Detroit Receiving Hospital: An interesting medical record access case is brewing in Detroit. A patient in a psych unit died, and a federally funded, state-appointed advocacy group has sued for access to peer review and other records. The hospital refused, citing privacy restrictions. Apparently, the hospital has already provided the records to state regulators. I guess it will depend on whether the advocacy group has the power of the state behind it: disclosures that are required by law, such as those to a state department of health or a similar agency with oversight of hospitals, are permitted under HIPAA.
The hospital claims that there is no state law that compels the disclosure of the records to the advocacy group. The advocacy group claims that its federal funding means that federal law applies, and that federal law requires the disclosure. But HIPAA explicitly provides that state laws that are more protective of privacy are not preempted by HIPAA. If Michigan law allows the hospital to withhold the records, will that law override the federal law the advocacy group is relying upon?
Making BAs into CEs: The sausage is still being made in Washington, DC, but it's looking like the so-called stimulus bill will increase at least some of the existing health information privacy requirements. According to this article, the House version of the bill contains provisions that will impose the same HIPAA privacy requirements that are already applicable to health plans, providers and clearinghouses ("Covered Entities" in HIPAA parlance) on their vendors and contractors ("Business Associates" under HIPAA).
Currently, HIPAA applies directly only to covered entities. If a company is a business associate of a covered entity, the CE is required by HIPAA to enter into a "business associate agreement" with the BA. The BAA pushes the HIPAA privacy requirements down onto the BA by contract rather than by law; the BA is not directly obligated under HIPAA itself. Basically, the BAA must contractually obligate the BA to treat the health information as safely and privately as the CE does. But while the BA must then provide those privacy protections, it is not required to take all of the administrative steps HIPAA imposes on CEs.
It looks like that may change, adding administrative costs to vendors in the healthcare business.
Finally, A Reasonable Approach: Or at least that's what it seems at first blush. The Center for Democracy and Technology has issued a paper that proposes a new framework for thinking about patient consent and medical record privacy. I've only glanced over it, but they seem to have hit the nail on the head: the system should assume consent for normal/usual/proper uses, so the delivery, performance, and payment for healthcare isn't impeded, but should require meaningful consent for other purposes.
Of course, in my opinion that's what the HIPAA regulation-drafters were shooting for, in a less-than-explicit way.