Development of a National Health Information Network (NHIN) — a uniform system of electronic health record architecture and interoperability — has been underway for a year or so under contracts awarded by U.S. HHS (see, e.g., last November’s award), and progress is monitored and reported through the National Committee on Vital and Health Statistics (NCVHS).
As AISHealth.com reports this week:
Mark Rothstein, the influential privacy subcommittee chairman of [NCVHS] which provides guidance to HHS on implementation of the privacy regulation, sees the new [NHIN] as an opportunity to "rethink everything" related to the privacy rule.
In his recent report to HHS Secretary Mike Leavitt, Rothstein summarized testimony received over an 18-month period and made recommendations which confirm that he doesn’t think HIPAA is doing a very good job of maintaining confidentiality of PHI, a concern that is appropriately heightened in the face of the expansion of the use of EHR. I think it’s worth listing all of his recommendations, just to get a sense of the scope of the issues highlighted by NCVHS as we come closer to having nearly ubiquitous EHR systems — whether through the eventual rollout of the NHIN or through the nearer-term development of various private EHR systems:
1. | The method by which personal health information is stored by health care providers should be left to the health care providers. |
2. | Individuals should have the right to decide whether they want to have their personally identifiable electronic health records accessible via the NHIN. This recommendation is not intended to disturb traditional principles of public health reporting or other established legal requirements that might or might not be achieved via NHIN. |
3. | Providers should not be able to condition treatment on an individual’s agreement to have his or her health records accessible via the NHIN. |
4. | HHS should monitor the development of opt-in/opt-out approaches; consider local, regional, and provider variations; collect evidence on the health, economic, social, and other implications; and continue to evaluate in an open, transparent, and public process, whether a national policy on opt-in or opt-out is appropriate. |
5. | HHS should require that individuals be provided with understandable and culturally sensitive information and education to ensure that they realize the implications of their decisions as to whether to participate in the NHIN. |
6. | HHS should assess the desirability and feasibility of allowing individuals to control access to the specific content of their health records via the NHIN, and, if so, by what appropriate means. Decisions about whether individuals should have this right should be based on an open, transparent, and public process. |
7. | If individuals are given the right to control access to the specific content of their health records via the NHIN, the right should be limited, such as by being based on the age of the information, the nature of the condition or treatment, or the type of provider. |
8. | Role-based access should be employed as a means to limit the personal health information accessible via the NHIN and its components. |
9. | HHS should investigate the feasibility of applying contextual access criteria to EHRs and the NHIN, enabling personal information disclosed beyond the health care setting on the basis of an authorization to be limited to the information reasonably necessary to achieve the purpose of the disclosure. |
10. | HHS should support research and technology to develop contextual access criteria appropriate for application to EHRs and inclusion in the architecture of the NHIN. |
11. | HHS should convene or support efforts to convene a diversity of interested parties to design, define, and develop role-based access criteria and contextual access criteria appropriate for application to EHRs and the NHIN. |
12. | HHS should work with other federal agencies and the Congress to ensure that privacy and confidentiality rules apply to all individuals and entities that create, compile, store, transmit, or use personal health information in any form and in any setting, including employers, insurers, financial institutions, commercial data providers, application service providers, and schools. |
13. | HHS should explore ways to preserve some degree of state variation in health privacy law without losing systemic interoperability and essential protections for privacy and confidentiality. |
14. | HHS should harmonize the rules governing the NHIN with the HIPAA Privacy Rule, as well as other relevant federal regulations, including those regulating substance abuse treatment records. |
15. | |
16. | HHS should use an open, transparent, and public process for developing the rules applicable to the NHIN, and it should solicit the active participation of affected individuals, groups, and organizations, including medically vulnerable and minority populations. |
17. | HHS should develop a set of strong enforcement measures that produces high levels of compliance with the rules applicable to the NHIN on the part of custodians of personal health information, but does not impose an excessive level of complexity or cost. |
18. | HHS should ensure that policies requiring a high level of compliance are built into the architecture of the NHIN. |
19. | HHS should adopt a rule providing that continued participation in the NHIN by an organization is contingent on compliance with the NHIN’s privacy, confidentiality, and security rules. |
20. | HHS should ensure that appropriate penalties be imposed for egregious privacy, confidentiality, or security violations committed by any individual or entity. |
21. | HHS should seek to ensure through legislative, regulatory, or other means that individuals whose privacy, confidentiality, or security is breached are entitled to reasonable compensation. |
22. | HHS should support legislative or regulatory measures to eliminate or reduce as much as possible the potential harmful discriminatory effects of personal health information disclosure. |
23. | NCVHS endorses strong enforcement of the HIPAA Privacy Rule with regard to business associates, and, if necessary, HHS should amend the Rule to increase the responsibility of covered entities to control the privacy, confidentiality, and security practices of business associates. |
24. | Public and professional education should be a top priority for HHS and all other entities of the NHIN. |
25. | Meaningful numbers of consumers should be appointed to serve on all national, regional, and local boards governing the NHIN. |
26. | HHS should establish and support ongoing research to assess the effectiveness and public confidence in the privacy, confidentiality, and security of the NHIN and its components. |