February 2000
Issue: Privacy and Telemedicine
The Department of Health and Human Services
(HHS) is developing important electronic
data standards and privacy regulations.
Under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), the
Secretary of HHS must develop final regulations
by February 2000 because Congress did not
pass health information privacy legislation
by August 1999. HIPAA requires that HHS
adopt national standards for administrative
and financial electronic data transactions
and protect the security and privacy of
transmitted information. How might proposed
regulations affect telemedicine practitioners?
Discussion
In 1999, the Secretary of Health and Human
Services released several Notices of Proposed
Rulemaking (NPRM) pertaining to HIPAA.
The most recent NPRM was released on November
3, 1999, with proposals for standards
for the privacy of individually identifiable
health information. The comment period
for this rulemaking was open until Feb.
17, 2000. Among other things, this NPRM
proposes that health providers must get
written authorization from patients for
the use and disclosure of health information
and must maintain administrative and physical
safeguards to protect electronic health
information. With privacy regulations
pending, telemedicine practitioners may
need to consider important questions,
such as:
Videoconferencing
- Would an interactive videoconferencing
consultation be considered "protected
health information?"
- If so, should videotape of a teleconsultation
be kept as part of the patient record?
If video must be discarded, how should
it be discarded? If not, how long should
the tape be stored with authorization
from a patient?
Store and Forward Digital Information
- Should "store and forward"
images be identified using only a patient
code?
- Will de-coupling image and identifier
information create greater problems
rather than resolving them?
Training
In addition to medical practitioners,
how will employers train other employees
with access to patient data, such as video
camera operators, on confidentiality?
Legal questions
- What kind of protocol would practitioners
need to notify patients about telehealth
privacy authorization?
- When would it be necessary to draw
up privacy contracts with non-medical
providers in a telemedicine consultation?
In addition to these types of questions,
another issue that will most likely affect
telemedicine practitioners is the variation
among state privacy laws. HHS proposes
that Federal laws preempt state laws that
are in conflict with regulatory requirements
or those that provide less stringent privacy
protections. However, for those states
that have more stringent privacy laws,
the state law would preempt Federal law and
telemedicine practitioners could be faced
with a patchwork of state privacy standards.
All states have laws governing the use
and disclosure of health information with
a wide variety of protections.
Background
Under the proposed privacy rules, covered
entities must protect identifiable health
information against deliberate or inadvertent
misuse or disclosure. Consequently, health
plans and providers must maintain administrative
and physical safeguards to protect the
confidentiality of health information,
as well as protect against unauthorized
access.
These entities must inform individuals
about how their health information is
used and disclosed and ensure them access
to their information. Written authorization
from patients for the use and disclosure
of health information for most purposes
is also required, with the exception of
health care treatment, payment and operations
(and for certain national priority purposes).
Entities that misuse personal health
information could be punished. Under HIPAA,
the Secretary can impose civil monetary
penalties, and criminal penalties can be
imposed for certain wrongful disclosures
of protected information.
Entities covered by this rule:
- Health care providers who transmit
health information electronically
- Health plans
- Health care clearinghouses
Protected health information:
- Electronic information (either transmitted
or maintained in a computer).
- Information must be identifiable.
If it has any components that could
be used to identify the subject, it is
covered.
What you need to know
- Comments on the HHS Privacy NPRM can
be viewed at http://aspe.hhs.gov/admnsimp
- What entities are covered by the
proposed rules?
- What types of Health Information
are covered?
- What are the rights of individuals?
- What are some disclosure rules?
- What are the administrative requirements?
- Will the rules be scalable?
- How long should videotape and electronic
images be maintained?
- What other measures could help limit
breaches of privacy and confidentiality?
Federal Proposed Rulemakings, etc.
State Privacy Laws
General Information on Safeguarding
Information
Next Steps
The Office for the Advancement of Telehealth
will revisit the Department of Health
and Human Services' Privacy NPRM
after comments have been filed and the
Privacy rules have been finalized.
For a short summary of OAT’s January
13, 2000 please see the Privacy,
Security and Confidentiality seminar.