This post was written by Adam Snukal.
Kathleen Sebelius, Secretary of the Department of Health and Human Services (“HHS”), hadn’t been on the job even two months when she found herself a defendant in a class-action lawsuit brought in the Southern District of New York. A registered nurse had brought the action against Ms. Sebelius, as well as the White House Office of Health Reform Director and the Administrator of the Centers for Medicare & Medicaid Services, alleging that certain provisions of the American Recovery and Reinvestment Act (“ARRA”) violate privacy rules central to the Health Insurance Portability and Accountability Act (“HIPAA”) and the federal Privacy Act.
The suit claims that the new health care information technology system to be developed and implemented pursuant to the ARRA, which will create an electronic medical records database by 2014, will include Americans who are not covered by either Medicare or Medicaid (according to the lawsuit, Medicare and Medicaid only cover approximately 23 percent of the American population). This system, according to the complaint, poses a major threat to individual privacy, placing individuals’ personal health information “just a mouse click away from being accessible to an intruder.”
The action takes issue with ARRA’s provision allowing HHS to determine what constitutes the “minimum necessary” amount of personal health information allowed to be disclosed under HIPAA. According to the suit, “This technology will be used to deprive the Plaintiff and others of their fundamental right to privacy by requiring that their medical records be released by their health care providers and upon entry into the Health Information Technology maintained under the supervision of the Secretary will be made available without the permission of the Plaintiff to an unknown and potentially unlimited number of persons.” The action seeks an injunction to prevent distribution of payments for the purchasing of the electronic health care systems.
The standard of “minimum necessary” is a central tenet of the HIPAA laws, which require that when a health care provider uses or discloses personal health information, or requests personal health information from others, the provider must undertake reasonable efforts to limit itself to “the minimum necessary amount of PHI to accomplish the intended purpose of the use, disclosure, or request.” Under this standard, providers must develop policies and procedures that limit information uses, disclosures and requests to those necessary to carry out the organization’s work. That includes identifying those within the provider’s workforce who need access to carry out their duties, and making reasonable efforts to limit access accordingly. HHS has been clear that the minimum necessary standard that health care providers are required to follow calls for the employment of a “reasonableness” analysis, so that a provider’s functions are not unduly restricted.
Few elements of HIPAA have generated more controversy than this standard, but if this court elects to embrace that standard, the likelihood of the success of this action on its merits may seem remote. HIPAA places a heavy emphasis on maintaining the privacy of an individual’s personal health information, and if the ARRA regulations applicable to the manner by which health information electronic systems are permitted to collect and share personal health information are consistent with HIPAA’s standard of reasonableness, there will be a substantial burden of proof for the plaintiffs to overcome.