Privacy Advisor

VIEWPOINT: The Healthcare Privacy Debate Heats Up

September 1, 2007

Kirk J. Nahra, CIPP

While Congress and many others continue to discuss the appropriateness of the current enforcement approach to healthcare privacy, a broader debate is developing as to whether the existing privacy rules are reasonable and effective in today's evolving healthcare information environment. Several key recent developments are making this debate more interesting and more active — leading to the realistic possibility that we may see new privacy rules for the healthcare industry (and the many others who use healthcare information) in the near future. The key questions will be whether any new rules will target unregulated participants in emerging health information exchange systems or whether changes will seek to regulate further the entire healthcare industry.

Electronic Health Information Exchanges Are Driving the Debate
Much of the current debate is being driven by the extensive discussions about the development of local, state, regional and perhaps national health information exchanges. This debate — encouraged by the Bush Administration push to develop a fully interoperable health information exchange by the year 2014 — is focusing attention on whether this new integrated environment requires a new set of healthcare privacy rules — at least for this environment.

While many groups and entities are examining the privacy and security issues presented by health information exchanges, two groups stand out that have issued important recommendations.

The AHIC Confidentiality, Privacy and Security Workgroup
One of the potentially influential groups dealing with health information exchange privacy and security issues is the Confidentiality, Privacy and Security Workgroup (CPS Workgroup) of the American Health Information Community (AHIC). AHIC is a federal advisory body chartered in 2005 to make recommendations to the Secretary of Health and Human Services on how to accelerate the development and adoption of health information technology. The workgroup was formed in May 2006; its members include representatives of both public and private entities. I chair this workgroup, which is tasked with making recommendations for privacy and security rules in this integrated environment. Recently, the CPS Workgroup issued two key recommendations that relate to how these rules should move forward.

First, a recommendation, made to and adopted by AHIC at its June 12, 2007 meeting, would require:

All persons and entities, excluding consumers, that participate directly in, or comprise, an electronic health information exchange network, through which individually identifiable health information is stored, compiled, transmitted, modified, or accessed should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements.

This recommendation focuses on one of the key differences between this health information exchange environment and the original HIPAA environment, a recognition that there are significant participants in health information exchanges who are not covered, either appropriately or at all, by the current HIPAA rules. Primarily, this recommendation would have an impact on:

  • Healthcare providers who are not covered entities because they do not bill electronically for their services;
  • Personal health records providers who provide services directly to patients, and therefore typically are not covered by the HIPAA rules at all; and
  • Regional Health Information Organizations (RHIOs) and other "networks" that play a central role in these efforts, and typically are, at most, considered "business associates" under the HIPAA rules.

Our workgroup was concerned that these players are central to the operation of health information exchanges, and are important elements of emerging health information technologies. But due to the odd quirks in how the HIPAA rules were passed (focusing on healthcare portability and electronic transactions), they are not subject to the existing privacy and security rules. This recommendation is designed to bring within the regulated community such participants in the exchange of healthcare information.

A second part of our recent recommendation was designed to create a "level playing field" for all participants in these exchanges. The recommendation is as follows:

Furthermore, any person or entity that functions as a Business Associate (as described in 45 CFR §160.103) and participates directly in, or comprises, an electronic health information exchange network should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements, independent of those established by contractual arrangements (such as a Business Associate Agreement as provided for in HIPAA).

This recommendation would turn all of these participants into directly regulated "covered entities." The goal is a "level playing field." Our workgroup believed that different enforcement standards (for example, potential civil and criminal fines vs. breach of contract) were not appropriate, and that all participants in these exchanges should face the same rules and enforcement possibilities. This suggestion clearly is not an attack on the HIPAA requirements themselves (although some workgroup members believe HIPAA doesn't work appropriately). Instead, this recommendation reflects a recognition that neither "industry standards," "best practices" nor voluntary compliance are sufficient. It also is important to recognize that this is not a recommendation to turn all HIPAA business associates into covered entities. Our recommendation relates only to those entities that participate directly in health information exchange networks, and would not affect the multitudes of entities that provide services to healthcare companies without participating in these networks.

This approved CPS Workgroup recommendation also is only a first step — next we will be tackling two important questions. First, we will look at what constitutes a "relevant" HIPAA requirement for particular "direct participants" in a health information exchange network. Clearly, some persons or entities may have an appropriate reason for not needing to meet a particular requirement. The most obvious example involves the information exchange networks themselves, which typically have no relationship with an individual patient and therefore (like healthcare clearinghouses under the current HIPAA rules) have little reason to provide a privacy notice directly to individuals.

Second, we will be looking at what, if any, additional confidentiality, privacy, or security protections may be needed beyond those already contained in the HIPAA Privacy and Security Rules. Simply translated, our question will be, "Is the HIPAA standard 'good enough' in this context?" We will be focusing our attention on whether today's environment for these information exchanges has material differences from the "HIPAA environment" (recognizing the difficulties in determining exactly what the HIPAA environment is) to justify new rules for these health information exchanges.

National Committee on Vital and Health Statistics
Following closely on the heels of the CPS Workgroup recommendations, the National Committee on Vital and Health Statistics (NCVHS) issued its own set of recommendations, on a generally similar topic. The NCVHS recommendations focused on both the HIPAA standards and the scope of coverage under the HIPAA rules.

NCVHS raised "a significant concern… that many of the new entities essential to the operation of the Nationwide Health Information Network (NHIN) fall outside HIPAA's statutory definition of 'covered entity.'" These include a wide variety of entities that may or may not be business associates (along with a wide range of noncovered healthcare providers). NCVHS concluded that "business associate arrangements are not sufficiently robust to protect the privacy and security of all individually identifiable health information." Accordingly, the NCVHS made the following recommendation (which is entirely consistent with the CPS Workgroup recommendation):

HHS and the Congress should move expeditiously to establish laws and regulations that will ensure that all entities that create, compile, store, transmit or use personally identifiable health information are covered by a federal privacy law. This is necessary to assure the public that the NHIN, and all of its components, are deserving of their trust.

Accordingly, these two recommendations, taken together, raise, for the integrated health information exchange community, the need to develop new privacy and security laws that ensure that the full range of entities participating in these networks all face the same rules concerning their use and disclosure of health information. These recommendations reflect a recognition of certain changes in the healthcare landscape arising from these integrated networks, and the necessity of ensuring that healthcare information is protected by a uniform standard, without some of the artificial lines drawn by the HIPAA rules.

Potential New Legislation
The next key development, however, takes these recommendations to a far broader level. Specifically, Sens. Edward Kennedy, D-Mass., and Patrick Leahy, D-Vt., have introduced new legislation (S. 1814) designed to revamp, almost from scratch, the entire landscape of healthcare privacy laws. The bill responds to the premise that "fear of a loss of privacy cannot be allowed to deter Americans from seeking medical treatment." Without any particular focus on health information exchanges, this proposal virtually tosses out the HIPAA rules, in favor of a far more restrictive environment with significantly enhanced risks and penalties for healthcare companies.

Among the most substantial components of the Kennedy-Leahy bill:

  • Abandonment of the Office of Civil Rights as an enforcement agency, in favor of a new Office of Health Information Privacy;
  • Creation of an extensive new notice requirement, including a new variety of "opt-out" rights;
  • A requirement that companies publicly identify their agents and subcontractors;
  • Creation of new "informed consent" procedures, even for treatment and payment uses and disclosures;
  • Requirement for authorizations for a wide variety of other disclosures (where none is required today), particularly healthcare operations;
  • Expansion of civil and criminal penalties;
  • Authorization for enforcement by state attorneys general;
  • Creation of a private right of action for individuals.

This proposal faces a significant uphill battle. While questions persist about the current enforcement approach to the healthcare privacy rules, there does not appear to be any pattern of actual events that indicates a need for new regulatory requirements governing the wide range of practices covered by healthcare privacy rules today. In fact, particularly in the private sector, the healthcare privacy rules seem to be working remarkably well. While security breaches are a daily occurrence in many industries, the healthcare industry has faced only modest problems, almost all of them related to "security" rather than privacy, and most on a relatively small scale (other than the prominent breach concerning the Department of Veterans Affairs). Accordingly, the new proposed legislation presents the certainty of disrupting existing operations and creating enormous new costs for the healthcare industry, without any demonstrated basis for forcing such change.

The debate over healthcare privacy is just beginning. Clearly, there is an emerging consensus that there should be some new rules for the health information exchange environment, mainly designed to ensure that all participants are meeting a set of consistent legal requirements. There is no consensus on whether these new rules should be tougher than HIPAA; moreover, there is no consensus whatsoever that the HIPAA rules are not "good enough" for the rest of the healthcare industry. There also is no obvious set of facts demonstrating that companies currently covered by HIPAA are ignoring their responsibilities or that personal privacy in the healthcare environment is not appropriately protected. Accordingly, while the Kennedy-Leahy bill clearly signals the start of an important debate, it seems to be a significant over-reaction designed to create disruption and expense, without any clearly demonstrated need.

Kirk Nahra, CIPP, is a partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling. He is chair of the firm's Privacy Practice. He serves on the IAPP Board of Directors and is the Editor of The Privacy Advisor. He is the Chair of the Confidentiality, Privacy and Security Workgroup, a panel of government and private sector privacy and security experts advising the American Health Information Community (AHIC). He may be reached at +202.719.7335.

© 2007 Wiley Rein LLP. Reprinted with permission, Privacy in Focus, Sept. 2007 ed. This is a publication of Wiley Rein LLP providing general news about recent legal developments and should not be construed as providing legal advice or legal opinions. You should consult an attorney for any specific legal questions.