Privacy Reform in Health Care Began Well Before Obamacare
After three years of preparation, today is “Implementation Day” for a signature piece of the Affordable Care Act – the day that health insurance exchanges or “Marketplaces” will be open for individuals seeking coverage. There has been a lot of attention from Congress – and the American public – regarding the integrity and readiness of these insurance marketplaces, especially in terms of privacy. The good news though is that not only has privacy been a core consideration in the design of the Marketplaces, but also that health care privacy reform has made significant progress over the past four years.
The foundation for health care reform began in 2009 with enactment of the economic stimulus legislation and its provisions advancing the adoption and use of electronic health records systems by health care providers. Through increased collection and sharing of digital health data, the objective is to reduce costs and support the delivery of better care, but increasing the electronic flow of sensitive health information poses risks to privacy. Now with the introduction of health insurance Marketplaces that require eligibility verification using sensitive data, additional privacy concerns around health care reform have been raised.
While the U.S. has a less-than-stellar record on adequately addressing consumer and health privacy, the last four years have brought solid progress, even though privacy provisions are still far from ideal. Some of the highlights include:
The statutory and regulatory framework governing Marketplaces includes strong privacy protections. Those Americans who apply through the Marketplaces will only be asked questions that are necessary for eligibility and enrollment determinations and the applicant data that is collected will only be used for exchange purposes. CDT has also successfully sought the inclusion of Fair Information Practice Principles (FIPs) in the Marketplaces. Additionally, the infrastructure for exchanges uses a routing approach, with minimal (if any) centralized storage of sensitive applicant identifiable information.
The 2009 stimulus act included a number of improvements to federal health privacy rules under HIPAA. Earlier this year, the Department of Health & Human Services (HHS) finalized regulations – the HIPAA “Omnibus” rule, to implement those changes, most of which became subject to enforcement by regulators September 23. Strengthened privacy protections in the Omnibus Rule include: extension of federal privacy and security protections to contractors (and subcontractors) of doctors, hospitals and insurers; improved patient rights to a notification of when their medical records are lost or stolen; clarification that patients have the right to receive an electronic copy of their health data and to have that copy sent at their request to someone else; and strengthened prohibitions against the use of a patient’s medical records without consent for marketing communications. CDT advocated vigorously for these enhanced privacy protections, and our specific recommendations are reflected in many of the provisions.
CDT, through its role as the chair of the Privacy and Security subcommittee of the federal Health IT Policy Committee (known as the “Tiger Team”), helped influence policy for health information exchanges – infrastructure designed to support the exchange of clinical health information among health care providers and patients. The Health IT Policy Committee urged HHS to require such health information exchanges (HIE) to adopt policies to implement fair information practices (similar to those adopted by insurance marketplaces), and recommended that patients be provided with meaningful choice before their information could be shared through certain types of HIE models. The HHS Office of the National Coordinator for Health IT implemented these recommendations as policy for state HIEs receiving federal funds.
While the debate on Obamacare will obviously continue to be overly political and polarized, we should all be feeling much better about improvements in health care privacy, including those about to be implemented as a result of the Affordable Care Act.