This article examines the role of the business associate of healthcare providers (BAHP) in the National Health Information Network. Current Health Insurance Portability and Accountability legislation has little to say about BAHPs and their potential impact on medical information privacy. For the good of the business enterprise, managers who are BAHPs or who supervise BAHPs need to be aware of the potential pitfalls of ignoring medical information privacy and take a proactive stance in protecting medical information privacy within the National Health Information Network. Among the approaches that managers can adopt include creating legal contracts between a business and BAHPs, proactively adopting more effective transmission security technologies, and insuring that BAHPs properly dispose of medical information after their use. Such proactive approaches will help to insure that the business is protected against a serious data breach that may result in popular and/or legal challenges to the business.
TopIntroduction
In his 2004 State of the Union address, President George W. Bush stated that, by computerizing health records, it would be possible to avoid dangerous medical mistakes, reduce medical costs, and improve medical care (The White House, 2006). Drawing on a report from the Institute of Medicine (2001) and on the conclusions of a panel of IT experts, Kaushal et al. (2005) reported that the creation of a national system of electronic health records and a National Health Information Network electronically connecting electronic heath records to healthcare providers, insurers, pharmacies, laboratories and claims processors will be possible at a cost of $156 billion. Four companies (Accenture, Computer Science Corporation, IBM and Northrop Grumman) have been selected by the Department of Health and Human Services to develop regional versions of the National Health Information Network with a view toward developing interoperability in the near future. A report from the Office of the National Coordinator for Health IT (Rishel, Riehl & Blanton, 2007) suggests that the National Health Information Network will be a:
“network of networks” that will securely connect consumers, providers and others who have, or use, health-related data and services, while protecting the confidentiality of health information. The NHIN will not include a national data store or centralized systems at the national level. Instead, the NHIN will use shared architecture (services, standards and requirements), processes and procedures to interconnect health information exchanges and the users they support (p. 2).
Electronic health records contain an individual’s medical information that can take many forms such as text, photographs, video, x-ray, sound, etc. One definition of information that is directly relevant to medical information privacy is data that have been evaluated to be relevant and useful for making particular decisions or classes of decisions (King and Epstein, 1976). Though the account was originally provided for the context of business management decision making, it is clearly applicable to the situation of various medical practitioners as well as a business associate of a healthcare provider (BAHP) such as an insurance agent, a billing agent, a consultant, or a transcriptionist. Generally speaking, a BAHP is anyone who works closely with a healthcare provider in non-treatment contexts in both healthcare related businesses as well as non-healthcare related businesses. (The term “private contractor” is also used to describe BAHPs in government, for example, by the Veterans Administration.) For example, a BAHP may be interested in developing patient profiles with a view toward customized marketing aimed at a particular profile or class of related profiles.
Despite government efforts to ensure medical information privacy, no comprehensive national strategy to safeguard medical information privacy has been developed and implemented (Koontz & Melvin, 2007). As such, the National Health Information Network poses a real threat to individuals’ medical information privacy (Szewczak, 2007). This paper considers the role of the BAHP in the context of the National Health Information Network, identifies potential threats to individuals’ medical information privacy, and proposes solutions to management challenges presented by the current and future availability of medical information made possible by the National Health Information Network.