Will Proposed Federal Legislation Threaten Hospitals’ Transitions to Electronic Medical Records?

Posted on: September 8, 2007  |   Author: Amanda
Filed Under: Health Information, Hospitals & Health Systems   |   Leave a Comment

On July 17, 2007, Senators Edward Kennedy (D-MA) and Patrick Leahy (D-VT) introduced Senate Bill 1814, the Health Information Privacy and Security Act (“HIPSA”). According to Senator Leahy’s statement to the Senate, SB 1814 is intended to protect the confidentiality, security, and privacy of patients’ protected health information. The bill would obligate the Secretary of Health and Human Services to revise the HIPAA Privacy and Security Rules in order to conform with HIPSA’s requirements. It also contains an “opt-out” provision that would require health care entities to permit its patients to choose to have their protected health information excluded from the entity’s electronic systems. Finally, the bill would impose both criminal and civil sanctions on those who violate the privacy rules. A complete summary of SB 1814, along with Senator Leahy’s comments upon its introduction, can be found here: http://leahy.senate.gov/press/200707/071807c.html.

Attorneys and administrators for health care entities may be concerned that these opt-out provisions would require them to give patients the choice to refuse to have their health information maintained in electronic format. As more health care entities transition to or plan to transition to electronic medical records (“EMR”), the prospect of patients’ selective exclusion from EMRs appears to pose a significant threat to complete reliance on EMRs. See, e.g., Milt Freudenheim, Doctors Collaborate to Find a Less Costly Way to Add Electronic Medical Records, The New York Times, Sept. 19, 2005, at 4; Steve Lohr, Smart Care Via a Mouse, But What Will It Cost?, The New York Times, August 20, 2006, at 1.

The proposed HIPSA includes provisions that would permit patients to decide whether their protected health information may be included in an entity’s electronic database. An entity may not access, maintain, retain, modify, store, destroy, or otherwise use or disclose an individual’s protected health information for other than treatment or payment purposes until that individual has been given an opportunity to opt out of that disclosure (2007 S. 1814, §104(d)) [emphasis added]. An individual’s right to opt out of the disclosure of their protected health information to any “local, regional, or nationwide health information network or system” is explicitly articulated by HIPSA (2007 S. 1814, §101(a)(3)).

The entity must provide individuals with a simple description of the information systems used to transmit or disclose PHI, and a statement of the individual’s right to opt out of the entity’s health information network or system (2007 S. 1814, §104(a)(6),(14)). The individual must be given adequate time to exercise that option, and instructions as to how to do so (2007 S. 1814, §104(d)). An entity may not disclose, access, or use an individual’s protected health information until that individual has been given the option to opt out of inclusion in an electronic system (2007 S. 1814, §201(k)). An authorization from an individual to disclose his protected health information must include, inter alia, a description of the nature and probability of harm to the individual resulting from authorization for use of disclosure (2007 S. 1814, §202(b)(12)).Summary of SB 1814, available at http://leahy.senate.gov/press/200707/071807c.html (last visited Sept. 7, 2007).

HIPSA, if passed in its current form, would impose opt-out requirements for inclusion of patients’ protected health information in electronic systems that could impede, but would not completely preclude, hospitals’ transitions to electronic health records. The primary loophole for continued use of electronic health records is found in §104(d) of the bill, stating that an entity may not access, maintain, or otherwise use or disclosure protected health information for other than treatment or payment purposes. While this is the only provision articulating this exception, it is this subsection that essentially creates the opt-out provision, and so that exception presumably applies to all of the other requirements surrounding opt-out. (If, however, the Department of HHS were to construe the other opt-out sections to not include the “for other than treatment or payment purposes” restriction, the right to opt out of inclusion in electronic medical records databases could be significant.) Thus, it seems that patients would not be able to opt out of the use of their protected health information in the form of electronic medical records. Furthermore, if hospitals wanted to disclose protected health information to third parties in order to continue treatment (e.g., send the records to a different health care provider) or ensure payment (e.g., transmit some information to a collection agency), patients would not be able to opt out of such disclosure.

Because it is difficult to find news stories or coverage about HIPSA, it is difficult to evaluate the likelihood of HIPSA’s passage. Still, more patients, patients’ families, and policymakers appear to be recognizing the ways that HIPAA’s Privacy and Security Rules are misinterpreted to preclude the sharing of important information; this trend may encourage Congress to pass HIPSA. See Jane Gross, Keeping Patients’ Details Private, Even From Kin, The New York Times, July 3, 2007, at A12. When making his introductory remarks for the HIPSA bill, Senator Leahy requested that this New York Times article be included in the record in its entirety.

Still, if HIPSA were to pass, major changes to the HIPAA Security and Privacy Rules would be required. Health care entities and lawyers alike will want to monitor the progress and possible passage of this bill. Although the bill does not appear to allow patients to opt out of the use of electronic medical records, it might allow them to opt out of future permutations and applications of health information technology not yet explicitly contemplated.