Kirk Nahra Discusses New Health Privacy Regulations at Chicago Conference
An April 21 presentation by Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice, was the focus of a SearchHealthIT.com article yesterday on the impact of recent changes in health-care privacy regulations.
The updated Health Insurance Portability and Accountability Act (HIPAA) rules will force providers to make significant changes to some of their processes, often without much benefit to patients, Mr. Nahra said at the HealthTech Council meeting in Chicago.
For example, a requirement that providers notify patients of any breaches of their private health data may not be as useful as similar rules aimed at protecting their financial data. Mr. Nahra noted that consumers can take concrete steps to prevent further damage after a financial data breach—such as closing accounts or monitoring their credit reports. But he said there isn’t much patients can do to mitigate potential harm after learning of an inappropriate medical disclosure.
The U.S. Health and Human Services Department (HHS) proposed revised rules that also would give patients the right to obtain from their health provider a list of every employee who has accessed their protected health information. That new provision will create time-consuming paperwork for providers, but few patients are likely to know about it or take advantage of it, Mr. Nahra said.
“Think about all the record-keeping that would be required of that,” he said. “HHS is feeling its way on what it wants to do for patients. The rationale for this was patient empowerment. I don't think they've given up on getting patients more involved in their care.”
The HIPAA regulations don’t do as much to shield private health data as most providers, patients and lawmakers believe, Mr. Nahra said. For example, a medical record submitted to a patient’s health insurance provider after a car accident is subject to HIPAA rules, but that same information isn’t covered by any privacy laws when the patient sends it to the car insurance company.
“HIPAA is not a health care privacy law,” he said. “It protects certain kinds of health information when it's held by certain professionals in certain situations.”
The HIPAA revisions also include a new standard for assessing whether a data security breach leads to harm. While regulators previously used a harm threshold test to determine whether penalties applied and whether patients should be notified, the new rule presumes harm in all breaches, according to the article. When a data breach occurs, providers will have to prove that it is unlikely to cause real harm to patients.
Mr. Nahra said providers should evaluate their next data breach under both criteria. He predicted that the outcome will be mostly the same under both tests, but said it will be a helpful exercise.