A Brief Overview of Health Informatics Law
Understanding the general legal principles and rudimentary laws that govern health care information, information systems, troubleshooting systems, care communications, dispositions, policies and procedures, and so on, enables a health information professional to critically and objectively read, write, discuss and understand the issues, problems, settlements, changes, additions and deletions to laws, and the implications therein. This makes for a more effective health information professional, one who is able to meet the demands of the health care field, the profession, the health care institutions, quasi-governmental agencies, legislative bodies, and others.
Health information law is a combination of public and private law, both of which are applicable to health care. Health law is a specialty practiced by attorneys who counsel health care institutions and practitioners on their legal responsibilities and rights. It also encompasses law regulating the finance and delivery aspects of health care at the local, state and federal levels. Health law also includes the legal rights of patients and physicians, hospitals and other health care providers, and is applicable to diseases and other physical and mental conditions.
Most health care professionals lack training and education in both the healthcare delivery systems and in the legal aspects of those systems.
Privacy, confidentiality, and related legal concepts, and specifically the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal laws and regulations, motivate staff and are technically complex, with a multitude of policies and procedures to accommodate patient requests for privacy and confidentiality.
HIPAA was enacted to improve and protect the portability, availability, and sustainability of healthcare coverage in the individual and group markets, and the efficiency and effectiveness of the health care system, through the establishment of a national agenda for electronic health care systems. HIPAA regulates the privacy and security of protected health information, and contains standards for security and for electronic health care transactions and code sets. HIPAA primarily focuses on the privacy of individuals in the electronic transmission of health information, and provides a clear set of rules for what can and cannot be done with that information. HIPAA provides for administrative simplification, health care fraud and abuse, and tax-related health provisions, and includes various applications in the areas of: health care access; data collection; insurance portability; health care fraud; abuse; underwriting; taxes; and privacy and security.
The American Health Information Management Association (AHIMA) has developed a series of resources that provide background and serve as a central point for news and information for coding professionals who work with information systems in health care organizations. The recent HIPAA privacy regulations have made it obvious that access to and use of health care information are governed by multiple federal and state laws that authorize or limit such access and use.

Essential Legal Concepts Related to Health Informatics
Privacy, confidentiality, security, and the principles of trust are foundational to the legal obligations for operating health information systems. This section will discuss each of these principles and the related legal doctrines, their application in the context of health informatics, and how these principles and doctrines fit into the overall picture of legal compliance for health information systems.
Privacy can be thought of as the right to freedom from intrusion. Every individual has the right to protect and control their personal information and prevent access to it by other individuals. Privacy law protects an individual’s interest in preventing the disclosure of personal knowledge or information possessed by another if the knowledge or information was intended to be confidential or secretive.
By defining specific rules that limit disclosure for certain types of information, the law creates safe havens for those types of information. Disclosure of protected health information (PHI) requires the consent of the individual or, where consent is not required, is limited to disclosure only as permitted or required by law. Unauthorized disclosures of private information usually result in civil liability, including significant awards of punitive damages.
Confidentiality can be thought of as the obligation of an individual having access to information to protect the information from unauthorized disclosure. Often, confidentiality can be imposed by contract or by the professional responsibilities of those working in health care organizations. For example, confidentiality would prevent disclosure of information entrusted to a physician or therapist, unless authorization is provided by the subject individual.
Security protects personal information such that the information is not disclosed to unauthorized parties.
Consent, authorization, and minimum necessary disclosure, among others, are discussed in detail in later sections of this website. The legal requirements for these processes vary by jurisdiction, but generally every jurisdiction recognizes the individual’s right to control the disclosure of their health information, and most jurisdictions require consent, authorization, and sometimes minimum necessary disclosure to govern disclosure of PHI.
The concept of minimum necessary disclosure, as developed and expressed by the United States Department of Health and Human Services, is to limit disclosure of a patient’s health information to the minimum necessary information needed to carry out the purpose of the disclosure. For medical record requests, the rule essentially applies the common law "privileged communication" rules to require the level of judicial scrutiny that would apply to requests for disclosure of a patient’s confidential communications.
When legislation allows for health information systems that are capable of electronically storing much more information than needed, the "minimum necessary" rule becomes an important one. The best practice is to only store the minimum necessary information. What constitutes "the minimum necessary" is determined retrospectively, by the courts.
Having a basis upon which to conclude that there is no viable tort liability for productivity software in the workplace is desirable. In the context of health care information systems, such indemnifying protections may need to take the form of legislation.
How HIPAA Affects Health Information Management
In the realm of health informatics, the operational, policy, and legal underpinnings governing privacy and data protection are grounded in legislation and regulation, of which the Health Insurance Portability and Accountability Act (HIPAA) is one of the primary ones. HIPAA affords certain rights to individuals, while imposing on covered entities such as hospitals, doctors, and other health care professionals significant responsibilities, notably to protect the confidentiality of medical information. With its jurisdiction covering electronic, paper, and oral information, the Department of Health and Human Services has a wide reach, so much so that this Act has garnered the nickname "the first-generation health care information technology law." Of note is a provision that requires electronic handling of any electronic health information that passes between covered entities, a function that can be (and is) outsourced to third parties. Acknowledging that fact, a central tenet of HIPAA is that business associates need to comply with the privacy and security rules as well.
A 2016 study conducted by the Ponemon Institute, called The Fifth Annual Study on the Privacy, Data Protection and Security of Healthcare Data in the U.S., found that 70 percent of healthcare organizations experienced one or more data breaches in the past year. As a result, the Institute argues, patient privacy lacks the protection it requires. Another finding from the study is that fewer than one-third of organizations limit patient data access to only those employees who require it to perform their job duties.
Enacted in 1996, HIPAA provided for the development of national standards for protecting sensitive information that can be used to individually identify a patient. In 2003, implementing regulations for standards relating to the privacy and security of that information were enacted.
The subsequent passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 enhanced the privacy and security protections established by HIPAA and provided the Federal Trade Commission with statutory authority to enforce compliance. Healthcare entities that do not comply with HIPAA can incur substantial financial penalties; the law provides for civil and criminal punitive fines ranging from $100 up to $50,000 per violation, with a maximum of $25,000 per person. Its breadth extends to all the HIPAA rules, including those containing standards for the privacy of individually identifiable health information, security standards for the protection of health information, notification, enforcement, and recordkeeping, as well as the enforcement rule.
Data Security and Cyberlaw Regulations
Data protection and cybersecurity laws and regulations also interface significantly with the practice of health informatics and information management. In fact, a chief goal of such laws is the protection against external infiltration of information systems and the safe storage of such information within those systems. In the United States, the Health Insurance Portability and Accountability Act (HIPAA), while not a cybersecurity law in itself, establishes security requirements that many healthcare industry stakeholders must satisfy with respect to protected health information, including administrative, physical, and technical safeguards.
While the regulatory enforcement mechanisms for HIPAA, like those of other healthcare laws, may not be the most cutting edge pursuant to the Federal Trade Commission Act, HIPAA still carries substantial penalties for noncompliance. Additionally, as the industry recognizes the almost constant threat posed to the security of recorded patient information, industry stakeholders have continued to push the government to adopt more robust cybersecurity laws.
For example, in 2015, the Health Care Industry Cybersecurity Task Force, tasked by the Secretary of the Department of Health and Human Services with addressing health care cybersecurity, published a report containing several recommendations for making healthcare systems more secure, including: "(1) improve baseline security practices; (2) continuously monitor and improve network defenses; (3) plan and test an incident response plan to address persistent cyberthreats; and (4) improve information sharing through enhanced public-private collaboration." The report further indicated that "[b]y safer choice in hardware and software, thoughtful processes, risk assessments, and comprehensive data and system auditing, organizations can protect the information on the systems they use and own." The Internet of Things (IoT) is also a point of security focus. For example, the FDA has issued cybersecurity guidance for IoT medical devices, many health IT vendors are focusing on IoT, and the Federal Trade Commission has addressed IoT cybersecurity in its consumer privacy and security-related law enforcement actions. Finally, industry stakeholders are primarily supportive of the Health Care Cybersecurity Act (S.2196), introduced in March 2016, which would "encourage setting security standards for electronic health records and other health IT."
There are other important cybersecurity and data protection legislative priorities and initiatives at state and EU levels as well. For example, the roll-out of the General Data Protection Regulation in the EU, effective May 25, 2018, is likely to have a significant impact on the exchange, storage and use of health information given the regulation’s broad definition of personal data. In addition, there are several efforts related to cybersecurity at the federal level. Industry stakeholders should continue to watch for new developments as well as for legislative initiatives that will impact the collection, storage and use of personal health information broadly.
Legal and Ethical Implications for Health Informatics
The field of health informatics and information management sits at the confluence of healthcare, technology, data management, and legal frameworks. As a result, the ethical implications of its growth and evolution are vast and complex. The management and application of electronic health records (EHR), health information exchange (HIE), and mHealth apps, all pose potential risks to patient privacy, and raise questions about who "owns" data generated through or accessed by these digital platforms.
Informed consent is perhaps the most critical ethical issue in this area. Patients must understand what information they are sharing, with whom it is being shared, and how it will be used, in order to fully consent to any information sharing. Consent must be documented and stored, to protect the provider or HIE should the need arise to defend the release of information to third parties who may request such information.
Another common ethical concern is whether biometrics—particularly related to genetic testing—should be shared, and if providers who incorporate this data into the treatment process should be required to compensate patients for the access. In this scenario, the ethics of consent is further complicated—by the ability to consent on behalf of a patient, the lapse of time from testing to treatment in which new information may be revealed about the test result, and the fact that a new tissue or sample may be required to validate test result findings. There is no clear guideline in the medical community on how these challenges should be resolved.
As the field of health informatics and information management continues to grow, and the push towards greater patient involvement in their own care continues, the ethical issues associated with storage and access to health data will only become more complex.
Health Information Technology and the Role of Legal Compliance
Health information technology (health IT) professionals bear the significant responsibility of designing and implementing health IT systems and software that meet an extensive number of legal and regulatory requirements. Adherence to legal standards is foundational to the development and deployment of any health IT system. Taking into account the applicable legal and regulatory requirements and standards throughout the life cycle of health IT may help reduce costly redesigns; increase systems safety, security, quality and interoperability; establish trust with end-users; and support the optimal use of health IT. Moreover, the public policy implications of how health IT is designed and deployed dictate the need for developers to implement legal and regulatory compliance into health IT. The need for health IT that is thoughtfully designed and implemented in a way that builds trust and maximizes its potential benefits should drive lawmakers to develop laws that encourage and require health IT developers and implementers to fulfill this essential obligation as they consider the scope and coverage of health IT laws and regulations. Health IT that does not adhere to requisite legal and regulatory standards can have direct costs, indirect costs, and unintended consequences, such as safety risks (i.e., patient safety and quality issues) and the loss of important healthcare information. Such impacts ultimately undermine the numerous promised benefits of health IT.
Evolving Legal Issues in Health Informatics
Future trends in legal frameworks consider the rapid evolution of technological capabilities in various fields, including AI, big-data analytics and computing power. Previously established frameworks must be continually revisited and updated to reflect the current state of technology and its use in the collection, use and sharing of health information. While new and often innovative technologies show great promise to enhance opportunities for using health data in research, quality management and various clinical practices, they also pose new risks to the confidentiality, privacy and security of sensitive health information. Some trends that will likely shape the future of health informatics and information management include:
1. Data ownership. To date, legal frameworks for health information have focused on the concepts of access, use and disclosure as opposed to ownership of health information. As the practical benefits of data-sharing and analytics continue to expand, there will be an ongoing need to address ownership of electronic health information.
2. Control over data analytics. Whatever the resolution of the data ownership issue, providers of health services and professionals may begin to give up some level of control over the data they record, one way or another. For example, a provider may agree to share his or her patient data, with whatever value it holds, personal or financial, with other healthcare partners in exchange for something of perceived greater value.
3. Obligation to share data. With the growth of data-sharing, health providers will see a shift in the relationship, becoming more of a partner in a data ecosystem. As a result, a provider may have an obligation to share his or her data not just with individuals who are seeking it for treatment or payment purposes, but also with healthcare entities that seek to use it for their legitimate business purposes, such as analyses and clinical research.
4. Data security. Concerns about data privacy, as well as emerging regulations pertaining to cybersecurity standards, will continue to pose issues and challenges to all organizations involved in collecting and maintaining health information. For example, a thorough understanding of the obligations under HIPAA, as well as of data security best practices, will increasingly be paramount for covered entities that outsource functions involving access to and use of third-party services such as cloud vendors.
5. Liability. With broader uses of health information, questions may arise about the liability of health information custodians when health information has been misused or misappropriated by third parties. There is a question whether the growing data-sharing and analytics environment will soften the legal protections for third-party service providers that may limit their potential liability.