Health care industry stakeholders are gathering in Washington, D.C., this week for a three-day summit on changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as the date looms for new health information privacy and security laws to go into effect.
The 18th National HIPAA Summit focuses on the health care privacy and security issues that have resulted from the passage of the American Recovery and Reinvestment Act of 2009 (ARRA). That stimulus law included the HITECH Act, which mandates the meaningful use of health IT.
Under HITECH provisions set to go into effect this month, changes to HIPAA privacy and security controls are coming as well. Previously, organizations that managed personal health information, such as health information exchanges, could operate as business associates in agreements with payers and providers, known as HIPAA-covered entities. When the new privacy laws go into effect Feb. 17, organizations that act as business associates will be required to comply with the same regulations as covered entities.
The summit will discuss the changes in regulations for business associates, among other HIPAA privacy and security issues -- for example, data breaches, compliance, and ensuring security while implementing electronic health records (EHRs) and following meaningful-use criteria under ARRA. In addition, conference speakers will address changes to HIPAA transactions and code sets, as well as the switch from ICD-9 to ICD-10 codes set to go into effect in the next three years. Policymakers also will give presentations about the various laws regarding health IT privacy and discuss pending legislation.
The changes to the ways state and federal governments can enforce the new law for business associates are among the concerns stakeholders have about the HITECH provisions and the changes to HIPAA, said Steve Lazarus, president of Denver-based health IT consulting firm Boundary Information Group. “A lot of business associates don’t even know they’re affected yet,” said Lazarus, who serves as a co-chair of the HIPAA Summit.
Still, there have been several data breaches that have led to “significant” costs for the health care industry, and the new laws help to address those problems, Lazarus said.
Stricter privacy laws too burdensome?
Stakeholders have been questioning the new HIPAA privacy requirements, saying in particular that provisions for disclosing information to patients on request might be too time-consuming and costly for all parties involved.
The National Community Pharmacists Association said last year that smaller, independent pharmacists likely will not have the resources to comply with the new mandates and changes to HIPAA requirements.
“Although pharmacies have been on the leading edge of adoption of HIT, our members will have to make significant modifications and upgrades to their existing systems to comply with many of the HITECH Act’s privacy provisions, such as the breach notification requirement, the accounting of disclosures requirement and patient-requested restrictions on disclosures,” the organization wrote in its letter to the Office of Civil Rights, which oversees some of the HITECH provisions.
Some of the disclosure provisions might be too burdensome for the patients they try to protect, too, according to a health policy consultant. While the new mandates tighten data privacy for the use of information through electronic health records, they do not provide for the disclosure of information electronically, according to consultant Robert Gellman in a summary of HITECH’s privacy and security regulations. If patients who are dealing with a covered entity want to know what every business associate of that entity is doing with their information, they could be led down a lengthy trail, he said.
The mandate “allows a covered entity to reveal only its own disclosures and to provide the requesting patient with a list of names and addresses of business associates. The patient would then have to make a request of each business associate separately,” Gellman wrote.
To that end, the U.S. Department of Health & Human Services has released health information technology privacy guidelines within the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. That framework was developed by the Office of the National Coordinator to facilitate secure information exchange.
Let us know what you think about the story; email Jean DerGurahian, News Writer.