- What the HIPSA?!! After HIPAA, the last thing most of us want to hear is another acronym that starts with the letter "H" and makes our heads spin trying to figure out whether the answer to the question is "to disclose" or "not to disclose." But here it may come... Covered Entities (and anyone currently handling health information, for that matter) should keep an eye on U.S. Senate Bill 1814, the Health Information Privacy and Security Act ("HIPSA"), currently under consideration by the Committee on Health, Education, Labor, and Pensions. HIPSA could change the current HIPAA landscape by, among other things, aiming to directly govern every individual and entity that uses personal health information. The potential new law is also looking to create a right of private action (the right to file a private lawsuit), and allow state attorneys general to sue for privacy and security violations. Each of these elements is more far-reaching than HIPAA, which directly governs only Covered Entities, and does not provide a statutory private right of action.
- New Jersey Health Information Technology Promotion Act (NJ HITPA), Senate Bill 2728. As NJ HITPA inches forward (last updated 11/2007), New Jersey may be one step closer to setting up the infrastructure necessary to support a state-wide RHIO (Regional Health Information Exchange) in 2008. NJ HITPA establishes the New Jersey Health Information Technology Commission to assume primary responsibility within State government for the development, implementation, and oversight of the Statewide health information technology plan. That plan is to be designed to establish a secure, integrated and interoperative, Statewide electronic health information infrastructure for the sharing of electronic health information among health care facilities, health care professionals, public and private payers, and patients, which complies with all State and federal privacy requirements and links all components of the health care delivery system through secure and appropriate exchanges of health information.
- Ban On Data Mining. On December 12, 2007, the Washington D.C. Council voted in favor of restricting access to information about physicians’ prescribing trends. The ban is the result of a much larger debate, namely whether prescription data should be allowed to be mined and sold to pharmaceutical companies and whether such practice drives up the costs of prescription drugs and interferes with physician practices. However, from a HIPAA standpoint, the ban may spur a trend that could restrict access to deidentified information. Under HIPAA, if information is "deidentified" (stripped of all identifying elements) then the federal Privacy Rule does not prohibit its disclosure. Most state laws also limit confidentiality protections to "identifying" personal information. Therefore, "anti-data mining" laws such as the one being considered in D.C. (as well as in 12 other states, including New Hampshire, Maine and Vermont) would, in many instances, result in state laws that are more restrictive than HIPAA and create a new barrier to pharmaceutical companies and others obtaining such information.
- States Amending Privacy Laws. Look for legislation to be introduced in New Jersey and other states that tightens up privacy and security requirements in certain instances, and that clarifies restrictions that have become outdated. For example, the Pennsylvania Department of Health ("PA DOH") proposed to amend its regulations relating to the disclosure of patient information under the Pennsylvania Drug and Alcohol Abuse Control Act. The proposed rule, set forth in the Pennsylvania Bulletin at 37 Pa.B. 6529, indicates that the PA DOH determined that the current regulation is outdated and is an impediment to service delivery and the coordination of care for individuals with substance abuse problems. In general, the proposed rule expands the amount of information treatment providers may release to other entities (in accordance with the existing statute), and clarifies what information is subject to the confidentiality and disclosure restrictions.
- Identity-Theft Prevention Laws. As the nation moves toward converting from paper to electronic health records and our personal information becomes more accessible, medical identity theft has become pervasive. Many states, including New Jersey, have passed security-breach notification laws that require providers to notify an individual if his/her electronic information has been accessed in an unauthorized manner. Look, however, for states to expand their current laws protecting the security of health information and specifically target medical identity theft.