Comparing Nations: A look at health information privacy

Comparing Nations: A look at health information privacy Samuel Warren IS472: IT Compliance Professor Steve O’Brien 09-November-2012 Comparing Nations: A look at health information privacy Executive Summary There are many factors to consider when discussing the parallels and variations associated with Canada and the United States of America with respect to healthcare. Electronic protected health information (ePHI) is the driving force behind HITECH expansion of the US’ Health Insurance Portability and Accountability Act (HIPAA). While both discuss the standards, the penalties, and both intervene in the ecosystem of the Healthcare industries they serve. The differences highlighted are mostly related to costs and the context for which each health care system operates. Introduction With the recent trending towards making more and more information available to the owners of said information. Due to this fact, serious strides towards protecting the information from falling into the wrong hands are occurring. The United States Government Department of Health and Human Services (HHS) passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 with the goals of “making health care delivery more efficient and increasing the number of Americans with health insurance coverage” (National Academy of Sciences, 2009). After being passed into law, the creators of the bill allowed it to be put to public scrutiny in 1999. Because of the volume of comments in response to the bill, it went through several revisions (National Academy of Sciences, 2009). By way of comparison, the nation of Canada will be compared to discern the similarities and the differences. Similarities At its heart, the two countries share many similarities from a privacy standpoint. They both desire to protect the personal health information they store and transmit. They are also built with forethought towards electronic access. The “HITECH” portion of HIPAA provides incentives to move more in the realm of electronic records and expands the scope of HIPAA beyond the original legislation. The HITECH Act is transformational legislation that anticipates a massive expansion in the exchange of electronic protected health information (ePHI). The HITECH Act widens the scope of privacy and security protections available under HIPAA; increases potential legal liability for non-compliance; and provides more enforcement of HIPAA rules. (Leyva & Leyva) While the exchange of electronic information is already taking place in many health care providers’ offices, there is an additional need to be more forward thinking and aware of potential trends in data management within the scope of protected health information. Canada’s Health Information Protection Act (HIPA) has built in some terminology to assist in this change. In the event that a comprehensive electronic health record is created, The Health Information Protection Amendment Act ensures that patients will have the power to block access to their personal health information once that system is in place. (Gooliaff Beaupre, 2009) The idea of making a data warehouse of ePHI controlled and secured by HIPA experts may be appealing, but the Ministry of Health also has its eye on keeping their customers happy. Another similarity in the two laws is the great pains each act goes through to detail punishment for not meeting compliance. HIPAA violations, depending on the situation, can cause a punishment of up to 10 years imprisonment and a $250,000 USD fine. These acts are very similar across many areas, where they differ is what brings a certain amount of clarity around these two prominent health care systems. Differences One of the biggest differences noted is the cost. While the US has some of the highest cost of any country, Canada’s problems with cost are equally problematic. All care is “free” for insured services —those provided by physicians and hospitals. No premiums, deductibles or co-payments are imposed. (Other services such as dental care and prescription drugs must be paid for either through private insurance or out-of-pocket.) When no one is faced with any charge for services, demand is unrestrained and costs surge. (O’Neill & O’Neill, 2007, p. 2) The costs themselves are not directly related specifically to HIPA’s equivalent of HITECH, but when one considers the staggering costs of Information Technology (IT). Whether it is software that is HIPA/HIPAA compliant, hardware that stores the ePHI, networking equipment that transfers it, the costs go up for each of the companies in direct proportion to how compliant the healthcare provider has to be to prevent inadvertent data loss. Another major point to consider is the artificial demand created due to the decrease of cost health insurance. In 1966, Canada implemented a single-payer health care system, which is also known as Medicare. Since then, as a country, Canadians have made a conscious decision to hold down costs. One of the ways they do that is by limiting supply, mostly for elective things, which can create wait times. Their outcomes are otherwise comparable to ours. (Carroll, 2012) This is significant in and of itself, because of how frequently the system, especially IT-related portions, is utilized. As a result, both US and Canada’s systems are constantly in need of change. However, Canada’s IT infrastructure is much more difficult to continue expanding, because of the low cost and the driving need to help patients without additional undue wait from updating IT systems. If the costs were comparable, it is reasonable to assume the US would also have an increased service time, lower cost, and similar demand for healthcare as its neighbor to the north. But would the costs allow ePHI to be considered? Will the costs associated with the technology necessary decrease at a reasonable pace? Time will tell, but for Canada, the way they spend their money should primarily focus on the protection of the ePHI and the infrastructure used to transport it. References Carroll, A. (2012, April 16). 5 Myths About Canada’s Health Care System The truth may surprise you about international health care. Retrieved November 9, 2012, from AARP website: http://www.aarp.org/politics-society/government-elections/info-03-2012/myths-canada-health-care.html Gooliaff Beaupre, V. (2003, May 8). CONFIDENTIALITY OF HEALTH INFORMATION BETTER PROTECTED. Retrieved November 9, 2012, from The Government of Saskatchewan website: http://www.gov.sk.ca/news?newsId=79cc2a04-d0f5-4dc1-a145-e1bb5c067e17 Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule; Nass SJ, Levit LA, Gostin LO, editors. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington (DC): National Academies Press (US); 2009. 1, Introduction. Available from: http://www.ncbi.nlm.nih.gov/books/NBK9576/ Leyva, C., & Leyva, D. (n.d.). HIPAA Survival Guide. Retrieved November 9, 2012, from HIPAA Survival Guide website: http://www.hipaasurvivalguide.com/ O'Neill, D. M., & O'Neill, J. E. (2007, September). HEALTH STATUS, HEALTH CARE AND INEQUALITY: CANADA VS. THE U.S. [PDF]. Retrieved from http://www.nber.org/papers/w13429.pdf Penalties Under HIPAA. (n.d.). Retrieved November 9, 2012, from UC Davis Health System website: http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/penalties.html