Federal Law Passed to Protect Use and Disclosure of Genetic Information

ScienceDaily reports today that the U.S. Senate approved the Genetic Information Nondiscrimination Act of 2008 (GINA) yesterday, April 24, 2008, by unanimous consent. The Senate acted on an amended version of H.R. 493, which passed the House on April 25, 2007 by a vote of 420-3. The House is expected to take up the measure again quickly before sending it to President Bush to sign into law. A copy of amended H.R. 493 can be viewed on the Library of Congress’ Thomas website.

Among other things, GINA directs the Secretary of DHSS to revise the HIPAA privacy regulation, within 60 days after the date of the enactment of GINA, to include the following:

(a)(1) Genetic information shall be treated as health information described in [HIPAA].

(2) The use or disclosure by a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare supplemental policy of protected health information that is genetic information about an individual for underwriting purposes under the group health plan, health insurance coverage, or medicare supplemental policy shall not be a permitted use or disclosure. . . . .

(d) Enforcement - In addition to any other sanctions or remedies that may be available under law, a covered entity that is a group health plan, health insurance issuer, or issuer of a medicare supplemental policy and that violates the HIPAA privacy regulation (as revised under subsection (a) or otherwise) with respect to the use or disclosure of genetic information shall be subject to the penalties described in [the HIPAA Statute] in the same manner and to the same extent that such penalties apply to violations of this part. (Emphasis was added).

GINA aims to protect the privacy of all Americans’ genetic information and to establish a national and uniform basic standard necessary to fully protect the public from discrimination based on genetic information. Until yesterday, genetic information had been protected specifically only by a handful of states. In New Jersey, the New Jersey Genetic Privacy Act (N.J.S.A. §§10:5-43 et seq.) already provides that no person may disclose or be compelled to disclose the identity of an individual upon whom a genetic test has been performed, or individually identifiable genetic information, except pursuant to a few very limited exceptions. See N.J.S.A. §10:5-47. However, any entity or individual that uses or handles DNA in New Jersey should reevaluate its disclosure and consent procedures in light of GINA’s new standards.

RHIO Tech Talk - NY RHIO Selects IT Vendor

Axolotl Corp. of San Jose, California, has been chosen to implement the Interboro Regional Health Information Exchange in order to facilitate data exchange among providers in the Queens area of New York City. The RHIO will use Axolotl's Elysium Community Virtual Health Record and EMR-Lite applications to enable participating physicians to access patient lab reports, radiology reports, medication history, allergies and other clinical data via a secure Web application. The RHIO will also use Axolotl's Patient Index to ensure correct identification of all patients.

Elmhurst Hospital Center and Queens Hospital Center are spearheading the development of the RHIO. Other participating organizations are New York Hospital Queens, Woodhull Medical and Mental Health Center, HHC Health and Home Care center and several payers.

Educating the Educators on Privacy Laws

 

Last October, the United States Department of Education released a policy guidance document to help educators and parents interpret federal privacy laws in an initiative prompted by the mass shooting at Virginia Tech. The document was created in response to schools' requests "for guidance on what information can be shared among government agencies and parents under the 1974 Family Educational Rights and Privacy Act" (FERPA). At that time, Congress was also considering revising FERPA to clearly permit school officials to contact parents if a student is considering suicide or a threat to attack someone. Currently, FERPA allows officials to share information with parents or other agencies if there is a health or safety emergency, but there was concern - especially after the Virginia Tech incident - that the language is too vague.

On March 24, 2008, almost a year after the shooting rampage at Virginia Tech, the U.S. Department of Education (DOE) proposed regulations to clarify when colleges can release confidential information about students who might be a danger to themselves or others.   The proposed guidelines do not make any substantive changes under FERPA, but attempt to clarify that schools are permitted to report fears about students who might be a danger to themselves or others. Parents are among the parties who can be contacted if a student is at risk.  It is believed that the changes would provide colleges with more flexibility in defining a potentially dangerous situation, and would help ensure that counselors have the tools they need to reach out and build support systems around troubled students. 

HIPAA contains a similar exception for disclosures "to avert a serious threat to health and safety." Under HIPAA, a covered entity is not prohibited by the federal Privacy Rule from disclosing protected health information if it believes, in good faith, that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the disclosure is to a person reasonably able to prevent or lessen the threat, including the target of the threat. State laws may, however, impose additional restrictions and must still be considered.

The deadline for comment on the DOE's proposed regulation is May 8, 2008.

 


Sanctions May be Imposed Due to Stark-Struck Snoopers

On April 8, 2008, the New York Times & The Los Angeles Times reported that Dr. Mark Horton, head of the California Department of Public Health, said that "the agency planned to sanction the University of California, Los Angeles, Medical Center after hospital workers improperly viewed the records of more than 60 patients, including the actress Farrah Fawcett and the state's first lady, Maria Shriver." The medical center's investigation "revealed that records of 61 patients, roughly half celebrities or politicians, had been opened by one unauthorized worker who had since quit." Governor Arnold Schwarzenegger has been quoted as stating that his administration will push hospitals to implement new safeguards to stop such snooping.

These types of incidents highlight a prevalent issue that I find many covered entity providers struggling with: namely, that their employees are either not aware of, or not taking seriously, their responsibility not to access the record of any patient without an authorized purpose. Authorized purposes include where the employee needs the information in connection with providing health care services to the patient. Other authorized purposes are limited, but are set forth in the HIPAA Privacy Rule. In addition, state laws may further restrict which employees can access certain sensitive information, like mental health records.

HIPAA requires that covered entities implement safeguards to attempt to prevent unauthorized employees from accessing protected health information (PHI). The first step for a provider is to establish clear policies regarding when employee access is "authorized" (permitted) and when it is "unauthorized" (not permitted). With respect to electronic PHI, the HIPAA Security Rule goes one step further by requiring covered entities to implement (1) Access Authorization levels and (2) Access Establishment and Modification. This may include developing and implementing policies and procedures for assigning access rights (i.e., passwords) to employees based upon their role at the facility. Finally, it is imperative that employees are trained on established policies, and that applicable sanctions (i.e., from warnings to termination) are carried out for violations.