Welcome to our multi-series on Health Technology: Policy and Implementation.
Our mission is clear: we believe simple, secure access to vital medical data will catalyze dramatic change in healthcare. Our unofficial mission is also pretty clear: #DestroyTheFaxMachine!
Both missions are possible by understanding the rules and regulations—and staying on the right side of history.
So today, we’re going to cover Federal Policy 101.
There will be several posts, because there’s a lot to cover. We’ll be talking about the interoperability ecosystem, patient matching, and standards and implementation.
So you’ve joined, or started, or are growing a health tech company. You have a mission, a vision and a plan. Awesome. You understand that there are laws that govern exactly what data you can access and what you can do with that data. But you might not know all your key policy terminology—or you have a habit of using terms interchangeably. Well, before we jump in, let’s do a quick rundown so you can hang with the wonks in no time:
Law: A law is legislation passed by Congress or a state legislature. It’s signed by the president or governor.
Regulation: A regulation is developed by a state or federal agency under the direction of a law. It provides the details of how the law is to be put into effect.
Standard: A standard is developed by a governmental agency, non-governmental agency, consensus committee or other body. It can be either public or private and provides details and agreements as to how systems will work together.
Here are some real-world examples in the Healthcare Tech world that impact you every day:
These are Federal law:
These are Federal regulations:
These are standards:
But wait, what about state law? How does that work with federal law?
As it relates to patient privacy and information sharing, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") gave the federal Department of Health and Human Services ("HHS") the authority to promulgate regulations containing standards with respect to the privacy of individually identifiable health information. This is regulated at a federal level. Many states have also passed their own laws relating to patient data sharing and privacy.
So which law wins?
In general, whichever is more strict is what needs to be followed. For example, there are a few cases where state laws have set more stringent rules around patient data sharing.
In these cases, HIPAA’s standards do not supersede state law, because the state-level laws impose even more stringent standards with respect to the privacy of individually identifiable health information.
New York State, for example, has outlined where state law and HIPAA might conflict, and provides details for implementation in each case.
Who are the main players in Federal HIT policy?
Now that we’ve covered the high-level terms, we think you’re ready for the next step: agency acronyms. Here’s what you need to know.
The federal government promotes and enforces HIT policy through the Department of Health and Human Services (HHS).
In addition to these, there are several other agencies involved with HIT policy.
HIPAA, HIPAA, Hooray
As we mentioned earlier, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations that would protect the privacy and security of certain health information. We’ll talk about HIPAA a lot in these posts; it’s pretty important.
So to fulfill this requirement, HHS published the detailed regulations around what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.
Essentially, the Security Rule addresses the technical and non-technical safeguards that organizations (or, “covered entities”) must put in place in order to secure electronic protected health information (e-PHI) for individuals.
Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and... civil money penalties. Quite large penalties.
Before HIPAA, there was no widely accepted set of security standards, or even general requirements, for the protection of health information in the healthcare industry, which was accustomed to bureaucratic paper processes. Of course, as the industry became more technically advanced and migrated from paper to electronic processes, the potential security risks also increased.
For our purposes, we’ll focus on the privacy rule and how it establishes national standards to protect individuals’ medical records and other personal health information. HIPAA requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
Last but certainly not least, HIPAA gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Who’s covered by the privacy rule?
What does the HIPAA Privacy rule cover?
What doesn’t the HIPAA Privacy Rule cover?
So what does this mean? Basically, your doctor or health system can, under HIPAA, access your information if they are using it to treat you, get payment for services, or improve their internal operations. Otherwise, they are out of luck without your explicit permission. There are exceptions of course, but for the most part HIPAA makes it so information is only accessible in specific cases with defined reasons.
What are the patient rights under the HIPAA privacy rule?
Patients have a right to:
The problem with HIPAA and its associated regulations though, is that while they defined all the rights a patient has, they provided no good way for a patient to actually do any of these things. Have you ever tried to correct your medical records? …Exactly.
HIPAA was passed at a time when EHRs were basically non-existent, so you might have noticed that nothing we talked about with HIPAA specifies anything about the format of your data or how any of this applies to electronic records. Stay tuned for next week, where we add even more policy acronyms to your vocabulary and talk about the laws and policy that have been put in place to regulate electronic access to the records we all know and love.