By Prudence L. Gourguechon on 1/29/2009 8:27 PM
Round one of the Stimulus Package passed the U.S. House of Representatives this week. The American Psychoanalytic Association has been lobbying for privacy protections in the bill, since one of its major components is a section that would promote development of a comprehensive health information technology system. APsaA has long been concerned about the potential for violation of confidentiality in electronic medical records and has been fighting for a number of years now to ensure the systems promoted by the government provide the maximum possible protections for patient privacy. Our legislative representative Jim Pyles offered the following analysis of the House bill and where it stands on the issue of protecting confidentiality, the right to consent, and other privacy issues.
Yesterday the House passed the "American Recovery and Reinvestment Act of 2009" (H.R. 1) which contains a Title IV entitled the Health Information Technology for Economic and Clinical Health Act (HITECH Act) that provides for policies and standards as well as incentives and penalties intended to promote a national electronic health information technology system. The HITECH Act has also been approved by two key Senate Committees and is part of the stimulus bill still pending in the Senate (S.1).
The HITECH Act passed by the House has the strongest privacy protections of any bill that has moved in either the House or the Senate to date; however, it does not contain several provisions championed by APsaA and the mental health practitioner community generally. It does not contain recognition of the patient's right to health information privacy, an express right of consent for the routine disclosure of health information or a definition of the term "privacy".
There are important privacy provisions that APsaA and others were able to get included. Perhaps the most important is that the House bill includes a provision stating that nothing in the bill shall constitute a waiver of "any privilege otherwise applicable to an individual with respect to protected health information of such individual." Section 4405(g). This acknowledges in statute the privilege recognized by the Supreme Court in Jaffee v. Redmond. The psychotherapist-patient privilege recognized in that decision was only based on an interpretation of the Federal Rules of Evidence and could have been eliminated at any time by statute. If this provision remains in the final HITECH Act, the psychotherapist-patient privilege, recognized at the federal level only in case law, will likely be preserved. The privilege essentially gives the patient a right of consent because the privilege can only be waived, other than in extraordinary situations, by the patient. Of course, the privilege is broader than the definition of "psychotherapy notes" in the HIPAA Privacy Rule.
Second, the bill includes the interpretation of "minimum necessary" that we were able to get included in the preamble to the HIPAA Privacy Rule. The bill states that the determination of what constitutes the "minimum necessary" information for any purpose is to be determined by the covered entity or business associate disclosing the information. Section 4405(b)(2). This means that a psychotherapist can determine whether a request for patient information by a third party is the "minimum necessary" for the purpose of the request.
Other significant protections and improvements for which APsaA advocated include the following:
- An early provision in the House and Senate bills that would have prevented consumers and patients from having "undue influence" on health information technology policies and standards was deleted. APsaA took the position that patients are the most important "stakeholders".
- Health information technology standards must be published in the Federal Register and made available for public comment before being adopted.
- Enforcement measures for privacy violations were strengthened, holding business associates liable for privacy violations and requiring the Secretary to investigate any "possible violation due to willful neglect".
- Covered entities are required to grant requests by patients for restrictions on disclosures of identifiable health information for payment and health care operations purposes if they pay out of pocket. (Unfortunately, disclosures without consent can still be made for treatment even if the individual pays out of pocket.)
- Technologies are to be developed that would protect the privacy of health information by allowing for "segmentation" of specific and sensitive information due to privacy concerns.
- Technologies are to be developed that would allow individually identifiable health information to be rendered unusable or unreadable by unauthorized individuals when transmitted in a nationwide network or outside of the physical perimeter of a health care provider, health plan or clearinghouse. APsaA worked closely with Congressman Markey (D-MA) on this provision.
- Covered entities must notify patients of breaches of electronic health information, and report such breaches to the Secretary of Health and Human Services who will publish a list of significant breaches (involving more than 500 individuals) on the agency's website.
We are continuing to work with Senator Snowe (R-ME) to get a broad exception to the definition of "breach" narrowed.
In short, we have achieved many significant victories, and your patients' privacy rights should be much better protected because of APsaA's efforts, but there is still work to be done on the Senate bill and in working with the Obama Administration on implementing regulations.
Jim Pyles