
Medical records privacy: It's not just HIPAA rules anymore

Federal Trade Commission and HIPAA rules, as well as individual states' laws, now govern medical records privacy. Providers must cover all bases, including personal health record (PHR) services.

Medical records privacy compliance, previously limited to the Health Insurance Portability and Accountability Act (HIPAA), is set to evolve over the next few years as additional federal rules, as well as state laws, enter the mix.

Robert Belfort, health care law expert for Manatt Phelps & Phillips LLP, said at last month's Healthcare Stimulus Exchange that the dilemma that personal health record (PHR) services present has made adaptation necessary.

Not all legal experts agree on this point, but such consumer-driven services as Google Health and Microsoft HealthVault most likely are not covered under the HIPAA Privacy Rule -- and, by extension, the provider does not have to strike up a HIPAA-mandated business associate agreement with them. But PHR services are subject to Federal Trade Commission consumer privacy regulations and new HITECH Act data breach notification rules that address consumer-facing PHR providers.

Belfort sees many health care providers contracting with Web service providers to build patient PHR portals. Providers following that path should review their business associate agreements to make sure their contractors comply with HIPAA medical records privacy rules, he said.

"We're about to enter a new era of heightened enforcement of HIPAA, both on the privacy and security side," Belfort said, referring to the HITECH Act's empowerment of state attorneys general to prosecute privacy violations under HIPAA rules.

A new restriction that will go into effect later this year prohibits the sale of a patient's personal health information, even if the purpose of that disclosure is otherwise permitted by HIPAA rules. There are a few exceptions to this rule (for treatment or research, for example), but providers should read HIPAA's fine print before entering an agreement under which they are paid, Belfort said.

Providers should not stop their electronic data protection compliance programs at HIPAA rules, however. State privacy laws, too, can cover patient information. For example, New York law focuses more on identity theft, but it covers two pieces of data that can make their way into a patient record -- Social Security and credit card numbers.

Encryption software can solve some medical records privacy compliance issues, Belfort said. Put another way, the absence of it can cause problems leading to the financial and public-relations nightmare of a data breach notification.

"Encryption is not mandated under HIPAA … [but] my view is, on portable devices, encryption is essentially mandatory at this point," Belfort said. "Even though the regs don't say that it is, unless there's some unusual circumstance, if you've got an unencrypted laptop with protected health information on it and it's lost, you're toast." (Under the new data breach notification laws, breaches of encrypted data need not be reported.)


Belfort raised one more privacy point that speaks not to a particular regulation but to legal vulnerability: Providers must consider the promises that their privacy policies make, because juries will penalize providers for failing to hold themselves to standards outlined in a privacy policy.

As a result, medical records privacy policies should eschew such open-ended statements as "We will do everything in our power to protect your personal health information," Belfort said, adding that marketing departments tend to insert such statements to show patients what great things the organization is doing for them.

"Don't promote your security program any more than you really have to," Belfort said. "The only person who will ever read [a privacy policy] is a prosecutor or class-action lawyer trying to show that you didn't live up to your standards articulated to the consumer."

Let us know what you think about the story; email Don Fluckinger, Features Writer.
