Those looking to promote electronic exchange of healthcare information might benefit from looking to a 20-year-old piece of legislation, according to a Health Affairs op-ed by Lucia Savage, chief privacy and regulatory officer at Omada Health.
HIPAA, a data privacy and security law enacted by Congress in 1996, prohibits business associates, such as EHR developers, from using protected health information for their own business operations, according to Ms. Savage.
"Because the protected health information is the legal responsibility of the provider and hospital EHR customers (aka covered entities), EHR developers can only use the protected health information for their customer's healthcare operations," she wrote. She added that this limit on monetization means EHR developers should not be able to charge "exorbitant fees" to transmit PHI.
Ms. Savage provided an example of a hospital lung cancer patient who asks to supply their data to a registry hosted by a separate academic medical center. Under HIPAA, the hospital cannot refuse to provide data to the external registry, and the EHR developer cannot refuse to transmit the patient's data, even if the academic medical center is not one of its customers.
"That is because by virtue of the EHR developer's role as a business associate it is bound to cooperate with obligations imposed on its customer, the hospital," Ms. Savage wrote.
She added that an understanding of HIPAA would help agencies like HHS' Office of Inspector General strengthen their position on interoperability. "The OIG should make clear that the protected health information in the custody of the EHR developers is not theirs to monetize," she wrote.