The Health Insurance Portability and Accountability Act (HIPAA) may soon cover not just health care organizations but also providers of electronic personal health records (EPHRs), records that belong to the patient rather than the medical establishment and are hosted by a number of commercial services. Enacted in 1996, HIPAA mandates the privacy of patients and the security of their medical records, also known as protected health information (PHI).
Those compliance requirements, however, have applied only to covered entities such as health care providers, health insurers and health care clearinghouses. The new framework released by the Department of Health and Human Services (HHS) suggests that HIPAA may soon be extended to other organizations that handle or host EPHRs, such as Microsoft's HealthVault and Google Health.
Securing digital prescriptions
This New Year's Day, Medicare will launch an "e-prescribing incentive plan," offering doctors bonus payments for prescribing medicine electronically. And starting in 2012, Medicare will penalize doctors who continue to write prescriptions on paper.
The program, defined by Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and MIPPA as a whole pose challenges for CIOs. In an effort to provide guidance, HHS released on Dec. 15 the National Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information.
HHS intends the new framework to provide guidance to both medical and IT professionals addressing privacy and security concerns related to EPHRs exchanged in a network, regardless of the specific health care compliance requirements applicable to a particular organization. The framework provides policy guidelines and a set of principles but does not enshrine them in a legal directive. Congress may adopt the principles in a codified form if proposed e-health legislation from President-elect Barack Obama's incoming administration passes.
Health care CIOs who want to stay ahead of potential HIPAA compliance requirements applicable to EPHRs would do well to consider the following questions, drawn from suggestions by the Healthcare Information and Management Systems Society (HIMSS):
- Where are the servers storing PHI located? If they are hosted in an external data center, is health data encrypted before it leaves the hospital's network, and is it encrypted while stored there?
- If a hospital allows patients and doctors to use and exchange PHI online, how are those users authenticated, and what access controls limit what each of them can see and change?
- If access controls are in place, is multifactor authentication used, or does a single password protect the records?
- Content standards that allow interoperability with Google Health or HealthVault are important. Have you chosen a content standard such as the Continuity of Care Record (CCR), and a transport standard for exchanging it?
Life as a Healthcare CIO, a blog written by Dr. John Halamka, CIO at Harvard Medical School and CareGroup Inc., tracks EPHR developments and asks questions about use and implementation. Halamka commented on the HHS privacy framework on the day of its release, noting with approval that "Secretary Leavitt [had] released the nation's first national privacy framework for personal health records."
2009 is fast approaching. Enjoy celebrating the new year. And then, if you haven't already, start determining how, where and when electronic health records enter, leave and are stored on your network. If you have doctors who might be sending and storing e-prescriptions over a network you administer, your compliance may depend upon it.
This was first published in December 2008