White House Forms New Subcommittee to Review Online Privacy Issues

In a statement released October 24, the Obama Administration has launched a new interagency “subcommittee” of the National Science and Technology Council to review privacy and Internet policy, which may include review of health care privacy issues.  The working group will focus primarily on individual privacy issues associated with the Internet and related online systems, to “develop principles and strategic directions with the goal of fostering consensus in legislative, regulatory, and international Internet policy realms.”  Consisting of representatives of eleven Federal agencies, including the Department of Health and Human Services, and eight Executive Organizations, the Subcommittee promises to work closely with private stakeholders to develop a set of core principles to, among other things, facilitate transparency, promote cooperation, empower individual decision-making, and build trust in online environments, while at the same time protecting the rule of law, promoting innovation and economic expansion, and balancing the interests of stakeholders.  The identities of the private stakeholders to be invited, the schedule of the group’s meetings, and the transparency of the subcommittee’s deliberations, have yet to be determined or announced by the Obama Administration.

Is Your EHR System Private Enough?

News accounts and criminal convictions involving unauthorized access to or theft of electronic health records by health care facility or medical practice employees are raising renewed concerns about the privacy and security implications of the surging development and use of electronic health record (EHR) systems. While providers who implement EHR systems often feel confident in the security offered by the firewalls, passwords and encryption embedded in those systems, a threat to patient privacy remains in the simple fact that a large number of a provider’s employees may have broadly defined access rights to virtually all of the provider’s patient records. Whether such broad access is permissible under, or was intended by, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a question on which industry experts and lawmakers hold varying views. Stakeholder views may differ based on clinical, operational, financial and personal privacy considerations.

Under the HIPAA privacy regulations, with a few limited exceptions, when using or disclosing protected health information (PHI) outside of treatment, a covered entity must make reasonable efforts to limit the PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request, or otherwise obtain an authorization from the patient.  See 45 C.F.R. § 164.502(b).  The minimum necessary requirement is to be implemented by identifying “those persons or classes of persons, as appropriate, in [the covered entity’s] workforce who need access to protected health information to carry out their duties” and “for each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.”  45 C.F.R. § 164.514(d)(2)(A) and (B).  Thus, a design issue in developing or purchasing a HIPAA-compliant EHR system is whether the system includes technology that reasonably and appropriately limits access to patient information to only those members of the workforce who need it, so-called role-based access capability.  While the classification of access rights and the limitations on the categories of PHI that can be viewed may add complexity and expense to an EHR system, this HIPAA requirement should not be overlooked.  Additionally, among other safeguards, the ability to log information system activity (e.g., record the user’s identity, the time, and the type and extent of data accessed), and to perform security audits and forensic investigations on an EHR system, are important components needed to facilitate a covered entity’s compliance with the HIPAA privacy and security regulations, and to reassure patients that their privacy is indeed being protected during this period of rapid EHR expansion.
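The following sketch, added here and not drawn from any EHR product or from the regulation itself, shows how the two safeguards described above fit together: a workforce-class to PHI-category matrix with a treatment-relationship condition on clinical roles, every decision (granted or denied) written to an audit log that records who, when, which patient and which category, and a simple audit review over that log. The role names, categories, care-team data and the denial threshold are all constructed for illustration.

```python
"""Minimum-necessary access control with audit logging for an EHR (illustrative sketch)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed workforce classes -> PHI categories each may view (the 164.514(d)(2) inventory).
ROLE_CATEGORIES = {
    "physician":  {"demographics", "clinical_notes", "labs", "medications"},
    "nurse":      {"demographics", "clinical_notes", "medications"},
    "billing":    {"demographics", "billing"},
    "front_desk": {"demographics"},
}
# Constructed "condition appropriate to such access": clinical roles may only open
# charts of patients they have a treatment relationship with.
CLINICAL_ROLES = {"physician", "nurse"}

@dataclass(frozen=True)
class AuditEntry:
    time: datetime      # when the access was attempted
    user: str           # user identity
    role: str           # workforce class used for the decision
    patient_id: str     # whose record
    category: str       # type of data requested
    granted: bool       # outcome
    reason: str         # why it was granted or denied

class EhrAccessControl:
    def __init__(self, care_teams):
        # care_teams: patient_id -> set of user ids with a treatment relationship (constructed)
        self.care_teams = care_teams
        self.audit_log = []

    def request(self, user, role, patient_id, category):
        """Decide one access request and always log it, whether granted or denied."""
        if category not in ROLE_CATEGORIES.get(role, set()):
            granted, reason = False, "category outside role"
        elif role in CLINICAL_ROLES and user not in self.care_teams.get(patient_id, set()):
            granted, reason = False, "no treatment relationship"
        else:
            granted, reason = True, "ok"
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc), user, role,
                                         patient_id, category, granted, reason))
        return granted

def flag_repeated_denials(audit_log, max_denials=3):
    """Audit review: users with repeated denials, a pattern worth a closer look."""
    denials = defaultdict(int)
    for entry in audit_log:
        if not entry.granted:
            denials[entry.user] += 1
    return sorted(user for user, count in denials.items() if count >= max_denials)
```

Denied attempts are logged alongside granted ones on purpose: a forensic review of employee snooping depends on seeing what was tried, not only what succeeded.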

"Advertising Option Icon" Will Allow Opt-Out of Online Tracking

A coalition of advertising trade groups launched a new online behavioral advertising (“OBA”) opt-out program on October 4, 2010, to build on the self-regulatory principles they released last summer.  The program, which is explained on the group’s website, features an “Advertising Option Icon” that can be placed near online ads that collect data used to conduct behavioral advertising.  Users who click on the icon will receive a disclosure statement about the data collection and use practices associated with the ad along with the ability to opt-out of being tracked.


The Self-Regulatory Principles for Online Behavioral Advertising that the new icon enhances were released in July 2009 by the online advertising industry to correspond with the guidelines for behavioral advertising issued by the U.S. Federal Trade Commission in February 2009.  The seven self-regulatory principles—education, transparency, consumer control, data security, consent before material changes, limiting collection of sensitive data, and accountability—were designed to address growing consumer concern about the collection and use of personal information.  According to Network Advertising Initiative spokesperson Andrew Weinstein, the new icon is designed to provide “consistency to the visual icon, messaging and opt-out process across all of the participants in the online advertising industry.”

OBA and social networks are not easy to regulate, but the self-regulatory approach to this industry has come under fire from privacy advocates who argue that the approach fails to offer consumers meaningful, informed choices and that the new opt-out program is a last-ditch effort to avoid new federal legislation.  Although the head of the FTC’s Bureau of Consumer Protection, David Vladeck, has recently expressed his disappointment in the industry’s self-regulatory efforts, he stated that he will continue to support self-regulation.  Mr. Vladeck also stated that the FTC is reviewing the viability of a “do-not-track” mechanism following the announcement by Senate Commerce Consumer Protection Subcommittee Chairman Mark Pryor, D-Ark., that he is working on such legislation.  The “do-not-track” mechanism would function like the national Do Not Call Registry by allowing consumers to opt out of having their browsing activities tracked.

HITECH's Federal Health IT Coordinator Completes Nationwide System to Assist Doctors and Hospitals in Switching to Electronic Health Records

On September 28, 2010, David Blumenthal, M.D., National Coordinator for health information technology, announced selection of the final Regional Extension Centers (RECs), completing a national system of 62 organizations that will help physicians, clinics and hospitals to move from paper-based medical records to electronic health records (EHR).

“The selection of these final awardees means that Regional Extension Centers are now in place in every region of our country to help health providers make the switch from paper-based medical practice to electronic health records,” said Dr. Blumenthal. “For primary care physicians and smaller hospitals in particular, the RECs will be an important resource to help meet the challenges of adopting EHRs and using them to deliver better care.”

RECs were created last year under the Health Information Technology Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009.   Under the HITECH Act, $677 million is allocated for the next two years to support a nationwide system of RECs.  Additionally, the HITECH Act also created the Medicare and Medicaid EHR incentive programs, which will provide incentive payments to eligible professionals and hospitals that adopt and demonstrate meaningful use of certified EHR technology.  Incentives totaling as much as $27.4 billion over 10 years could be expended under the program, which is administered by the Centers for Medicare & Medicaid Services.

RECs will target their assistance to eligible primary care providers in smaller practices as well as small and rural hospitals and public health clinics.  However, the RECs will also serve as a resource for all providers in an area, giving assistance, as feasible, to any doctor, hospital or clinic making the request.  Each REC organization has identified a target number of primary care physicians, based on population needs, to be assisted in the first two years of the program.

Link to the complete ONC press release