Health Tech, Policy + Implementation Multi-Series: Federal Policy 101

Welcome to our multi-series on Health Technology: Policy and Implementation, where we will cover the rules and regulations that make our mission of providing easy and secure access to vital medical data possible. Today, we’re going to cover Federal Policy 101.

Welcome to our multi-series on Health Technology: Policy and Implementation.

Our mission is clear: we believe simple, secure access to vital medical data will catalyze dramatic change in healthcare. Our unofficial mission is also pretty clear: #DestroyTheFaxMachine!

Both missions are possible by understanding the rules and regulations—and staying on the right side of history.

So today, we’re going to cover Federal Policy 101.

There will be several posts, because there’s a lot to cover. We’ll be talking about the interoperability ecosystem, patient matching, and standards and implementation.

Federal Policy: A Quick Overview

So you’ve joined, or started, or are growing a health tech company. You have a mission, a vision and a plan. Awesome. You understand that there are laws that govern exactly what data you can access and what you can do with that data. But you might not know all your key policy terminology—or you have a habit of using terms interchangeably. Well, before we jump in, let’s do a quick rundown so you can hang with the wonks in no time:

Law: A law is legislation passed by the Congress or State Legislature. It’s signed by the president or governor.

Regulation: A regulation is developed by State or Federal agencies under the direction of a law.  This provides details on the specifics of how the law is to be enacted.

Standard: A standard is developed by a governmental agency, non-governmental agency, consensus committee or other body. It can be either public or private and provides details and agreements as to how systems will work together.

Here are some real-time examples in the Healthcare Tech world that impact you everyday:

These are Federal law:

These are Federal regulations:

These are standards:

But wait, what about state law? How does that work with federal law?

HIPAA gave the federal Department of Health and Human Services (HHS) the authority to promote regulations containing standards with respect to the privacy of individually identifiable health information - meaning that there is an information sharing law at the federal level. But many states have also passed their own laws as it relates to patient data sharing and privacy.

So which law wins?

In general, whichever is more strict tends to be what needs to be followed. There are a few cases where the state laws have set more stringent rules around patient data sharing. New York State, for example, has outlined where state law and HIPAA might conflict, and provides details for implementation in each case.

Who are the main players in Federal HIT policy?

Now that we’ve covered the high-level terms, we think you’re ready for the next step: agency acronyms. Here’s what you need to know.

The federal government promotes and enforces HIT policy through HHS. CMS (Centers for Medicare and Medicaid Services) and ONC (The Office of the National Coordinator for Health Information Technology) are the two main healthcare interoperability oversight agencies, but there are other entities involved as well.

Getting hip to HIPAA

We talk about HIPAA a lot in these posts - it’s pretty important. HIPAA established a lot of different rules for the healthcare sector when it was passed in 1996. For our purposes, we're focused on how it established standards for both information privacy and sharing. HIPAA gives patients the right to obtain their health records (although they don't have to be digital - that's where the Cures Act comes in). Clinicians, meanwhile, have to provide those records and keep them secret from other parties.

HIPAA was passed before EHRs were in widespread use. Later, HHS created even more policy acronyms for your vocabulary that regulate the electronic access to records that we all know and love.