Health Information Compliance
There have always been rules about patient privacy. Throughout history, solutions to patient privacy challenges were often informal. With the advent of the electronic patient chart and privacy technology in the 1990s, new regulations in the US needed to be enforced for healthcare organizations. From the late 2000s until today, as technology advanced quickly after its introduction into healthcare, organizations struggled to keep patient privacy safe while also working to meet the basic regulatory standards. Those impacted by unlawful sharing of patient healthcare data are the stakeholders of healthcare organizations. New legal, political, ethical, and cultural climates risk endangering patient safety for the most marginalized populations. Advances in regulations also offer the possibility of improving patient health information security.
Regulations have historically failed to keep pace with advances in organizational structures and healthcare data sharing. Substantial governmental financing promoted more involvement in addressing this expansive threat to patient information security. Previously, regulations were a loose framework of small fines intended to disincentivize illegal data sharing. Regulations are becoming more legally consequential, with higher fines and prosecution of at-fault parties, entities, or organizations. The future of preventing unlawful dissemination of patient information and data offers improvements to both technology and regulations.
HIPAA
Solutions were eventually formalized as the Health Insurance Portability and Accountability Act of 1996, also known as Public Law 104–191 and referred to as HIPAA. HIPAA has five main components, Titles I-V: Health Insurance Reform, Administrative Simplification, Tax-related Health Provisions, Application and Enforcement of Group Health Plan Requirements, and Revenue Offsets. The focus of this research falls under Title II, Administrative Simplification: the Transaction and Code Sets Standards, Privacy Rule, Security Rule, and Enforcement Rule. These can be identified under the umbrella term health privacy.
HITECH
In addition, the Health Information Technology for Economic and Clinical Health Act, HITECH, was created in 2009 to ensure that healthcare organizations were compliant and encouraged to implement electronic health records (EHR) and electronic personal health information (ePHI). The Department of Health and Human Services (HHS) worked with Congress to provide $25 billion in funding to enact HITECH. The act ensures that business associates and enforcement agencies report breach notifications for third-party apps and other organizations not covered by HIPAA. This is an advancement, since HIPAA was created years earlier, when there were fewer technological loopholes for sharing ePHI. It requires responses from organizations at different tiers.
HITECH has required Medicare-eligible organizations to comply with its standards since 2017 or be penalized 1% of Medicare reimbursement. It also requires adopting certified EHR technology, with a penalty of 3% of Medicare reimbursement for failing to do so. Before HITECH was fully implemented in 2010, the HHS Office for Civil Rights could impose penalties of only $100 per violation, up to a maximum of $25,000 per year. [i]
2. IMPACT ON STAKEHOLDERS
Stakeholders Overview
Stakeholders impacted by regulations and their changes are generally the patients and the organization’s employees/providers, investors, boards of directors, and payors of the supply chain. Secondary stakeholders are patients’ families, involved community members, and governmental policymakers. Tertiary stakeholders are community members not involved with the activities of regulatory practices and their changes.
Current Patient Marginalization
Currently and historically, regulatory legal limitations and changes for electronic personal health information (ePHI) have impacted communities differently, acutely marginalizing specific populations more than others. Abortion-related personal health information is particularly vulnerable to regulation. “While most states explicitly shield those who have had, or are seeking, an abortion from prosecution, confusion abounds in states with abortion bans. For example, in April 2022, a hospital in Texas reported to law enforcement a woman for ending her pregnancy. She was charged with murder and put in jail for three days.”[ii]
· Law enforcement and prosecutors are increasing requests for patient information to aid in gathering investigative evidence. This is a continuation of pre-Roe activities in general.
· Current post-Roe abortion bans create penalties for providers and healthcare workers who aid in providing abortion care. This creates a culture of fear surrounding the subject and pushes these medical professionals to work more willingly than before with law enforcement to disclose HIPAA-protected information, in order to avoid criminal punishment for withholding known information.
· Select healthcare workers may choose to enforce the state’s abortion ban through vigilante acts. [iii]
Other communities currently face marginalization, including harassment and mistreatment, because their health information is vulnerable to regulation. These include transgender people seeking gender-affirming or general care, underage adolescents seeking sexual health care, and undocumented immigrants, among other at-risk populations.
3. PROPOSED CHANGES TO HIPAA & HITECH
It has been over eight years since relevant updates to HIPAA have been implemented. HHS prioritizes appropriate changes to these laws through a Request for Information.[iv] Current solutions provide limited protection, dependent on enforcement of their implementation by governing bodies. There were three main proposed changes to HIPAA this past year, 2021, detailed in a document of more than 90 pages. These regulations have been shaped by public pressure, continued legal cases, and external environments. They are:
· “The expansion of a patient’s right to access their medical information
· A shortening of the federal requirement for fulfilling medical records requests
· An increased focus on coordination of care initiatives between health systems[.]”[v]
2022 HITECH Improvements: Penalties for HIPAA Violations[vi]
*(see appendix, figure i)
HITECH defines four levels of culpability for organizations, entities, or individuals involved in HIPAA violations. It is in the interest of those at fault to be held to the lowest level of culpability possible. While these figures are disincentivizing, it remains a reality that these regulations are difficult to enforce unless someone is caught in violation.
4. REGULATORY CHALLENGES
While fines under HIPAA and HITECH discourage and punish violations, fining parties that are never identified is impossible, and this remains an ongoing challenge for these regulations. Challenges to accessing health privacy today arise on two sides of EHR software: the patient and the employee perspectives. Health Level 7 (HL7) is an international standards organization that works with healthcare systems to address present challenges and future solutions for implementing interoperability. It identifies silos between systems that hinder access to care at critical moments.[vii] These moments are identified as when a patient enters a hospital, a clinic, or a related care facility and pertinent chart information must be readily available from a disparate system.
Often, patients and their medical and legal caretakers are left between the business decisions of healthcare organizations and everyone else’s needs. Business needs include preserving the silos between EHR systems so that businesses can effectively own (e)PHI. This challenge raises difficult ethical questions that HIPAA and other health regulations have been unable to address fully.
Health regulations currently and historically have faced rapid technological change. Laws have had to keep up with app development and data sharing. Health data held in supposedly secure sources is increasingly easy to access and therefore more at risk of reaching unintended recipients through intentional breaches, fraud, neglect, and accidental loss.
5. FUTURE OF HEALTH PRIVACY
Recommendations: Possibilities of Tech Advancements and Regulatory Standardization
HIPAA and HITECH will advance to require healthcare organizations to share patient information between systems. Interoperability improves access to, use of, and privacy of patient health information. This involves breaking the silos that currently exist between providers, organizations, and public assistance programs. [viii] This would mean that a patient in a private ambulance would have immediate access to their Medicaid chart, health monitor app software data, and data from their previous provider at a large hospital in another state that closed several years ago. The future of health privacy will continue integrating the prioritization of ethical EHR use. This continuous move toward electronic integration allows careful control over where information is being delivered and who is accessing it. It will require all existing and emerging entities sharing ePHI to become more closely interconnected by mandatory law.[ix]
Regulating corporations would require laws to work in favor of PHI security. This works by requiring corporations to make patient information easily accessible. It means that conflicts of interest for politicians regarding big healthcare entities would no longer be permissible where patient information sharing is involved. The benefits of creating large corporations would also be disincentivized, so that smaller organizations in a shared market could fluidly share patient information within the healthcare ecosystem. This improvement toward a patient-information-security-centered experience, achieved through legal and regulatory advancement, would reduce many of the challenges patients face navigating health and privacy in the healthcare system today.
Continued Inherent Risks
With electronic standardization, the risk of breach and misuse still remains. The scope of which violations are trackable is questionable. Advances in technology allow data, in general, to be quickly processed by anyone anywhere, even when it is in the hands of the wrong person or party. Authority surveillance will provide protection of patient safety, but at the risk of allowing authorities access to personal devices and their information. To what extent is authority surveillance too much when protecting anyone’s personal information?
To what extent will technological progress aid in prosecuting those who deviate from questionable, hidden, or unethical laws? Regulatory and technological advancements could expand state-sponsored persecution of large populations if conditions in the US continue to radicalize toward an unforeseeable climax. Marginalized and wrongfully criminalized communities are the most at risk when confronted with the complicated, intricate web of regulations and punitive criminalization enabled by access to private healthcare information. With the advent of further changes in regulations, laws, and cultural norms, these people are, as a continuation of the unethical history of the US, most at risk of losing their patient privacy, autonomy, and legal right to live free from stigmatization, prosecution, and further persecution.
Endnotes
[i] HIPAA Journal. (2022, November 27). What is the HITECH Act? 2022 update.
[ii] Buchanan, M. J., & Stovicek, N. (2022, June 24). Using HIPAA to protect patient privacy and fight abortion criminalization. Center for American Progress.
[iii] Buchanan, M. J., & Stovicek, N. (2022, June 24). Using HIPAA to protect patient privacy and fight abortion criminalization. Center for American Progress.
[iv] HIPAA Journal. (2022, November 22). New HIPAA regulations in 2022.
[v] Good Rx. (n.d.). Understanding the proposed changes to the HIPAA Privacy Rule.
[vi] HIPAA Journal. (2022, November 27). What is the HITECH Act? 2022 update.
[vii] AHIMA. (2022, April 7). The future of interoperability. Journal of AHIMA.
[viii] AHIMA. (2022, April 7). The future of interoperability. Journal of AHIMA.
[ix] National Archives and Records. (n.d.). The Federal Register. Retrieved November 7, 2022.
References
AHIMA. (2022, April 7). The future of interoperability. Journal of AHIMA. Retrieved November 28, 2022, from https://journal.ahima.org/page/the-future-of-interoperability
Buchanan, M. J., & Stovicek, N. (2022, June 24). Using HIPAA to protect patient privacy and fight abortion criminalization. Center for American Progress. Retrieved November 23, 2022, from https://www.americanprogress.org/article/using-hipaa-to-protect-patient-privacy-and-fight-abortion-criminalization/
Good Rx. (n.d.). Understanding the proposed changes to the HIPAA Privacy Rule. Retrieved November 29, 2022, from https://www.goodrx.com/hcp/providers/proposed-hipaa-amendments
HIPAA Journal. (2022, November 22). New HIPAA regulations in 2022. Retrieved November 23, 2022, from https://www.hipaajournal.com/new-hipaa-regulations/
HIPAA Journal. (2022, November 27). What is the HITECH Act? 2022 update. Retrieved November 23, 2022, from https://www.hipaajournal.com/what-is-the-hitech-act/
National Archives and Records. (n.d.). The Federal Register. Retrieved November 7, 2022, from https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care