Thursday, September 30, 2010

Our Dysfunctional Health Care System: A Different Kind of Information Problem

I don't just work on health care from an IT angle; I also sometimes work on payment issues. And in this context it has occurred to me that we have also have information problems. They're a little different from the kind you get in IT, but some day, when we have resolved all our problems in building out IT infrastructure (yeah, right), it will be all about the content. That's the real point of IT anyway, isn't it?

Well, whatever. But I recently had what I thought was some interesting correspondence about the problem of information asymmetry in health care. The presenting problem was, what are reasonable health insurance administrative costs?

This is one of the areas in which analysts often tell us we may be able to save some money. After all, what is it that health insurers contribute, and why should we pay for them?

However, you can't figure out what the reasonable cost of anything might be, unless you can figure out what you're paying for. This question which immediately brings up a whole set of deeply embedded, problematic issues of long standing.

- There are a lot of variables and interactions in complex interaction, making it difficult for even the experts to accurately assess and predict the implications of policy changes, or for that matter the implications of continuing the status quo;

- The average person, even the average educated person who’s trying to pay attention in good faith, and definitely including the average policymaker, including those trying to act in good faith, probably doesn’t have the background or experience to know what the facts and issues are in any depth;

- There are very strong, well-organized financial interests playing an ultimately zero-sum game (healthcare expenditures cannot actually go up forever);

- Healthcare issues are valuable partisan footballs, perhaps especially when they are distorted; and

- The mainstream media hasn’t, with a very few exceptions, sufficient expertise to clarify the issues.

This makes it, ahem, difficult to get agreement on exactly what any data show. But here are a few thoughts, anyway.

In the first place, I personally don’t believe it’s possible to have a genuine free market for healthcare goods and services, if by that is intended a marketplace in which individuals consumers purchase goods and services, and their purchasing decisions set a price which is accepted as politically legitimate. The healthcare market is subject to too many information asymmetries – individuals don’t and frequently can’t know what they need or the factors they ought to consider – and motivational asymmetries – how much are you really going to haggle over the price of treatment for that cancer that will kill you if you don’t get it? How about if it’s your daughter?

I also don’t think culturally the US is ready to simply state that in healthcare you get what you can pay for, and if you can’t afford it that’s your own problem, period. (Personally, I’m rather glad of that.) Nor do we have anything like an adequate charity safety net – I’m not sure we could, without charitable institutions becoming a much larger sector of the economy. Unless we are willing to live with the political, social and moral consequences of trying to enforce a consumer-based healthcare marketplace, we need some other mechanism to set healthcare prices.

(Editorial comment: The only reason markets in anything important are allowed to exist is because their pricing results are accepted as politically legitimate. Whenever they are not, for important goods or services, for a material portion of the population, for a material period of time, political intervention is inevitable. You can argue it *shouldn’t*, but I would argue that that is an ideological position, and history shows this happening time and again.)

This is why we have health insurance: To set healthcare prices by negotiating (in the larger sense) with providers. You could do this differently, of course; single payer is the obvious alternative, with a single entity to do all the purchasing negotiation. Or you could simply set prices by government fiat. Whatever the possible merits of such approaches, the US doesn’t do it that way, and clearly isn’t going to go there in the current round of reforms.

The core administrative functions of health insurance companies are all related to healthcare price negotiations. Claims management is ultimately a set of processes for making sure the “right” price is paid for a given set of products and services; prior approval is a process for negotiating the purchase of specific products and services; underwriting is a process for making sure the insurance company takes in enough funding to pay for predicted payments; and so on. In all of these activities, the insurance company is negotiating from a position of lower information and motivational asymmetry than individuals would; it may not know as much as the provider does but it knows a lot more than an individual, and for better or worse it certainly doesn’t care the same way the individual does. (This is probably the main reason people hate insurance companies – they will deny care that individuals are motivated to want.) Of course, the same is true for a single—payer or government fiat solution.

In this context one of the valid arguments against private insurance companies is that they have additional non-core administrative functions, such as marketing, that don’t (or aren’t seen to) support their core functions. Conversely, one of the valid arguments against single-payer and government fiat is that they tend to inflexibility: This is what we do, take it or leave it. Personally (that word again), that is the reason I tend to favor continuing private insurance: The companies are likely to adapt more flexibly and may be more likely to support valuable new approaches, e.g. better case management and wellness programs, which reduce claims by creating incentives for healthcare strategies which may actually be *experienced* as better by individuals, and contribute to their actual health.

Having said all that, of course in practice actual markets are often dysfunctional for many reasons, and it’s not as if there’s much of a competitive health insurance market. Dysfunctional markets tend to receive political intervention (see above), and maybe in the final analysis this market is so concentrated that only governmental intervention (or the threat) can bring about key features which serve individual consumers better . . .

So, I think the data show that managed care and health insurance are part of the health care pricing problem (due to their own market concentration) *and* part of the solution (due to the dysfunctionality of the healthcare products and services).

What's my solution? Hey, if you've got a good one, let me know!

Thursday, July 8, 2010

Preliminary Thoughts on the HITECH/HIPAA NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act

The Notice of Proposed Rule Making (“NPRM”) for the proposed new regulations amending the HIPAA regulations as required by HITECH have just been informally published here. The formal publication date in the Federal Register is probably going to be July 14, 2010. This is a brief heads-up on a few issues the NPRM seems to present.

At this point I think the following are the key points:

• The most significant innovation is that the NPRM proposes comprehensive regulation of all entities which obtain or use PHI to perform activities or functions serving Covered Entities, whether they are Business Associates or Subcontractors (a newly defined term) of Business Associates. It no longer matters where the entity falls on a chain of contracts, or even if there is a contract in place, any entity which fits this description will be regulated and subject to penalties for failure to comply. Of course, failure to have a required Business Associate Contract in place would create a lot of HIPAA violations.

• Business Associates – including Subcontractors now, so this means all entities which obtain or use PHI to perform activities or functions serving Covered Entities, regardless of their contract status – will have to be in compliance with the Security Rule, as well as the other Business Associate compliance obligations HITECH imposes, by the date which is 180 days from the date the final rule is published. However, I believe (subject to further analysis) that all Business Associates including Subcontractors will be subject to the breach notification rules as of the date the final rule is effective.

• Business Associate Contracts which are compliant with the existing rules and in effect before the date the final rule is published will be grandfathered and “deemed compliant” for the next year and 240 days from the date the final rule is published. Business Associate Contracts which are entered into or renewed or modified after the date the final rule is published will have to be compliant with the new standards. “Evergreen” Business Associate Contracts, which renew automatically without changing, are not considered to be “renewed” for this purpose.

• My impression is that there will be a number of good reasons to want to come up with new Business Associate Contract forms to deal with the new standards and arrangements.

• Business arrangements where revenues or other remuneration are tied to PHI use or disclosure will be subject to closer scrutiny and will have to comply with some new limitations. While this shouldn’t disallow most such arrangements – though it probably will do so for some – most such arrangements should be reviewed to ensure compliance, and appropriately documented.

• We have some potentially useful new enforcement standards proposed, which clarify how violations will be classed. The upshot is, as is typical in compliance matters, that documentation of decisions and policies will be important to avoiding liability.

The NPRM also proposes regulations in a few other areas which may be important to some organizations or in some contexts.

Because this is a NPRM these proposed rules are not actually the provisions which will be required for compliance. The proposed rules are being published for comment, and final rules will published after review of the comments. Comments may be submitted for sixty days after official publication, through September 12, 2010. There is no set date for publication of final rules after that.

The effective date for compliance for the HITECH provisions to be clarified by these rules was February 18, 2010 under the legislation, which obviously has passed. In order to allow for a reasonably orderly transition DHHS has provided an extension of the compliance date through the date 180 days from publication of the final rules, for most of the regulations requiring action by Covered Entities or Business Associates. I think this probably won’t apply, however, to compliance with the breach notification regulations which were effective last September; Covered Entities and Business Associates are already subject to those.

Business Associates and Subcontractors.

The most significant changes, as expected, apply to Business Associates and “Subcontractors.” As expected, the NPRM clarifies a number of points around HITECH’s extension of HIPAA regulatory jurisdiction to Business Associates. However, the NPRM also proposes to extend the same requirements to Subcontractors of Business Associates as well. This is a potentially very significant additional extension of jurisdiction. Understanding why requires a bit of review of the “Business Associate” concept.

A Business Associate is a concept created under the initial HIPAA regulations intended to extend HIPAA’s PHI protections to information obtained by non-Covered Entities to perform activities on the Covered Entities’ behalf. The regulatory definition is therefore that a Business Associate is any “person” performs any function or activity on behalf of a Covered Entity involving the use or disclosure of PHI. Because HIPAA did not provide for jurisdiction over entities other than the statutorily established Covered Entities, the initial HIPAA regulations extended protections indirectly by requiring Covered Entities to have a specific form of contract, the Business Associate Contract, in place before allowing their Business Associates access to PHI. If the Business Associate violated the contract and did something improper with the PHI the Covered Entity was required to take actions up to and including contract termination, and the Covered Entity (but not the Business Associate) could be penalized for failure to do so.

Of course, sometimes Business Associates also need additional parties to perform functions or activities involving PHI they have on behalf of a Covered Entity, and under the initial HIPAA regulations a Business Associate Contract could include a provision allowing them to do so if they “ensure that any [such] agent, including a subcontractor” agrees to the same “conditions and restrictions” as apply to the Business Associate under its Business Associate Contract. This has generally been interpreted as a much looser standard than the Business Associate Contract requirements, and practices in this area have often been fairly relaxed.
Under the NPRM this will change, because the NPRM proposes to extend jurisdiction to Subcontractors of Business Associate, by defining them also as Business Associates and requiring Business Associates to have Business Associate Contracts with their Subcontractors. (Yes, this will be confusing to figure out, and take some analysis of the NPRM to see how it works and if there are any strange logical loops, etc.)

“Subcontractor” is now proposed to be defined as a “person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate.” The definition of Business Associate is also now proposed to be modified to add Subcontractors, even though they do not have a direct relationship to the Covered Entity. Since a Subcontractor is now defined as a Business Associate, it logically seems that any person which acts on its behalf performing a function or activity involving PHI is also a Subcontractor, and therefore a Business Associate.

In other words, in any activity or function involving a chain of relationships among entities, there will need to be a chain of Business Associate Contracts. One effect of this change would therefore seem to be a broad expansion of the use of Business Associate Contracts throughout the health care sector, probably to many types of entity which never had to have them before. Less visibly, acting as a Subcontractor (even without a Business Associate Contract in place) will automatically bring an entity under HITECH/HIPAA jurisdiction, including required compliance with all the rules applicable to Business Associates.
Grandfathered Business Associate Contracts.

It will likely take some work to develop good Business Associate Contract forms for this purpose, and my impression is that due to these and some other changes it will be desirable for Covered Entities also to revise their forms. The good news, however, is that most Covered Entities and Business Associates should currently be in compliance if they have appropriate Business Associate Contract forms in place, and will have some time to implement new forms.

The NPRM proposes Business Associate Contract transition provisions which would “grandfather” Business Associate Contracts which are in place as of the date of publication of the final rules, as long as the contract is not renewed or modified during the period from sixty days from the date of publication of the final rules through the date 240 days from that date. Grandfathered contracts will then be considered compliant until the earlier of (1) their “renewal or modification” after the 240 day period, or (2) the date one year and 240 days from the date of publication of the final rules.

This is a bit confusing, but looks like it would work as follows. Assume a final rule publication date of October 1, 2010:
• Any Business Associate Contract in place before October 1, 2010 is deemed compliant (as long as it is compliant with the initial rules, of course).
• If the Business Associate Contract is “renewed or modified” at any time after October 1, 2010, the new rules will apply.
• If the Business Associate contract is not “renewed or modified,” it will have to be reviewed and possibly amended to ensure compliance with the new rules no later than May 29, 2011.

The same transition rules do not apply to other compliance obligations. In particular, Business Associates (including Subcontractors, of course) will have to be compliant with the Security Rule 180 days from the date of publication of the final rules – e.g., for a publication date of October 1, 2010, by March 30, 2011.

Business Associate Security Compliance.

There is some good news for Business Associates around Security Rule compliance, however. Business Associates will be fully required to comply with the Security Rule, as required by HITECH. However, the NPRM clarifies that Business Associates are to determine the safeguards they implement based on the “flexible factors” and “addressable specifications” applicable under 164.306 of the Security Rule. This was not clear under HITECH.

This is a helpful clarification, but does mean that Business Associates will need to document their security decision-making in more depth than they may be used to. My suspicion is that many Business Associates – especially Subcontractors which have been able to operate outside the sphere of HIPAA. This kind of Subcontractor may also not be ready to deal with the security breach notification regulations, which will kick in only 60 days after the final rules are published.

Business Arrangement Implications.

The extension of regulatory jurisdiction to every entity which uses PHI for some activity or function which serves a Covered Entity is likely to cause some entities to take a serious look at how they do business. This may become even more significant for those which are involved in processes such as data mining and other secondary uses of PHI and PHI-derived data.

Some entities may even wind up becoming regulated without knowing it, if they are far enough down a contract chain and don’t have controls to identify the sources of information they receive. This can be shown by an example given in the Preamble to the rule, where a third party administrator (“TPA”) acting as a Business Associate to a health plan contracts with a document and media shredding company to destroy records including PHI. The shredding company is a Subcontractor, and therefore a Business Associate, and therefore regulated – but won’t know that unless the TPA tells it so, or it reviews the information it is shredding and can ascertain that it is PHI from a Covered Entity which has contracted with the TPA (something the shredding company shouldn’t be doing in the first place).

A wider range of entities providing services to the health care sector than those which already know they are Business Associates should probably consider their business models, and if they involve PHI consider whether they can modify their model to avoid regulation (by avoiding PHI), or if not how they will have to adapt it to the new rules. In this connection many will also need to look at financial models, if they are at all tied to PHI (e.g. per-records processing fees, etc.), since these too are proposed to be more tightly regulated.
HITECH included a directive for regulations tightening up the sale of PHI and its use PHI for marketing, and the NPRM makes some helpful clarifications in this area.

Part of this clarification, however, is to propose standards in an area which has to date been fairly loose. The rule is now clear that individual authorization is required for the disclosure of PHI in a “sale,” unless it fits one of several specific exceptions. This rule applies whenever PHI is disclosed in return for “remuneration,” a very broad term which covers any kind of compensation. While the exceptions are intended to allow for ordinary and legitimate transactions, there are likely to be some existing arrangements which don’t fit.


The NPRM presents a few other issues, and from a lawyer’s point of view some of the clarifications around enforcement standards are also helpful. Other issues not yet identified are bound to crop up, especially as we begin working through the implications. While these are not final regulations and compliance is not required, my recommendation is that entities in the health care sector – especially Business Associates, under its expanded meaning – take a careful look at possible implications for their own activities. They may find undesirable implications and want to comment, and hope their concerns will be resolved; and in some cases they may want to start planning a reorganization to change their business model or begin planning to adapt to the new reality.

Overall, my impression is that the NPRM is very consistent with the agenda of increased regulation of secondary players in the health care sector, to enable increased use of electronic health records and health information exchange. In legal terms I think it is a significant step toward that goal. I am sure there will be some changes based on comments, but I frankly would not expect important additions or deletions. I expect the final rule, which I would guess will issue some time this Fall (but it is only a guess) will be very consistent with the NPRM, so this is the shape of things to come.

Thursday, December 17, 2009

HITECH Incorporation by Law: A Painful Conundrum

Okay, here’s yet another HITECH question: What does it actually *mean* if HITECH BA requirements are both applicable as a matter of law, and required to be incorporated into BACs? Do we have any discretion to vary the BAC language from the legally incorporated language?

We’ve all (well, many of of us) read the argument about why HITECH’s “shall be incorporated” language can properly be interpreted to the effect that the included requirements are incorporated in BACs as a matter of law. In fact, HIMSS sent comments to OCR to that effect, which were essentially a well-reasoned legal argument. I haven’t confirmed the legal research or checked for alternative legal theories – I do have to do paying work too – but knowing the folks who prepared and reviewed it I expect it’s sound. I think the language is at least ambiguous, in that it “shall be incorporated” can also be interpreted as a command (“the parties shall incorporate”), but the other position clearly has good support.

Automatic incorporation is a helpful position for one significant problem, that of BAC amendment. CEs with a lot of BAs (and BAs with a lot of CEs) already face a burdensome and annoying project in identifying and updating existing contracts, no matter what the timeline. If they have to do it by February 17 this burdensome project will become very difficult and perhaps in some cases impossible within the allotted time. If existing BACs are considered compliant without amendment because new HITECH requirements are incorporated by law as of their effective date, however, this problem is alleviated. Given this useful result and well-reasoned arguments for the automatic incorporation position, OCR could well adopt it.

If so, however, what happens to BAC provisions which deviate from the language of the automatically incorporated requirements? There may be a number of situations where this makes sense – certainly my own view is that it is preferable to write BAC requirements in terms consistent with contract interpretation and enforcement and the parties’ actual operations, because statutory and regulatory language is not necessarily well-adapted to the kinds of interaction and services standards and definitions and dispute resolution needs contracts are intended to serve.

But if we are under a regime where statutory or regulatory requirements are automatically incorporated, in the statutory or regulatory language, does that mean that differing contractual language is:

1. Per se invalid?

2. Invalid to the extent it changes a material aspect of the incorporated requirement? If so, what might be material?

3. A violation of HIPAA/HITECH because it is in whole or in part invalid? If so it would be a continuing violation . . .

4. Valid, but creating an overlapping additional or supplementary requirement to the extent it is materially different from the incorporated requirement?

5. Something else that hasn’t occurred to me?

I don’t know but I think I better try to figure it out.

In fact, I think I better figure it out *even if OCR guidance states that automatic incorporation is not the rule.* In another HITECH strange loop, this problem also affects *existing* BACs, to the extent the language of those provisions deviates from the language used to define the BAC provision requirements in the Privacy Rule. And the language used does not seem ambiguous, the way the “incorporation” language from 13401 and 13404 does.

Here’s the problem. HITECH sec. 13404 states:
In the case of a business associate of a covered entity that obtains or creates protected health information pursuant to a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such covered entity, *the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e) of such title[.]*

The last clause appears to me to make the “applicable requirements of section 164.504(e)” legal obligations of the BA, *independent of the BAC.* These obligations are the established BAC requirements – which therefore now are independent statutory requirements which parallel, overlap or perhaps override the same requirements in *all BACs*, to the extent the language in the BAC may vary from the regulatory language of the BAC requirements. (Though I’m not actually sure we’ve got the potential variation invalidity problem, since we don’t have the “incorporation” language – but I do think organizations could face a “deviation = additional obligations” problem.)

Tuesday, November 24, 2009

Upcoming HIPAA Business Associate Presentations

I will be presenting as follows:

December 4 audioconference, HIPAA Ethics Update: Lawyers in the Compliance Crosshairs

December 15 audioconference with Alan Goldberg and Alan Freivogel, Attorney Business Associates:
February 17, 2010 Is Almost Here – Are You Ready Now?

Requesting Copies of Presentations and Articles

I've had a couple of folks mentioning an interest in copies of presentations or articles I've done. I'm often happy to make them available, but don't really have a way to get them to you if I don't have your email address. Understandably, nobody wants (or should want) to leave their email address in blog comments, so if you also don't publish one as part of your profile and would like to request something here's a suggestion: Go to the Christiansen IT Law website and email me via the "Email John" button.


Friday, November 20, 2009

How to Eliminate the Barriers to Health Information Exchange

I know how to eliminate the principal barriers to health information exchange (HIE): A clear code of safety standards and insurance.

The real barriers aren’t really technical any more. We do have challenges in terms of electronic health record (EHR) interoperability and in some other areas, and they are not trivial. But there is a lot of work going into standards and other requirements to achieve interoperability, and in any case this is more a question of data standards than data exchange. These problems of information content are not really barriers to the technical exchange – the transmission and receipt – of information.

The real barrier to HIE is risk aversion: Health care providers, in particular, are often reluctant to buy EHRs and participate in HIE because they fear they will be held liable if the information they hold, transmit and receive goes astray or is misused. This risk aversion is usually expressed in terms of a lack of legal standards – I’ve been through seemingly endless analyses of federal and state laws potentially applicable to HIE, to try to reconcile them and find a way to assure clients that they can do HIE safely, or at least that we can roughly quantify their legal exposures associated with it. This is a difficult task because the laws are neither written nor organized in ways which tell you the rules for legally-compliant HIE – that is, they don’t describe how a provider can conduct HIE with at least a reasonable assurance that they won’t face legal liability.

The situation is rather as if we had built our existing road system backwards, starting with superhighways and then asking people used to horses and buggies to start driving on it in Corvettes and 18-wheelers. Worse, it’s as if we had partially built our interstate highway system, but hadn’t bothered to figure out things like stop and yield signs, and what speed limits are safe for curves and hills. Drivers who aren’t particularly risk-averse – they don’t recognize the risks, or don’t care about them much – might happily hop into their Corvettes or big rigs and start cruising. After a few crashes, maybe we begin to learn that we need some kinds of road signs and some speed limits, and start putting them up. We might even decide that driver’s education is a good idea, and that drunk driving is to be seriously discouraged.

Over time we’d evolve safety standards for our superhighway. We’d probably put up some useful signs, and they would get more useful over time. Curves where a lot of crashes occur would probably get straightened out, and drivers would learn how to handle their vehicles better. But during the evolution of these safety standards, a lot of prospective drivers would probably figure, I’ll stick with my horse and the back roads until they work out the bugs.

For the truly risk-averse, even a well-designed superhighway with good signage and licensed drivers might still be too daunting. Driving is an inherently risky business, even if you have good safety standards and are diligent about their enforcement; road conditions can vary, even good drivers are sometimes negligent, and unanticipated conditions can crop up. Accidents and intentional malfeasance happen, and the only way to avoid the risk altogether is by avoiding the highway.

This is why every state requires all drivers to have insurance: To pay the costs associated with the statistically inevitable harmful incidents associated with driving. This includes costs of repairs to your vehicle – and you yourself – as well as covering harm to as third parties. The system is no-fault in the sense that coverage does not depend on who is or may have been at fault, so drivers and third parties don’t have to worry about payments being delayed while insurers squabble over who have to pay what amount. Of course, the system isn’t perfect, and insurers still do dispute fault, but at that point it’s really about how the insurers split coverage, not about whether coverage exists. And, usefully for the determination of such disputes, safety standards help decide who, if anyone, was actually at fault.

Safety standards and insurance will not work for the extremely risk-averse, of course. For some, the advantages of swift movement from place to place will not outweigh their fear of a crash – or of the unknown – and they will want to stick with their horse and buggy. But clear safety standards and insurance are likely to be enough to overcome risk aversion in most individuals.

So how would this work for HIE? Well, we’ve already built an Information Superhighway (thank you for the metaphor, Al Gore) – the Internet – which, frankly, does not have a lot of built-in safety features. So we need to come up with standards for its safe usage for HIE (which could and probably should apply to proprietary networks used for HIE too, of course). These standards need to be clear enough to translate into policies and procedures healthcare organizations can understand, implement and explain to users. Users need to be trained in these standards – and maybe we should consider whether users should be qualified in some way as a condition to engaging in HIE. (They already should be by any organization which authorizes them to participate in HIE on its behalf, but perhaps we need broader requirements.)

Standards need to be enforced, and we need mechanisms for learning from accidents, mistakes and deliberate malfeasance. At the same time, organizations need assurance that if they comply with standards they will be safe against penalties and damages – that they will be considered compliant with the law, and with applicable standards of care. Safe harbors and standards maintenance and evolution will be essential.

We should also look into insurance to cover the statistically inevitable. Part of this is coverage for the organizations themselves, for matters such as incident response and breach notification, and remediation. But the really valuable insurance would be against third-party harms – harm to individuals whose personal health information is misused or improperly disclosed in the course of HIE (or EHR usage).

This kind of insurance will take some work to develop. We already have insurance available for misuse of personal financial information. The most commonly known covers credit monitoring and in some cases cure of misinformation, but this kind of insurance is in fact less important than the “hidden” insurance provided by payment card issuers’ guarantees to consumers against credit card fraud. This risk transfer in fact enabled electronic commerce in general, by limiting consumers’ exposure to fraudulently created debts to fifty dollars (and usually not even that). Even risk-averse consumers could, and did, use the Information Superhighway to start buying online, because the issuers assumed their risks of doing so. Of course, over time even massively well-capitalized companies like the payment card issuers want to limit their exposure, and they have in turn started requiring vendors using payment cards to implement specific security requirements – in effect, private safety standards for ecommerce, not an uncommon role for insurers to play.

So, I have the solution for the principal barrier to HIE: We need clear safety standards, and we need insurance.

Now all we need is a good standards body with clear legal standing, and a well-capitalized organization to fund coverage . . .

(Thanks to Peter Winn for the conversation and Kirk Bailey for the tilting at the windmills which inspired this piece.)

Saturday, November 14, 2009

More HIPAA/HITECH and Joint IT Environments: Multiple Account Access

I've had some interesting follow-up from my previous posting about HIPAA/HITECH and cloud computing. One question was about my statement that users authorized by one Covered Entity whose Protected Health Information and applications are hosted in a joint IT environment shouldn't have access to the Protected Health Information and applications of other Covered Entities hosted by the same services provider. A question of particular interest was whether that statement also applied if the access was for purposes of treatment, payment or healthcare operations, or if the two Covered Entities were part of an organized health care arrangement (OHCA).

This is an issue I’ve gone around several times with ASPs and RHIOs, and I don’t think it would be either prudent or permitted by HIPAA for different Covered Entities to simply “leave the door open” for external users to access data. “Access” from the user’s side is “disclosure” from the Covered Entity's side (the HIPAA/HITECH definition of “disclosure” specifically includes “access to information outside the entity holding the information”). So the Covered Entity needs to comply with HIPAA’s disclosure requirements in allowing users from different Covered Entities to access its Protected Health Information.

If the external user is a provider who needs access for treatment purposes, patient authorization is not needed and the minimum necessary rule does not apply. If the external user needs access for payment or health care operations, patient authorization is still not needed, but the minimum necessary rule does apply. That’s all good as far as it goes; you can structure policies and controls to make the appropriate information available (though minimum necessary compliance may be more of a challenge than it appears), but it begs the question, how does the Covered Entity know the purpose of the access, and that the external user is authorized to have it?

The security rule requires Covered Entities to have policies and procedures for granting access to ePHI, including documenting, review and modification of a user’s right of access. Users also have to have unique IDs and the Covered Entity has to have a method of authenticating the user. The security rule also requires security incident identification and response, while HITECH requires notification procedures for security breaches; in both cases the definition of a trigger event includes unauthorized access.

Uncontrolled access would mean that the Covered Entity would be unable to document and review an external user’s right of access, and might not be able to identify and authenticate the user. It certainly wouldn’t be able to identify unauthorized access – i.e., security incidents and breaches. So we’ve got some likely HIPAA violations, and also a lack of controls which is really inappropriate for access to sensitive information as a matter of ordinary prudence. (And I do mean that in the sense that I think it would be actionable negligence.)

When you’ve got an IT environment in which one organization is responsible for user access control, which you can have with ASPs, SaaS or cloud computing environments, that organization can be responsible for user identification and authentication and access control administration. What it probably can’t do is authorize users to have access to ePHI – it has to be told about this by the Covered Entities, who know the roles of the users, etc.

What you need then is a mechanism to make authorization transitive – to allow Covered Entity A to accept the authorization of an external user by Covered Entity B, to access ePHI owned by A on B’s behalf. This is where it often gets sticky, and RHIOs have fallen apart, because generally speaking A won’t (and probably shouldn’t) accept an authorization from B without B assuming liabilities for error and indemnifying A. This can be overcome – I’ve set up a number of arrangements which make it happen – but it can cause serious conflicts between A and B.

I don’t think an OHCA helps with this issue. The real issues are under the security rule, which does not work in those terms. But that doesn’t mean that entities within an OHCA can’t agree to manage data access appropriately under the security rule – e.g. a health system might manage identification and authentication functions on systems it supports, which allow users from associated clinics access to its systems, and in turn the clinics could use the same I&A solution to control access for hospital users accessing theirs. (There are also a few third-party I&A services which can be helpful.)