
HHS privacy proposal covers chain of subcontractors

By John Moore

A Health and Human Services Department privacy and security tiger team charged with developing practical guidance on health information exchange has a new angle to consider: a federal rule proposed earlier this week that would extend Health Insurance Portability and Accountability Act (HIPAA) requirements further down the chain of health commerce.

Adam Green, senior health IT and privacy specialist with HHS's Office for Civil Rights, today briefed the tiger team on the proposed modifications to HIPAA's privacy and security rules, announced July 8 by HHS Secretary Kathleen Sebelius.

A key provision of the pending rules would make "downstream" healthcare subcontractors subject to HIPAA's privacy and security requirements. HIPAA, as bolstered under the HITECH Act, already considers a health information exchange a "business associate" of organizations covered by the law. Business associates are required to sign contracts that bind them to HIPAA.

The proposed rule, however, would confer business associate status on subcontractors working with other business associates. Potentially, the requirement could work its way down a number of tiers, as subcontractors to the newly designated business associates would also fall under HIPAA's scope.

Green said each business associate in the chain is to have a "full-fledged business associate agreement" with its subcontractor.

"No business associate down the chain can do anything that would not be permitted by the covered entity and not permitted by the business associate agreement," he said.

The HHS proposed rule proposes that "downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance."

Deven McGraw, chair of the tiger team, said she sees the extension of liability under the rule as a significant move that appears to strengthen the business associate agreement as an accountability tool.

Panel tackles HIE nuances

But while the HHS rule addresses enforcement, the tiger team focuses on policy recommendations for information exchange.

During Friday's meeting the panel took up some nuances of HIE privacy policy, including whether the exchange of personal health information for treatment should be limited to the treatment of the individual who is the subject of the health information.

Noting that family members' information could potentially contribute to a patient's treatment, the group discussed obtaining consent from individuals for broader use of their data.

They brought up cases in which consent may be impossible to obtain, as when maternal information is needed to treat a newborn. Panelists also pointed to the difficulty of developing recommendations for different health information exchange models. The tiger team also discussed how to confirm the relationship between provider and patient to facilitate a personal health information request.

Another topic: should providers not covered by HIPAA, such as those who don't bill for services electronically, participate in data exchange? On that question, panelists supported a recommendation for health information organizations where providers don't have direct control over information disclosure. For those organizations, the panel suggested a contract "to hold all participants to HIPAA, state law and [health information organization] requirements."

During the meeting, the tiger team addressed six of nine privacy and security questions regarding information exchange. The group plans to take up the remaining questions on Tuesday, July 13.