Privacy and Your PHR
Personal Health Records, or PHRs as most regulatory entities refer to them, are records of an individual’s health status that contain identifiable health information. In the last decade there has been greater focus on, and regulatory change in, how this information is kept private and secure. This applies not only to health care facilities such as hospitals, nursing homes and home health agencies but also to health insurers. Legislation, and the interpretation of the laws that govern the privacy and security of an individual’s identifiable health information, continue to change.
Protection of health care information has always been a concern not only for providers, health plans and clearinghouses but also for the individual. With the rise in identity theft and its consequences, people are more fearful than ever and savvier about protecting and securing their personal information. They have rights and want to exercise them, not only over identifiable health information but over any information about their medical status.
The newest legislation addresses issues such as identifiable health information. A limited data set, one that does not include information such as social security number, medical record number, name, e-mail address, or telephone or fax number, is to be included with identifiable health information. This means that no information about the individual, relatives, household members or even employers that would allow the sender to re-identify the data could be included.
Today the exchange of information is faster and simpler than it has ever been. One look at the HITECH Act quickly confirms this. The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as a section of the American Recovery and Reinvestment Act, which was signed into law in February 2009. The intention of the act is to create the infrastructure for a nationwide health information database that can be used to handle information quickly and efficiently by electronic means. Doctors across the country can now access vital information electronically rather than relying on phone conversations or waiting for massive paper health records to be mailed.
Unfortunately, this rapidly evolving exchange of information also makes it easier to breach an individual’s rights under the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996. This is in part why the HITECH Act was enacted: it clarified points that the original HIPAA law neglected or left less than clear. Businesses that would not otherwise fall under HIPAA now find themselves directly affected, including any that handle the transmission of protected health data to or from a covered entity, as well as contractors that handle information for businesses that offer EHRs to their employees.
The HITECH Act has been recognized as covering any business that comes into contact with protected health information, including data clearinghouses and even third-party information disposal companies. A breach involving a leak of protected data requires that a log be kept and reported on a yearly basis. If the leak involves 500 or more individuals, however, it must be reported to the Department of Health and Human Services immediately and may result in the payment of fines and/or sanctions.
On February 17, 2010, the final rule on Breach Notification for unsecured health information passed for covered entities and their business associates. The intention of this piece of legislation was to clarify what counts as the transmission of unsecured identifiable health information. It addresses the technologies and methodologies used to transmit identifiable health information and what to do when a breach has occurred.
The rule states that identifiable health information does not have to be encrypted as long as the entity has a security measure in place to protect it. Entities that use accepted encryption technologies when transmitting identifiable health information and then discover that a breach has occurred would not have to notify anyone, because the information is not considered unsecured identifiable health information.
Two important agencies that produce and enforce these rules are the Federal Trade Commission (FTC) and the Office for Civil Rights (OCR). The FTC has rules and specific guidelines that must be followed to protect sensitive information when using peer-to-peer (P2P) software for remote viewing of records; such software is used between health care providers, payer sources and clearinghouses. The OCR is one of the most important government agencies surrounding the HIPAA laws, since its job is to enforce them.
Individuals have a right to request a copy of their records for any disclosures, including payment, treatment and medical records. A request for a copy of a medical record should be submitted in writing and be clear, conspicuous and specific as to what is being requested and to whom the information is to be sent if other than the individual. The electronic record is sent only to the individual or entity named. The health care entity must comply with the request within thirty days, as designated by HIPAA, and may charge a reasonable fee for this process.
Health care entities covered under these regulations include health care providers, health plans and health care clearinghouses. Examples of providers are physicians, hospitals and nursing homes; examples of health plans are HMOs, health insurers and government programs such as Medicare and Medicaid; clearinghouses are entities that process information used for billing services or a community health management information system. As one might imagine, there is a great deal of public concern about the need to protect identifiable health information. Privacy and security are major issues in today’s fast-paced electronic world.