Health IT Provisions Under ARRA:
Section 1: Privacy and Security Requirements
Consumers and clinicians must trust that personal data will be protected if they are to support electronic information-sharing in ways that improve the health and care of individuals and populations. Seen this way, policies to protect the privacy and security of an individual's health information are prerequisites for meaningful use of health IT.
Strong and enforceable policies for the privacy and security of information are the foundational requirements for everything that Markle Connecting for Health has advocated since its inception in 2002. Our collaborative has developed a broadly endorsed and comprehensive Common Framework with detailed policy and technology resources for electronic health information exchanges (HIEs) and electronic personal health records (PHRs). A critical requirement for the successful execution of any IT effort is the co-development of information policies to protect information with the selection of technology standards and infrastructure solutions that enforce and implement those policies.
The ARRA provisions make clear the critical importance of coupling technology and policy requirements. The new law enacts many of the principles and policies specified in the Connecting for Health Common Framework that had been previously unaddressed in regulation or federal law. HHS is charged with developing regulations and/or guidance for ARRA's new health information privacy provisions and enhanced enforcement, including the following:
- HIPAA security and privacy rules extended to business associates of HIPAA-covered entities.
- New provisions for notification to consumers of information breaches.
- Limitations on sales of protected health information.
- New guidance on "minimum necessary" (i.e., the notion that no more than the necessary information should be disclosed).
- Guidance on implementation specifications for de-identifying protected health information.
- Individual right to access personal information in electronic format.
- Annual guidance on the most effective technical safeguards for carrying out the HIPAA Security Rule.
- Recommendations on technologies that protect the privacy of health information and promote security.
- Restrictions on use of protected health information for marketing.
- Required consumer access to an accounting of disclosures of information maintained in EHRs.
Clearly, over the course of implementation of ARRA's health IT provisions, the regulations and/or guidance from HHS on these new information policies should drive the functional requirements of technology for compliance. In other words, the requirements of qualified or certified EHR technology should, over time, include capabilities to comply with the law's new privacy and security provisions. These requirements must be sequenced strategically so that they can be implemented in a timely way without creating unrealistic software upgrade and process burdens on clinicians and hospitals.