This is the fifth article in a series on the digital health revolution.
As debate continues over the implementation of the My Health Record for Australian patients, perhaps it would be instructive to compare it with the United States’ system. We provide an overview of the US federal laws that govern the privacy and security of electronic health records, including the Health Insurance Portability and Accountability Act (HIPAA), and draw some comparisons with the Australian My Health Record system.
HIPAA was enacted by the US Congress and signed by President Bill Clinton in 1996. Over a decade later, it was amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), which was enacted in 2009.
A number of regulations were promulgated thereunder including:
- the Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule);
- the Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule); and
- the Notification in the Case of Breach of Unsecured Protected Health Information (HIPAA Breach Notification Rule) — collectively, HIPAA.
HIPAA establishes national standards for safeguarding individually identifiable health information; this applies to “covered entities” – health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which the US Department of Health and Human Services has adopted standards – and their “business associates” that create, receive, maintain or transmit “protected health information” on their behalf. Patients also have certain rights to their health information, including rights to access their health records and amend such records.
While HIPAA is a federal law, there are similar state privacy laws and regulations that are not necessarily pre-empted by HIPAA, particularly if a state affords greater protection to individuals than HIPAA.
Records are not centralised
The US electronic health record system does not employ a single, centralised cloud database, but supports the use of multiple platforms through incentive schemes for platform developers, including the Promoting Interoperability Programs, which encourage meaningful use and interoperability. In the US, there are over 600 patient management systems that achieve compliance with the incentive scheme rules.
Since the US electronic health record system is not centralised, patients often have difficulty maintaining all of their health-related information in one place, especially when transitioning from one health care provider to another. Currently, when patients change doctors, many physicians ask patients to sign an authorisation to release their medical records to a new health care provider.
However, in 2018, the White House Office of American Innovation launched the MyHealthEData initiative, which aims to create a patient-centric model for controlling health data. The initiative seeks to enable better care coordination and provide patients with the ability to manage their own health data and maintain control of their medical history.
With MyHealthEData, patients are able to share their data with providers, rather than defer to providers to maintain such data. Likewise, the US Centers for Medicare and Medicaid Services has introduced Medicare Blue Button 2.0, which enables Medicare beneficiaries to connect their Medicare health information to other applications, computer-based programs or research programs.
There is a movement in favour of patient control
Today, patient advocates are leading a movement in the US to provide patients with not only access to but also control over their electronic health records.
A new proposed rule from the US Department of Health and Human Services aims to improve, among other things, interoperability and patient access to data. If finalised, the proposed rule would go into effect on 1 January 2020. In the proposed rule, the Office of the National Coordinator calls on the health care industry to adopt standardised application programming interfaces, in an effort to permit individuals to more easily access their health information by using a smartphone app.
Record ownership is determined at the state level
While HIPAA provides individuals with certain rights with respect to their health information, including the right to access and amend it, it does not specify ownership rights over the information. In the US, state law generally governs whether medical records belong to patients or their providers. For instance, in Florida, the “records owner” is defined as:
“(i) any healthcare practitioner who generates a medical record after treating a patient; (ii) any healthcare practitioner to whom records are transferred by a previous owner; or (iii) any healthcare practitioner’s employer, such as a physician practice.”
In New Hampshire, on the other hand, medical information contained in a patient’s medical record is deemed to be the property of the patient.
Patients in the US generally have to opt in to their health care provider’s electronic health record system.
Another feature is that HIPAA requires health care providers to obtain patient authorisation before disclosing protected health information to the patient’s employer.
Patients may also restrict disclosure of protected health information to their insurer. HIPAA permits a health care provider to disclose protected health information to a health insurance company for treatment, payment or health care operations purposes without patient authorisation. However, a patient has the right to request restrictions on such disclosure to a health insurance company where the disclosure is for the purpose of carrying out payment or “health care operations”, is not otherwise required by law, and the patient has paid out-of-pocket (ie, in full from a source other than the insurance company).
Security breaches have led to million-dollar settlements
The Office for Civil Rights at the US Department of Health and Human Services recently entered into a resolution agreement with Cottage Health – a California-based not-for-profit health system – for US$3 million to settle potential violations of HIPAA resulting from two separate breaches of electronic protected health information.
Comparison of the US system and My Health Record
The key differences between the Australian and US electronic health record systems can be summarised as follows:
- My Health Record is a centralised “cloud” database, whereas the US system does not use a central database;
- the US system promotes conversion of historical paper-based data to electronic format, whereas the Australian My Health Record does not;
- the My Health Record System is now opt-out, whereas the US system is generally opt-in. The opt-in model is consistent with notions of patient-centric care and patient control;
- ownership of health records in the US is determined at the state level. The My Health Record system does not define who owns a My Health Record, and questions of ownership may need to be clarified by Parliament; and
- patient controls over records under the My Health Record System are broader than under the US system. Indeed, federal legislation permits patients to use their My Health information for any purpose. It is worth noting that the term “for any purpose” could be clarified by Parliament to make it clear whether there are any uses by patients of My Health information that would not be permitted, for example, because they would not align with the objects of the legislation as stipulated in Section 3 of the My Health Records Act 2012.
The similarities between the Australian and US systems can be summarised as follows:
- both systems offer protections against employer and insurer access as defined in legislation above and also Section 70A of the My Health Records Act 2012;
- incentives programs are used, albeit with varying rules and requirements;
- there is a movement in favour of increased patient control over health records being advocated at the federal government level, and in Australia such controls have already been included in legislation under Section 67 of the My Health Records Act 2012. There is also the initiative in the US by the organisation Hu-manity, which advocates for increased consumer control over data and a human right to data ownership; and
- interoperability is a significant issue in both jurisdictions, although to varying degrees.
The issue of patient control and the question of ownership over health records are big discussion points in the US; however, these matters receive little attention in Australia despite the broad controls that have been afforded to patients under the My Health Record system, as well as the unclear aspects in relation to data ownership. This comparison of the two systems highlights the need to pay more attention to these issues in particular, and to those pertaining to the use of an opt-in model versus an opt-out approach.
Heather Deixler is a health care regulatory and transactional attorney in the corporate group at Latham and Watkins, with a particular focus on health information privacy and security. She also works with clients to develop and implement compliance programs and respond to security breaches, advises on regulatory compliance matters related to health care privacy and security, and provides counsel on such issues in health care transactions. She is a Certified Information Privacy Professional in US and European privacy laws.
Bianca Phillips is a Victorian academic lawyer conducting medical law research. She completed her Master of Laws at the University of Melbourne with her thesis on telemedicine, and is currently completing a doctoral thesis on the law making of the digital health revolution. She has authored articles on the digitisation of medicine in both legal and medical publications. She can be found on Twitter @biancarphillips.
The statements or opinions expressed in this article reflect the views of the authors and do not represent the official policy of the AMA, the MJA or InSight+ unless so stated.