Drawing on your area of expertise, can you share some background into healthcare privacy regulation in the United States and the key laws and statutes that govern the use of healthcare information today?

In the early 1970s, Congress enacted a federal privacy law to protect the confidentiality of patient records originating from certain providers providing treatment for substance use disorders (SUD). That law and its related regulations are often referred to as ‘Part 2’. However, Part 2’s privacy protections did not extend to protecting information created by other types of healthcare providers. Additionally, although states were addressing health data privacy rights on an individual basis, the result was an uneven patchwork of standards that often fell short of guaranteeing individuals meaningful privacy rights. On 21 August 1996, Congress finally passed the first comprehensive federal healthcare privacy law in the United States – the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (‘HIPAA’). Four years later, the Secretary of Health and Human Services (HHS) published the ‘HIPAA Privacy Rule’ and required full compliance by 14 April 2003. Other rules implementing HIPAA followed, including the HIPAA Security Rule, which aims to safeguard electronic health information, and the Breach Notification Rule, which requires individuals and HHS to be notified when certain unencrypted health information has been compromised. Together, Part 2 and HIPAA formed the predominant legal foundation for health data privacy in the United States. However, as technology and data sharing models continued to rapidly evolve, these federal laws started to become disconnected from what was actually happening in the ‘real world’. As a result, over the last few years, privacy attorneys and health information technology minefields.
A typical work week for me might include assisting clients with responding to OCR HIPAA investigations, managing a data breach impacting health information, negotiating a complex data-sharing arrangement with a technology vendor or other types of third parties seeking access to health data for a variety of reasons, reviewing and updating consent forms, policies and other documents for compliance with federal and state data privacy requirements, completing compliance audits and developing mitigation strategies, all while keeping up with a rapidly changing data privacy and technology landscape which I cover in article posts on my blog (www.legalhie.com). Every day, I have the pleasure of working closely with in-house general counsels, CEOs, CIOs, IS Directors, Privacy Officers and many other incredible individuals who are dedicated to striking the right balance between data privacy and allowing technology to improve and drive healthcare forward into the future. I look forward to hopefully many more years of doing the same things that I have been doing for the last 23.

FEATURE OF THE MONTH 17