Thursday July 24, 2008

HIPAA FLASH NEWS STORY

Official: Don't Reinvent the Wheel As National IT Network Progresses

Sounding more like a defensive parent whose child was under attack than a self-described "distant bureaucrat," Sue McAndrew had a message to deliver to the audience of the 14th National HIPAA Summit last week in Washington D.C.

McAndrew, who said she has worked on privacy issues for the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) since 2000, was recently named OCR's deputy director for health information privacy. Her speech, she said, marked the first time she had appeared at a health information technology (HIT) conference. OCR is the agency that enforces the privacy rule.

And she clearly had a bone to pick with the minions serving on the plethora of government advisory committees, and those wonky industry folks who are grappling with privacy implications of the nationwide health information network (NHIN).

"One of the things we hear a lot about, and I would like to take off the table right from the top, is the fact that the HIPAA privacy rule is irrelevant to this effort because it was only designed to operate in a paper system," McAndrew said.

Then, pausing for effect, she added, "I mean, DUH!"

"HIPAA was all about automating and moving the industry into an electronic world," she said, sounding exasperated. "HIPAA is relevant, and HIPAA has a lot of the balances [that] were designed with HIT in mind."

"I mean," McAndrew continued, "we knew electronic medical records existed...maybe not at the time the law was passed, but by the time the rules were written, we knew much about EMRs. And so it is not the building of those systems and the clinical application of the systems that is so new and novel."

Instead, McAndrew said, it is the "sharing of the networking of these electronic environments" that is new. Focus should be placed on "deciding how that electronic networking creates new privacy issues for consumers," she said.

Then she invited the audience to take a piece of paper out of their binders. "So if you can discard one notion, and if you want to pull out a piece of paper from your thing, I am crumpling up the notion that HIPAA is irrelevant to HIT and I am throwing that notion away," McAndrew said, tossing her ball of paper to the rug beside her podium. "Housekeeping - I will pick that up on my way out," she added.

In her remarks, McAndrew acknowledged that, in some respects, HIPAA doesn't go far enough for the NHIN. But she also believes that the NHIN will provide "new opportunities for consumers to get more engaged" and will actually enhance some of the rights codified in the privacy rule.

'Communities' Will Solve Problems

The HIPAA rules, McAndrew contended, "are really going to help facilitate this endeavor" and are "not an obstacle" to the creation of the NHIN. That's because HIPAA was so historic, in setting a national privacy "floor" for standards to protect patient data, she said. And the rules already addressed many of the balances between access and protection that are coming to the fore now, according to McAndrew.

However, she did allow that there are issues — which would seem rather large to some — that must still be addressed in the creation of the NHIN.

Not the least of these is the issue of uniformity. Because HIPAA allowed states to maintain, and create, standards that are more protective of data than HIPAA, many did - and continue to put such measures into place today. McAndrew noted that a report is due in June that will outline where states overlap or conflict with HIPAA, as well as pinpoint possible solutions.

But many of the issues should be hashed out on the local level, according to McAndrew.

"As I said, HIPAA is the floor and not the ceiling; there are variations in state laws that affect privacy practices. Even more significantly there is a tremendous variation in business practices from entity to entity in how these rules are applied," she asserted.

"Communities" should come together and decide how to address issues such as varying definitions of minimum necessary, she said by way of example.

HIPAA, McAndrew added, allows communities "to come together and decide if the permission for the information flows embodied in the HIPAA standards seem too broad, or you know, the way one entity defines minimum necessary is not like another entity, and the two entities can come together and agree on how that transmission of information should go pursuant to a common understanding of minimum necessary."

"I think it would be much to your benefit that this conversation continue in the [community] and the consensus to form within the communities that will actually be engaged rather than having some...and I will describe myself...some distant bureaucrat in Washington try to tell you what that consensus should be, what that rule practice should be," she said.

Another issue that McAndrew said can be resolved without alteration to HIPAA is whether the NHIN should have an opt-in or opt-out mechanism, or whether participation should be mandatory.

Despite the fact that the privacy rule does not require patients to give their consent before treatment, McAndrew said policymakers are free to do whatever they want in this regard when it comes to building the NHIN "and HIPAA will be happy whichever way you come out on it."

"HIPAA doesn't resolve the question of should there or should there not be a consent, and, if there is consent, what the form of that consent should be, but HIPAA allows you to have that conversation. HIPAA allows you to decide what is best for the system, and HIPAA allows that consensus to be implemented," she said. "We do not bar consent. We do not require consent."

(After her comments, Marilou King, acting senior advisor for privacy compliance and enforcement at OCR, told RPP that the secretary of HHS would be the one to decide whether to allow an opt-in or out option.)

Could RHIOs Set Standards for Non-CEs?

Another issue that gives policymakers and advisors pause about the NHIN is the fact that new businesses have arisen that are not covered entities (CEs) and thus not required to comply with HIPAA. They also point out that while some of these businesses could conceivably be considered business associates (BAs), BAs are not subject to enforcement action.

McAndrew said that most of the "players" involved in the NHIN would probably already be considered CEs or BAs. But she noted that others, particularly those that market personal health records to consumers, are not.

"It is possible there are going to be some uncovered providers who come and want to be players in this system, and there will need to be some way of figuring out what privacy standards to hold those providers to and how you enforce those," she said.

She pointed out that HHS's National Committee on Vital and Health Statistics has been holding hearings on the possibility of expanding the list of CEs.

"It remains to be seen how big a problem it really is," she said.

Short of modifying the HIPAA statute to encompass more CEs, "there are other potential solutions," McAndrew said, "not the least of which would be some sort of Regional Health Information (RHI) network accountability for all players in the system...some rules and obligations that be enforceable for these non-HIPAA-CEs."

However, this could prove to be a problematic solution as RHIOs themselves have a dicey existence. Last month, the Santa Barbara County Care Data Exchange - the nation's oldest RHIO - shut down, amid technical and financial issues. It had been funded with $10 million from the California HealthCare Foundation.

Her office is not sitting idly by as the NHIN is developed, McAndrew assured the audience.

"My office has been deeply involved with the Office of the National Coordinator on these efforts," she said. "We are participating on at least two of the work groups in the American Health Information Community, and we are taking charges from those workgroups to help in various ways."

One project, she said, "is mapping the current HIPAA requirements to a variety of scenarios." McAndrew added that "I think the first set we will try to take on is to try to map the HIPAA requirements for personal health records in a variety of settings, because we view that as a good way of jump starting the consumer, and getting the consumer engaged."

When necessary, OCR will "issue guidance" to address problem areas identified by the state-based report of privacy practices, she said, as well as to address other issues relating to HIPAA and the NHIN.

"Ultimately, if there are issues that require some tweaking to the [privacy and security] standards we would certainly work with the Office of the National Coordinator to identify where those needs are and how best to address them," she said.

Reprinted from the April 2007 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The HIPAA Flash is an opt-in monthly newsletter. The content is for informational purposes only. Nothing herein constitutes legal advice - if you need legal advice, please consult a competent attorney. To unsubscribe from this monthly newsletter, reply to hipaaflash@hipaarx.net with the word "UNSUBSCRIBE" in the subject line.

HIPAA Solutions Rx is your best source for compliance workbooks, online training, disclosure tracking systems, network scanning tools, backup facilities, certifications, consulting ... HIPAA from A to Z. For the most complete suite of HIPAA compliance products available, visit us at: http://www.hipaarx.net or call us at 1-866-447-2211.

HIPAA Solutions is a BridgeFront Company. For training in OSHA, JCAHO, Nurse CE, Long Term Care, Revenue Cycle Management and much more, visit http://www.bridgefront.com.