HIPAA's impact goes beyond its wide jurisdiction. The act sets forth wide-ranging and detailed standards for data protection and privacy. IT security standards including encryption may be seen by courts as mapping "best practices" where other laws leave this definition vague. By defining and codifying encryption as a requirement in the healthcare arena, HIPAA sets a clear precedent that may be applied to data protection regulations in all other areas.
For example, in 45 CFR (Code of Federal Regulations) Section 164.304, encryption is defined as the "use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." 45 CFR 164.213 (a)(2)(iv) states, "Implement a mechanism to encrypt and decrypt electronic protected health information."
John Halamka, CIO of Harvard Medical School, illustrated how healthcare compliance is changing in an address earlier this month at Harvard Business School along with Ranch Kimball, president and CEO of Joslin Diabetes Center and former Massachusetts secretary of economic development under Governor Mitt Romney. Halamka also offered his thoughts on how billions of dollars allocated to electronic healthcare under the American Recovery and Reinvestment Act (ARRA) should be spent.
Halamka conveyed just how complex the world of medical computing is now, requiring that he maintain a close watch on activity on Capitol Hill. Halamka sits on two critical HIT policy-making committees established under the Recovery Act: there's the HIT Policy Committee, of which he is a member, and the HIT Standards Committee, of which he is vice chairman.
The federal government has announced it will divide the $19 billion among doctors to go into EHR by 2011. Doctors can qualify for reimbursement if they show certification of the electronic method and software that they select against a technical standard. Halamka said guidance from HHS on that standard is expected to be available by year's end.
Because state law pre-empts HIPAA, however, Halamka noted, there are, in effect, "50 privacy policies." In this vein, the patchwork of individual state policies effectively prevents information-sharing, quite apart from technical challenges. "Privacy has been protected differently in each locality," Halamka said.
Beth Israel Deaconess Medical Center in Boston coordinates with Joslin by sharing medical records, which is still considered a technical feat in the world of healthcare. According to Kimball, Joslin went "all-EMR" seven years ago. Kimball said he believes Joslin was the first Harvard hospital to do so.
Halamka also discussed MA-SHARE, a Regional Health Information Organization, which is proposing a common messaging gateway that healthcare providers in Massachusetts could use to exchange health data. MA-SHARE is open source and provides for a level of data interoperability that enables providers to more easily communicate with each other -- in theory improving the quality of patient care delivery, he said.
This was first published in June 2009