Health Tech, Policy + Implementation Multi-Series: Federal Policy 101

Welcome to our multi-series on Health Technology: Policy and Implementation, where we will cover the rules and regulations that make our mission of providing easy and secure access to vital medical data possible. Today, we’re going to cover Federal Policy 101.

Welcome to our multi-series on Health Technology: Policy and Implementation.

Our mission is clear: we believe simple, secure access to vital medical data will catalyze dramatic change in healthcare. Our unofficial mission is also pretty clear: #DestroyTheFaxMachine!

Both missions are possible by understanding the rules and regulations—and staying on the right side of history.

So today, we’re going to cover Federal Policy 101.

There will be several posts, because there’s a lot to cover. We’ll be talking about the interoperability ecosystem, patient matching, and standards and implementation.

Federal Policy: A Quick Overview

So you’ve joined, or started, or are growing a health tech company. You have a mission, a vision and a plan. Awesome. You understand that there are laws that govern exactly what data you can access and what you can do with that data. But you might not know all your key policy terminology—or you have a habit of using terms interchangeably. Well, before we jump in, let’s do a quick rundown so you can hang with the wonks in no time:

Law: A law is legislation passed by Congress or a state legislature and signed by the president or governor.

Regulation: A regulation is developed by a state or federal agency under the authority of a law. It spells out the specifics of how the law is to be carried out.

Standard: A standard is developed by a governmental agency, non-governmental agency, consensus committee or other body. It can be either public or private and provides the details and agreements for how systems will work together.

Here are some real-time examples in the Healthcare Tech world that impact you everyday:

These are Federal law:

These are Federal regulations:

These are standards:

But wait, what about state law? How does that work with federal law?

As it relates to patient privacy and information sharing, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") gave the federal Department of Health and Human Services ("HHS") the authority to promulgate regulations containing standards for the privacy of individually identifiable health information. This is regulated at the federal level. Many states have also passed their own laws on patient data sharing and privacy.

So which law wins?

In general, whichever law is stricter is the one that needs to be followed. For example, there are a few cases where state laws have set more stringent rules around patient data sharing.

In these cases HIPAA's standards do not supersede state law, because the state-level laws impose even more stringent standards with respect to the privacy of individually identifiable health information.

New York State, for example, has outlined where state law and HIPAA might conflict, and provides details for implementation in each case.

Who are the main players in Federal HIT policy?

Now that we’ve covered the high-level terms, we think you’re ready for the next step: agency acronyms. Here’s what you need to know.

The federal government promotes and enforces HIT policy through the Department of Health and Human Services (HHS).

CMS (Centers for Medicare and Medicaid Services) and ONC (The Office of the National Coordinator for Health Information Technology) are the two main agencies involved.

In addition to these, there are several other agencies involved with HIT policy:

  • The Substance Abuse and Mental Health Services Administration (SAMHSA) has very strict privacy policies around data exchange.
  • The HHS Office of Civil Rights (OCR) is charged with enforcement of federal civil rights laws including privacy and security rules.


As we mentioned earlier, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations that would protect the privacy and security of certain health information. We'll talk about HIPAA a lot in these posts; it's pretty important.

So to fulfill this requirement, HHS published the detailed regulations around what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

  • The Privacy Rule establishes national standards for the protection of health information.
  • The Security Rule establishes a national set of standards that protects health information that is held or transferred in electronic form.

Essentially, the Security Rule addresses the technical and non-technical safeguards that organizations (or, “covered entities”) must put in place in order to secure electronic protected health information (e-PHI) for individuals.

Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and... civil money penalties. Quite large penalties.

Before HIPAA, there was no widely accepted set of security standards, or even general requirements, for the protection of health information in the healthcare industry, which was accustomed to bureaucratic paper processes. Of course, as the industry became more technically advanced and migrated from paper to electronic processes, the potential security risks also increased.

For our purposes, we'll focus on the Privacy Rule and how it establishes national standards to protect individuals' medical records and other personal health information. HIPAA requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

Last but certainly not least, HIPAA gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Who’s covered by the privacy rule?

Covered Entities:

  • Health Plans
  • Health Care Providers
  • Health Care Clearinghouses

Business Associates:

  • Person or organization that provides services to a covered entity involving the use of individually identifiable health information
  • A covered entity can be a business associate of another covered entity

What does the HIPAA Privacy rule cover?

  • The development and implementation of procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared.
  • All forms of PHI, including paper, oral, electronic, etc.
  • Only the minimum health information necessary to treat or conduct business can be shared.

What doesn’t the HIPAA Privacy Rule cover?

  • Information used for:
      • healthcare operations
      • treatment purposes
      • payment for healthcare services
  • Deidentified patient data
  • Data disclosed between entities with a business associate relationship that meets all other privacy protections

So what does this mean? Basically, your doctor or health system can, under HIPAA, have access to your information if they are using it to treat you, get payment for services, or improve their internal operations. Otherwise, they are out of luck without your explicit permission. There are exceptions of course, but for the most part HIPAA makes it so information is only accessible in specific cases with defined reasons.

What are the patient rights under the HIPAA privacy rule?

Patients have a right to:

  • Ask to see and get a copy of their health records
  • Have corrections added to their health information
  • Receive a notice that tells them how their health information may be used and shared
  • Decide if they want to give permission before their health information can be used or shared for certain purposes, such as for marketing
  • Get a report on when and why their health information was shared for certain purposes

The problem with HIPAA and its associated regulations, though, is that while they defined all the rights a patient has, they provided no good way for a patient to actually exercise any of them. Have you ever tried to correct your medical records? …Exactly.

HIPAA was passed at a time when EHRs were basically non-existent, so you might have noticed that nothing we covered about HIPAA specifies anything about the format of your data or how any of this applies to electronic records. Stay tuned for next week, where we add even more policy acronyms to your vocabulary and talk about the laws and policy that have been put in place to regulate the electronic access to records that we all know and love.