Proposed Stimulus Package Contains Comprehensive Health Privacy Provisions
The proposed American Recovery and Reinvestment Bill of 2009 (“ARRA”), a massive proposal, contains significant provisions concerning the security and privacy of health-related information. If passed, the legislation would result in drastic changes in the US health care system and have a major impact on companies that collect, use, disclose and otherwise process health-related information.
Advancing the Use of Health Information Technology:
Within ARRA is a proposal for the Health Information Technology for Economic and Clinical Health Act or “HITECH Act”. The proposed measure would aim to advance the use of health information technology, such as electronic records. To this end, it would require the government to take a leadership role to develop standards by 2010 that allow for the nationwide electronic exchange and use of health information to improve quality and coordination of care. It would also call for the investment of $20 billion in health information technology infrastructure and Medicare and Medicaid incentives to encourage doctors and hospitals to use health information technology to electronically exchange patients’ health information. By improving the quality of care and care coordination and reducing medical errors and duplicative care, it would aim to save the government $10 billion and to generate additional savings within the health care industry.
Expanding Privacy and Data Security Protections:
The HITECH Act would also improve and expand current federal privacy and security protections for health information. Specifically, it would:
- Establish a Federal breach notification requirement for health information that is not encrypted or otherwise made indecipherable. This obligation would require data controllers to notify an individual if there is an unauthorized disclosure or use of their health information. As reported here, California recently expanded its breach notification obligations to extend to health information. This would make such an expansion a federal requirement.
- Ensure that new entities that were not contemplated when the Federal privacy rules were written, as well as those entities that do work on behalf of providers and insurers, are subject to the same privacy and security rules as providers and health insurers.
- Provide transparency to patients by allowing them to request an audit trail showing all disclosures of their health information made through an electronic record.
- Prohibit the sale of an individual’s health information without their authorization.
- Require that providers obtain authorization from a patient in order to use their health information for marketing and fundraising activities.
- Strengthen the enforcement of federal privacy and security laws by increasing penalties for violations and providing greater resources for enforcement and oversight activities.
This is a proposal that merits close monitoring. The full text of the proposal is available online.
This website, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice. The views expressed on this blog are my personal views alone and do not necessarily reflect views of my employer.




