ACLU Lawsuit Continues . . . Want Detailed Regulations Surrounding HIE Privacy

Nov 9, 2010 | HIE & HIN, Lawsuits

The suit brought by the Rhode Island chapter of the American Civil Liberties Union (ACLU) against the Rhode Island Department of Health (RI-DOH) remains in litigation, awaiting completion of discovery. The ACLU alleges that the state’s proposed rules for implementing the state health information exchange (HIE) failed to address certain provisions of the Rhode Island Health Information Exchange Act of 2008 that require protections for patient confidentiality, security and informed consent processes. Instead of adopting formal rules, the RI-DOH adopted internal policies, which the ACLU claims was both an unlawful bypass of the Administrative Procedures Act and a violation of the RI-DOH’s obligations under the HIE statute. In addition, the ACLU claims that it was not provided with a written response detailing the reasons why the RI-DOH rejected the ACLU’s proffered recommendations.

The ACLU seeks to have the policies declared unenforceable and for the court to order RI-DOH to adopt formal rules addressing the statutory provisions that the ACLU alleges the RI-DOH responded to inadequately. Although the ACLU and its attorney, Frederic Marzilli, recognize the importance of HIEs and why the state approached implementation of the HIE with written policies instead of regulations, such as to better deal with the development and operation of such a new and groundbreaking mechanism, the ACLU’s position remains that the regulatory process must be followed. It argues that the critical privacy issues raised by HIEs require detailed rules as to how the state HIE system will work and protect patient confidentiality, security and informed consent. The State has continued to deny the allegations and is expected to file a motion to dismiss the case.  It remains uncertain whether ACLU will remain in court to fight another day.

The ACLU’s specific comments on Rhode Island’s proposed rules are reproduced below.

This post was prepared with assistance from Krystyna H. Nowik, Esq.

COMMENTS ON PROPOSED RULES AND REGULATIONS PERTAINING TO THE REGIONAL HEALTH INFORMATION ORGANIZATION AND HEALTH INFORMATION EXCHANGE (R5-37.7-HIE)

May 12, 2009

[…]

We have several concerns with these proposed regulations – many of which stem from statutory requirements for regulatory action that are simply not present in the proposed rules. Instead, the proposed regulations, in large part, merely reiterate the language of the statute, without fleshing out the details that the APA regulatory process was expected to address. We urge that more significant work be done on these rules before they are formally adopted.

There are no fewer than seven places within the HIE law that specifically refer to implementation activities to be defined by the Department through the rule-making process. Leaving aside one of them – the creation of an HIE Advisory Commission, about which we express no opinion – the other statutory references are only minimally addressed by the proposed regulations.

We refer specifically to the following (emphasis added):

  1. R.I.G.L. § 5-37.7-4(c) “Patients and health care providers shall have the choice to participate in the HIE, as defined by regulations…” Nothing provided within the draft regulations describes a process for making patients or providers aware of the choice, nor how and when the choice is presented to patients. The proposal does not even appear to explicitly address whether this will be an opt-in or opt-out system. Also missing is any procedure to document the informed consent of those agreeing to participate.
  2. R.I.G.L. § 5-37.7-5(a) “The director of the department of health shall develop regulations regarding the confidentiality of patient participation…” However, Section 4.0 of the regulations titled “Confidentiality Protections” consists almost exclusively of language mirroring the statute. In light of the significance of the confidentiality issue to the implementation of an HIE, the absence of any clarifying regulations is striking and disconcerting.
  3. R.I.G.L. § 5-37.7-6 “The RHIO shall, subject to and consistent with department regulations and contractual obligations it has with the state of Rhode Island, be responsible for…” This is another area that prompted a great deal of discussion during the legislative process. Regulations were expected to cover minimum confidentiality and privacy practices and standards that the RHIO must be held to in accordance with any contractual agreement between the Department and the RHIO.

     Also discussed for inclusion through the regulatory process, but not addressed in this proposal, was the inclusion of mechanisms to address contractual violations of these standards by the RHIO. The goal of these mechanisms was to ensure meaningful accountability without leaving the Department with the sole choice of seeking revocation of the contract as the remedy for any violations. We continue to believe that such mechanisms should be included in these regulations.
  4. R.I.G.L. § 5-37.7-7(c) “The content of the authorization form […] shall be prescribed by the RHIO in accordance with applicable department of health regulations…” The proposed regulations (§4.5), for the most part, simply regurgitate the statutory language. It would be both appropriate and useful to include a copy of a proposed authorization form to ensure it adequately addresses the statutory requirements and demonstrates true informed consent. At a minimum, though, some standards regarding the form’s contents should be included.
  5. R.I.G.L. § 5-37.7-8(a) “Authenticate the recipient of any confidential health care information disclosed by the HIE pursuant to rules and regulations promulgated by the agency.” Other than the inclusion of a reference in §5.1 to using “prevailing industry standards and safeguards,” there is absolutely no authentication process spelled out within the proposed regulations.
  6. R.I.G.L. § 5-37.7-10(d) “To terminate his or her participation in the HIE in accordance with rules and regulations promulgated by the agency” This is also something largely absent from the proposed rules, even though it is very important to patient autonomy. Instead, §4.1(e) merely provides that a patient may be able to terminate his or her participation “at any time” in accordance with a RHIO policy to be approved by the Director. This language fails to provide any guidance as to how one goes about terminating participation, and essentially leaves it up to the RHIO, rather than the APA process, to establish that guidance.

In addition to standards and procedures missing as outlined above, we have further suggestions based on what is already included in the draft rules.

Proposed Rule §4.1 [Patient’s rights] – This section should be further expanded to include the processes a patient would go through in subsections (a), (c) and (f) to obtain or amend his or her records, or to obtain his or her disclosure report. For example, whom do patients contact and are any forms required?

Proposed Rule §4.1(f) – The language herein is taken directly from statute. However, R.I.G.L. § 5-37.7-4(e) also makes clear that the RHIO must respond to patient requests to amend their health care record directly. The regulations should propose some standards to the RHIO for complying with this obligation.

Proposed Rule §4.5 – The language related to “proposed uses” (§4.5(a)(1)) should be clearly outlined. It is our understanding that the HIE was established primarily, and perhaps exclusively, for the benefit of treatment and care coordination. It is ambiguous to a worrisome degree not to give further definition of what other uses would be allowed and to ensure that patients will know if they are agreeing to sharing of information for non-treatment purposes. In this regard, the regulations should provide for the use of two separate forms: one for treatment situations and a separate form to authorize patient information for other purposes, such as marketing or research. This would help to ensure a patient’s informed consent to participate in the latter to the extent that the Department is agreeing that these uses are permissible.

If, as has been suggested in other venues, no uses of the HIE will be allowed other than for treatment purposes – a restriction that the RI ACLU strongly supports – then the regulations should make this clear so as to avoid any confusion.

Proposed Rule §4.5(a) – In order to protect patient privacy, we would urge that the regulations, similar to HIPAA, contain a minimization requirement when it comes to the transfer of information for non-treatment purposes. That is, only the minimum necessary medical records information should be provided to third parties for whom consent authorization has been provided by the patient. Of course, if the regulations are clarified (as suggested immediately above) to specify that the HIE will be used only for health care purposes, this concern would largely be rendered moot.

We believe that health care providers should be prohibited from denying treatment to patients who refuse to participate in the HIE. In this regard, the proposed regulations only contain an ambiguous provision indicating that a health care provider may be subject to “administrative review” for abandoning a client or denying treatment solely on the basis of a patient’s refusal to participate in the HIE. It is unclear to us exactly what this “administrative review” would consist of, how it differs from the statutory disciplinary process currently in place, or even exactly what a provider’s obligation is vis a vis denying treatment to non-participating clients. Is it improper or not? Both patients and providers need more guidance than what these regulations offer.

In addition, to the extent that the regulations do not prohibit the practice of abandoning non-participating patients, we believe that, at a minimum, they should require providers to notify the Department if they mandate patient participation in the HIE and for the Department to maintain a list of those providers for public access. In this way, patients concerned about their privacy will be able to make the most informed decisions about the health care providers whose services they wish to use.

Finally, we believe it is important to note additional changes to the regulations that may be necessary in light of Congress’s recent passage of the HITECH Act. While we have been unable to examine this new law in depth, at least a few aspects of the Act suggest potential conflicts with our state HIE that may require additional consideration. For example:

The HITECH Act has a broader concept of “breach” than the RI Identity Theft Law (RIGL §11-49.2) referenced in the statute and regulations (at §2.3(c)(11)). Both state law and the HITECH Act breach provisions apply only to “unsecured information.” The new federal breach provisions apply to unauthorized “access, use or disclosure” not just “access” as in state law, do not require the unauthorized access “pose a significant risk of ID theft” as state law does, and set out more specific notice requirements (and timelines) for breach notifications. Federal regulations implementing this provision of the Act appear imminent.

The national HIT Policy Committee is supposed to make recommendations in several policy areas, and the National Coordinator for HIT is supposed to consider these in developing and implementing a national HIT infrastructure. One policy area concerns the use of limited data sets, i.e., “[t]echnologies that protect the privacy of health information and promote security in a qualified health record, including for the segmentation and disclosure of specific and sensitive individually identifiable health information, with the goal of minimizing reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns” and for the “disclosure of limited data sets of such information.” As the Department is aware, the RI ACLU has expressed concern for some time about the all-or-nothing approach envisioned by the HIE, where sensitive data (e.g., records relating to mental health, drug treatment, or STDs) is not segregated in any way or limited in its release to those with access to the HIE. It is worth noting that, depending on the HIT Policy Committee’s recommendations, Rhode Island’s all or nothing approach may be premature.

In sum, we believe these proposed rules fall short by failing to comply with the statutory mandates contained in the new HIE statute for rule-making, and by failing to adequately provide for the confidentiality, security, due process and informed consent protections to patients that the regulatory process is designed to protect. We urge that these issues be addressed.

We appreciate your attention to our views, and trust that you will give them your careful consideration. If the suggestions we have made are not adopted, we request that, pursuant to R.I.G.L. §42-35-3(a)(2), you provide us with a statement of the principal reasons for and against adoption of these rules, incorporating therein your reasons for overruling the suggestion urged by us. Thank you.

Submitted by: Steven Brown, Executive Director
