Right now we have the worst of all worlds with regard to patient privacy in healthcare. Patients are frequently subject to sub-standard security and privacy practices AND healthcare innovators are unable to deliver solutions that would be useful to patients because their technical approaches are uncomfortably novel for health care bureaucrats. Patients end up getting poor security and no innovation, the worst of all options. This problem is going to get worse before it gets better, since the new Omnibus HIPAA Rule will make cloud hosting of health care projects untenable very soon.
We need a way to provide meaningful privacy choices to patients, while enabling technical innovators to offer services using modern technical infrastructures. In order to do that, we need to hack the document that dictates the core relationship between patients, clinicians and innovators. That document is the Notice of Privacy Practices (“NPP”) that patients sign when they first start engaging with a particular provider.
The goal of this project is to fund the creation of a universally accepted NPP for health care providers to share with patients — one that recognizes current realities of data storage and transfer, explains these realities to patients, and obtains their consent to use, transmit and store data in a private and secure manner using cloud storage and computing, secure email, email, two-way video systems and text messaging. These are all standard technology approaches that patients use to work with their own health care data every day. But regulatory compliance makes it difficult for them to connect with their doctors using these technologies.
HIPAA and the HITECH Act — the Federal health data privacy and security laws — govern the use, transmission and storage of personally identifiable health data, and define the parameters for the NPP. However, there is no standard form NPP in use. This means that technologists have to adapt to a plethora of scenarios created by multiple NPPs, none of which is drafted with technical requirements in mind. The law of unintended consequences yields problems for patients and providers as a result of this technology blind spot.
The Compliance Date for the Omnibus HIPAA Rule (which operationalizes the HITECH Act amendments to the original HIPAA regulations) is September 23, 2013. Unless steps are taken in advance, on that date many health care clinical and research projects that rely on reasonably configured health information technology systems will become non-compliant, and may expose health care providers (“Covered Entities” under HIPAA) and their partners (“Business Associates” under HIPAA) to government investigations and sanctions, including fines.
Many Business Associates under the Omnibus Rule are newly covered (they were not considered Business Associates under the old HIPAA rules) and all Business Associates will soon become primarily liable for full compliance with the HIPAA/HITECH rules with respect to all protected health information (“PHI”) that they touch.
Some cloud hosting providers have announced that they will be signing business associate agreements with Covered Entities and other Business Associates. Others have not. Many Business Associates host their applications with cloud providers that have not indicated a willingness to enter into Business Associate Agreements and provide their customers with needed transparency about their operations. Thus, Business Associates will not be able to satisfy themselves that physical access logging, two-factor authentication and other HIPAA requirements are being adhered to by their cloud hosting contractors. They may continue to feel confident in underlying security features offered by their cloud hosting contractors, but without more they can no longer be considered HIPAA-compliant. (This piece of the puzzle may demand a technical solution or an administrative solution. A technical solution might be encryption of the cloud with keys managed by the Business Associate – not the cloud host. Encrypting data takes it out of the HIPAA crosshairs – if encrypted data is improperly accessed but the key is secure, the data is unreadable, so for HIPAA purposes no breach has occurred. An administrative solution might be a risk analysis of addressable HIPAA standards that concludes – for some data, for some Business Associates – that less than 100% compliance with addressable standards is OK.)
HIPAA compliance does not exist in a vacuum. Since it is intended to benefit patients whose data is kept private and secure, patients (including research subjects) have the right to waive certain HIPAA protections. But asking patients to waive rights that they have under HIPAA is something that should be done only after careful consideration. We are asking for your help to fund that careful consideration.
Business Associates that do not wish to disrupt their current cloud hosting arrangements, that understand the need to limit data transfer to the minimum necessary to discharge their duties, and that contract with clinical care and/or research institutions, will want to be proactive in creating a solution to this looming problem before September 23. Forward-thinking Covered Entities that want to be able to communicate with patients via email and SMS communications, or even two-way video, without deploying costly secure messaging systems and portals (which are often spurned by patients and staff) will want to be involved as well.
Even though the original HIPAA regulations allow for patients to receive text (SMS) messages and emails from their doctors, most HIPAA compliance policies prevent this from happening in practice. As a rule, patients would love to be able to use these technologies to communicate with their health care providers, and when they understand the actual risk associated with transferring data in plain text, they almost always view the risk as either irrelevant or tolerable. In addition, patients now have the option to communicate with their providers through portals and secure email protocols (like the Direct Project) that are rolling out thanks to the Meaningful Use requirements for electronic health records systems. That means that patients who do have a problem with plain-text communications with their health care providers now have a reliable secure communications option.
Patients and providers now have options for electronic communications that will help ensure that communication is easy, and as secure as patients want it to be. With the proposed NPP in place, patients will be empowered to communicate their preference for plain-text email, SMS, Direct or portal communication. This document will explain the risks inherent in SMS and plain-text email to patients. In the context of that explanation, patients who are still comfortable using those communications platforms can just start using them, but if a patient chooses only to use secure protocols or portals, that choice will also be respected.
Lastly, patients should have the right to participate in clinical research more easily. The NPP will enable patients to participate in clinical research (by sharing their data) without having to sign a separate document. It will establish reasonable defaults for research use of patient data. We will be looking to the Open Consent community for options here, but we plan on offering real choices for involvement in clinical research, including not being involved at all.
Since patient data is, or soon will be, exchanged through health information exchanges (“HIEs”), the trust framework the HIEs must develop should take into account the flexible NPPs and the related patient decisions about privacy and security. Fleshing out these concepts sooner rather than later will help influence the development of the trust framework. Documents like the all-important DURSA will be referenced and explained here.
Creation of a standard form NPP — the Common Notice of Privacy Practices (“CNPP”) — for Covered Entities to provide to their patients before September 23, which will permit the use of modern communications and computing technologies while maintaining HIPAA compliance and compliance with key state laws as well (i.e. health data privacy laws from key jurisdictions, e.g., California, Texas, New York).
With your help and full funding, the form CNPP will be developed by David Harlow, a health care attorney and consultant with significant expertise and experience in health care data privacy and security, in consultation with backers of this project at the $1000 level or above.
Wherever possible, components of the CNPP may be made available to backers in a modular fashion, to accommodate the possibility that initially not all Covered Entities will adopt the CNPP in lieu of their own NPP forms.
If backers of the project contribute a total of at least $15,000, then three additional state-specific provisions will be included for states identified by backers at the $1,000 level or above.
We have considered doing a “Common Business Associate Agreement” and if things go really well with this project (hint, hint: tell your friends and neighbors), then that might become an option for us. (We would need more than $20K to even start considering that.) If backers of the project contribute a total of at least $20,000, then additional stretch goals crowdsourced by backers at the $1,000 level or above will be included, subject to budget and feasibility considerations, as determined by David Harlow.
Learn more about their interest in the project by watching the video embedded above.
About David Harlow:
David Harlow JD MPH is Principal of The Harlow Group LLC, a health care law and consulting firm based in Boston, MA. His twenty-five years’ experience in the public and private sectors affords him a unique perspective on legal, policy and business issues facing the health care community. David is adept at assisting clients in developing new paradigms for their business organizations, relationships and processes so as to maximize the realization of organizational goals in a highly regulated environment, in realms ranging from physician-hospital relationships to data privacy and security to facilities development to social media strategies to the avoidance of fraud and abuse. His blog, HealthBlawg, is highly regarded in both the legal and health policy blogging worlds. He is a member of ONC’s Health IT Standards Committee’s Consumer Technology Workgroup. He is a charter member of the external Advisory Board of the Mayo Clinic Center for Social Media and the Public Policy Chair of the Society for Participatory Medicine. He speaks regularly before health care and legal industry groups on business, policy and legal matters. You should follow him on Twitter.
Backers of this project may wish to engage David as their legal counsel or consultant on matters related to the CNPP or other health care matters.
The CNPP will be provided privately to backers of this project upon its completion this Summer. The CNPP will be made available online under a Creative Commons License on November 1, 2013 (i.e., approximately five weeks after the compliance date of the Omnibus HIPAA Rule).
The CNPP will be a legal form. Its development, including without limitation any individual or group discussions will not create an attorney-client relationship between David Harlow or The Harlow Group LLC and any backer of this project.
While we will certainly meet our goal to create this document, you should be aware that contributing at any level does not give you the right to make unreasonable demands (or otherwise act like a child).
Also, while we will do our best to ensure that this document will not get you sued or in trouble with the Office of Civil Rights, that might not be good enough – we are not your insurance policy. The law and/or the interpretation of the law changes constantly.
You need to have reasonable expectations here, but you should be able to get rock-solid documents at a fraction of the price you would expect to pay a health care lawyer on an individual basis, all while contributing to a good cause.
Receive our eternal thanks and sleep well in the knowledge that you helped change healthcare for the better.
Get the t-shirt that all of the top health care innovators will be wearing this season.
Access to the CNPP before the HIPAA Omnibus Rule compliance date.
All of the stuff at the $100 level plus the amazingly awesome but not-yet-designed backers' t-shirt.
Above, plus a telephone consultation with David Harlow regarding the CNPP form after it is complete. This is not a legal consultation.
1. Above, plus a telephone consultation with David Harlow before the CNPP form is complete, so that your particular issues may be considered in the development of the CNPP form.
2. Comment access to the CNPP form (via Google Drive).
3. If $15,000 or more is raised, then above, plus input into selection of three additional states’ laws to be addressed in the CNPP form.
4. If $20,000 or more is raised, above, plus input into determining additional stretch goals.
GET YOUR OWN STATE - For those outside of Texas, New York or California, when you get this package we will drill down and give you an iron-clad version for your state. This level will allow you to add any single state or U.S. jurisdiction to those that we will build out. Great for state-based agencies, EDCs, consortiums, or large companies that want to make sure their state is included in the design of the documentation and systems. Caveats apply, but if this is important to you, this is the level for you.
YOUR OWN SPECIAL VERSION - Designed for your specific technical platform or approach, beyond cloud hosting, plain text email, SMS and two-way video that you would like thought through and developed just for your company. Buy this level to have David consult with Ian and Fred (the technical advisers for the project) about your specific brand of technology goodness.