By Kirk J. Nahra, CIPP

Electronic medical records, personal health records and health information exchanges (HIE) create significant opportunities to improve health outcomes and reduce healthcare administrative costs. At the same time, these records—along with some of these benefits—are creating a new debate as to whether the existing healthcare privacy and security rules are reasonable and effective in today's evolving healthcare information environment.

This debate is a critical one for the future of health information technology. While this debate proceeds—with no clear end in sight—the marketplace is moving forward without rules, both with healthcare providers building significant electronic medical records systems and through personal health record vendors developing increasingly broad product offerings. Moreover, regardless of how this debate proceeds, the rules are not likely to catch up with the marketplace any time soon. For healthcare providers, insurers, employers, aspiring PHR vendors and others, it is critical to be aware of this uncertainty, and to understand the need to develop systems that can be effective today, but that also can be sufficiently flexible to adjust to future regulatory requirements.

From a privacy and security perspective, I identify below (in my personal view) the top questions implicated in the development of electronic medical records, personal health records and health information exchanges.

1. Is there a need for new privacy rules that apply to the broad variety of participants in health information exchanges who are not covered by HIPAA today?

The development of health information exchanges and personal health records has highlighted some of the gaps of the existing HIPAA privacy and security structure, because there are significant participants in these efforts who, today, have no regulatory obligations at all under HIPAA. Accordingly, one of the first questions to be addressed will involve whether there needs to be rules created for these entities. Most of the advisory groups that have opined on this topic (including the HHS Advisory Committee that I chair) have recommended that either the HIPAA rules be extended to these participants in health information exchanges and personal health records, or that new rules be created for these entities. Another alternative is for these entities to be required to develop appropriate privacy notices and policies (perhaps under some kind of government certification standard), with the Federal Trade Commission acting as the enforcement agency for violations of these notices. The question of what to do with these "non-HIPAA" entities is a critical one, and one that drives much of the concern about building trust in these electronic networks.
    
2. Are there sufficient differences in the health information exchange environment to justify different privacy rules than exist today?

The current healthcare privacy structure is exceedingly complicated. Obviously, the HIPAA structure is the primary set of rules. In addition, covered entities need to factor into their compliance efforts a wide variety of other federal laws and regulations (e.g., the federal substance abuse rules) and an enormous, often inconsistent and exceedingly confusing array of state laws, that may or may not create "more stringent" obligations than HIPAA. With this extensive set of existing obligations, one of the key issues for the current debate is whether there is a specific reason to justify adding a new set of legal obligations. Many of the entities that have advocated for new rules simply do not like the existing rules; that is a fair position to take, but it does not address the question of whether there should be specific rules for this electronic health exchange environment. Instead, it is critical to evaluate whether there is "something different" about this environment to justify having new rules. It is hard to say—as some have argued—that the electronic nature of this information is different from the HIPAA environment, since electronic information clearly is encompassed within the HIPAA Privacy Rule, and is the clear and exclusive focus of the HIPAA Security Rule.

Nonetheless, there clearly are some differences. For example, the new kinds of participants in these efforts have led several groups to recommend extending the HIPAA rules to these new participants. If this step is taken, then, are there other substantive differences that justify new rules? Phrased differently, why should we create rules for this electronic health exchange environment that are different from the remainder of the healthcare universe?

3. What will be the implications of creating different rules specifically for information exchanged through HIEs?

If a decision is made that there are reasonable bases to justify new rules for this environment, the follow-up question is what the impact will be from a situation where there will be two sets of rules for many entities, particularly healthcare providers—one rule for "HIPAA" information, and a different set of rules for information that flows through the health information exchanges. It is clear that the multiplicity of rules that exist today in the healthcare system on their own lead to confusion and concern, and create—in some situations—adverse consequences simply because of confusion. We can create significant new risks if we create a parallel set of rules, with confusion and complexity on how these rules should be applied. This concern about confusion should serve as a counterweight to the arguments that support new rules based on "differences" in the existing structure, particularly if these "differences" are not significant.

4. If there are going to be new rules created because of HIEs, should these rules extend to the overall healthcare privacy environment?

As a related discussion, the question arises as to whether the "need"—if there is one—to create different rules for the electronic HIE environment justifies altering the rules throughout the healthcare system. As discussed above, having two sets of rules creates a difficult set of complexities. Presumably, having one set of rules creates a cleaner environment—but then the question arises whether all of the healthcare rules should be changed because of the ongoing development of this health exchange environment. The current debate has served to highlight some of the HIPAA gaps, and has created a realistic view of the need for a true health information privacy regime. While a broader set of principles clearly would be beneficial—in terms of the entities subject to these rules—it is far less clear that the principles of HIPAA need to be "fixed," altered or revised in any way. In fact, while there clearly are some areas of concern, there is no widespread evidence that the HIPAA regime isn't working—at least where it is applicable. So, before we embark on a new effort to revise how the healthcare industry handles patient privacy, we should make sure that there is a real need for new rules at all.     

5. What kind of consumer consent should be required for electronic health environments?

One of the key issues for the question of "new rights" involves the question of whether individuals should have additional "consent" rights than they do today under HIPAA. As a refresher, patients and consumers have very limited consent rights in the HIPAA structure today. They essentially have no HIPAA consent rights for uses and disclosures of healthcare information for treatment, payment or healthcare operations purposes—covering an enormous percentage of the typical uses and disclosures of information. They also have no consent rights for the "public policy" purposes established by the rule. The primary "consent" right is the requirement that individuals "authorize" disclosures outside of these "no consent needed" areas.
In the HIE environment, many advocates are promoting additional consumer choice and consent as a means of ensuring that consumers have trust in and participate in the system. That is certainly an appropriate topic for debate. Many of the same concerns were raised at the time of the HIPAA rule implementation. Once the HIPAA decision was made, and amidst much concern about how patients would react, there is virtually no evidence supporting the idea that patients have been withholding information because of a lack of a consent model. Therefore, it is critical to evaluate this question of consumer consent fairly, with both an understanding of the current context (and the experience that stands behind this context) at the same time that we are evaluating the prospective nature of the health information exchange environment.

At the same time, it also is critical to factor in the PHR component of this debate. Virtually all of the primary PHR models are promoted and marketed as "consumer driven" and "consumer controlled." The premise of the PHR is that a consumer can choose (1) what information goes into the PHR and (2) who is given access to or provided information from the PHR. Obviously, there are significant challenges to making this general commitment a reality. There also are significant issues with how information that is disclosed—even with consumer choice—will be treated by the recipient. But, a marketplace that creates and develops PHRs faster and more broadly than can be done within the healthcare industry may reduce the need to debate and decide on the appropriate role of consumer choice in an HIE environment.

6. If consumers are given additional consent rights, how will this affect the overall benefits of the health information exchange system?

Continuing the idea, if there are additional consent rights granted to consumers—which will affect the amount and nature of the information that will be exchanged through these exchange environments—how will this affect the overall benefits of health information exchanges? This is probably the ultimate "big picture" question in this situation. Obviously, there are specific details that need to be addressed—for example, would consent be "opt-in" or "opt-out?" We know that this choice plays a dramatic role in how much "choice" is exercised. Will the choice be "all or nothing" or more granular? If granular, and consumers are given the ability to withhold specific kinds of information, how will this affect the ability of healthcare providers and others to rely on this information? At the end of the day, the key question will be whether the consent model that is selected creates a situation where HIEs or other electronic records have so many gaps that the benefits of these records—in terms of medical errors, improved quality of care and reduction in administrative costs—disappear because of privacy and security concerns.

Where Do We Go From Here?
Clearly, there is a virtually unlimited set of issues arising from this debate. Two key conclusions stand out.

• The market for health information technology is not waiting for final rules to develop; and
• Most of the relevant questions will need to be resolved through legislation, as there is no obvious regulatory vehicle to institute broad changes.

With these clear conclusions, we likely will see an ongoing policy-oriented debate, with many audiences being heard from, without any easy means of synthesizing or implementing these recommendations. It is very likely that the debate on electronic records and health information technology will lead to a broader, overall debate on the future of healthcare privacy.

For healthcare businesses, employers, patients and others, understanding the benefits and risks of these records is critical. Our challenge is to evaluate appropriately how these records can benefit both individual patients and the overall healthcare system, in the course of designing an appropriate set of rules that permits these benefits while still protecting legitimate privacy and security interests.

Kirk J. Nahra is a partner with Wiley Rein LLP in Washington, D.C., where he specializes in privacy and information security litigation and counseling. He is chair of the firm's Privacy Practice. He has served on the IAPP Board of Directors and is the editor of Privacy Advisor. He is the Chair of the American Health Information Community's Confidentiality, Privacy and Security Workgroup. The views expressed in this article are his and his alone, and do not reflect the views of any clients or organizations with which he works. He can be reached at 202.719.7335 or knahra@wileyrein.com.