LEGISLATIVE, LEGAL AND POLICY ISSUES IN TELEMEDICINE & TELEHEALTH

Privacy and HIPAA Issue Summary

Privacy of Health Information

by Glenn Wachter, April 4, 2000

 

 

Tension Over Patient Privacy

Developments in the regulation of patient information have many in the health sector concerned about the future of electronic transmission of personal health information and data. Research by Goldman and Hudson (1999) indicates that people are truly concerned about their privacy, as one-fifth of their survey respondents believed that their medical information had been improperly used. One-sixth of the respondents reported providing inaccurate information to avoid misuse. In general, privacy advocates support strong protections to keep prying eyes from viewing confidential medical information and then making inappropriate use of it (Otrompke, 1999).

Health care organizations rely upon patient data for a multitude of reasons, such as processing payment claims, analysis of medical benefit use, and measurement and quality improvement of health care services (Federal Register, 1999). Health care organizations fear that government-imposed regulation will limit these activities. However, patients want to know that their sensitive information is private and will be protected not only during the course of their treatment, but also in the future as the information is maintained and/or transmitted within and outside the health care system (Federal Register, 1999).

Many believe that although online records are arguably more secure than paper records, computers change the scale of the risk involved. This may be because electronic medical files can be copied more easily and quickly than large paper-based medical files. Physicians and patients are more afraid of someone gaining unauthorized access to online medical records than they are about exchanging personal medical information over a cordless phone--reportedly, a riskier activity (Chin, 2000).

Congress Responds

The Health Insurance Portability and Accountability Act of 1996 (HIPAA, Public Law 104-191) sought to find middle ground amid tensions between privacy advocates and commercial health care interests (Goedert, 2000). Considerable attention is given to the protection of individually identifiable health information. Prior to HIPAA, patients and health organizations relied upon organizational ethics and a patchwork of state laws and regulations, many of which were incomplete and inconsistent. The establishment of national privacy standards is expected to encourage appropriate and increased use of electronic medical information while simultaneously protecting the needs of patients' privacy (Federal Register, 1999).

HIPAA gave Congress the first attempt to develop specific privacy standards (Goedert, 1999); however, when its deadline passed, rule promulgation fell to the Secretary of Health and Human Services (HHS). The Assistant Secretary for Planning and Evaluation (ASPE) is the principal advisor to the Secretary on policy development and led the development of HIPAA regulations. ASPE's proposed rule was released in November 1999, and public comment was extended until February 17, 2000. ASPE is expected to release final regulations by June 2000, at which time the tensions between consumer privacy advocates and commercial health care interests will likely arise.

What the Rules Require

Eligible health care organizations must adopt the electronic data interchange (EDI) standards as established by ASPE if they transmit identifiable medical information in connection with certain administrative and financial transactions (Swartz, 2000). Among other protections, HIPAA requires that disclosure of identifiable patient information be approved by the affected patient. For technical definitions of these terms, as well as the comments received by ASPE, please visit ASPE online.

The Impact for Telemedicine Practitioners

When telemedicine systems are connected through network or modem hookup, risks for unauthorized data access, interruption, interference and corruption increase. Compromises to data integrity can result in harm to patients and corresponding liability to providers (Belmont and Brown-Beasley, 1997). However, these risks notwithstanding, unless the electronic care that covered health care practitioners deliver includes a financial or administrative transaction, it appears that ASPE's rules do not apply. "Transactions" include exchanges of covered information between two parties to carry out financial or administrative activities related to health care. A typical example of this activity would be the electronic submission of a claim from a health care provider to a payer, either directly or via intermediary billers and claims clearinghouses. Further, these rules also do not apply as long as the identifiable health information is transmitted between parties that are under the same ownership.

Next Step Expected in June 2000

The release of the final rule is expected by the end of June 2000, and will have taken into account the approximately 40,000 comments received on this proposed rule.

HIPAA did not provide statutory authority for Donna E. Shalala, Secretary of Health and Human Services, to propose many of the policies that she believes are necessary for the standards to be optimal. For instance, only those providers who engage in the electronic transmission of identifiable health information are covered under this rule. Organizations that obtain identifiable health information from covered entities are not directly affected by the proposed regulation. Providers that maintain only a paper information system also would not be subject to these privacy standards. And while civil and criminal penalties for violations of these standards have been established, an individual patient (whose rights are violated) cannot bring a "private right to action" for actual damages and equitable relief. Without further Congressional approval, HIPAA regulations cannot be broadened to include many of the Secretary's recommendations.

References

  1. Belmont, E. and Brown-Beasley, M. (1997) Confidentiality and Security Issues in Telemedicine. NNEHII 2(1).
  2. Chin, T. (2000) Private Lessons. American Medical News, March 27, 2000.
  3. Committee on Enhancing the Internet for Health and Biomedical Applications: Technical Requirements and Implementation Strategies. (2000) Networking Health: Prescriptions for the Internet. National Academy Press: Washington, D.C.
  4. Federal Register: Standards for privacy of individually identifiable health information. Federal Register. Vol. 64, No. 212/ Wednesday, November 3, 1999/ Proposed Rules. 45 CFR Parts 160-164.
  5. Goedert, J. (1999) Congress makes little progress as privacy deadline draws near. Health Data Management. 7(8): 12,16.
  6. Goedert, J. (2000) Proposed privacy rule holds some surprises. Health Data Management. 8(2): 12, 20.
  7. Goldman, J. and Hudson, Z. (1999) Promoting Health, Protecting Privacy: A Primer. California Health Care Foundation & Consumer Union: Washington, D.C.
  8. Otrompke, J. (1999) Advocates gear up as privacy deadline draws near. Telehealth Magazine. 5(7): 27-28.
  9. Swartz, D. (Feb 2000) Simplification: Standards for privacy of health information: The implications for telemedicine systems. Telemedicine Today 8(1): 27-31.

 

Page last updated on Tuesday, May 27, 2003


Copyright © 2008 Association of Telehealth Service Providers. Portland, Oregon.

 
