A significant part of President Obama's health care reform agenda is the push for implementing more health care technology. In the health care field privacy is always a major concern, and was the impetus of the Health Insurance Portability and Accountability Act of 1996 - protecting the privacy of individually identifiable health information in all formats, and the confidentiality provisions of the Patient Safety Act - protecting identifiable information being used to analyze patient safety events.

So those in the health care industry now wonder will the Administration's focus on health IT (HIT) present more challenges to privacy concerns? As part of a continuing focus on HIT issues, DOTmed interviewed industry expert Kirk J. Nahra, a partner in the Washington D.C. legal firm of Wiley Rein LLP, specializing in privacy and information security for the health care and insurance industries, and named an expert practitioner by the Guide to the Leading U.S. Healthcare Lawyers. DOTmed also interviewed Lise Rauzi, Vice President, Training Development, for Health Care Compliance Strategies (HCCS). HCCS provides online training compliance for employees.

Nahra notes that regardless of the rising concern over privacy and the new HIT legislation, there have already been formal HIPAA security rules on electronic information in place for several years--the health care industry compliance has just been inconsistent. The problem -- to the extent there is one -- is that HIPAA rules are process-oriented, Nahra explained. The rules don't tell an entity what to do, but rather what to evaluate--a standard set of questions, but without a standard set of answers. For example, a covered entity has to have an internal audit, but the rules do not tell the entity how best to carry out that internal audit.

Not surprisingly, different businesses have different ideas on how to implement their HIPAA evaluations. In addition, various groups in the industry have dissimilar opinions on what constitutes best practices, ranging from trade associations to "public interest" groups that participate in the overall health information technology debate. There is no universal agreement on HIPAA compliance implementation. "There is a cacophony of ideas," Nahra says, "and a company will say we will look at all ideas and decide what's best for us."

Dissemination Concerns

Problems also develop because electronic information goes more places than paper-based information. More health care entities are making their information electronic, and that information is getting exchanged among providers. "One of the challenges has been to develop best practices and standards evolving with the industry as it changes," Nahra observes.

More Industry Headlines