Our colleague John Halamka, MD, MS, CIO of Beth Israel Hospital and chair of the American National Standards Institute/The Healthcare Information Technology Standards Panel (ANSI/HITSP) activities, was the first person to introduce me to the concept of “quilted patchwork” to describe the odd and disjointed collage of state and federal regulations that affect health care IT. In particular, he was referring to widely disparate local, state, and federal interpretations of privacy and confidentiality that have emerged post-1996’s HIPAA regulations.

As most of you probably know, CMS [Centers for Medicare & Medicaid Services] interpreted HIPAA’s security aspects to cover CIA—confidentiality, integrity, and availability. To date, most of the emphasis has been on confidentiality to reduce citizens’ fears that employers, insurers, or governmental agencies could use their personal health data against them. The working framework has been that “my health data is mine to access and control access, and I have a right to ensure only parties that I designate (or my direct health care providers) may see it.”

The federal government left the implementation details surrounding HIPAA up to the states to oversee, however, because the states themselves manage the Medicare reimbursements, typically through third-party insurance companies. The result, unfortunately, really does look like a quilted patchwork of confusing and conflicting regulations.

A few simple examples can illustrate the challenges for health care IT managers and vendors.

Take minors’ sexually transmitted disease information: In Massachusetts, a parent my not receive information about their child’s chlamydia testing/treatment without the child’s permission unless the physician believes the problem will endanger the minor’s life. In Pennsylvania, the parents may not have information about HIV testing/treatment without the child’s written permission, but it is up to the physician to determine whether to share information regarding testing/treatment for a disease such as syphilis.

The 2009 ANSI/HITSP Common Device Connectivity standards project may help address the regulatory and legal gaps that exist between states.

A second example is the medical records retention requirement. In Pennsylvania, medical records generally have to be retained only 7 years past the most recent treatment date, but for minors, the records must be saved for the longer of 7 years, or 1 year after the child turns 18. For example, if the last record of treatment happened when the child was 9 years old, those documents would need to be kept until the child’s 19th birthday. In Massachusetts, the same basic 7-year retention exists for physician records about adult patients, but, for children, records must be retained for the longer of 7 years, or until the ninth birthday (ie, if the last care was when the child was 1, the records do not need to be kept after the child becomes 9; if the last care was at 3 years, the records must be kept until the 10th birthday). In Massachusetts, retention of children’s records is essentially treated like the retention of an adult’s record after a child’s second birthday. Hospitals in Massachusetts are under a different, more restrictive regulation, which requires them to retain records for 30 years!

Some cities have also added their own separate privacy restrictions, such as preventing any sharing of HIV-related test or medication records.

In many of the situations above, critically important patient care records regarding prior diseases, medication allergies, or even ongoing treatments may have been deleted or may be legally restricted from disclosure. Physicians or hospitals that request records from other providers to support current care needs may therefore be completely unaware of missing records, unless the patient recalls and relates the information voluntarily (and accurately). For small children, patients with cognitive impairments, or unconscious emergency patients, the gaps—and risks—can obviously be quite significant.

Taking a look back at prior topics covered in this column, readers may wish to consider the challenges that this quilted patchwork of privacy and record-retention regulations will impose on the Nationwide Healthcare Information Network (NHIN) and the ANSI/HITSP standards that support the NHIN. The entire national architecture is based on the general concept that all available patient health data may be reconstructed into a fairly complete electronic health record (EHR) on an as-needed basis from other care providers in the moment of need. As an example, if someone is in an auto accident in California, their records can be requested from all of their care providers within a few minutes through the NHIN.

The disparate state and local health care record-retention and sharing regulations could deliver an apparently correct EHR that actually is quite incomplete. A relatively healthy person with infrequent medical visits may be presented with a record that is missing childhood or young-adult diseases or congenital problems, drug allergies, or other relevant information. On the other hand, a person with frequent or chronic illnesses may, in fact, wind up with a fairly complete EHR, unless, that is, local regulations suppresses certain HIV, depression, or other medications.

More Steps Needed

There is not too much more to say about this situation other than the obvious: It may lead to new medical errors or injuries unless other steps are taken. One, if the patient is coherent and cooperative, they may offer the relevant information if properly questioned. The physician would have to assume there might be gaps in the EHR and would have to carefully cover diagnostic or therapeutic gaps before making assumptions about appropriate care.

Alternately, the NHIN architecture does describe a role for a personal health record (PHR), which citizens could compile and retain in their own possession throughout their life. They could offer their PHR to the clinician on a memory stick or other device if the circumstances allowed. Of course, the individual could intentionally or accidentally edit or delete information they wish to hide, or embellish information they wish to enhance, but at least the clinician would not be solely dependent on the health provider NHIN EHR information.

Eventually, all of this will probably need to be sorted out in state legislation and courtroom debate. The prior Secretary of Health and Human Services (HHS), Michael Leavitt, attempted to provide some clearer EHR and PHR guidelines for the nation that he labeled a “Privacy and Security Framework and Toolkit” in the final months of his tenure in late 2008. Although the guidelines Leavitt proposed have merit, they do not yet bear the weight of regulations; whether they do influence this field remains to be seen.

Of course, the above discussion addresses only the confidentiality elements, not the integrity or availability issues of health care IT, which are extremely important and not well understood in the rapidly unfolding “economic stimulus” context.

Once a Secretary of HHS is vetted and approved, she/he will pick up the mandate of spending the $20 to $30 billion dollars to accelerate adoption of the NHIN’s goals. Those funds are intended to help the industry realize the benefits of shared EHRs as quickly as possible. However, the integrity and availability aspects—and challenges—of health care IT in that context are not so fully or clearly understood or articulated. Broadly, the past decade’s HIPAA CIA constructs articulated the importance of a provider ensuring that patient medical records were not lost or damaged (integrity), and that those records were “available” for other providers and patients to use.

The soft underbelly of the prior CIA interpretations is they predated our industry’s intention to actively use the data for immediate patient care, which is supposedly the cause of most medical error and medical care waste and is the “value proposition” for the NHIN and nationwide, near-real-time EHRs.

Most of the present ANSI/HITSP standards move data to/from the hospital’s electronic medical record and to the synthesized EHR and/or PHR. Those constructs do not themselves have any time or urgency factors built in, and they do not have any way to address the regulatory and legal patchwork gaps mentioned above.

Read previous Networking articles in the Archives section.

The 2009 ANSI/HITSP Common Device Connectivity standards project may well be the first effort in that direction. That task force, which includes manufacturers and providers, has begun that effort, and all interested parties are welcome to join the discussion by joining HITSP. Active weekly participation in 2 or so hours of conference calls/WebEx meetings with the consumer perspectives technical committee is all that is needed to ensure that you have a voice in the outcomes.

As General Patton supposedly said, “Lead, follow, or get out of the way!” I know I am preaching to the choir, but, after all, this is our chosen career and profession, friends. Your voice and active engagement right now are important to ensure that the emerging regulations get the job done right, because we may never get a chance like this again. As we all know, getting it done right now will be a lot easier than cleaning up the mess later (eg, today’s banking and auto industries). We sure hope to hear from more of you on these important calls soon!

Elliot B. Sloane, PhD, CCE, is assistant professor, Villanova University; Villanova, Pa, cochair of the HIMSS/RSNA/ACC IHE Strategic Planning Committee; cochair of the ACCE/HIMSS IHE patient care device domain; and a member of 24×7’s editorial advisory board. For more information, contact .

Link It

Read in-depth information on the organizations, programs, and initiatives discussed in the article on the Web at the following sites: