A relevant example of the evolving regulatory landscape is the extent to which organizations that have electronic medical records or other online health data are allowed to charge for sharing it with someone else, and the circumstances under which any such payments may be constrained by the law. Not only might charging for health records appeal to some third-party providers looking to offer up EHR system usage, patient or provider portals, clinical data repositories, or other health record functionality on a software-as-a-service basis, but some sort of data access or per-record fee might help give covered entities and business associates financial incentives (or just help cover costs) for operating health IT systems and making their data available for exchange with other entities. We've noted before that the absence of such a business model is a significant but typically overlooked obstacle to widespread adoption of health information exchanges.
Section 13405(d) of the HITECH Act specifies new prohibitions on the sale of electronic health records or any protected health information held by covered entities or business associates. The restriction does not apply to other third-party entities, which could make for some interesting legal loopholes for third-party holders of health data who do not have business associate agreements in place with whatever organizations serve as the source for their data (covered entities, individuals, personal health record systems, etc.) or do not "process" health data in a way that would make them covered entities as clearinghouses under HIPAA. At first read, the text of the law seems very clear and highly restrictive: "a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual a valid authorization that includes a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual." There are, however, quite a few exceptions provided in the law, notably payment for cases including:
- public health activities
- research, where the fee reflects the costs of preparing and transmitting the data
- treatment of the individual
- for a health care operation (anything falling within the HIPAA definition of the term)
- for remuneration provided by a covered entity to a business associate involving the exchange of protected health information that the business associate undertakes on behalf of the entity
- to provide an individual with a copy of the individual’s protected health information