CAMBRIDGE, MA — Here at the Protected Health Information (PHI) Protection Network’s first conference — attended by senior health system IT leadership, HIPAA legal authorities and vendor privacy executives — a theme is emerging in healthcare leaders’ message: It’s all about the patients.
Discussions at patient data security conferences usually revolve around hot new technologies, emerging threats, and common-sense technical safeguards and policies to protect healthcare businesses. Up until this security confab, we’ve heard health care leaders list their top reasons for HIPAA compliance as protecting a hospital’s revenue stream, its reputation, and its hard-earned place as a trusted entity in a city or community in the face of these regulations that seemingly set them up for failure.
Patient advocacy — actively protecting patient interests by protecting their data — usually gets mentioned in passing, fourth or fifth on the list of reasons to shore up HIPAA compliance programs.
Here, however, it’s all about the patients. Executive attendees still are talking about business priorities and defending their health systems’ reputations in a world where HIPAA is forcing transparency in disclosing data breaches to the patients, press and government overseers. But those business priorities are dropping down the list, slotted somewhere under protecting the patient.
“We’re in the people business,” said attorney James Pyles, who helped draft the HITECH Act that gave rise to federal EHR incentives and who currently is principal at Powers Pyles Sutter & Verville, PC. “We’re treating patients, not manufacturing widgets.”
HITECH’s tightening of privacy provisions and conferring of new patient rights (for example, a patient who pays cash in full for an item or service can require that it not be disclosed to their insurers), Pyles said, resulted from elected officials “hearing about literally millions” of patient records being improperly disclosed. Pyles said he consulted with several senators’ staffs in late-night, bipartisan meetings to help craft the patient-centric principles that gave rise to the HIPAA omnibus rule — and the legislators were focused on patients’ rights.
Here, almost four years later, health care privacy officers and IT leaders seem to be getting the message, and Pyles noted and praised the shift from the dais.
“I want to say how gratified I was to hear some of the remarks in the earlier sessions,” Pyles said after a morning’s worth of sessions, before putting HIPAA questions to the health data security experts. Pyles was referring to several health care executives standing and professing their employers’ “patients above all” philosophies — even though those same organizations might find HIPAA onerous. “I have been involved in health information privacy before we had HIPAA, all through the HIPAA statute and regs, amended rules, HITECH Act and HITECH regs. I’ve been to literally hundreds of meetings in Washington when the patient was not mentioned once. Not one time. … When [health care leaders say] that the patient ought to be at the center of the system, boy do I applaud that.”