Privacy Advisor


March 1, 2008

Washington, D.C. KnowledgeNet Gathers to Discuss Electronic Healthcare Records: Are New Rules Necessary?

By Lynn Bunn, CIPP

On January 16, 2008, the IAPP's Washington, D.C. KnowledgeNet kicked off the calendar year with a discussion on Developments with Healthcare E-Records presented by Kirk Nahra. Nahra, a partner with Wiley Rein whose specialties include healthcare, privacy and information security issues, addressed an audience of more than 50 attendees hosted by the offices of Ernst & Young.

As the healthcare system begins to make greater use of electronic records, Nahra provided timely insight into these changes, focusing primarily on:

  • Describing healthcare records ("e-records"), personal health records, and their uses in the marketplace
  • Identifying key privacy and security issues driving the development and implementation of e-records
  • Highlighting concerns underpinning the e-records debate, including potentially reassessing HIPAA and its applicability to address emerging e-records issues

Nahra described the difference between electronic health records maintained by medical services providers and personal health records maintained by individuals. He discussed how the marketplace has yet to fully identify and understand how e-records may require different rules. He then talked about the healthcare data exchanges that are beginning to emerge to facilitate the sharing of e-records.

The Health Insurance Portability and Accountability Act (HIPAA) is not comprehensive enough to address the issues of the new environment of healthcare data exchanges, an environment whose success depends largely on its ability to enforce a set of standardized privacy and security requirements, Nahra said. To date, the marketplace has been slow to apply e-records solutions and new business models for the collection, use, management and sharing of electronic medical records and personal health records.

In particular, the role of Regional Health Information Organizations (RHIOs) as key intermediaries in the infrastructure for the exchange of information was discussed. Nahra explained that many RHIOs are experiencing serious financial difficulties and that their role in the exchange of e-records may not be viable in the near term.

Nahra reminded the audience that HIPAA currently does not provide individuals the right to know who has requested access to their personal health records, both because these records typically are not regulated by HIPAA and because there is no comparable provision under HIPAA. The HIPAA "accounting" rule provides a limited range of information about who has been provided personal health information in limited contexts, but this "individual right" has not been utilized much by individuals under HIPAA. Within the new e-records environment, some privacy advocates believe that individuals will seek greater knowledge of and control over who has access to their medical information and for what purposes.

Other topics included the fundamental question of who bears the responsibility for maintaining and securing electronic health records. Balancing the interests of all e-records stakeholders in the healthcare market will continue to be a challenge, and one that will require multiple solutions. Among the business needs moving forward are the consumer confidence in the system of healthcare data exchange that is required for consumers to use it, cost considerations, and the potential for new privacy laws and regulations to keep pace. One option is Senate bill S.1814, introduced by Senators Kennedy and Leahy, which would seek to revamp HIPAA to address the e-records privacy concerns raised during Nahra's presentation. Nahra predicted that S.1814 would not pass in its current form, but that it is likely to serve as a starting point for legislation.

Some of the comments Nahra offered included:

  • Entities that want to share in the healthcare data exchange system should meet a certain set of criteria for privacy and security
  • HIPAA, as it currently stands, is not a good fit for many of the entities that will be involved in the new systems of electronic health records, and the "business associate" aspects of the HIPAA rules are an inadequate approach to the evolving market
  • Different players need to be covered directly under these requirements (versus depending solely on business and contractual agreements)

Nahra stressed that the legal issues surrounding electronic medical records are not simply a debate about whether the current HIPAA regulations are adequate. Rather, he pointed out that the expanding use of e-records affects the entire healthcare value chain and raises issues that need to be addressed on their own merits, independently of one's views of HIPAA. We should expect to see big developments in the future, but they may be slow to arrive, as the healthcare data exchange system is still relatively in its infancy.

A copy of Kirk Nahra's presentation can be found at

Lynn Bunn, Privacy Business Lead, Booz Allen Hamilton; William B. Baker, Partner, Wiley Rein LLP; and Martha Landesberg, Director of Policy & Counsel, TRUSTe, are co-chairs of the IAPP Washington, D.C. KnowledgeNet.