health information” to refer to information expressly protected by HIPAA.
10. Covered entities are health plans, health care clearinghouses, and most health care providers who submit health care claims electronically (specifically, those who transmit health information in electronic form for those transactions for which the Secretary has adopted standards (i.e., transaction code sets)). See 45 C.F.R. § 160.102(a) (2007).
11. Protected health information is individually identifiable health information that includes demographic information and “that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care; and that identifies the individual” or “there is a reasonable basis to believe the information can be used to identify the individual.” See 45 C.F.R. § 160.201 (2007) for the precise definition.
12. Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. See 45 C.F.R. § 164.501 (2007).
13. Payment includes activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and to furnish or obtain reimbursement for health care delivered to a patient. See 45 C.F.R. § 164.501 (2007).
14. Health care operations include the following: (1) conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination; (2) reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities; (3) underwriting and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to health care claims; (4) conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs; (5) business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and (6) business management and general administrative activities, including those related to implementing and complying with the Privacy Rule and other Administrative Simplification Rules, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity. See Appendix A and 45 C.F.R. § 164.501 (2007).
15. Social Security Act § 1178, 42 U.S.C. § 1320d-7 (2009); 45 C.F.R. § 160.203 (2007).
16. K. Pollitz, Georgetown University Health Policy Institute, the Genetics and Public Policy Center at Johns Hopkins University, Summaries of the Genetic Information Nondiscrimination Act of 2008 (GINA), Public Law 110-233, Title I: Health Insurance, available at <http://www.dnapolicy.org/resources/GINATitle1summary.pdf>; Public Law 110-233, Title II: Employment, available at <http://www.dnapolicy.org/resources/GINATitleIIsummary.pdf> (last visited February 3, 2009).
17. FERPA applies to health and other records in educational settings; part 2 applies to federally funded substance abuse treatment facilities; and the Privacy Act applies to federal facilities.
18. See 18 U.S.C. §§ 2702(a)(1)-(3) (2007).
19. See 18 U.S.C. § 2701(c)(1) (2007); see also 18 U.S.C. § 2702(a)(2)(B) (2007).
20. See L. L. Dimitropoulos, Agency for Healthcare Research and Quality, Privacy and Security Solutions for Interoperable Health Information Exchange: Assessment of Variations and Analysis of Solutions Report, July 2007, 3-8 – 3-9, available at <http://healthit.ahrq.gov/portal/server.pt/gateway/PTARGS_0_1248_661882_0_0_18/AVAS.pdf> (last visited June 24, 2009) [hereinafter cited as “Privacy and Security Solutions”]. For an “overzealous” interpretation of HIPAA, see J. Gross, “Keeping Patients’ Details Private, Even from Kin,” New York Times, July 3, 2007, available at <http://www.nytimes.com/2007/07/03/health/policy/03hipaa.html?_r=1> (last visited June 24, 2009); see also S. H. Houser et al., “Assessing the Effects of the HIPAA Privacy Rule on the Release of Patient Information by Healthcare Facilities,” Perspectives in Health Information Management 4, no. 1 (spring 2007), available at <http://www.pubmedcentral.nih.gov/articlerender.fcgi?artid=2082070&tool=pmcentrez> (last visited June 24, 2009) [hereinafter cited as “HIPAA Privacy Rule”] (which recommended additional clarification of HIPAA regulations, standardized instructions, and extensive training of healthcare workers).
21. Id. (HIPAA Privacy Rule).
22. See M. K. Paasche-Orlow et al., “Notices of Privacy Practices: A Survey of the Health Insurance Portability and Accountability Act of 1996 Documents Presented to Patients at U.S. Hospitals,” Medical Care 43, no. 6 (June 2005): 558-564; M. Hochhauser, “Why Patients Won’t Understand Their HIPAA Privacy Notices,” Privacy Rights Clearinghouse (April 10, 2003), available at <http://www.privacyrights.org/ar/HIPAA-Readability.htm> (last visited June 24, 2009); M. C. Pollio, “The Inadequacy of HIPAA’s Privacy Rule: The Plain Language Notice of Privacy Practices and Patient Understanding,” New York University Annual Survey of American Law 60 (2005): 579-620, at 593.
23. A health care clearinghouse is “a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” See Social Security Act § 1171(2), 42 U.S.C. § 1320d (2009).
24. 45 C.F.R. § 164.504(e)(2) (2007).
25. Id.
26. Those who meet the definition of a health care clearinghouse would be covered by HIPAA.
27. See The HIPAA Privacy Rule and Health IT, Health Information Technology, Department of Health and Human Services, available at <http://healthit.hhs.gov/portal/server.pt> (last visited June 24, 2009).
28. Personal health records offered by covered entities would be covered by the Privacy Rule.
29. National Committee on Vital and Health Statistics (NCVHS) Reports and Recommendations, Letter to the Secretary of the U.S. Department of Health and Human Services: Personal Health Record (PHR) Systems, September 9, 2005, available at <http://ncvhs.hhs.gov/050909lt.htm> (last visited June 24, 2009).
30. See Center for Democracy and Technology, Comprehensive Privacy and Security: Critical for Health Information Technology, May 2008, available at <http://www.cdt.org/healthprivacy/20080514HPframe.pdf> (last visited June 24, 2009); see also Promoting the Adoption and Use of Health Information Technology: Hearing before the Subcomm. on Health of the H. Comm. on Ways and Means, 110th Cong. (2008) (statement of Deven McGraw, Director, Health Privacy Project, Center for Democracy and Technology), available at <http://cdt.org/testimony/20080724mcgraw.pdf> (last visited June 24, 2009).
31. With respect to the leading bill in the Senate, the Wired for Health Care Quality Act (S.1693), the version marked up by the Health, Education, Labor and Pensions (HELP) Committee included a provision that would have subjected PHRs to coverage under HIPAA; however, a proposed amendment from Senator Leahy that was under serious consideration by bill sponsors would have stripped out this provision and replaced it with a provision similar to those in the House bills.
32. For an articulation of fair information practices as applied to a health information exchange environment, see The Markle Foundation, “Connecting Professionals: Private and Secure Information Exchange,” 2006, available at <http://www.connectingforhealth.org/commonframework/index.html> (last visited June 24, 2009). See also the Organization for Economic Cooperation and Development (OECD) Data Protection Principles (1980), extract from Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at <http://www.anu.edu.au/people/Roger.Clarke/DV/OECDPs.html> (last visited June 24, 2009).
33. HIPAA nondiscrimination provisions (Title I) prohibit individuals in group health plans from being denied eligibility for benefits or charged more for coverage because of any “health factor,” which includes health status and medical history or condition. These provisions do not apply to insurance purchased in the individual market. For a summary of these provisions, see Employee Benefits Security Administration, U.S. Department of Labor, “FAQs: About the HIPAA Nondiscrimination Requirements,” available at <http://www.dol.gov/ebsa/faqs/faq_hipaa_ND.html> (last visited June 24, 2009).
34. The three states are Arkansas, California, and Delaware. For more information, see D. Gage, “California Data-Breach Law Now Covers Medical Information,” San Francisco Gate, January 4, 2008, available at <http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/01/04/BUR6U9000.DTL> (last visited June 24, 2009).
35. A comprehensive analysis of state breach notification laws is beyond the scope of this paper.
36. 45 C.F.R. § 164.514(b)(1) (2007).
37. 45 C.F.R. § 164.514(b)(2) (2007).
38. 45 C.F.R. § 164.514(a)(b)(2)(ii) (2007).
39. 45 C.F.R. § 164.514(e) (2007).
40. 45 C.F.R. § 164.514(e)(3)-(4) (2007).
41. L. Sweeney, The Identifiability of Data (forthcoming book publication); see S. Ochoa et al., Massachusetts Institute of Technology, “Reidentification of Individuals in Chicago’s Homicide Database, A Technical and Legal Study,” November 2008, available at <http://web.mit.edu/sem083/www/assignments/reidentification.html> (last visited June 24, 2009).
42. 45 C.F.R. § 164.514(e)(4)(iii)(A) (2007).
43. See supra note 4.
44. 45 C.F.R. § 164.501 (2007).
45. Id.
46. The Privacy Rule gives individuals a right to request a restriction on uses or disclosures of protected health information for treatment, payment and health care operations (and on disclosures to family or friends who are assisting in the individual’s care), but the covered entity does not have to comply with the request. See 45 C.F.R. § 164.522(a) (2007).
47. 45 C.F.R. § 164.514(d) (2007).
48. See Privacy and Security Solutions, supra note 20, at 3-5, 3-7.
49. 45 C.F.R. § 164.506(c)(4) (2007).
50. For an explanation of the definition of “treatment,” see the Preamble to the Final HIPAA Privacy Rule, available at <http://aspe.hhs.gov/ADMNSIMP/final/PvcPre02.htm> (last visited June 24, 2009); see also OCR’s clarification of the definition of “treatment” in its FAQs, available at <http://www.hhs.gov/hipaafaq/providers/treatment/481.html> (last visited June 24, 2009).
51. See section (1) in the definition of health care operations, 45 C.F.R. § 164.501 (2007).
52. Id.
53. 45 C.F.R. § 164.512(i) (2007).
54. 45 C.F.R. § 164.522(a) (2007).
55. National Committee on Vital and Health Statistics (NCVHS) Reports and Recommendations, Letter to the Secretary of the U.S. Department of Health and Human Services: Privacy and Confidentiality in the Nationwide Health Information Network (NHIN), June 22, 2006, recommending that individuals have a choice regarding whether or not their information is included in the NHIN. See also NCVHS Reports and Recommendations, Report to the Secretary of the U.S. Department of Health and Human Services: Individual Control of Sensitive Health Information Accessible via the NHIN for Purposes of Treatment, February 20, 2008, recommending individuals be allowed to sequester information in certain sensitive categories.
56. Id. (NCVHS Report to the Secretary, February 20, 2008).
57. Id.
58. 45 C.F.R. § 164.524(c)(2) (2007). Such access right is to information maintained in a designated record set, and exempts psychotherapy notes and a few other categories of information; see also 45 C.F.R. § 164.524(a)(1) (2007).
59. U.S. Department of Health and Human Services, Health Information Privacy, Compliance and Enforcement, “Top Five Issues in Investigated Cases Closed with Corrective Action, by Calendar Year,” available at <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/top5issues.html> (last visited June 24, 2009).
60. 45 C.F.R. § 164.524(b)(2) (2007).
61. 45 C.F.R. § 164.524(c)(4) (2007).
62. See Georgetown University Health Policy Institute, Center on Medical Record Rights and Privacy, available at <http://hpi.georgetown.edu/privacy/records.html> for more information (last visited June 24, 2009).
63. Standards for Privacy of Individually Identifiable Health Information, 67 Federal Register 53,182 (August 14, 2002) (to be codified at 45 C.F.R. pts. 160, 164).
64. U.S. Department of Health and Human Services, HIPAA Frequently Asked Questions: About the Privacy Rule, “Why Was the Consent Requirement Eliminated from the HIPAA Privacy Rule, and How Will It Affect Individuals’ Privacy Protections?” November 9, 2006, available at <www.hhs.gov/hipaafaq/about/193.html> (last visited February 3, 2009).
65. 45 C.F.R. § 164.508(b)(4) (2007).
66. See, e.g., Discussion Draft of Health Information Technology and Privacy Legislation: Hearing before Subcomm. on Health of the H. Comm. on Energy and Commerce, 110th Cong. (2008) (written testimony of Dr. Deborah Peel, Founder & Chair, Patient Privacy Rights), available at <http://www.patientprivacyrights.org/site/DocServer/Peel_written_testimony_06.04.08.pdf?docID=4021> (last visited June 24, 2009). See also Privacy and Health Information: Hearing Before Subcomm. on Privacy and Confidentiality of the Nat’l Comm. on Vital and Health Statistics, U.S. Department of Health and Human Services, February 23, 2005 (testimony of Sue A. Blevins, Founder and President, Institute for Health Freedom), available at <http://www.ncvhs.hhs.gov/050224p6.htm> (last visited June 24, 2009).
67. See, e.g., Center for Democracy & Technology, Rethinking the Role of Consent in Protecting Health Information Privacy, January 2009, available at <http://www.cdt.org/healthprivacy/20090126Consent.pdf> (last visited June 24, 2009).
68. Id., at 14-19, for examples of approaches to consent taken by some state electronic exchange networks. For state profiles, see generally State-Level Health Information Exchange Consensus Project, Profiles of State-Level HIE Efforts, available at <http://www.slhie.org/efforts.asp> (last visited June 24, 2009).
69. See NCVHS Letter to the Secretary (June 22, 2006), supra note 56.
70. The Markle Foundation, Connecting for Health, “The Common Framework: Networked Health Information,” available at <http://www.connectingforhealth.org/commonframework/#guide> (last visited June 24, 2009).
71. R. Alonso-Zaldivar, “Effectiveness of Medical Privacy Law Is Questioned,” Los Angeles Times, April 9, 2008, available at <http://www.latimes.com/business/la-na-privacy9apr09,0,5722394.story> (last visited June 24, 2009). In July 2008, HHS announced that Seattle-based Providence Health & Services agreed to pay $100,000 as part of a settlement of multiple violations of the HIPAA regulations. But the press release from HHS made clear that this amount was not a civil monetary penalty. See also U.S. Department of Health and Human Services, HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information, News Release, July 17, 2008, available at <http://www.hhs.gov/news/press/2008pres/07/20080717a.html> (last visited June 24, 2009).
72. For more information on the OLC memo and consequences, see P. Swire, “Justice Department Opinion Undermines Protection of Medical Privacy,” Center for American Progress, June 7, 2005, available at <http://www.americanprogress.org/issues/2005/06/b743281.html> (last visited June 24, 2009).
73. Id.
74. 45 C.F.R. § 164.504(e)(1)(ii) (2007).
75. 45 C.F.R. § 164.504(e)(1)(ii)(A)-(B) (2007).
76. See 15 U.S.C. § 7706(f) (Supp. 2004).