April 22, 2008

The Honorable Michael O. Leavitt
Chairman
American Health Information Community
200 Independence Avenue, S.W.
Washington, D.C. 20201

Dear Mr. Chairman:

The American Health Information Community (AHIC) has identified and prioritized several health information technology applications, or “breakthroughs,” that could produce specific and tangible value to health care consumers. To address these breakthrough areas, the Confidentiality, Privacy, and Security Workgroup (the CPS Workgroup) was formed and given the following broad and specific charges:

Broad Charge for the CPS Workgroup: Make recommendations to the AHIC regarding the protection of personal health information in order to secure trust and support appropriate electronic health information exchange.

Specific Charge for the CPS Workgroup: Make actionable confidentiality, privacy, and security recommendations to the AHIC on specific policies that best balance the needs between appropriate information protection and access to support, and accelerate the implementation of the consumer empowerment, chronic care, and electronic health record related breakthroughs.

Background:

On February 26th, 2008, the AHIC CPS Workgroup presented two sets of recommendations to the AHIC for recommendation to the Secretary of the Department of Health and Human Services. Following the CPS Workgroup’s presentation, and subsequent discussion by the AHIC, the CPS Workgroup was asked to reframe its recommendations. In response to AHIC’s request, we submit the following reframed recommendations as an addendum to our original letter that contains the context and rationale for our recommendations.

As we noted in our February 26th letter, the recommendations below are neither meant to discount or detract from the privacy rights of patients or consumers, nor reduce the type of protections that should be provided in an electronic health information exchange network. Our recommendations are meant to pragmatically exempt HIEs who are merely acting on behalf of another covered entity from HIPAA Privacy Rule provisions that would otherwise require them to provide certain information directly to patients. All rights will continue to apply in full through the entity with whom the consumer or patient has an independent relationship. Moreover, HIEs will continue as they do today to assist these Covered Entities as appropriate in providing individual rights pursuant to existing Business Associate Agreements.

Recommendations:

Recommendation 1.0:
The obligation to provide “individual rights” and a notice of privacy practices under the HIPAA Privacy Rule should remain with the health care provider or health plan who today has an independent relationship with a patient or consumer and not an HIE. The CPS Workgroup recommends that health information exchanges (HIEs) and regional health information organizations (RHIOs) (collectively referred to in this letter as HIEs) that do not have “independent relationships” with patients or consumers be exempt from meeting the following HIPAA Privacy Rule requirements:

  • §164.520 Notice of privacy practices for protected health information;

  • §164.522 Rights to request privacy protection for protected health information;

  • §164.524 Access of individuals to protected health information;

  • §164.526 Amendment of protected health information; and

  • §164.528 Accounting of disclosures of protected health information.

Recommendation 1.1: HIEs should make publicly available on their website (or through other means) a document that reasonably and accurately describes in plain language how they use and disclose health information and their privacy policies and practices, as well as how they safeguard patient or consumer information.

Conclusion:

The exemption of these requirements does not mean that HIEs would now be able to use or disclose health information in ways that Covered Entities or Business Associates could not; all other HIPAA requirements continue to apply. The exemption merely recognizes that it is impractical to impose these particular “individual rights” requirements on HIEs who do not have independent relationships with patients. If, in the future, HIEs were to establish independent relationships with individuals, the CPS Workgroup would expect HIEs to follow all of the rules that are in place today (e.g., all HIPAA privacy and security requirements including an individual's right to access, amendment, request privacy protection, and accounting of disclosures). Moreover, under our current recommendations, HIEs would still have an obligation consistent with any existing Business Associate Agreements to assist a Covered Entity in complying with these “individual rights” where appropriate. For example, an HIE could be required to assist a Covered Entity in responding to an individual’s request to amend information in the medical record where appropriate (i.e., satisfying the requirement within §164.526(c)(3)).

Thank you for giving us the opportunity to submit these reframed recommendations. We look forward to discussing them with you and the members of the American Health Information Community.

Sincerely yours,

Kirk J. Nahra
Co-Chair
Confidentiality, Privacy, and Security Workgroup

Deven McGraw
Co-Chair
Confidentiality, Privacy, and Security Workgroup