DATA CONFIDENTIALITY AND HIPAA



Michael F. Chiang, M.D., and Justin Starren, M.D., Ph.D.

Introduction
The volume of patient medical data has grown exponentially as a result of new medical technologies, advances in research, and the increasing tendency for health care to be provided by multiple subspecialists rather than a single family doctor. Electronic medical record systems have evolved to manage this tremendous volume of data, but they have also raised important questions regarding the privacy and confidentiality of patient data. The regulation of these issues has traditionally fallen under state jurisdiction, but state laws differ significantly in their degree of coverage and protection of privacy [1]. To address the need for national standards regarding patient data privacy and security, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) of 1996 [2]. An additional goal of HIPAA was to reduce the administrative overhead of health care organizations by providing standardized regulations for electronic medical transactions. This chapter provides an overview of data confidentiality and HIPAA, emphasizing those aspects that are most relevant to telemedicine.

The precise nature of the HIPAA regulations continues to evolve, and the application of these regulations to projects in telemedicine may be subject to future interpretation. Therefore, the contents of this chapter must be considered to be the opinions of the authors, rather than the official policies of the federal government, Columbia University, or New York Presbyterian Hospital.

Entities and Information Affected by HIPAA
HIPAA regulations define covered entities to be all health plans, health care clearinghouses, and health care providers who conduct electronic health care transactions. All personal health care information is covered by these regulations, regardless of whether it is maintained in an electronic, paper, or oral format [3]. Telemedical care clearly meets these criteria. The HIPAA federal regulations are intended to preempt state laws that either conflict with its requirements or provide less stringent privacy and security protections; HIPAA does not preempt state laws that are more stringent [4]. This raises a compliance issue which may be unique to telemedicine practitioners: if a specialist in one state performs telemedical consultations in another state with different local privacy laws, there will be situations in which it is unclear whether federal privacy regulations, the first state's laws, or the second state's laws should apply. This issue is not specifically addressed by HIPAA.

Timetable of HIPAA Regulations
The HIPAA regulations may be divided into three broad categories: (1) Standards for electronic transactions ("HIPAA Transaction rule"). (2) Standards for privacy of individually identifiable health information ("HIPAA Privacy rule"). (3) Standards for security ("HIPAA Security rule").

The specific rules for each of these categories are in different stages of development, and the legal requirements are continuing to evolve. In general, an iterative process results in the publication of regulatory requirements by DHHS as a "Final Rule," which may be modified after further solicitation of comments from the public. The required date of compliance with a regulation is typically 26 months after publication of the final rule. This information is summarized in Table 1 [5]:

Table 1. HIPAA timetable.

Category      Final Rule (Date)    Modification to Final Rule (Date)    Required Date of Compliance
Transaction   August 2000          None                                 October 2002*
Privacy       December 2000        March 2002                           April 2003
Security      Not yet published    N/A                                  Unknown

*May be extended to October 2003.


HIPAA Provisions: Electronic Health Care Transactions
The HIPAA transaction rule is primarily directed toward electronic financial transactions, rather than the actual process of health care delivery through telemedicine or other mechanisms. Therefore, we do not anticipate that the HIPAA transaction requirements will affect the ability of telemedical providers to continue performing medical evaluations in a custom-tailored format. Of course, the process of electronic billing for telemedical services will need to comply with HIPAA transaction standards.

HIPAA Provisions: Data Privacy
The HIPAA privacy rule creates standards for maintaining the privacy and integrity of protected health information, which is defined as individually identifiable health data that is transmitted or maintained in any form. This is applied very broadly and applies to information that is transmitted for health care operations, as well as financial or administrative purposes. Furthermore, covered entities are responsible for ensuring HIPAA compliance from their business associates who receive protected health information in the process of providing services to the covered entity.

Unique Aspects of Telemedicine Privacy
The practice of telemedicine inherently requires the electronic transmission of protected health information. Applications of telemedicine for business, military, correctional, or other purposes will need to meet the HIPAA privacy requirements. In particular, telemedical consultations will raise several privacy issues that are not typically encountered during conventional medical practice:
  • Telemedicine could reasonably be regarded as a health care operation and therefore fall under the "treatment, payment, or health care operations" (TPO) categorization, which permits the use and disclosure of protected health information without patient consent. To date, DHHS has not directly addressed the issue of telemedicine in the privacy regulations.
  • Telemedical consultations may require additional non-clinical personnel, such as technicians and camera operators, who do not participate in traditional medical care but will need to comply with all HIPAA regulations.
  • In traditional medical care, providers typically have existing relationships with the medical specialists whom they consult. However, in telemedical consultations, patients and their on-site medical providers often will not know which clinical and non-clinical personnel will be involved at the distant site. HIPAA does not directly address this situation.

HIPAA Provisions: Data Security
Whereas the privacy regulations are intended to protect health data from improper disclosure, the main purposes of the security regulations are to guard against unauthorized access to electronic information and to prevent unauthorized alteration or loss of health data. The HIPAA proposed security rule was published in August 1998; however, the final rule has not yet been released.

The proposed HIPAA security requirements will have important implications for telemedicine. Care must be taken to ensure that health information used at all of the sites involved in a telemedical encounter is stored and protected according to the same security standards required for information used in on-site encounters. Authentication systems will be required to ensure that health information is sent only to proper destinations and reviewed only by authorized caregivers [6]. Most existing telemedical systems provide password authentication, but very few implement audit trails to review system activity. Furthermore, the proposed technical security requirements indicate that video signals used during telemedical examinations must be encrypted if these data are sent over public networks such as the Internet. Video signals that are transmitted over dedicated connections or phone lines will not need to be encrypted.


Federal Penalties for Noncompliance with HIPAA
HIPAA establishes two categories of penalties for entities that misuse personal health information: (1) civil penalties. Health plans, providers, and clearinghouses that violate standards will be subject to civil liability of $100 per incident, up to $25,000 per person, per year, per standard. (2) Federal criminal penalties. Health plans, providers, and clearinghouses that knowingly and improperly disclose or obtain information will be subject to criminal liability. This will be up to $50,000 and one year in prison for disclosing or obtaining protected health information; up to $100,000 and five years in prison for obtaining protected health information under false pretenses; and up to $250,000 and 10 years in prison for disclosing or obtaining protected health information with the intent to use it for commercial advantage, personal gain, or malicious harm [3].

Summary: Implications of HIPAA for the Future of Telemedicine
The practice of telemedicine fundamentally requires electronic transmission of protected health information, and will therefore be significantly impacted by HIPAA. As discussed above, the specific requirements of HIPAA are evolving, and are likely to continue to change based on new technologies and new threats to data privacy and security. The precise interpretation of these rules for telemedicine will affect the design, and possibly the cost-effectiveness, of telemedical networks. Therefore, it will be critical for practitioners of telemedicine to become familiar with ongoing issues involving HIPAA regulations.

References
1. Pritts J, Goldman J, Hudson Z, Berenson A, Hadley E. The state of health privacy: An uneven terrain. Washington, DC: Institute for Health Care Research and Policy at Georgetown University, 1999.
2. Health Insurance Portability and Accountability Act of 1996 (HIPAA) Page.
http://www.jcfa.gov/hipaa/hipaahm.htm
3. DHHS. Protecting the privacy of patients’ health information: Summary of the final regulation.
http://aspe.hhs.gov/admnsimp/final/pvcfact1.htm
4. Office for the Advancement of Telehealth. Telehealth Update: Final HIPAA Privacy Rules.
http://telehealth.hrsa.gov/pubs/hipaatxt.htm
5. HIPAAdvisory. Status of HIPAA Regulations: Compliance Calendar.
http://www.hipaadvisory.com/regs/compliancecal.htm
6. Wachter G. HIPAA’s privacy rule summarized: What does it mean for telemedicine?
http://tie.telemed.org/legal/issues/HIPAA2001.asp
7. DHHS. Standards for privacy of individually identifiable health information – Proposed rule modification.
http://www.hhs.gov/news/press/2002pres/20020321.html
8. Coalition of Voluntary Mental Health Agencies. Proposed modifications to HIPAA privacy rule (March 2002).
http://www.cvmha.org/policy/2002/HIPAAmodifications.pdf
9. NEMA. Security and privacy: An introduction to HIPAA.
http://www.nema.org/index_nema.cfm/704/
10. DHHS. Office for civil rights homepage.
http://www.hhs.gov/ocr/



HIPAA Transaction Rule
The HIPAA transaction requirements are intended to reduce the amount and cost of administrative burden associated with health care by implementing uniform national standards for electronic health care transactions. These "administrative simplification" regulations will apply only to health care providers who transmit protected health information electronically, either directly or indirectly through contractual arrangements. Covered electronic transactions will include computer-to-computer transmission of health care claims, payment and remittance, benefits information, enrollment and disenrollment in a health plan, health plan eligibility information, and referral certification and authorization. For example, a single health care claims form, which is similar to the current UB-92 and HCFA 1500 forms, will be mandated for all payers. Finally, the HIPAA transaction regulations call for the use of unique identifiers for providers, employers, and health plans, in order to reduce both errors and costs. HIPAA guidelines had initially called for unique identifiers for patients, but this requirement has been deferred because of privacy concerns [5].

HIPAA Privacy Rule
The initial HIPAA privacy rule required that health care providers obtain written informed consent from patients before any routine disclosures of personal health information, and that providers obtain additional patient authorization for non-routine disclosures of information. However, numerous physicians, consultants, health plans, and medical organizations commented that this regulation would interfere with the efficient delivery of health care during scenarios in which providers would use or disclose protected health information before physically encountering a patient. Examples of these situations include surgical scheduling, filling of prescriptions by pharmacists, referrals to specialists, medical treatment over the telephone, and emergency medical care.

After considering these comments, DHHS published Proposed Modifications to the privacy rule in March 2002 [7, Table 1]. It appears likely that these modifications will be implemented without significant changes, although they are the subject of ongoing debate. Currently, the Proposed Modifications state that providers are no longer required to obtain an individual’s consent to use or disclose protected health information for "treatment, payment, or health care operations" (TPO). Instead of obtaining consent, providers must make a "good faith effort" to obtain the patient’s written acknowledgement of the provider’s notice of privacy rights and practices. The definition of TPO is fairly broad and includes health care operations such as quality assurance, case management, accreditation, population-based activities relating to improving health or reducing health care costs, and fraud detection [8]. For non-TPO activities, the Proposed Modifications will continue to require patient authorization before the use or disclosure of protected health information.

Disclosure of health data must be restricted to the "minimum necessary" for the intended purpose, and patients will be given rights to access their medical records and to know who else has accessed them. Based on the Proposed Modifications, incidental uses or disclosures of information during an authorized exchange are permissible. For example, a provider would be allowed to discuss a patient's care with other providers even where the conversation might be overheard by other patients, as long as the providers employed "reasonable safeguards to protect personal health information." Furthermore, the HIPAA privacy rule includes provisions that would allow specific disclosures of health information without prior individual authorization in cases where such actions would be consistent with "national priority activities" (DHHS). These particular disclosures are generally permitted under existing laws, and include areas of public health interest, research activities which have been approved by an Institutional Review Board (IRB), judicial proceedings, emergency circumstances, and activities related to national defense and security.

HIPAA Proposed Security Rule
Based on the proposed rule, there will be five components to the security regulations: (1) Administrative procedures to manage the development and execution of security measures. (2) Physical safeguards to protect computer systems and related facilities from environmental hazards and intrusion. (3) Technical security services to protect data. Entity authentication must be performed with user passwords, biometrics, identity cards, or other mechanisms. Other requirements include authorization controls to limit data access based on the particular role of health care workers, as well as audit controls to record and review system activity. (4) Technical security mechanisms to prevent unauthorized access to data transmitted over a communications network. This requires access control, system alarms, and processes for reporting security breaches. In addition, data encryption must be performed when information is transmitted over the Internet or other public networks, but encryption is optional when data is transmitted over private networks. (5) Electronic signature standards. This regulation is intended to provide non-repudiable proof of data integrity and authentication, which allows recipients of health care documents to confirm that the information has not been altered and that it originated from the claimed sender [9]. Digital signatures are the only existing technology that can satisfy these criteria; therefore, if electronic signatures are to be required by the final HIPAA security rule, DHHS will require that digital signature technology be used.
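The following is an added example, not code from the original chapter, showing two of the technical security services listed under component (3): role-based authorization controls that release only the fields a role needs, and an audit trail in which each entry commits to the hash of the previous one, so that later alteration of the log is detectable. The role names, field names, log format and sample record are my own assumptions for illustration; HIPAA prescribes none of them, and a hash chain is a tamper-evidence measure rather than the digital-signature non-repudiation of component (5).

```python
"""Added example (not part of the original chapter): role-based access
control plus a tamper-evident audit trail for a telemedicine record store.
Roles, fields, log layout and the sample record are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

# Assumed "minimum necessary" field set per role. A camera operator at the
# distant site needs the images and a record key, not the clinical history.
ROLE_PERMISSIONS = {
    "physician": {"name", "mrn", "history", "images", "diagnosis"},
    "camera_operator": {"mrn", "images"},
    "billing": {"name", "mrn", "diagnosis"},
}

# Constructed sample record (fictitious patient).
SAMPLE_RECORD = {
    "mrn": "000123456",
    "name": "Jane Doe",
    "history": "Type 2 diabetes, 12 yrs",
    "images": ["fundus_OD.jpg"],
    "diagnosis": "Proliferative diabetic retinopathy",
}

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body):
    # Canonical JSON so that the same entry always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; every entry's hash covers the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, mrn, fields, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "mrn": mrn,
            "fields": sorted(fields), "allowed": allowed, "prev": prev,
        }
        self.entries.append({**body, "hash": _digest(body)})

    def verify(self):
        """Return the index of the first broken link, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return -1


def access(record, user, role, requested, log):
    """Release the requested fields only if all of them are permitted for
    the role (fail closed); every attempt, allowed or not, is logged."""
    permitted = ROLE_PERMISSIONS.get(role, set())
    requested = set(requested)
    allowed = requested <= permitted
    log.append(user, role, record["mrn"], requested, allowed)
    if not allowed:
        raise PermissionError(f"{role} may not read {sorted(requested - permitted)}")
    return {k: record[k] for k in requested if k in record}


def demo():
    log = AuditLog()
    view = access(SAMPLE_RECORD, "dr.smith", "physician", ["history", "images"], log)
    try:
        # The operator over-requests; the whole request is refused and logged.
        access(SAMPLE_RECORD, "cam01", "camera_operator", ["images", "history"], log)
        denied = False
    except PermissionError:
        denied = True
    intact = log.verify() == -1
    # Simulate someone editing the first entry after the fact.
    log.entries[0]["allowed"] = False
    return {
        "view": view, "denied": denied, "intact": intact,
        "entries": len(log.entries), "tampered_at": log.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the log would be written to append-only storage and the tail hash periodically copied off-system (or signed) so that an attacker who can rewrite the whole file cannot simply rebuild the chain.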

Covered Entity
HIPAA defines covered entities to include all health plans, health care clearinghouses, and health care providers who conduct electronic health care transactions.

Business Associate
HIPAA defines a business associate as a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of protected health information. A business associate is not a member of the health care provider, health plan, or other covered entity's workforce. The HIPAA business associate requirements do not apply to covered entities who disclose protected health information to providers for treatment purposes.

Protected Health Information
HIPAA defines protected health information as individually identifiable health data that is transmitted or maintained in any form. Identifiable refers not only to data that is explicitly linked to a particular individual, but also to health information with data items that reasonably could be expected to allow individual identification. HIPAA specifies 18 categories of unique identifiers [10]:

  • Names
  • All geographic subdivisions smaller than a state (e.g. address, city)
  • All elements of dates (except year) directly related to an individual (e.g. birth date, admission and discharge dates, date of death), and all ages over 89
  • Telephone numbers
  • Fax numbers
  • Email addresses
  • Social security numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Health plan account numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Internet Protocol (IP) address numbers
  • Uniform Resource Locators (URLs)
  • Biometric identifiers, including finger and voice prints
  • Full-face photographic images and any comparable images
  • Any other unique identifying number, characteristic, or code

Under HIPAA's "safe harbor" standard, information is considered de-identified if all of the above have been removed, and there is no reasonable basis to believe that the remaining information could be used to identify a person.
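As an added example (not part of the original chapter), the pass below applies the safe-harbor list to a flat patient record: fields assumed to hold direct identifiers are dropped, dates are reduced to their year, ages over 89 are collapsed to "90+" (with the birth year also dropped, since it would reveal the age), and free-text notes are scrubbed for identifier patterns that commonly leak into them. The field names, regular expressions and the sample record are my assumptions; the rule itself does not name fields, and a regex scrub is a best-effort check, not a guarantee that no identifier remains.

```python
"""Added example (not part of the original chapter): a minimal safe-harbor
de-identification pass. Field names, patterns and the sample record are
assumptions made for illustration."""
import re
from datetime import date

# Fields assumed to carry direct identifiers from the 18-item list; dropped.
# (The rule permits keeping the first three ZIP digits when the area holds
# more than 20,000 people; this example takes the conservative route and
# drops the ZIP entirely.)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "ip_address", "url", "biometric_id", "photo_ref",
}
# Date fields: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that turn up inside free-text clinical notes.
PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"https?://\S+"), "[URL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]

# Constructed sample records (fictitious patients).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "000123456",
    "birth_date": date(1930, 5, 14),
    "discharge_date": date(2002, 3, 2),
    "city": "New York",
    "diagnosis": "Diabetic retinopathy",
    "note": "Pt reached at 212-555-0147, email jane.doe@example.org; follow-up 03/02/2002.",
}
ELDERLY_RECORD = {"name": "John Roe", "birth_date": date(1910, 1, 2), "diagnosis": "Cataract"}
AS_OF = date(2002, 4, 1)  # reference date for computing ages


def scrub_text(text):
    for pattern, token in PATTERNS:
        text = pattern.sub(token, text)
    return text


def safe_harbor_age(birth, as_of):
    """Age in whole years, collapsed to "90+" for anyone over 89."""
    age = as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))
    return "90+" if age >= 90 else age


def deidentify(record, as_of):
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # drop outright
        if key in DATE_FIELDS:
            if isinstance(value, date):
                out[key + "_year"] = value.year  # year alone may be kept
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    birth = record.get("birth_date")
    if isinstance(birth, date):
        age = safe_harbor_age(birth, as_of)
        out["age"] = age
        if age == "90+":
            out.pop("birth_date_year", None)  # birth year would reveal the age
    return out


def residual_identifiers(record):
    """Tokens whose pattern still matches somewhere in the string fields;
    an empty list is the expected result after de-identification."""
    hits = []
    for value in record.values():
        if isinstance(value, str):
            hits += [token for pattern, token in PATTERNS if pattern.search(value)]
    return hits


def demo():
    return deidentify(SAMPLE_RECORD, AS_OF)


if __name__ == "__main__":
    print(demo())
    print("residual:", residual_identifiers(demo()))
```

The residual check is the part a reviewer should run before releasing a data set: a clean pass on the structured fields says nothing about names or dates written into narrative text, and the catch-all "any other unique identifying number, characteristic, or code" item cannot be reduced to a regular expression.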
