Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21, 2008 Gerry Hinkley Sixteenth HIPAA Summit/The Privacy Symposium August 21, 2008 Gerry Hinkley
Davis Wright Tremaine LLP About the Speaker 30+ years in health law practice Current Activities: Steering Committee, Connecting for Health Co-Chair, eHealth Initiative Consensus Legislation Task Force - Engaging Consumers and Protecting Privacy HIMSS HIE Steering Committee and Legal Aspects of the Enterprise Task Force 30+ years in health law practice Current Activities: Steering Committee, Connecting for Health Co-Chair, eHealth Initiative Consensus Legislation Task Force - Engaging Consumers and Protecting Privacy HIMSS HIE Steering Committee and Legal Aspects of the Enterprise Task Force
Davis Wright Tremaine LLP Overview What HIPAA does not do What government has historically regulated Forces at work to drive protection of health information beyond HIPAA What we can expect What HIPAA does not do What government has historically regulated Forces at work to drive protection of health information beyond HIPAA What we can expect
Davis Wright Tremaine LLP What HIPAA does not do Doesn’t create a comprehensive right of patient privacy Doesn’t regulate entities other than providers, payers and clearinghouses, such as PHRs and non-covered recipients of data Doesn’t require patient consent for exchange of information for treatment, payment and healthcare operations (TPO) Doesn’t create a private right of action to enforce/remediate violations Doesn’t over-ride more stringent state laws Doesn’t create a comprehensive right of patient privacy Doesn’t regulate entities other than providers, payers and clearinghouses, such as PHRs and non-covered recipients of data Doesn’t require patient consent for exchange of information for treatment, payment and healthcare operations (TPO) Doesn’t create a private right of action to enforce/remediate violations Doesn’t over-ride more stringent state laws
Davis Wright Tremaine LLP What government has historically regulated – sensitive information Federal – consent required for disclosure of Alcohol and drug treatment School health records Medicaid data States – consent required for disclosure of HIV/AIDS, STDs Mental health Substance abuse Genetic testing Cancer Birth defects Federal – consent required for disclosure of Alcohol and drug treatment School health records Medicaid data States – consent required for disclosure of HIV/AIDS, STDs Mental health Substance abuse Genetic testing Cancer Birth defects
Davis Wright Tremaine LLP What government has historically regulated – data breaches 44 States have legislation focused on non-health information – identity theft Most get to health records only if an SSN is included California, Minnesota, Rhode Island have medical records specific requirements This appears to be the beginning of a trend 44 States have legislation focused on non-health information – identity theft Most get to health records only if an SSN is included California, Minnesota, Rhode Island have medical records specific requirements This appears to be the beginning of a trend
Davis Wright Tremaine LLP What government has historically regulated – disclosures A generally recognized right to healthcare information privacy Access by patients By providers to insurers is limited Commercial uses by insurers, HMOs restricted Psychotherapy notes protected Private rights of action by patients A generally recognized right to healthcare information privacy Access by patients By providers to insurers is limited Commercial uses by insurers, HMOs restricted Psychotherapy notes protected Private rights of action by patients
Davis Wright Tremaine LLP Forces at work to drive protection of health information beyond HIPAA Public opinion in response to headlines State legislatures addressing HIT generally Privacy and Security Solutions Project Multi-state collaborations Consent options Harmonizing state privacy laws Legislative template Common taxonomy to permit cross- boundaries analysis In-state initiatives State privacy boards Devising state mandates Public opinion in response to headlines State legislatures addressing HIT generally Privacy and Security Solutions Project Multi-state collaborations Consent options Harmonizing state privacy laws Legislative template Common taxonomy to permit cross- boundaries analysis In-state initiatives State privacy boards Devising state mandates
Davis Wright Tremaine LLP What we can expect - federal Continued federal efforts to create true privacy legislation Government studies of privacy and security issues and making of policy recommendations: Creation of HIT Policy Committee within HHS GAO study regarding protection of health information by parties not subject to HIPAA "Qualified HIT Systems" and "Qualified Personal Health Records" Qualification standards will include privacy and security requirements Promotion of those systems to increasing consumer awareness of privacy protections and rights Continued federal efforts to create true privacy legislation Government studies of privacy and security issues and making of policy recommendations: Creation of HIT Policy Committee within HHS GAO study regarding protection of health information by parties not subject to HIPAA "Qualified HIT Systems" and "Qualified Personal Health Records" Qualification standards will include privacy and security requirements Promotion of those systems to increasing consumer awareness of privacy protections and rights
Davis Wright Tremaine LLP What we can expect - federal Government engaging and educating the consumer on privacy issues Development of loan programs for HIE to include programs to engage consumers in the development of privacy and security policies Secretary of HHS is to develop and implement a national education initiative that enhances public understanding of privacy and security issues Enhanced regulation of HIPAA covered entities, i.e., the FTC is to develop a model notice of privacy practices for use by HIPAA covered entities Government engaging and educating the consumer on privacy issues Development of loan programs for HIE to include programs to engage consumers in the development of privacy and security policies Secretary of HHS is to develop and implement a national education initiative that enhances public understanding of privacy and security issues Enhanced regulation of HIPAA covered entities, i.e., the FTC is to develop a model notice of privacy practices for use by HIPAA covered entities
Davis Wright Tremaine LLP What we can expect - federal Regulation of non-HIPAA covered entities with respect to privacy and security issues HIE organizations that are not covered entities will be required to develop and publicize a description of their privacy and security policies (i.e., a notice of privacy practices by another name) The FTC will monitor privacy and security practices by organizations that collect health information but are not subject to HIPAA Regulation of non-HIPAA covered entities with respect to privacy and security issues HIE organizations that are not covered entities will be required to develop and publicize a description of their privacy and security policies (i.e., a notice of privacy practices by another name) The FTC will monitor privacy and security practices by organizations that collect health information but are not subject to HIPAA
Davis Wright Tremaine LLP What we can expect - states Organized efforts within states to identify legislatable topics around privacy and security State legislation focused on Expansion of existing laws to encompass electronic storage and transmission Consumer access and rights with respect to records Increased requirements and specificity for patient consent for HIE Organized efforts within states to identify legislatable topics around privacy and security State legislation focused on Expansion of existing laws to encompass electronic storage and transmission Consumer access and rights with respect to records Increased requirements and specificity for patient consent for HIE
Davis Wright Tremaine LLP What we can expect - states State legislation focused on Expansion of HIPAA “covered entities” States allowing HIPAA to pre-empt more stringent state laws Imposition of privacy and security principles through government grant- making Increased enforcement mechanisms Consistency of terms Accreditation of HIEs as a means for policies to cross state lines State legislation focused on Expansion of HIPAA “covered entities” States allowing HIPAA to pre-empt more stringent state laws Imposition of privacy and security principles through government grant- making Increased enforcement mechanisms Consistency of terms Accreditation of HIEs as a means for policies to cross state lines
Davis Wright Tremaine LLP What we need Consistent elements across state lines for Accountability, enforcement Purpose of disclosure Consent process Data quality Individual rights Security safeguards Notification Openness Limitations on use Consistent elements across state lines for Accountability, enforcement Purpose of disclosure Consent process Data quality Individual rights Security safeguards Notification Openness Limitations on use
Davis Wright Tremaine LLP This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Copyright 2008, Davis Wright Tremaine LLP (reprints with attribution permitted) This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Copyright 2008, Davis Wright Tremaine LLP (reprints with attribution permitted)