Hi Chris,

Privacy is a major 'topic'. Others include 'security' onsite, in 
transmission, retention, archiving, copies, modifications and signatures.

Some jurisdictions have well-developed laws (and model code as well) 
covering electronic records in eCommerce (includes the US and Clinton's 
eSign bill). It is easy to see the parallel between the EHRs and the ERs 
in eCommerce, e.g., an ER is an ER is an ER regardless.

Spring 2003 HIPAA summary:
http://www.dicksteinshapiro.com/seeninprint/publications/pdf/HLBSpring03.pdf

Reviewing the 'Security Rule' is interesting. Swiss Cheese! 
'de-identified' information as an exclusion should be a joke. Compare 
with the model code for eCommerce.

Use of words like 'may' in legislation translates into a 'wish' that the 
tooth fairy is coming tonight.

Electronic eCommerce has moved ahead in many areas with contracting 
being a significant area:

http://library.lp.findlaw.com/articles/file/00053/002195/title/subject/topic/computers%20%20technology%20law_digital%20signatures/filename/computerstechnologylaw_1_72

Electronic eCommerce already covers a major part of the globe. EHR 
systems need to get the 'regional' environment working before the 
national and global. But coming up with something unique to OpenEHR will 
likely doom the project.

SUGGESTION:
What is good for electronic eCommerce can be modified to suit EHRs.

Having said that I am back to the model codes. HIPAA just doesn't hack 
it. What does? A model code is needed for the world.

ONE REASON:
HIPAA places emphasis on the responsibility of Providers for security. 
That doesn't compute in a single-Provider office. Why? The 
Patient-single-Provider environment has more security leaks than one can 
easily describe. Add a Payer and it becomes impossible. Put it in front 
of a court and you are asking for major complications.

COMMENT:
No more HIPAA-type legislative acts. Do the global model code somebody; 
do it once.

If a set of global Healthcare applications are to be built to service 
EHRs it cannot be dependent upon daily legislative changes and court 
rulings (at all levels). This will not work without the ability to 
excise one or more areas, e.g., regions, to avoid complications, e.g., 
jurisdictional-oriented changes.

Globally Patients, Providers and Payers may buy into this in a big way. 
It is their governments, judicial systems and administration of justice 
organizations that are complications here. They need to buy into a model 
code for global EHRs.

COMMENT:
Retrieve some laws still on the books in various states in the US. They 
constitute a legal joke.

Some codes give mules the right-of-way requiring motor vehicles to stop 
at the side of the road. Others require a chain to be drawn across the 
road at sundown and on weekends. Others prohibit many things that are 
taken for granted by the current populace.

Why haven't they been removed? Because things change constantly and one 
never knows when it might be a good idea to run mules down main street.

A model code-based legislative act needs to supersede and eliminate all 
conflicting laws. Change must be necessary and properly integrated.

-Thomas Clark










Christopher Feahr wrote:

> Tom,
> Are your remarks here concerned only about *privacy* laws with respect 
> to EHR... i.e., patient and provider rights with respect to access and 
> disclosure?  I can't think of any other general aspect of law that 
> would apply to EHR... at least not one that would benefit from the 
> "uniform model code" that you describe.
>
> In the US, the conflict and overlap between state laws and HIPAA is 
> actually part of the motivation for writing the HIPAA Privacy Rule.  
> It is expected the state laws will eventually become aligned with 
> and "modeled" after HIPAA in the privacy area, although there is no 
> mechanism to ensure that.  Incidentally, there are also areas of 
> state-federal conflict like "prompt pay" laws, with respect to the 
> HIPAA Transaction Rule... with no help in sight.
>
> Personally, I don't think legislatures should be making ANY rules that 
> are specifically about electronic records and information sharing... 
> at least, not until we have some sort of information authority or 
> technical review board to pass these proposals by.  Well-meaning 
> politicians have written the Transaction Rule with the intent of 
> helping patients and providers.  But the ill-conceived rule ends up 
> increasing everyone's cost and helping no one.
>
> -Chris
>
> At 06:11 PM 8/26/2003 -0700, lakewood at copper.net wrote:
>
>> Hi Bill,
>>
>> Thanks for the post. I did intend to use HIPAA as an example of a 
>> legislative act that is poorly written without the assistance of a 
>> uniform model code. It was enacted to keep the payers happy and not 
>> the Patients.
>>
>> Poor results occur when things are not grounded on solid 
>> fundamentals. There is a Uniform Commercial Code that has evolved 
>> over many years and has been modified and improved over these years. 
>> It has been adopted in whole by many states and modified by others. 
>> The 51+ jurisdictions are sufficiently different to cause one to look 
>> for an attorney to resolve specific problems.
>>
>> Patients do not have the same rights as Patients in the UK or other 
>> EU countries within the US. The HIPAA Privacy Rule should have 
>> 'required' consent initially and finally. It doesn't! It is a problem 
>> that has to be fixed or a work-around developed and enacted as a 
>> modification or a new law.
>>
>> BTW: Findlaw is used as a reference, however bad, for the current 
>> state of the interpreted law within the US.
>>
>> Your response is right on and should illustrate the need for a 
>> Uniform Model Code for EHRs especially since this scenario will be 
>> repeated in many countries across the globe.
>>
>> If the US can have national and international model codes for 
>> Commerce it should have the same for Healthcare and EHRs. In essence 
>> the governments need a guiding light lest they visit another one like 
>> HIPAA on the populace!
>>
>> -Thomas Clark
>>
>> Bill Walton wrote:
>>
>>> Thomas Clark wrote:
>>>
>>>
>>>
>>>> Hi All,
>>>>
>>>> The following link is to a FindLaw reference regarding what HIPAA means
>>>> to Patients:
>>>>
>>>>
>>>>
>>> http://articles.corporate.findlaw.com/articles/file/00081/002452/title/Subject/topic/Health%20Law_HIPAA/filename/healthlaw_1_335
>>>
>>>
>>>
>>> <soap box>
>>> This article contains an egregious error.
>>>
>>> Under the section headed "Patient Rights Obligations" the author states that
>>> "HHS had initially proposed allowing routine disclosures without advance
>>> patient consent for treatment, payment and administrative operations, but
>>> the final rule requires informed patient consent for even these routine
>>> disclosures."
>>>
>>> This is not true.  The final Privacy Rule *PERMITS* covered entities
>>> (providers, payers, clearinghouses) to obtain consent for use and
>>> disclosure of protected information in treatment, payment, and operations
>>> (there is some restriction in psychotherapy notes).  It does NOT require
>>> consent for these uses.  At best the author did not read the Preamble where
>>> this modification was clearly articulated to provide an option for those
>>> providers who were fearful of missteps and preferred to err on the side of
>>> caution.  Unfortunately I find it hard to give the author the benefit of the
>>> doubt and have written to the editors of FindLaw.com complaining about this
>>> article.  HIPAA, like Y2K, has been the focus of far too many bottom feeding
>>> lawyers creating self-serving FUD among the US healthcare community.
>>>
>>> The US healthcare system has a bad enough rep without "help" like this.
>>> </soap box>
>>>
>>> Best regards,
>>> Bill
>>>
>>> -
>>> If you have any questions about using this list,
>>> please send a message to d.lloyd at openehr.org
>>>
>>>
>>
>>
>>
>
>
> Christopher J. Feahr, O.D.
> Optiserv Consulting (Vision Industry)
> http://Optiserv.com
> http://VisionDataStandard.org
> Office (707) 579-4984
> Cell    (707) 529-2268
>


