Legal Research: 21st Century Healthcare Privacy

The prominence and role of healthcare information have been elevated by the passage of “The Patient Protection and Affordable Care Act of 2010”[i] aka “Healthcare Reform”. When fully implemented, over 94% of the people in the United States will have some form of health insurance coverage.[ii] By 2019, the Federal government will either fund coverage directly or through subsidies for over 50% of the US population.[iii]

Currently, most health insurance companies are in compliance with the data standards required to bill Medicare.[iv] Going forward, many of the reimbursement incentives for providers will be based on reporting of patient information in electronic medical records (EMR) or electronic health records (EHR). EMR is subject to the patient privacy protections under The Health Insurance Portability and Accountability Act (HIPAA) of 1996.[v]

HIPAA establishes the basic framework for the disclosure of Protected Health Information (PHI).[vi] PHI can be defined as information held by health care providers and other entities that are in possession of information related to health status, provision of health care, or payment for health care services and items.[vii] Currently, HIPAA protection applies to health information that reflects a retrospective analysis. HIPAA was approved in 1996; however, the bulk of the regulations implementing HIPAA were not finalized until 2003.[viii]

The HIPAA-compliant data set did not become fully electronic until 2005 due to security and privacy concerns related to the nature of electronic recordkeeping. As the use of EMR becomes more prevalent, the Centers for Medicare and Medicaid Services, which is responsible for implementing HIPAA safeguards, must react to potential prospective issues related to health records. As it currently stands, the only information included in the HIPAA PHI data set is related to treatments performed on patients as well as the drugs, devices, and supplies necessary for those treatments.

Unlike other payment transactions, such as credit card and bank payments, health care payments will many times require physical manual review to determine if the payment for certain items and services is appropriate. This manual review requires an examination of a patient's PHI and potentially the patient's entire EMR. The ability of health insurance companies to access a patient's EMR poses many privacy concerns. A single PHI data set for a particular office visit or series of treatments may not necessarily provide a snapshot of the patient’s health information. However, the entire EMR may provide some prospective information, such as the results from genetic testing that would have remained private under the old paper system.

As the US government becomes more involved with funding healthcare, the data needs necessary to manage the allocation of limited healthcare resources will continue to grow. For many in the legal community, the HIPAA PHI safeguards are inadequate. The uncertain future of EMR and government healthcare must be addressed by bringing healthcare privacy laws into the 21st century. Many of the protections and safeguards created through HIPAA should be applauded; however, Congress must not fall behind in the regulation of EMR and PHI. The regulations that will be promulgated by the Centers for Medicare and Medicaid Services implementing many of the provisions of Healthcare Reform will provide insight into the direction of health care privacy in the 21st century.





[i] As of March 21, 2010, HR3590 passed by the Senate on December 19, 2009 and HR4872 Reconciliation passed by the House of Representatives on March 21, 2010.

[ii] H.R. 4872, Reconciliation Act of 2010, Cost estimate for the amendment in the nature of a substitute for H.R. 4872, incorporating a proposed manager's amendment made public on March 20, 2010. Congressional Budget Office.

[iii] Id. Includes Medicare, Medicaid, Veterans Affairs, Department of Defense, and individual subsidies.

[iv] 95% of health care providers participate in the Medicare program. Centers for Medicare and Medicaid Services.

[v] 110 Stat. 1936. Public Law 104–191—Aug. 21, 1996

[vi] Id.

[vii] Id.

[viii] 45 C.F.R. 164