Continuing this week’s focus on privacy, today’s guest author Stacie Durkin, RN-C, RHIA, MBA, owner, Durkin & Associates, explains what ARRA’s privacy provisions might mean for health information exchange. Durkin co-chairs an AHIMA/HIMSS collaborative workgroup focused on privacy and security in the HIE/RHIO environment. 

HIPAA has sharper teeth and a wider net due to the American Recovery and Reinvestment Act of 2009 (ARRA).  A section of ARRA called The Health Information Technology for Economic and Clinical Health Act (HITECH Act) is the healthcare portion of the stimulus package that provides $19 billion for health information technology and the Federal financial commitment which supports and promotes the adoption of electronic health records (EHRs) by 2014.  Some of the perceived weaknesses in HIPAA’s privacy and security regulations will be rectified by ARRA, dubbed “HIPAA II.”

There has been much discussion around the privacy and security issues of shared data.   Before the stimulus package, health information exchanges (HIE) were not directly regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new legislation is loaded with requirements, new enforcement provisions and penalties for covered entities, business associates, vendors and others.

The legislation expands HIPAA’s net to include employees of covered entities and to individual or corporate persons that perform any function or activity involving the use or disclosure of protected health information  (PHI)  on behalf of a covered entity such as “business associates.” HIPAA defines covered entities as “health care providers that conduct certain electronic transactions, health care clearinghouses, and health plans.”

Business associates will be required to implement the same security safeguards and restrictions on uses and disclosures, to protect individually identifiable health information. It also subjects business associates to the same potential civil and criminal liability for breaches as covered entities. All business associate agreements will have to be amended to reflect these changes.  To ensure compliance the Secretary of HHS is required to conduct periodic compliance audits of business associates as well as covered entities.

The HITECH Act is meant to increase the momentum of the development and implementation of the EHR by 2014.  HHS is allocated $2 billion for the Office of the National Coordinator for Health Information Technology.  ARRA has also expanded the duties and authority of this office.  The national coordinator is responsible for:

  • the coordinating development and implementation of HIT standards,
  • strategic planning, including the electronic exchange of health information,
  • certification of HIT as meeting standards,
  • assessment of disparities in the use of HIT,
    evaluate benefits and costs of the use of EHR, and
  • development and updating of EHR technology.

Timelines for the privacy provisions, regulations, and guidance under HITECH Act are listed in the linked table.

The act represents commitment by the federal government to bolster the healthcare industry, particularly in the adoption of EHRs.  At the same time, the lawmakers have put teeth into the enforcement of laws and regulations governing the privacy and security of personal health information.  

The act does not change state law preemption, and covered entities and business associates will continue to have to comply with federal privacy and security standards as well as more restrictive state law requirements.

References

“American Recovery and Reinvestment Act of 2009 — An Analysis.” LexisNexis Emerging Issues Analysis, 2009.

H.R. 1, American Recovery and Reinvestment Act of 2009.

Mills, Tom, and Marion Kristal Goldberg. “The Stimulus Bill’s Effect on the Health Care Industry.” Winston & Strawn, LLP Healthcare Practice Briefing, 2009.

Steinbrook, Robert. “Health Care and the American Recovery and Reinvestment Act.” New England Journal of Medicine, March 12, 2009.