The American Recovery and Reinvestment Act of 2009 (popularly referred to as the President’s economic stimulus plan) as engrossed in the House of Representatives (as HR 1), Section 9202 “Investment in Health Information Technology,” provides for the Secretary of Health and Human Services to “invest in the infrastructure necessary to allow for and promote the electronic exchange and use of health information for each individual in the United States consistent with the goals outlined in the Strategic Plan developed by the Office of the National Coordinator for Health Information Technology.”
There follows a non-exclusive list of things that must be covered in this investment (the Secretary being therefore permitted to invest in other, presumably related, things):
(1) Health information technology architecture that will support the nationwide electronic exchange and use of health information in a secure, private, and accurate manner, including connecting health information exchanges…
(2) Integration of health information technology, including electronic medical records, into the initial and ongoing training of health professionals and others in the healthcare industry who would be instrumental to improving the quality of healthcare
(3) Training on and dissemination of information on best practices to integrate health information technology, including electronic records, into a provider’s delivery of care… [to be implemented in coordination with state Medicaid and SCHIP programs]
(4) Infrastructure and tools for the promotion of telemedicine…
(5) Promotion of the interoperability of clinical data repositories or registries
In short, what this tells us is that the federal government would be funding the establishment of what the “Strategic Plan” calls a “Nationwide Health Information Network” that would link state, federal and provider databases into a national exchange of information that is to be used in a “secure, private and accurate” manner.
A limit on the expenditure is added, such that no funds may be expended for software or hardware or electronic health records that are not “certified products” that “would permit the full and accurate electronic exchange and use of health information in a medical record, including standards for security, privacy, and quality improvement functions.” Thus we can expect HHS to embark upon some type of certification program intended to protect consumer privacy and provide for security and accuracy of the information.
As is usually the case in legislation establishing new programs, there must be an annual report to Congress on the use of funds and their impact.
A separate section of the proposed stimulus package (a) permits the Social Security Administration to spend up to $40 million of $500 million in funding allocated to it (for the processing of disability and retirement workloads) for “health information technology research and activities to facilitate the adoption of electronic medical records in disability claims, including the transfer of funds to the Supplemental Security Income Program (“SSI”) and (b) provides $400 million in funding for construction and related costs of a new National Computer Center. The latter provision is not expressly tied to the Health Information Network, however.
The devil is in the details, of course, and the details are not set forth in the legislation, thus giving the executive branch, and in particular the Department of Health and Human Services (“HHS”), a great deal of discretion in carrying out the task at hand. The key to grasping the relevance and potential ramifications of the Health Information Network provisions of the proposed stimulus package to consumers, and the likely “stakeholders” whose interests can expect to be protected or furthered, lies in understanding, among other things:
(1) the various pitfalls in existing privacy statutes (including the Health Insurance Portability and Accountability Act (“HIPAA”), the Privacy Act and the Federal Information Security Management Act);
(2) George H.W. Bush’s April, 2004 Executive Order 13335, which established the position of National Health Information Technology Coordinator within HHS;
(3) the goals, objectives and strategies set forth in the Strategic Plan;
(4) the existing architecture of the National Health Information Network already in development;
(5) the workings of and power structure of the American Health Information Community (AHIC), a federally-chartered advisory committee that “makes recommendations to the Secretary of HHS on how to make health records digital and interoperable, encourage market-led adoption and ensure that the privacy and security of those records are protected at all times;”
(6) existing state laws protecting patient privacy and whether government attorney interpretations, regulations or later-adopted statutes can be expected to provide that federal law will override such state protections;
(7) the identities and trustworthiness of the federal and state contractors and “providers” who will have access to patients’ health information and the specific security measures adopted to limit access and describe permitted uses by government and the private sector; and
(8) all of the technical jargon used in these sources as well as in health care statutes and regulations generally (e.g., the definitions of provider, personal health record (“PHR”), electronic health record (“EHR”), medical record and health information technology (“HIT”)).
Interestingly, the American Civil Liberties Union supports this legislation, having, apparently, received some level of assurance that the relatively general legislative language requiring measures to safeguard privacy and security, or the terms of the Strategic Plan referred to in the legislation, would prohibit use of confidential patient health information for marketing purposes. In a January 6 press release, the ACLU states that the following statement may be attributed to its Senior Legislative Counsel:
“The ACLU commends the House of Representatives for protecting the American public against the sale of their medical records to any willing buyer by including the necessary safeguards in today’s stimulus package. Health IT has the potential to take our healthcare system into the 21st century, but without the proper protections for the individual consumer, it also has the capacity to lead us into an era of ‘medical profiling.’ It could be difficult to obtain insurance or get a job if our family’s medical history was available to anyone willing to pay for this information.
“There was widespread agreement from the ACLU to Microsoft to consumer unions that without prohibitions on the sale of our medical records to profit-driven companies, the adoption and participation by the American public was unlikely. It is encouraging that the calls from patient privacy advocates were met with open ears in the halls of Congress.”