Privacy Update

Congress and GAO have been pressuring the Health and Human Services Department (HHS) to create privacy milestones for the National Health Information Network. At these Congressional hearings, Mark Rothstein, a law professor who is a member of the National Committee on Vital and Health Statistics, has been demanding that HHS Secretary Leavitt respond to NCVHS’s June 2006 letter of recommendations. (Of course, as NCVHS is a unit of HHS, it strikes me that silence is a form of response.)

The Report on Patient Privacy reports that last month NCVHS sent new sets of recommendations to Secretary Leavitt. What’s more, AHIC’s Confidentiality, Privacy and Security Group sent its own recommendations to Secretary Leavitt and held a meeting on “relevant HIPAA requirements,” at which Prof. Rothstein testified on the need for privacy protection beyond the HIPAA Privacy Rule.

The upshot of the Report’s article is that both advisory groups are coalescing around an approach that would scrap the business associate provisions of the HIPAA Privacy and Security Rules in favor of Congress extending those rules directly to business associates and all health care providers and vendors who handle protected health information. However, according to the Report, HHS HIT National Coordinator Robert Kolodner may not be on board with this approach.

As previously noted in the FEHBlog, the Senate Health Education Labor and Pensions Committee approved the Wired for Health Care Act of 2007 on June 27. At the markup, according to Government HIT News:

During committee consideration, it was amended to require that AHIC recommend policies and methods “to preserve the individual’s ability to control the acquisition, uses and disclosures of individually identifiable information.”

The bill also would extend the privacy rules of the Health Insurance Portability and Accountability Act of 1996 to health records banks and exchanges.

This change does not go so far as the approach described in the Report on Patient Privacy. The NCVHS approach would impose quite an administrative burden on small businesses and government agencies.