Hostname: page-component-8448b6f56d-wq2xx Total loading time: 0 Render date: 2024-04-23T23:29:11.875Z Has data issue: false hasContentIssue false
  • English
  • Français

The Role of Law in Supporting Secondary Uses of Electronic Health Information

Published online by Cambridge University Press:  01 January 2021

Tara Ramanathan ,
Cason Schmit ,
Akshara Menon  and
Chanelle Fox
Get access Rights & Permissions [Opens in a new window]

Extract

For decades, health information has been collected and shared for health care delivery and public health purposes. While the “primary use” of patient data for providing direct health care services is the cornerstone of health care practice, health departments rely on data sharing for research and analysis to support disease prevention and health promotion in the population. As the U.S. health system undergoes a digital revolution, health information that was previously captured in paper form now can be captured electronically. Electronic health information (EHI) has transformed the efficiency, capacity, and functions of the U.S. health system. For this reason, there is increased attention to the “secondary use” of electronic patient data for public health uses, including disease reporting and investigation, syndromic surveillance, and patient-specific or population-level communications about health conditions and their associated risk factors. Secondary uses may also encompass clinical research, licensure, and payment for services.

Type
JLME Supplement
Information
Journal of Law, Medicine & Ethics , Volume 43 , Issue S1 , Spring 2015 , pp. 48 - 51
Copyright
Copyright © American Society of Law, Medicine and Ethics 2015

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

See, e.g., Safran, C. Bloomrosen, M. Hammond, W. E. et al., “Toward a National Framework for the Secondary Use of Health Data: An American Medical Informatics Association White Paper,” Journal of the American Medical Informatics Association 14, no. 1 (2007): 19.Google Scholar
Centers for Disease Control and Prevention (CDC), “Status of State Electronic Disease Surveillance Systems – United States, 2007,” Morbidity & Mortality Weekly Report 58, no. 29 (2009): 804807.Google Scholar
Blumenthal, D. Tavenner, M., “The ‘Meaningful Use’ Regulation for Electronic Health Records,” New England Journal of Medicine 363, no. 6 (2010): 501504; Hoffman, S. Podgurski, A., “Big Bad Data: Law, Public Health, and Biomedical Databases,” Journal of Law, Medicine & Ethics 41, no. 1, Supp. (2013): 56–60.CrossRefGoogle Scholar
See, e.g., Petersen, C. DeMuro, P. Goodman, K. W. et al., “Sorrell v. IMS Health: Issues and Opportunities for Informaticians,” Journal of the American Medical Informatics Association 20, no. 1 (2013): 3537.Google Scholar
See, e.g., Sengupta, S. Calman, N. S. Hripcsak, G., “A Model for Expanded Public Health Reporting in the Context of HIPAA,” Journal of the American Medical Informatics Association 15, no. 5 (2008): 569570.Google Scholar
Pub. L. No. 104–191, 110 Stat. 1936 (allowing stricter state privacy restrictions).Google Scholar
45 C.F.R. § 164.512(a), (b), (i) (2013) (stipulating that the provider must account for these disclosures to the patient when requested); CDC, “HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services,” Morbidity & Mortality Weekly Report 52, no. 1 (April 11, 2003): 112, available at <http://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm> (last visited February 4, 2015).+(last+visited+February+4,+2015).>Google Scholar
See, e.g., 45 C.F.R. § 164.514(e) (2013); see also Sengupta, , supra note 6.Google Scholar
45 C.F.R. § 164.501 (2013) (defining health-care uses of PHI); U.S. Department of Health & Human Services, OCR Privacy Brief: Summary of the HIPAA Privacy Rule 410 (2003) [hereinafter cited as OCR Privacy Brief], available at <http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf> (last visited February 4, 2015).+(last+visited+February+4,+2015).>Google Scholar
Burke, T., The Health Information Technology Provisions in the American Recovery and Reinvestment Act of 2009: Implications for Public Health Policy and Practice, 125 Pub. Health Rep. 141 (2010).CrossRefGoogle Scholar
42 U.S.C.A. § 300jj-31 (2009) (enacted as part of the American Recovery and Reinvestment Act of 2009); 45 C.F.R. 158.151 (2011); 42 C.F.R. 495.6 (2013) (including a variety of health-care quality measures).Google Scholar
HealthIT.gov, “Meaningful Use Criteria and How to Attain Meaningful Use of EHRs,” available at <http://www.healthit.gov/providers-professionals/how-attain-meaningful-use> (last visited February 4, 2015).+(last+visited+February+4,+2015).>Google Scholar
Menon, A. Ramanathan, T. Schmit, C. et al., “Assessing the Impact of Laws Related to Electronic Health Information,” Poster Presentation at the American Public Health Association Annual Meeting (November 18, 2014). These data were collected in January 2014 from WestlawNext® searches using terms such as health, medical, record, database, electronic, digital, computer, internet, web-based, automated, health information exchange, health information technology, and health information organization. Use categories were defined from a PubMed literature review of scholarly articles published since 2009, and provisions were blind-coded with rigorous coding criteria by two or more licensed attorneys according to principal reference or cross-reference for each category.Google Scholar
Id. (from research examining statutes and regulations from Florida, Indiana, Kansas, Maryland, Michigan, Minnesota, New Hampshire, New York, Oregon, Tennessee, Texas, and Virginia).Google Scholar
This analysis does not capture the implementation or enforcement of these provisions or agreements that exist outside state law to facilitate EHI access or use. Therefore, this research cannot be used to infer the extent to which a state is leveraging its legal authority to use EHI.Google Scholar
See, e.g., N.H. Code Admin. R. Ann. He-W 950.06 (2006) (implementing HIPAA rules at 45 C.F.R. § 164.514(e)(1)).Google Scholar
See OCR Privacy Brief, supra note 10, at 9; CDC, “BioSense Background,” available at <http://www.cdc.gov/biosense/background.html> (last visited February 4, 2015).+(last+visited+February+4,+2015).>Google Scholar
45 C.F.R. § 164.514(e)(2) v (2013); Sengupta, , supra note 6, at 569–570.Google Scholar
See, e.g., Or. Admin. R. 943-014-0415 (2014) (implementing the HIPAA Privacy Rule at 45 C.F.R. § 164.502(e)).Google Scholar
45 C.F.R. § 160.103 (2014); see also the American Recovery & Reinvestment Act of 2009, which expanded the regulations on privacy of electronic health records and extended privacy protection to EHRs received and retained by business associates of covered entities (Am. Recovery & Reinvestment Act of 2009, Pub. L. No. 111–5, §§ 13401, 13402, 123 Stat. 115).Google Scholar
Restatement I of the Data Use and Reciprocal Support Agreement (2014), available at <http://healthewayinc.org/images/Content/Documents/Application-Package/restatement_i_of_the_dursa_9.30.14_final.pdf> (last visited February 4, 2015).+(last+visited+February+4,+2015).>Google Scholar
5 U.S.C. § 552a (2010) (amending the Privacy Act of 1974); 32 C.F.R. § 310.53 (2007).Google Scholar
See HealthIT.gov, “Inter-Organizational Agreements,” available at <http://www.healthit.gov/policy-researchers-implementers/inter-organizational-agreements> (last visited February 4, 2015); CDC, Public Health Law Program, “Model Memoranda of Understanding,” available at <http://www.cdc.gov/phlp/publications/type/mmou.html> (last visited February 4, 2015).+(last+visited+February+4,+2015);+CDC,+Public+Health+Law+Program,+“Model+Memoranda+of+Understanding,”+available+at++(last+visited+February+4,+2015).>Google Scholar