A registered nurse has filed a class action lawsuit in the Southern District of New York claiming that certain provisions of the American Recovery and Reinvestment Act (“ARRA”) (the new stimulus legislation enacted in February) violate the privacy rules laid out in the Health Insurance Portability and Accountability Act (“HIPAA”) and the federal Privacy Act. The complaint can be found here.
Beatrice Heghmann of Durham, North Carolina claims that, pursuant to ARRA, the White House Office of Health Reform is working with the Department of Health and Human Services (“HHS”) to design a new system that would create electronic health records for millions of Americans by 2014. According to Heghmann’s complaint, this planned system poses a major threat to individual privacy: she claims individuals’ personal health information (“PHI”) could be just a “mouse click away from being accessible to an intruder.”
Heghmann takes issue with ARRA’s provision allowing HHS to determine what constitutes the “minimum necessary” amount of PHI allowed to be disclosed under HIPAA, as well as how best to implement “de-identification” of protected information. According to Heghmann’s complaint, HHS Secretary Kathleen Sebelius is “empowered to totally vitiate the privacy provisions under HIPAA and link medical information contained in Plaintiff’s personal health record directly to Plaintiff and all others similarly situated.” Heghmann argues that the $22 billion earmarked for the electronic registry is merely a vehicle to obtain access to this confidential health care information.
Heghmann is seeking certification for a class of similarly situated individuals and is requesting an injunction to prevent the government from disbursing the $22 billion budgeted for the Electronic Health Records System.
As our readers might remember, we’ve blogged before about the importance placed on the handling of PHI and HIPAA’s privacy provisions (related blog post here). In ARRA, Congress did impose significant new privacy and security requirements on HIPAA-covered entities and their business associates, precisely to protect against the kind of risks Heghmann’s complaint highlights. Whether such a complaint could create a barrier to the Administration’s goals for electronic health records will be an important question; at the very least, the complaint will likely cause HHS to lean further toward strict implementation of ARRA’s privacy provisions in its forthcoming regulations.