Electronic Healthcare Records, Healthcare Information Exchange (HIE), Legislation

Draft Bill Tackles EHR Privacy, Security Issues

Senate Committee's Proposal Addresses Interoperability, Secure Data Exchange
With more than $30 billion spent on the HITECH Act's "meaningful use" electronic health records incentive program, Congress has been scrutinizing EHR interoperability, secure health data exchange and a number of other issues related to security and privacy.

Now those issues and others are being addressed in draft legislation.

The draft, unveiled Jan. 20 by the Senate Committee on Health, Education, Labor and Pensions, aims to tackle a variety of important health IT issues. But while some privacy and security experts say the bill is a good first step, others question whether it will gain enough momentum to earn passage.

The proposal is part of the Senate's overall response to the 21st Century Cures Act, which the House passed last year aiming to speed up medical innovation, notes privacy attorney Kirk Nahra of law firm Wiley Rein. That bill calls for, among other things, revamping the HIPAA Privacy Rule to allow the use and disclosure of protected health information for research purposes without patient authorization if covered entities or business associates are involved in the use or exchange of the data.

"Rather than putting everything in one huge bill, like the House did, the Senate is breaking this into smaller pieces, with this [health IT draft bill] being one of the pieces," he says. "This particular bill tries to focus on a variety of health IT topics that have gotten bogged down in bureaucratic and technical details over the past few years."

Key Provisions

The Senate draft recommends that steps be taken to:

  • Create an unbiased rating system for health IT products to help healthcare providers choose them based on security, usability and interoperability, among other issues;
  • Address EHR interoperability, including working with data sharing networks to develop a model framework and common agreement for the secure exchange of health information to help foster a "network of networks";
  • Develop a digital provider directory to facilitate exchange and enable users to verify the correct recipient;
  • Create a way of certifying that EHR systems are capable of trusted data exchange;
  • Require that HHS consider standards developed in the private sector;
  • Empower patients to access their electronic health information through secure and user-friendly software;
  • Give HHS' Office of Inspector General the authority to investigate and establish deterrents to information blocking practices that interfere with appropriate sharing of electronic health information;
  • Direct the Governmental Accountability Office to conduct a study to review methods for securely matching patient records to the correct patient.

Step in Right Direction?

Samantha Burch, senior director of Congressional affairs at the Healthcare Information and Management Systems Society, says the draft bill is a big step in the right direction in addressing secure exchange of patient information, information blocking and patient ID matching.

Burch says she's also pleased that the draft bill asks GAO to study patient identity matching issues. HIMSS, as well as some other high-profile industry groups, including the College of Healthcare Information Management Executives, have been urging Congress to lift a ban on HHS financially supporting the development of a national patient ID system (see Making A Case for a National Patient ID).

When Congress passed HIPAA in 1996, the law called for the creation of a unique health identifier for individuals. In response to concerns about privacy and other issues, Congress in 1999 passed a law prohibiting federal funding for the identifier.

Earlier this week, CHIME launched a $1 million competition to attract innovators to address patient ID matching (see A Jump Start for National Patient IDs?).

If Congress were to lift the funding ban on HHS related to patient IDs, that wouldn't necessarily give HHS the license to issue all Americans a new national patient ID number, Burch notes. Rather, it could give HHS "the ability to work on a strategy to improve patient ID matching." Mistakes in matching patients to the correct data lead to patient privacy and safety problems at many healthcare entities across the country, according to a 2012 study by CHIME.

In a statement, CHIME says it supports the draft bill's "call for greater transparency" on certified health information technology and the proposals related to addressing accurate patient identification.

Sizing Up the Proposal

Nahra says elements of the bill, including the information sharing blocking component, "target specific identified problems and could be useful." But other parts of the draft, he argues, have the potential of "creating new and different - but not necessarily better - rules and standards and processes for developing standards."

He acknowledges, however, that the bill spotlights some important issues.

"There is a recognition that health IT is really important ... but the complexity of the political, regulatory and technical debate is making everything really hard. This bill could help somewhat, but the problems aren't going away."

The Senate health committee is directly seeking public comments on the draft by Jan. 29.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
