Here is a brief analysis from my Security Team:
ARRA has a provision that requires covered entities keep a list of all data disclosures to third parties and provide a comprehensive audit log to patients upon request. This tracking of third-party data exchange is not currently part of HIPAA requirements and will require significant enhancement to our auditing systems, our patient services reporting tools, and our personal health records which give patients access to their own audit trails.
Based on at least one interpretation of ARRA, the covered entity must take responsibility for patient notification when third parties improperly disclose patient information. There does seem to be some variation in interpretation in this area.
ARRA specifies that disclosure of a record containing a name and medical information (John Smith, Hematocrit 37) is considered a breach. Massachusetts requires the name and at least one other identifiable piece of information (John Smith, 5/23/1962, Hematocrit 37). This could have significant implications since even simple audit logs could be considered restricted/confidential information.
ARRA provides some definition about the actual notification methods required. In breaches where the contact information of more than 10 individuals is not known, the covered entity must post the breach on their web site. If the breach is of more than 500 records, the covered entity must make a public disclosure to “prominent” media outlets. Prior to this, the only obligation was to contact the individuals directly.
ARRA also includes some language that requires covered entities limit the amount and type of information shared with providers to be the minimum required for the business need. It also requires that if patients pay for services out of pocket that covered entities provide a way for the individual to request that no information relative to the treatment be transmitted to any provider.
Privacy is foundational and we certainly cannot argue with the need to keep information confidential per patient preferences. However, some of these provisions, such as the "out of pocket" clause, will be extremely challenging to implement.
Over the next few months, HITSP is working on standards which will support these ARRA provisions, including web services using XACML, WS*, and TLS.
As HITSP moves to create a service-oriented architecture, we will enhance our existing TN900 Technical Note to include services that could be used to document consent, apply privacy policies and consent to data flows, and transmit the minimum necessary data to authorized clinicians via a workflow similar to the one I described in a previous blog entry about patient privacy preferences.
The privacy provisions in ARRA will serve as a catalyst to improve the policies and technologies protecting confidentiality. This work, although expensive and time-consuming, is required for patients to trust EHRs and Healthcare Information Exchanges.