Protected Patient Information in the Digital Era

Believe it or not, the HIPAA omnibus has not had a major overhaul since the late 1990s.  The original Health Insurance Portability and Accountability Act was released in 1996.  An updated expansion of the Act is set for official release later this week (the contents of the expansion were unveiled last week).  The Act, which covers the transferability and security of private health information, was, for all intents and purposes, written for the “paper” era, before the transformation brought by today’s digital and mobile age.  As a result, many of its rules were outdated and failed to account for the privacy of patient information in newer channels, such as the dissemination of data over the information “super highway” and through mobile communication devices.  The recent omnibus rule does not adequately address the complexity of today’s digital ecosystem, but it attempts to piece together parts that make the whole run more proficiently.

The HIPAA Privacy, Security, and Enforcement Rules provide guidance on how patient information can be shared in a secured environment.  Failure to comply can lead to a range of penalties, thus incentivizing organizations to ensure that proper compliance and IT standards are met.  Today, however, there is a new generation of channels through which information can be shared and delivered.  My HealthFlock colleague Elizabeth Richards covered this in a recent blog post about HIPAA and Electronic Devices.

The most recent omnibus rule “will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age,” said HHS Secretary Kathleen Sebelius in a statement.  Some of the more relevant new rules include:

  • Health Information Organizations, e-Prescribing gateways, and Personal Health Record providers must be business associates with the providing organization.
  • Business associates (BA) now include entities that create, receive, maintain or transmit Personal Health Information on behalf of a covered entity.
  • Family members and caregivers are permitted to access a deceased person’s records unless that person’s prior expression to the contrary is known.
  • When a covered entity is paid for marketing-related activities, it must obtain patient authorization, let the patient know it is being paid for the activity, and let the patient opt out, even if the activity is with respect to treatment or operations.
  • Notice of Privacy Practices – Providers must prominently display these (online) and make copies of these onsite for patients.

While the Omnibus does bring HIPAA regulations fairly up to date, there are some conspicuous omissions.  The Act falls short with respect to mobile-related activities, such as the opportunity to more strictly enforce a mandatory “wipe requirement” when mobile devices are lost or stolen.  It also lacks auditing requirements, especially for today’s pervasive app environment.

Nonetheless, the Act does go a long way toward bringing many of the “paper trails” from the last millennium current with today’s digital operating environment.  While the final document is slated to be released later this week, you can be assured that the rapidly evolving network of mobile and digital communication media will continue to play a role in the development of a more current and transparent set of rules governing the exchange of patient information.