Important Legislative Updates On Protected Health Information (PHI) in Pennsylvania and New Jersey

The rapid movement of information across digital systems has prompted an equally rapid response from the country’s medical community to federal legislation. This process is often seen as a reactive model, chasing the ever-moving target of technological advancement and the transfer of digital information. At the same time, the protection of personal information has become an issue that most consumers are not only aware of, but over which they also demand greater degrees of control. These cross-purposes present a unique situation for healthcare providers, who must meet consumer demands both for efficient handling of data and for the protection of their information.

New Jersey’s Stance

Possibly one of the most progressive moves at the state level towards stronger protection of Protected Health Information (PHI) is the decision by the New Jersey state legislature to go beyond even the national regulation of the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was enacted in 1996, at a time when the Internet was new but the collection, digitization and transfer of information was already performed electronically on a wholesale basis. HIPAA has been updated as recently as January 2013, so that even information gathered by business associates of healthcare providers also falls under its privacy regulations.

HIPAA and the follow-up Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009 and updated in 2013, were created first and foremost to ensure that PHI is protected, by requiring all healthcare providers, their vendors and business associates to take appropriate measures to secure consumer personal information and prevent data breaches. Yet these acts were also designed to speed up the adoption of electronic record keeping by healthcare institutions, to facilitate more efficient lines of communication between organizations where necessary.

New Jersey has gone further in the direction of protecting consumer information by specifically requiring healthcare organizations to encrypt sensitive data and institute more stringent security measures, including more complex passwords. The aim is that, should passwords become known, the information contained in the file being accessed is still “unreadable, undecipherable, or otherwise unusable by someone who can bypass the password protection.” This new legislation by the state of New Jersey will take effect in August 2015, giving organizations just eight months to institute a new standard of privacy.

Pennsylvania Moving in that Direction

Many other states are in the process of considering stricter protocols for PHI in light of the major data breaches and setbacks suffered by major corporations in the last year, which included Target and Wal-Mart. It has become evident that corporations and organizations of any size can be targeted by criminals seeking sensitive information.

The purpose of the Pennsylvania eHealth Initiative (PAeHI) is to ensure the privacy and security of health information and its exchange in an ever-moving world of cloud technology and consumer awareness. This initiative led directly to the state-legislated creation of the Pennsylvania eHealth Partnership Authority (PAeHPA) in July 2012. This authority is responsible for improving healthcare delivery through the secure exchange of information across health organizations. The authority has created a Trust Community to better represent those organizations that are actively involved in the pursuit of best practices regarding the safe and secure transfer of PHI for the betterment of their patients.

Although the state does not directly manage and operate the Health Information Exchange (HIE) process, the PAeHPA is a state-legislated authority established to assess, collaborate with stakeholders on, and manage the exchange of PHI.