Manage Learn to apply best practices and optimize your operations.

Health care compliance gets boost from national HHS privacy framework

A new Health and Human Services framework provides privacy principles that can be applied to all organizations that create platforms or products that process electronic personal health records.

The growth of 'e-health' infrastructure is likely to leave health care CIOs with a host of potential compliance headaches that will last longer than the normal New Year's Day hangover.

New Medicare provisions for digital prescriptions and expanded HIPAA influence, quietly put forth in a Health and Human Services framework earlier this month, mean more organizations will need to grapple with health care compliance issues protecting patient information in 2009. The e-prescription program will include incentives in 2009 and begin including disincentives for continued paper use in 2012.

The Health Insurance Portability and Accountability Act (HIPAA) may soon cover not just health care organizations but also providers of electronic personal health records (EPHRs), which belong to the patient rather than the medical establishment and are hosted by a number of commercial services. Since 1996, HIPAA has mandated the privacy of patients and the security of medical records, also known as protected health information (PHI).

Legal compliance requirements around EPHRs, however, have applied only to entities like health care providers, health care insurers and health care clearinghouses. The new framework released by the Department of Health and Human Services (HHS) suggests that HIPAA may be soon be extended to other organizations that handle or host EPHRs, such as Microsoft's HealthVault and Google Health.

Securing digital prescriptions

This New Year's Day, Medicare will launch an "e-prescribing incentive plan," offering doctors bonus payments for prescribing medicine electronically. And starting in 2012, Medicare will penalize doctors who continue to write prescriptions on paper.

The program, defined by Section 132 of the Medicare Improvements for Patients and Providers Act of 2008 (MIPPA), and MIPPA itself mean challenges for CIOs. In an effort to provide guidance, the HHS released on Dec. 15 the National Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information [PDF].

HHS intends the new framework to provide guidance to both medical and IT professionals addressing privacy and security concerns related to EPHRs exchanged in a network, regardless of the specific health care compliance requirements applicable to a particular organization. The framework provides policy guidelines and a set of principles but does not enshrine them in a legal directive. Congress may adopt the principles in a codified form if proposed e-health legislation from President-elect Barack Obama's incoming administration passes.

Health care CIOs who want to stay ahead of potential HIPAA compliance requirements applicable to EPHRs would do well to consider the following suggestions from the health care Information and Management Systems Society:

  • Where are the servers storing PHI located? If they are hosted in an external data center, is health data sent outside a hospital encrypted?
  • If a hospital allows patients and doctors to use and exchange PHI online, what access controls are in place for authentication?
  • If access controls are in place, is multifactor authentication used?
  • Content standards that allow interoperability with Google Health or HealthVault are important. Have you chosen a "transport standard" or Continuity of Care Record?

Life as a health care CIO, a blog written Dr. John Halamka, CIO at Harvard Medical School and CareGroup Inc., tracks EPHR developments and asks questions about use and implementation. Halamka commented on the HHS privacy framework on the day of its release, noting with approval that "Secretary Leavitt [had] released the nation's first national privacy framework for personal health records."

2009 is fast approaching. Enjoy celebrating the new year. And then, if you haven't already, start determining how, where and when electronic health records enter, leave and are stored in your network. If you have doctors who might be sending and storing e-prescriptions over a network you administrate, your compliance may depend upon it.

Let us know what you think about the story; email: Become a member of

Dig Deeper on Small-business IT strategy

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.