ARRA’s New Privacy and Security Requirements

I was all set to write an article Monday morning on the expanded privacy and security requirements in the American Recovery & Reinvestment Act of 2009 (ARRA) when I remembered that I was registered for a webinar presented by FairWarning (a privacy surveillance company) Monday afternoon on just that subject. I am really glad I waited to write, because this webinar provided a wealth of information on the new requirements. [By the way, you will also see this section of ARRA (Title XIII) referred to as the Health Information Technology for Economic and Clinical Health (HITECH) Act. Subtitle D contains the Privacy provisions.]

Many people and organizations have opined that EHRs will not take hold in general medical settings or in behavioral healthcare until consumers and providers trust that the EHR products and the means of transferring data are truly secure and protect the privacy of the patient. Webinar presenter Deven McGraw, of the Center for Democracy & Technology, most articulately presented the aspects of ARRA that will increase the privacy and security requirements that healthcare providers must follow. She indicated changes in four broad areas including substantive modifications to HIPAA statutory requirements, increased enforcement of HIPAA, provisions to address health information held by entitites not covered by HIPAA, and a variety of administrative changes.

The new law incorporates and expands upon the HIPAA requirements.

• There has been an attempt to more clearly define certain terms, like just what a “breach” of privacy is.
• Previously, covered entities where the only ones required to report breaches of privacy; now the same requirement is placed upon Business Associates.
• HITECH strengthens the individual’s right to restrict disclosures of health information to their insurance plan and even allows the individual to “opt out” of electronic recording and sharing of their information if they pay for their services privately and in advance. Mental health services are frequently cited as  sensitive content that an individual may want left out of their electronic record.
• The HIPAA mandate requiring that a provider not release psychotherapy notes to the insurer has been included in this act, and the Secretary of Health and Human Services (HHS) has been ordered to study whether psychological test data should be included in this exception.
• ARRA improves upon the HIPAA “minimum necessary” standard requiring that only the minimum amount of patient information should be disclosed depending upon the specific request for information.
• The legislation places requirements upon companies that provide Personal Health Records (PHR) for the security of the data in those records, and prohibits the sale of protected health information.
• Most importantly, the law provides an ongoing process for setting privacy and security standards and evaluating their effectiveness. 

A brief summary of these changes written by the American Psychological Association was published by Behavioral Healthcare magazine in February.

Perhaps the most important thing behavioral health providers need to realize is that the move toward mental health EHRs is happening. How exactly those records will interface with the rest of the National Health Information Network and exactly what information will be shared with other healthcare providers remains to be seen, but this endeavor is irrevocably marching forward. Where will you be in this process?

To comment on this article, click on the title and insert your comment in the box at the bottom of the page.