HIPAA becoming a standard for data protection regulations


Sarah Cortes, Contributor
06.11.2009

Get used to more healthcare technology acronyms. HIT (health information technology), HIE (health information exchange), EMR (electronic medical record) and EHR (electronic health record) will have a direct impact on businesses and organizations outside the healthcare industry. The Health Insurance Portability and Accountability Act -- HIPAA -- is in fact setting a de facto standard for non-health-related security and data protection regulations and enforcement.

HIPAA applies to healthcare providers, health plans and clearinghouses. Its scope, however, is actually wider. HIPAA applies, for example, to all schools and universities because they have student health services. Due to the practical difficulties and cost of identifying and segregating data, most universities have to apply the HIPAA standard to all data and IT operations. As more and more businesses and organizations provide forms of direct healthcare to employees, the HIPAA jurisdictional umbrella will widen.

HIPAA's impact goes beyond its wide jurisdiction. The act sets forth wide-ranging and detailed standards for data protection and privacy. IT security standards, including encryption, may be seen by courts as defining "best practices" where other laws leave this definition vague. By defining and codifying encryption as a requirement in the healthcare arena, HIPAA sets a clear precedent that may be applied to data protection regulations in all other areas.

For example, in 45 CFR (Code of Federal Regulations) Section 164.304, encryption is defined as the "use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." 45 CFR 164.213 (a)(2)(iv) states, "Implement a mechanism to encrypt and decrypt electronic protected health information."

John Halamka, CIO of Harvard Medical School, illustrated how healthcare compliance is changing in an address earlier this month at Harvard Business School, along with Ranch Kimball, president and CEO of Joslin Diabetes Center and former Massachusetts secretary of economic development under Governor Mitt Romney. Halamka also offered his thoughts on how the billions of dollars allocated to electronic healthcare under the American Recovery and Reinvestment Act (ARRA) should be spent.

Halamka conveyed just how complex the world of medical computing is now, requiring that he maintain a close watch on activity on Capitol Hill. Halamka sits on two critical HIT policy-making committees established under the Recovery Act: there's the HIT Policy Committee, of which he is a member, and the HIT Standards Committee, of which he is vice chairman.

The HIT Policy Committee is focused on further defining the use of electronic records. In some ways, that's an elusive concept to many on Capitol Hill. $19 billion of federal funds lie in the balance, available to spend but awaiting further consensus on how to spend it. As Halamka noted, "Only 2% of hospitals are currently online with EHRs. These funds are intended to encourage and allow the rest to get there as soon as possible." ARRA also contains a Title XIII, also known as the Health Information Technology for Economic and Clinical Health Act, or HITECH, which adds new compliance requirements and penalties to existing data protection regulations.

The federal government has announced it will divide the $19 billion among doctors who adopt EHRs by 2011. Doctors can qualify for reimbursement if the electronic method and software they select are certified against a technical standard. Halamka said guidance from HHS on that standard is expected to be available by year's end.

Because state law pre-empts HIPAA, however, Halamka noted, there are, in effect, "50 privacy policies." In this vein, the patchwork of individual state policies effectively prevents information-sharing, quite apart from technical challenges. "Privacy has been protected differently in each locality," Halamka said.

Beth Israel Deaconess Medical Center in Boston coordinates with Joslin by sharing medical records, which is still considered a technical feat in the world of healthcare. According to Kimball, Joslin went "all-EMR" seven years ago. Kimball said he believes Joslin was the first Harvard hospital to do so.

Halamka also discussed MA-SHARE, a Regional Health Information Organization, which is proposing a common messaging gateway that healthcare providers in Massachusetts could use to exchange health data. MA-SHARE is open source and provides for a level of data interoperability that enables providers to more easily communicate with each other -- in theory improving the quality of patient care delivery, he said.

Sarah Cortes is a senior technology manager at InmanTechnologyIT. Write to her at sarah_cortes@inmantechnologyIT.com.

Copyright 2009, TechTarget. All rights reserved.