Leavitt’s Framework Shoehorns the HIPAA Privacy Rule onto Your Personal Health Information


by Vince Kuraitis and David C. Kibbe MD, MBA

Have you ever heard anyone tell a happy story of how easy it is to get a copy of their paper medical records?

Departing Health and Human Services Secretary Mike Leavitt is laying the groundwork for this same story to apply to access to YOUR electronic personal health information.

Here’s an overview of what evolved into a long posting:

  1. Analysis: The Leavitt Framework Uses the HIPAA Privacy Rule as a Baseline for Electronic Access to Personal Health Information
  2. Implication: Extending the HIPAA Privacy Rule Could Restrict Your Electronic Access to Your Personal Health Information
    • A. The HIPAA Privacy Rule Should Not Be the Baseline for Governing Electronic Access to Your Personal Health Information
    • B. Examples: Extending the HIPAA Privacy Rule Creates Barriers and Confusion
  3. Implication: Extending the HIPAA Privacy Rule Protects Incumbents at the Expense of Innovators Like Microsoft and Google
  4. Conclusion: The Leavitt Framework Creates Bad Public Policy

1) Analysis: The Leavitt Framework Uses the HIPAA Privacy Rule as a Baseline for Electronic Access to Personal Health Information

On Monday, HHS issued a press release: Secretary Leavitt announces New Principles, Tools to Protect Privacy, Encourage More Effective Use of Patient Information to Improve Care. There are multiple supporting documents, including:

Warning: these documents make for long and confusing reading; they require interpretation and judgment, and we welcome other points of view. We’ll refer to the collection of documents as “Leavitt’s Framework”. Health care attorney Bob Coffield also provides a map and summary of the press release and Leavitt’s Framework.

Leavitt’s Framework is intended to:

establish a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. [NPS Framework, p.1]

Today, your right to access your health information is governed by the HIPAA Privacy Rule:

The Privacy Rule applies to health plans, health care clearinghouses, and those health care providers who conduct electronically certain financial and administrative transactions that are subject to the transactions standards adopted by HHS. See 45 C.F.R. § 160.103 (definition of “covered entity”). The Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information by requiring appropriate safeguards to protect privacy, and by setting limits and conditions on the uses and disclosures that may be made of such information. The Privacy Rule also gives individuals certain rights with respect to their health information. [Privacy and Security Framework: Introduction, p. 2]

Leavitt’s Framework attempts to extend the HIPAA Privacy Rule to become the baseline for electronic access to your personal health information:

The Privacy Rule provides a strong foundation for developing electronic health information exchange relationships and business models. Its underlying policies and provisions reflect the careful balance between protecting the privacy of individuals’ PHI and assuring that such health information is available to those who need access to it to provide health care, payment for care, and for other important purposes. The Privacy Rule’s provisions also provide considerable flexibility to accommodate covered entities’ utilization of HIOs (Health Information Organizations) and networked environments. [Privacy and Security Framework: Introduction, p. 2]

2) Implication: Extending the HIPAA Privacy Rule Could Restrict Your Electronic Access to Your Personal Health Information

Timely access to your personal health information can be a matter of life and death.

Today, accessing your personal health information (or medical records) from hospitals, health plans or doctors can be time-consuming and frustrating. You must submit a request in writing. You’ll receive a paper copy of your records, perhaps weeks later. You and your health care providers will struggle to distill essential information from the stacks of paper.

We intuitively understand that access to personal health information could be greatly enhanced by the use of health information technology (HIT).

A) The HIPAA Privacy Rule Should Not Be the Baseline for Governing Electronic Access to Your Personal Health Information

Leavitt’s Framework tries to retrofit HIPAA Privacy Rule right of access “protections” onto a digital world.

There’s no question we need a new regulatory framework to clarify access and privacy for personal health information in a digital environment…but HIPAA isn’t it.

HIPAA standards predate the Internet. The effect of using the HIPAA Privacy Rule to clarify electronic access protects the interests of health care incumbents (hospitals, doctors, health plans). These incumbents do not have appropriate economic incentives to provide you with timely and complete access to your personal health information.

There are much better articulations of principles that should govern appropriate access and privacy protections for personal health information in a digital world. For example, there’s the Markle Framework for Networked Personal Health Information and the eHealth Initiative Blueprint. Both of these documents were developed through consensus processes with representation from a wide range of industry constituencies.

B) Examples: Extending the HIPAA Privacy Rule Creates Barriers and Confusion

Here are some specific examples where Leavitt’s approach of using the HIPAA Privacy Rule as a baseline is problematic:

1) What defines “timely” access?

Leavitt’s Framework does not adequately specify criteria for timely access to your personal health information. The fallback point is the HIPAA Privacy Rule:

The Privacy Rule requires covered entities to respond to requests for access in a timely manner. Except as otherwise specified, the Privacy Rule requires the individual be notified of the decision within 30 days of the covered entity’s receipt of the request. See 45 C.F.R. § 164.524(b)(2)(i). While the Privacy Rule establishes the 30 days as an outside limit, it does not preclude covered entities from responding sooner. [HIPAA Privacy Rule’s Right of Access and HIT, p.2]

Should 30 days be the baseline (default expectation) for accessing your personal health information in a digital world? The Leavitt principles don’t say otherwise.

The eHealth Initiative Blueprint recommends more realistic guidelines for electronic access to personal health information:

6. Where electronically available, consumers should be able to acquire historical data from providers, payers and other entities to generate a more complete longitudinal record.

6.2 Congress should require digitization of an agreed upon core set of health data (such as the CCD or CCR) beginning in 2017.

6.3 Congress should require those who hold digital health data about a patient (providers, insurers, labs, etc.) to make it available to him/her in digital form upon request. [eHealth Initiative Blueprint, p. 18]

“Upon request” is a clearer standard to work toward in a digital environment.  The burden of justifying exceptions should be placed on entities possessing personal health information.

2) Why Isn’t Portability Guaranteed?

Leavitt’s Framework does not guarantee portability for your personal health information:

In addition, a PHR offered by a covered entity may not be portable, so individuals may not be able to take their PHR with them when they switch health care providers or health plans. In these cases, as above, individuals who want comprehensive records may have to retrieve information from their prior PHR or directly from their health care provider or health plan and input the information directly into any new PHR. [PHRs and HIPAA Privacy Rule, p.3]

Your personal health information should be portable, period.

Markle’s principles are much clearer: “Consumer Access Services should provide mechanisms for the consumer to export information from her account in standard formats. The ideal state is that consumers would have a menu of output formats that are both human-usable and machine-readable.” [Markle Consumer Technology 5 — Portability of Information, p.1]

3) Why Doesn’t Leavitt’s Framework Promote Electronic Access?

By defaulting to the HIPAA Privacy Rule, Leavitt’s Framework does not provide for staged transition from paper to electronic records.

The Privacy Rule requires covered entities to provide access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format. …Electronic access may provide individuals with more timely access to more information in a more convenient manner. For example: Electronic copies of PHI may be downloaded to USB thumb-drives or copied to compact discs relatively quickly and may provide individuals with a more convenient means of transporting and maintaining the information. [HIPAA Privacy Rule’s Right of Access and HIT, p.4]

Markle’s principles state that “Consumers should have a convenient means to request electronic copies of their information from health data sources.” [Markle Consumer Policy 8 — Consumer Obtainment and Control of Information, p.2]. The eHealth Initiative principles called for digitization of an agreed upon core set of health data by 2017.

Download your data to a USB thumb drive?  Get real.  When’s the last time you went to a bank and said “Please transfer a copy of last month’s banking statement to my thumb drive”?  Anyone at HHS heard of the Internet? Even George Bush is aware of The Google.

4) Why Doesn’t Leavitt’s Framework Guarantee an Audit Trail?

Here’s Leavitt’s idea of procedures to find out who’s seen your data:

Persons and entities, that participate in a network for the purpose of electronic exchange of individually identifiable health information, should provide reasonable opportunities for individuals to review who has accessed their individually identifiable health information or to whom it has been disclosed, in a readable form and format. [NPS Framework, p.7]

Compare this to Markle’s language for review: “Immutable Audit Trails”  [Markle Consumer Technology 3 — Immutable Audit Trails].  Which makes you feel more protected — “reasonable opportunities…to review” or an immutable audit trail?

3) Implication: Extending the HIPAA Privacy Rule Protects Incumbents at the Expense of Innovators Like Google and Microsoft

Let’s remember that Leavitt’s Framework is intended to:

establish a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. [NPS Framework, p.1]

Microsoft and Google have been pioneers in creating modern personal health information platforms designed to bring health care information flow into the digital age.

Microsoft HealthVault and Google Health have (understandably) maintained that they are not subject to HIPAA. Here’s Microsoft’s interpretation:

HIPAA was designed to regulate the flow of health information when it is out of the patient’s direct control—for example, when it is forwarded to third-party billing services by a healthcare provider. At the same time, the HIPAA authors clearly recognized that patients have a right to a copy of their own health information, and built into the legislation an explicit mechanism that allows for patients to request and receive that copy.

The obligations that HIPAA places on covered entities and business associates do not apply to the copy under the patient’s control, because patients are in the best position to decide which parts of their information they want to share, and with whom they share it.

Leavitt’s Framework appears to create a broad definition of a Health Information Organization (HIO) that would be covered under HIPAA “business associate” language.

Q1: Is a health information organization (HIO) covered by the HIPAA Privacy Rule?
A1: Generally, no. The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct covered transactions. The functions a HIO typically performs do not make it a health plan, health care clearinghouse, or covered health care provider. Thus, a HIO is generally not a HIPAA covered entity. However, a HIO that performs certain functions or activities on behalf of, or provides certain services to, a covered entity which require access to PHI would be a business associate under the Privacy Rule. See 45 C.F.R. § 160.103 (definition of “business associate”). HIPAA covered entities must enter into contracts or other agreements with their business associates that require the business associates to safeguard and appropriately protect the privacy of protected health information. [Privacy and Security Framework: Introduction, p.3]

Thus, Leavitt’s Framework appears to interpret HIPAA differently than would Microsoft, Google and almost all proponents of patient-controlled personal health records.

Leavitt’s logic seems to be that when a HIPAA covered entity places ANY of your personal health information into HealthVault’s or Google Health’s data repository, that information remains controlled by the covered entity (not you) under HIPAA’s business associate restrictions.

Google and Microsoft might well view being regulated under HIPAA this way as a deal killer for their personal health information platforms.

But there’s one more twist.  Leavitt’s Framework also creates fear, uncertainty and doubt (FUD) for doctors, hospitals and health plans that want to receive information FROM HealthVault or Google Health:

Covered entities should be aware, however, that whatever information they import into their electronic records via a network may become an integrated part of their designated record set(s). [HIPAA Privacy Rule’s Right of Access and HIT, p.7]

The implications here are also staggering.  It suggests that any information that a doctor, hospital or health plan receives FROM HealthVault or Google becomes part of the provider’s official electronic health record.  Providers will think twice before importing information that raises questions such as “How do I know the information from a patient’s PHR is accurate or valid? How do we assess volumes of new patient information that we’ve never dealt with before? Is there anything in here that creates an obligation for me to provide care?”

It’s another possible deal killer for these innovative personal health information platforms.

Thus, both coming and going, Leavitt’s Framework risks stifling appropriate liquidity (flow) of your personal health information.  Again, we recognize the need for a new regulatory framework to govern personal health platforms, but extending HIPAA isn’t it.

Is the Leavitt Framework legally defensible?  It strikes us as being a stretch, but we really don’t know. If Microsoft and Google don’t fold up their tents, the answer might come only after a lengthy court battle.

4) Conclusion: The Leavitt Framework Creates Bad Public Policy

Leavitt’s Framework conjures a vision of Leavitt saying to his legal staff  “Here’s the public policy we want to create.  Write a document justifying an interpretation of HIPAA that is consistent with this policy”.

Leavitt’s Framework creates bad public policy.  Rethinking this framework should be at the top of the list for Obama’s health care staff.
