
Privacy Risks of Interoperable Electronic Health Records: Segmentation of Sensitive Information Will Help

Published online by Cambridge University Press:  01 January 2021

Type
Columns: Currents in Contemporary Bioethics
Copyright
Copyright © American Society of Law, Medicine and Ethics 2019


References

See generally Institute of Medicine, Crossing the Quality Chasm: A New Health System for the 21st Century (Washington, DC: National Academy Press, 2001); Merritt, D., ed., Paper Kills: Transforming Health and Health Care with Information Technology (Washington, DC: CHT Press, 2007).
Markle Foundation, Connecting Americans to their Healthcare: A Common Framework for Networked Personal Health Information (2006), available at <http://www.connectingforhealth.org/commonframework/docs/p9_networkedphrs.pdf> (last visited November 18, 2019).
Pub. L. 111-5 (February 17, 2009), 42 U.S.C. § 300jj et seq.
Office of the National Coordinator for Health Information Technology, Health IT Dashboard, “Office-based Physician Health IT Adoption: State Rates of Physician EHR Adoption, Health Information Exchange and Interoperability, and Patient Engagement (2015),” available at <https://dashboard.healthit.gov/apps/physician-health-it-adoption.php> (last visited November 18, 2019).
Office of the National Coordinator for Health Information Technology, Health IT Dashboard, “Non-federal Acute Care Hospital Health IT Adoption and Use: State Rates of Non-federal Acute Care Hospital EHR Adoption, Health Information Exchange and Interoperability, and Patient Engagement (2015),” available at <https://dashboard.healthit.gov/apps/hospital-health-it-adoption.php> (last visited November 18, 2019).
Centers for Medicare and Medicaid Services, Department of Health and Human Services, Proposed Rule, 84 Fed. Reg. 7610-7680 (March 4, 2019).
Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans in the Federally-Facilitated Exchanges and Health Care Providers, 84 Fed. Reg. 7610, 7610-7680 (proposed Mar. 4, 2019) (to be codified at 42 C.F.R. Parts 406, 407, 422, 423, 431, 438, 457, 482, and 485; and 45 C.F.R. Part 156) [hereinafter Proposed Rule].
84 Fed. Reg. at 7618-7639 (preamble discussion of the proposed API requirement).
Id. at 7642-7643 (preamble discussion of the proposed trust network participation requirement).
Id. at 7643-7645 (preamble discussion regarding the frequency of federal-state data exchanges).
Id. at 7645-7648 (preamble discussion of the proposed public reporting of providers' negative attestations to the prevention of information blocking); id. at 7647 (“We believe … the Affordable Care Act provides the statutory authority to publicly report certain data about the prevention of information blocking attestation statements as an assessment of care coordination …”); id. at 7618 (“[W]e are proposing to publicly post information about negative attestations on appropriate CMS websites.”).
Id. at 7648-7649 (preamble discussion of the proposed public reporting of missing provider digital contact information).
Id. at 7650 (“Electronic patient event notifications from hospitals, or clinical event notifications, are one type of health information exchange intervention that has been increasingly recognized as an effective and scalable tool for improving care coordination across settings, especially for patients at discharge”).
Id. at 7649-7653 (preamble discussion of the proposed revisions to the Medicare Conditions of Participation applicable to hospitals, psychiatric hospitals, and critical access hospitals relating to electronic patient event notifications of a patient's admission, discharge, and/or transfer to another health care facility or another health care provider).
Id. at 7653-7655 (preamble discussion of, and solicitation of comments regarding, the advance of interoperability between and among post-acute care (PAC), long term, behavioral health, and home and community-based service providers).
Id. at 7655-7656 (preamble discussion of, and solicitation of comments regarding, the advance of interoperability through innovative models).
Id. at 7656-7657 (preamble request for information regarding how CMS can leverage its authority to improve patient identification through improved patient matching).
Id. at 7626 (discussing the 2010 Medicare Blue Button initiative).
Centers for Medicare and Medicaid Services, Blue Button 2.0, available at <https://bluebutton.cms.gov/> (last visited November 18, 2019) [hereinafter Blue Button 2.0].
Proposed Rule, supra note 7, at 7626.
Id. (“One benefit of making records available via an API is that it enables a beneficiary to pull Medicare health information along with other health information into a single application not dictated by any specific health plan, provider, or portal.”).
Id. at 7674-7680 (proposing new API regulations to be codified within 42 C.F.R. Parts 422, 431, and 457 as well as within 45 C.F.R. Part 156).
45 C.F.R. § 164.524(a)(1) (2018) (“[A]n individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set …”).
Proposed Rule, supra note 7, at 7627-7628 (“The API would allow enrollees and beneficiaries … to exercise electronically their HIPAA right of access to certain health information specific to their plan, through the use of common technologies and without special effort.”).
See, e.g., id. at 7628 (preamble discussion thereof); id. at 7675 (proposing new 42 C.F.R. § 431.60(b)) (listing these required content elements).
See, e.g., id. at 7642-7643 (preamble discussion of the proposed trust network participation requirement); id. at 7675 (proposing new 42 C.F.R. § 422.119(f)(2) applicable to MA plans); id. at 7676 (proposing new 42 C.F.R. § 438.242(b)(5) applicable to Medicaid and CHIP managed care plans); id. at 7680 (proposing new 45 C.F.R. § 156.221(f)(2) applicable to QHPs in FFEs).
Id. at 7642.
Id. at 7675 (proposing new 42 C.F.R. § 422.119(f)(2)(i)-(iii)); id. at 7676 (proposing new 42 C.F.R. § 438.242(b)(5)(i)-(iii)); and id. at 7680 (proposing new 45 C.F.R. § 156.221(f)(2)(i)-(iii)).
Id. at 7643.
Id. at 7618 (explaining that “buy-in” data are data showing who is enrolled in Medicare and who is liable for paying for a dual eligible beneficiary's Medicare Part A and Part B premiums; further explaining that buy-in data exchanges support state, CMS, and Social Security Administration premium accounting, collections, and enrollment functions).
Id. at 7643.
The Medicare Conditions of Participation applicable to hospitals, psychiatric hospitals, and critical access hospitals are codified at 42 C.F.R. Parts 482 and 485.
See, e.g., 42 C.F.R. § 482.43 (regulating Medicare-participating hospital discharge planning).
Id. at 7618 (discussing electronic patient event notifications).
Proposed Rule, supra note 7, at 7678 (proposing new 42 C.F.R. §§ 482.24(d) and 482.61(f)); id. at 7679 (proposing new 42 C.F.R. § 485.638(d)).
Id. at 7615.
Id. at 7654.
Id. at 7655.
“Access control” refers to policies and procedures that allow ePHI access only to those persons or software programs that have been granted access rights. See, e.g., 45 C.F.R. § 164.312(a).
Proposed Rule, supra note 7, at 7615.
Id. at 7635.
See, e.g., id. at 7674 (proposing new 42 C.F.R. § 422.119(c)(2)).
Id. at 7635.
HITECH Act § 3002(b)(2)(B)(i), 42 U.S.C. § 300jj-12.
Office of the National Coordinator for Health Information Technology, 2015 Edition of Final Rule: Data Segmentation for Privacy (DS4P), HealthIT.gov, available at <https://www.healthit.gov/sites/default/files/2015editionehrcertificationcriteriads4p10615.pdf> (last visited November 18, 2019).
National Committee on Vital and Health Statistics, available at <www.ncvhs.hhs.gov> (last visited November 18, 2019).
Co-author Mark A. Rothstein was a member of the NCVHS from 1999-2008 and chaired its Subcommittee on Privacy and Confidentiality, which conducted the hearings and wrote the initial drafts of the letters described. Because his term ended in 2008, he did not take part in drafting the 2010 letter.
National Committee on Vital and Health Statistics, Letter to Michael O. Levitt, Secretary of Health and Human Services, February 20, 2008, at 3, available at <https://ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf> (last visited November 18, 2019).
Pub. L. 110-223 (2008).
45 C.F.R. § 164.508(a)(2).
42 U.S.C. § 290dd-2; 42 C.F.R. Part 2.
National Committee on Vital and Health Statistics, Letter to Kathleen Sebelius, Secretary of DHHS, November 10, 2010, at 714, available at <https://ncvhs.hhs.gov/wp-content/uploads/2014/05/101110lt.pdf> (last visited November 18, 2019).
NCVHS Letter of February 20, 2008, supra note 10. See generally Rothstein, M.A., “Access to Sensitive Information in Segmented Electronic Health Records,” Journal of Law, Medicine & Ethics 40, no. 2 (2012): 394-400; Rothstein, M.A., “Health Privacy in the Electronic Age,” Journal of Legal Medicine 28, no. 2 (2007): 487-501, 496-497.
See Rothstein, M.A. et al., “Unregulated Health Research Using Mobile Devices: Ethical Considerations and Policy Recommendations,” Journal of Law, Medicine & Ethics 48, no. 1 (Supp.) (2020): forthcoming.