Healthcare Information Technology and Its Impact on the Health Insurance Portability and Accountability Act

By October 21, 2015Articles, Health

Healthcare Information Technology: A Primer

HIT is a far reaching phenomenon responsible for integrating the flow of health information across consumers, service providers and regulatory entities, improving the coordination of safe and efficient outcomes within the healthcare delivery system[1].The physical implementations of these include computerized systems that perform acquisition, storage and retrieval of healthcare information for decision making.[2]

While the successful adoption of healthcare information technology culminates in benefits on the patient care front such as improved healthcare quality and promises public benefits to the extent of early detection of pandemics, it has resulted in concomitant threats to patient privacy. The ease of accessing electronic health information for studies has compromised information privacy through information exchanges[3].

HIPAA

HIPAA was enacted August 21, 1996 [4]as part of a wider body of legislature with the express mandate of extending healthcare insurance coverage to workers in the midst of structural or cyclical unemployment and establishing operating guidelines and standardized health plan identifiers for electronic healthcare transactions between service providers, healthcare plans and employers[5].

The legislative spirit of Title II in HIPAA lends itself to the morass of complications introduced by HIT. It fosters a conducive environment for the enforcement of legislation maintaining the privacy of health information that can be tied to specific individuals through the timely institution of punitive measures that accompany violations. Five core rules incorporated within Title II are germane to the topic of our consideration – the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. These promote greater administrative efficacy through holding the applications of HIT to certain universal standards of quality.

HIPAA Privacy Rule

The Privacy Rule mounts a direct response to the manifold opportunities for compromising privacy that emerge from the incremental prevalence of HIT[6]. As the central pillar of the privacy security framework that HIPAA relies upon to manage HIT, the Privacy Rule negotiates between the competing priorities of safeguarding health information privacy for patients and the necessity of providing key health information required for the smooth execution of prediction, treatment and payment consolidation purposes within an integrated healthcare system.

Key Stakeholders

The Privacy Rule maintains jurisdiction over health plans, clearinghouses and healthcare providers which facilitate electronically certain financial and administrative transactions subject to standards adopted by HHS[7]. By extension, the Department of Health and Human Services is also expanding coverage to include independent contractors of the covered entities who adhere to the definition of business associates, which perform functions on behalf of the aforementioned covered entities that utilize PHI. While impossible to exhaustively discuss all the applications of the Privacy Rule in governing HIT, we attempt to categorize applications under the umbrella of a number guiding principles that have shaped the legislation.

Principal Tenet: Right to Access

In principle, the Privacy Rule identifies information that falls under the category of Protected Health Information (PHI) and controls the circumstances in which this can be used or disclosed. PHI is defined as information held by covered entities[8] that concern health status, provision of health care, or payment for health care that can be linked to an individual, often encompassing components of the patient’s medical records and history. In regulation, the privacy rule requires covered entities to eschew disclosure of PHI unless specifically requested to do so by the concerned individual or a personal representative through a written authorization, or when the HHS embarks on a compliance investigation, review or enforcement action[9].

The imposition of time limits on responding to health information requests underscores the need to provide data accurately and minimize turnaround time, marshalling adequate resources and incentives toward electronic system developments that permit a more streamlined request response. In addition, the integration of HIT provides a viable platform of electronic channels that allow requests from users to be funnelled to the relevant service providers at minimal cost. On the front of providing information, HIT and electronic access converge on a more convenient mode of distribution. Vast amounts of PHI can be converted to storage devices such as thumb drives in readily producible format for more data rich reports.

A caveat persists in that an extensive network does not guarantee provision of immediate access; response time frames will ultimately depend on the interaction between system bandwidth and incoming load. In the same vein, HIT also introduces multiple possible vulnerabilities that are ripe for exploitation. In an electronic exchange environment, forms of oral or written verification can be duplicated or bypassed easily. Furthermore, the appointment of personal representatives in these circumstances generates additional uncertainty in the identification process. Covered entities have to ensure that they have the capacity to authenticate and verify the identities of users with reasonable confidence. We look to the other core tenets of the Privacy Rule as a means for navigating between the diametrically opposed demands of accurate identification and privacy protection.

Core Tenet: Correction

An inherent necessity of an information system that relies on self-declaration of important data fields pertinent to the user’s personal particulars often introduces the real possibility of human error. The desire to rectify erroneous information which could prove critical in an emergency is hence a perfectly legitimate rationale for providing users with access and modification rights to their own healthcare information. The Privacy Rule acknowledges the need for participation of users in accessing such data, and is bound to act within 60 days to either correct the record or notify the individual that the request has been denied on the grounds that existing entries are more accurate or already complete.

Core Tenet: Openness and Transparency

The principal thrust of the Privacy Rule is to inculcate a relationship between entities and users that operates on mutual faith – users give up critical information in the hope that their quality of care will be enhanced. The surest way to forge this is through cultivating greater openness and transparency in regard to policies and procedures orchestrating HIT. The Privacy Rule thus includes provisions for notice of privacy practices (NPPs) when a provider first engages targeted individuals electronically. This provides targeted individuals with notices detailing how a covered entity may use and disclose their PHI, their rights with respect to that information, as well as the covered entity’s obligations to protect the information.

Core Tenet: Safeguards & Accountability

Furthering the notion of fostering greater trust, the safeguards principle advocates the origination of a holistic system of administrative, physical and technical checks and balances to guard against breaches in PHI dissemination[10]. These include practices as securing locations and equipment, password security and executive training. While no specific measures have been identified, the breadth of the legislation’s scope encourages the extension of security to participants who fall beyond the jurisdiction of covered entities.

The yardstick in evaluating the efficacy of safeguards lies within their implementation – safeguards should be enacted through contractual devices which involve penalties for violations. Hence, enforcing adherence through control measures such as monitoring and reporting occupies a role of paramount importance. The toolbox of punitive measures dictates that liabilities for civil money penalties are ascribed to covered entities, thus placing the onus on them to keep their employees and business associates in line.

Core Tenet: Individual Choice

As a statute designed to shield users from the adverse impacts of privacy abrogation, the Privacy Rule conversely confers upon users the right to become more engaged in manipulating their personal records. These are granted on the basis of optional consent, where covered entities can exercise their judgment in how they go about soliciting user consent to use or disclose PHI, as well as in implementing more rigorous policies in requesting for consent prior to any information disclosure. Equivalently, the Rule also endows individuals with the right to submit additional requests for covered entities to curtail the usage and disclosure of healthcare information for treatment, payment, or health care operations purposes[11]. Electronic platforms can calibrate the granularity of options allowing entry and exit from information disclosure schemes,[12] according to the scale and magnitude of the requests initiated by certain users.

Core Tenet: Collection, Use and Disclosure

In the usage and aggregation of health information, processes must be directed toward a pre-defined, specific objective,[13] with boundaries present to preclude usage for discriminatory purposes. These are articulated succinctly in the minimum necessary standard, which stipulates that covered entities restrict requests for PHI to the minimum necessary from other covered entities. Entities are obliged to conceive of unequivocally precise procedures for recurring transactions and a reasonable set of criteria for non-routine requests.[14] These should be consistent across all partner agencies in the network, exist in alignment with state legislature, and support the core healthcare functions of operations, treatment or payment.

[1] Chaudhry, B. Wang, J., & Wu, S. et al., (2006). Systematic review: Impact of health information technology on quality, efficiency, and costs of medical care, Annals of Internal Medicine, 144(10), 742–752.

[2] 42 U.S. Code § 1320a–7c – Fraud and abuse control program. (n.d.). Cornell Legal Information Institute, 42(7).

[3] Perera, Gihan; Holbrook, Anne; Thabane,Lehana; Foster, Gary; Willison, Donald J. (February 2011). “Views on health information sharing and privacy from primary care practices using electronic medical records”. Internal Journal of Medical Information 80 (2): 94–101.

[4] Atchinson, Brian K.; Fox, Daniel M. (May–June 1997). “The Politics Of The Health Insurance Portability And Accountability Act” (PDF). Health Affairs 16 (3): 146–150.

[5] Centers for Medicare & Medicaid Services, Http://www.cms.gov/HIPAAGenInfo/. (n.d.). Retrieved October 1, 2015.

[6] Summary of the HIPAA Privacy Rule. (n.d.). http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html Retrieved October 1, 2015.

[7] HHS Adminstrative Standards (n.d.). http://www.physicianspractice.com/index/fuseaction/articles.details/articleID/1299/page/1.htm Retrieved October 1, 2015

[8] Title 45 – Public Welfare. (n.d.). Code of Federal Regulations.

[9] Enforcement Highlights”. OCR Home, Health Information Privacy, Enforcement Activities & Results, Enforcement Highlights. U.S. Department of Health & Human Services. Retrieved 3 March 2014.

[10] “Breaches Affecting 500 or more Individuals”. OCR Home, Health Information Privacy, HIPAA Administrative Simplification Statute and Rules, Breach Notification Rule. U.S. Department of Health & Human Services. Retrieved 3 March 2014.

[11] Wolf M, Bennett C (2006). “Local perspective of the impact of the HIPAA privacy rule on research”. Cancer 106 (2): 474–9.

[12] “How the Lack of Prescriptive Technical Granularity in HIPAA Has Compromised Patient Privacy”. Northern Illinois University Law Review, Volume 30, Number 3, Summer 2010.

[13] “Encouraging the Use of, and Rethinking Protections for De-Identified (and “Anonymized”) Health Data” (PDF). Center for Democracy and Technology. June 2009. Retrieved June 12, 2014.

[14] “HIPAA: What? De-identification of Protected Health Information (PHI)”. HIPAA Research Guide. University of Wisconsin-Madison. August 26, 2003. Retrieved June 12, 2014.