
Tuesday, May 18, 2010

HITECH restrictions on sale of health record data constrain some EHR plans

As the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act continue to be implemented, many health care organizations are beginning to understand that changes to security and privacy requirements originally promulgated under HIPAA and now strengthened under HITECH are not the only considerations. While one significant change under HITECH (Title XIII of the American Recovery and Reinvestment Act of 2009) made business associates directly accountable for most HIPAA requirements, there are changes in the rules, and in the penalties for non-compliance, that will have an impact on HIPAA-covered entities and business associates that may have thought they had HIPAA compliance well under control. Newer entrants to the health IT market such as personal health record vendors have a potentially confusing path to navigate, as some prominent features of HITECH like health data breach notification rules apply to PHR vendors and other non-covered entities, but many of the other provisions do not.

A relevant example of the evolving regulatory landscape is the extent to which organizations that hold electronic medical records or other online health data are allowed to charge for sharing that data with someone else, and the circumstances under which any such payments may be constrained by the law. Not only might charging for health records appeal to some third-party providers looking to offer EHR system usage, patient or provider portals, clinical data repositories, or other health record functionality on a software-as-a-service basis, but some sort of data access or per-record fee might give covered entities and business associates financial incentives (or simply help cover costs) for operating health IT systems and making their data available for exchange with other entities. We've noted before that the absence of such a business model is a significant but typically overlooked obstacle to widespread adoption of health information exchanges.

Section 13405(d) of the HITECH Act specifies new prohibitions on the sale of electronic health records or any protected health information held by covered entities or business associates. The restriction does not apply to other third-party entities, which could make for some interesting legal loopholes for third-party holders of health data who do not have business associate agreements in place with whatever organizations serve as the source for their data (covered entities, individuals, personal health record systems, etc.), or who do not "process" health data in a way that would make them covered entities as clearinghouses under HIPAA. At first read, the text of the law seems very clear and highly restrictive: "a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual a valid authorization that includes a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual." There are, however, quite a few exceptions provided in the law, notably payment in cases including:
  • public health activities
  • research, where the fee reflects the costs of preparing and transmitting the data
  • treatment of the individual
  • for a health care operation (anything falling within the HIPAA definition of the term)
  • for remuneration provided by a covered entity to a business associate involving the exchange of protected health information that the business associate undertakes on behalf of the entity
  • to provide an individual with a copy of the individual’s protected health information
This means that a covered entity is allowed under the law to charge for providing or processing health records for a variety of purposes, including charging individuals for their own records (although an existing requirement under HIPAA specifies that the charge to an individual cannot exceed the actual labor cost to furnish the record). The exception for health care operations would seem to pave the way for some enterprising third-party data management services to provide outsourced health IT to providers, and would also allow covered entities to charge each other for sharing the records they hold. The rules prohibiting sales of health data would, however, appear to make illegal some of the creative business models being proposed in the market, including ones where providers receive free or discounted access to shared EHR services in exchange for the service providers selling some of the data to third parties such as drug manufacturers. The HITECH rules would seem to prohibit this sort of approach even where the data being sold is de-identified.

1 comment:

  1. Thanks for the interesting and informative post. I enjoyed reading it and look forward to more in the future.