VCBeat VB Think Tank Session III
Subject: HIPAA and HIT
Time: Afternoon, Saturday, February 7, 2015
Location: Sanlitun SOHO ARTS Lounge
Speaker: Zhao Xinyuan
I. Origin of the Salon
II. HIPAA and HIT
1. "Homeland" and Cardiac Pacemakers
2. HIPAA, HITECH Act, HIPAA Omnibus Rule
3. ARRA, HITECH, MU
4. From HIPAA to the HIPAA Omnibus Rule
5. BA (Business Associate)
6. What Does HIPAA Protect?
7. Patient Rights
8. Privacy Rule
9. Security Rule
10. Required/Addressable Standards
11. Notification Requirements
12. HIPAA Is Not a Barrier to Good Care
13. Violations and Penalties
14. Meaningful Use
III. Questions
IV. Acknowledgements
Guest Profile
Zhao Xinyuan:
Graduated from Tsinghua University.
Currently serving as the CEO of Beijing InTechLong Technology Co., Ltd. and as a member of the Technical Guidance Committee of HL7 China. With over a decade of entrepreneurial experience, he has been dedicated to healthcare software offshore development (HSOD) and mobile app development (iOS and Android applications). His clients are primarily from Japan, the United States, Europe, and Australia, including several world-renowned multinational corporations. Over the past ten years, the company has successfully completed and delivered approximately 110 healthcare software development projects, encompassing PACS, health examination systems, medical equipment maintenance and repair service systems, LIS, EMR/EHR, and PMS (Practice Management System).
Possesses a comprehensive understanding of healthcare and health IT development, laws and regulations, and technical standards in developed countries such as the United States. Demonstrates in-depth and detailed knowledge of U.S. healthcare reform trends, progress, and their impact on the HIT industry; the Meaningful Use of Certified EHR program and its associated knowledge framework; and the U.S. Managed Care system.
This salon was initiated in response to Dr. 2’s critique of Xingshulin’s claim of HIPAA compliance, an article that drew significant attention to data security concerns among internet healthcare software startups, particularly regarding the proper understanding of U.S. HIPAA regulations.
According to the 2014 Healthcare Data Breach Report by Bitglass, there were more than 200 healthcare data breaches annually over the past three years, and the number of stolen medical records was six times that of stolen credit card numbers. Healthcare data breaches are a significant and costly problem for healthcare consumers and providers alike: HIPAA civil penalties run up to $50,000 per violation, capped at $1.5 million per calendar year for repeated violations of the same provision. In a well-known case, Massachusetts General Hospital paid $1 million to settle after an employee left documents containing the protected health information of 192 patients on a Boston subway train.
The HIPAA Act, in full the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), is generally referred to simply as the HIPAA Act in Chinese literature. Some render its name as the "Health Insurance Portability and Accountability Act," while others use the descriptive term "Medical Electronic Exchange Act."
HIPAA brought information-security obligations to healthcare organizations and set privacy and security standards for electronic information that identifies an individual. Its detailed rules and procedures make HIPAA compliance a challenge for most businesses.
The 3rd VCBeat Think Tank Offline Salon, in collaboration with the People's Medical Publishing House Longtan Salon, invited Zhao Xinyuan, an expert with in-depth research on U.S. healthcare policy, to provide a comprehensive analysis of the HIPAA Act. He also offered insights into the evolution of relevant regulatory policies in China and provided recommendations for entrepreneurs and investors on key considerations regarding data privacy and security.
Everyone involved in e-health or electronic medical records is working in the field of healthcare information technology, and HIPAA is closely related to what most professionals are currently doing.
I have just participated in a research project on the “13th Five-Year Plan” commissioned by the National Health and Family Planning Commission, which explores how to safeguard the security of medical information and personal privacy amidst the rapid rise of the internet. This demonstrates that our health authorities have already placed this issue on their agenda.
From another perspective, the fact that Xingshulin invokes HIPAA demonstrates that it at least possesses the awareness that patient privacy and other medical information involved in internet healthcare services, such as its “Medical Record Folder” product, must be protected. Such awareness deserves commendation in today’s context. To date, awareness in this area remains quite weak within the healthcare industry, with many considering it premature. I believe that Xingshulin’s emphasis on HIPAA compliance is itself praiseworthy. This is my assessment of the matter.
Let me begin with this: Who recognizes the elderly man in the photo? It is former U.S. Vice President Dick Cheney. Since leaving office, Cheney has been actively involved in numerous public welfare initiatives. A popular American TV series, Homeland, aired an episode last June featuring a plotline in which the U.S. Vice President had a cardiac pacemaker implanted. Hackers then remotely disabled the device, effectively assassinating the Vice President. The broadcast of this episode sparked widespread outrage across the United States. Why? Because approximately 3.2 million Americans have implanted cardiac pacemakers. Ultimately, the U.S. Food and Drug Administration (FDA) and the Department of Health and Human Services were compelled to issue public statements addressing these concerns.
Although such incidents may not have occurred in reality, why did the U.S. Food and Drug Administration (FDA) and the Department of Health and Human Services issue explanations? This footage is from an interview with Dick Cheney on CBS’s “60 Minutes.” He stated that after watching a television drama series, he had his doctor deactivate the wireless functionality of his device. He explained that the purpose of disabling it was to prevent potential cyberattacks. This is not alarmist rhetoric; beyond cardiac pacemakers, many modern medical devices are highly vulnerable to exploitation.
Approximately four months ago, the U.S. Federal Bureau of Investigation (FBI) conducted a survey across various industries in the United States. The report submitted to Congress and the President highlighted that, among all sectors, the healthcare industry is the most vulnerable, has the most vulnerabilities, and is the most frequently targeted by cyberattacks. Therefore, I find this story quite intriguing and believe it serves as a significant reminder for us to pay close attention to information security in the healthcare sector.
In addition, healthcare systems, including clinical decision support systems that leverage medical data, generate vast amounts of data on a daily basis. What should be done with these data after their initial use? In fact, if these data are only utilized once without subsequent review, their value would be significantly diminished. The data reuse and analytical mining discussed today both represent forms of data utilization.
These data analysis requirements have also necessitated strengthened and enhanced protection of personal health information security. Many nurses and doctors connect their personal mobile phones to hospital networks, using their own smartphones or iPads for clinical care activities. However, many hospitals currently lack awareness of this issue, and developing countermeasures has not yet been placed on the agenda.
The medical internet, composed of the Internet of Things (IoT), Body Area Networks (BANs), and other technologies, necessitates that issues such as healthcare information security, personal privacy protection, and medical data safeguarding be placed high on the agenda. This reflects both a global trend and an urgent need.
I believe it is highly necessary for us to gather here today to discuss and reflect on these issues. Those present today are perhaps among the earliest in the industry to have given thoughtful consideration to this matter.
The United States is a country with an extensive and complex legal framework. The PowerPoint presentation highlights laws related to personal privacy, information protection, and security. Today, we will primarily discuss HIPAA and the laws associated with it.
Before delving into the discussion, let us first distinguish among HIPAA, the HITECH Act, and the HIPAA Omnibus Rule. Many people currently conflate these terms, failing to understand the relationships among them; indeed, even some Juris Doctors have not fully grasped how they interrelate. To discuss HIPAA effectively, we must first clarify the connections between these three frameworks.
First is HIPAA, the Health Insurance Portability and Accountability Act; second is the HITECH Act. At a conference previously held in Beijing, an American speaker discussed HITECH, and the simultaneous interpreter translated it as the “High-Tech Act.” Some health and medical media outlets subsequently referred to it as the “High-Tech Act.” Although HITECH shares the same abbreviation as “high-tech,” this is not its actual meaning. Its full name is the Health Information Technology for Economic and Clinical Health Act.
Let's first look at the history of HIPAA.
HIPAA was originally enacted in 1996 under President Clinton. The second is HITECH, which was part of the American Recovery and Reinvestment Act enacted after President Obama took office following the 2008 financial crisis; Chapter 13 of this act is known as the HITECH Act. The HIPAA Privacy Rule became effective in 2013.
We clarify the sequence of events, identify who accommodates whom, explain why this is the case, and delineate the relationships among them.
In 1996, President Clinton signed this law. Why was HIPAA enacted? U.S. legislation is problem-oriented, aiming to address issues arising in American society through legal means. HIPAA was designed to tackle two main challenges: first, issues related to health insurance and coverage; second, concerns regarding the security of medical information. The privacy regulations within HIPAA took effect in 2003. Although HIPAA constitutes a comprehensive law, the effective dates for its various provisions differ.
When HIPAA is mentioned, many people equate it with healthcare information security, but this is not accurate; it is, in fact, a comprehensive legal framework. As the saying goes, “a picture is worth a thousand words,” so let us examine this diagram. In 1996, President Clinton signed the HIPAA Act into law, which is structured into five subtitles or Titles. Our discussion primarily focuses on Title II.
The first is portability. Why is it called the Health Insurance Portability and Accountability Act? Actually, it boils down to two issues: one is the portability of health insurance, and the other is liability. What does "portability of health insurance" mean? Let me give a brief explanation. In the United States, when you enroll in an employer-sponsored health insurance plan and then change jobs, you cannot take that coverage with you. For example, suppose I worked at a company for 20 years, enrolling in the plan at age 30. After 20 years, I am 50 years old and decide to change jobs. The insurance coverage cannot be continued or transferred. If I move from Company A to Company B, I must enroll in a new insurance plan. At Company A, I was insured at age 30; now, at age 50, how do you think the insurer will treat me? The underwriting terms will be extremely stringent. In China, individuals aged 50 are often denied coverage altogether. Why? Because people tend to develop illnesses in their 50s and 60s. In fact, approximately 80% of medical expenses are incurred after age 65, and 80% of that 80% is spent in the last three months of life. Therefore, the older you are, the more restrictive the insurance conditions become. Due to the lack of portability and continuity of coverage, if I stay with my current employer, my insurance policy remains unchanged. However, if I switch jobs, I must undergo new underwriting, which would result in significantly higher premiums. Consequently, I choose not to change jobs.
This issue pertains to the mobility of talent. The U.S. Congress and the U.S. government are well aware that any factor hindering the flow of talent in the United States would inflict a heavy blow on the U.S. economy. As a nation founded on freedom, the United States upholds liberties including the free choice of occupation and the fluid movement of talent; any attempt to restrict such freedoms is untenable in the U.S. context. Consequently, Congress introduced the concept of health insurance portability. When certain factors impede this broader objective—specifically, when they hinder U.S. economic development—Congress and the American public will weigh the consequences and firmly reject such obstacles by enacting legislation to remove these restrictions. This was the original intent behind establishing health insurance portability.
Today, we will primarily discuss the Administrative Simplification (AS) provisions. Often referred to as administrative management or simplification of administration, this domain typically encompasses privacy protection and information exchange related to healthcare information security; in essence, these fall under the AS umbrella, specifically concerning Electronic Data Interchange (EDI). While this area certainly involves specific technical issues, we will touch upon them only briefly today. Instead, our focus will be predominantly on Privacy and Security to provide clarity, as it is widely recognized that HIPAA indeed pertains to information security. Our discussion, including references to Xingshulin and Dr. 2’s presentation, centers more on privacy and security, with limited coverage of EDI. EDI is merely a tool; its earliest adopters were in foreign trade, where it was used for settlements and electronic data interchange. The healthcare sector has lagged behind in this regard, and our own adoption of EDI has similarly trailed, largely following others’ lead. Consequently, we will likely delve little into code-level details, including identifiers, today.
This figure is presented to simplify the concept for everyone; the law is also known as the Health Insurance Portability and Accountability Act.
We just discussed ARRA and HITECH, followed by MU (Meaningful Use).
ARRA, the American Recovery and Reinvestment Act, along with HITECH, Meaningful Use (MU), CMS, and certified Electronic Health Records (EHRs) for Meaningful Use. ARRA serves as a broad framework, with HITECH constituting Title XIII of ARRA. MU is a program launched in 2011 under HIPAA regulations, through which the U.S. federal government allocated nearly $35 billion over five years to incentivize physicians and hospitals nationwide to adopt EHRs. The incentives amounted to $44,000 per eligible professional under Medicare and $63,750 under Medicaid, calculated on a per-provider basis. This initiative has had a profound impact. Whether you are an entrepreneur, hospital administrator, or physician, I believe it is essential to understand MU. In my view, MU represents the distilled essence and hard-won lessons from fifty years of challenges in U.S. healthcare and health IT. Gaining a thorough understanding of MU clarifies future directions for entrepreneurship, health IT development, healthcare management, and healthcare reform. I strongly advocate that everyone become proficient in MU. Given sufficient time, MU alone warrants a dedicated three-hour session.
Why did HIPAA ultimately evolve into the HIPAA Omnibus Rule? This progression reflects a historical trajectory: first came HIPAA, followed by HITECH, and finally the HIPAA Omnibus Rule. The Omnibus Rule was issued in 2013 as a comprehensive 546-page document. HIPAA was signed into law by President Clinton in 1996; nearly two decades have passed since then. Laws cannot remain static; they must keep pace with the times, or else they become obsolete and consigned to the dustbin of history. Precisely because profound and significant changes occurred over those nearly 20 years, there has been an even greater imperative to strengthen information security.
With technological advancements, patients who would have died in the past without a cardiac pacemaker can now receive devices with wireless capabilities. This raises concerns that such features could be exploited for remote homicide. Why did Cheney disable the wireless function? Because an attack remotely deactivated his pacemaker.
It is precisely these technological changes, such as mobile internet and apps, that have strengthened the protection of our privacy and data security. However, back in 1996, he did not anticipate the current situation, so amendments were necessary. How were these amendments made? Ultimately, the Omnibus Rule was introduced, which I translate as the “Comprehensive Regulations.” Spanning 546 pages, it is available for those interested in further study after the conference; I can share the original text with you.
From HIPAA to the Omnibus Rule: What Changes Have Occurred? I’ve summarized the five most significant ones.
First, BA liability was added; previously, HIPAA did not include provisions for Business Associates.
HIPAA has three covered entities. One is the provider, which we can understand as the healthcare service provider: hospitals, clinics, physicians, including hospice care facilities and long-term care institutions, are all referred to as providers. The second category is insurance companies, as they also have access to patient data. The third category is clearinghouses, because medical billing settlement in the United States is a highly complex process. Let me provide a simple example: A Chinese expert once stated that the U.S. uses ICD-9 (procedure coding), whereas we currently use ICD-10, implying that the U.S. lags behind China. I asked him whether he knew how many codes are included in ICD-10. He said he did not. I then asked how he utilized ICD-9, and he replied that they reported data to the medical insurance system by categorizing patients into ten disease groups. I remarked that this approach was overly simplistic. In fact, ICD-9 contains 18,000 codes, while ICD-10 comprises 180,000 codes. Why is it so difficult? Because these codes are intertwined with numerous other factors. Through bundled payments and linked medical services, when codes are submitted, payers can verify their accuracy, determine whether they represent upcoding or downcoding, and detect potential billing fraud, among other issues.
The Omnibus Rule has incorporated Business Associates (BAs). When China enacts similar legislation in the future, it will undoubtedly include BAs as well. Therefore, our discussion today highlights that those who gain early awareness and take proactive measures will be better positioned for the future.
The second change involves updating medical information and medical data.
Third, fines for violators have been increased to strengthen penalties, with the aim of prompting the entire U.S. society and American healthcare institutions to prioritize the security and privacy protection of medical information.
The fourth change is the addition of a mandatory breach notification requirement, meaning that any breach must be reported to the U.S. Department of Health and Human Services Office for Civil Rights.
Fifth, incorporate certain provisions of the Genetic Information Nondiscrimination Act (GINA) into this framework, explicitly stipulating that patients’ genetic information constitutes protected data. GINA, signed into law by President George W. Bush in 2008, primarily prohibits health insurers and employers from using genetic testing as a basis or pretext to deny employment, create barriers to hiring, or engage in discriminatory practices in insurance underwriting.
Who handles and oversees violations? Primarily, it is the Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services (HHS). For instance, if electronic health records (EHRs) from a healthcare institution are stolen, or if a laptop containing thousands of patients’ EHRs is stolen, such incidents must be reported to the OCR immediately. Furthermore, reviews in this area have been conducted since September 23, 2013. There is also ASSET (Audit Simplification Enforcement Support Tool), a program developed by the U.S. HHS to streamline enforcement. It serves as a complaint mechanism for the American public: if individuals discover that a hospital or physician has violated HIPAA regulations, they can file a complaint directly online. This tool has been implemented very effectively. Although tensions are high in the United States regarding these matters, there is no alternative but to pay the fines, which can amount to millions of dollars.
Let us now clarify several key terms and their definitions.
The first definition is privacy. Privacy is somewhat notorious because it is overly vague and rife with ambiguity. The requirement that personal health information must not be disclosed or leaked is what constitutes privacy.
The second is Confidentiality, or a non-disclosure agreement, which is essentially an attribute of data or information. It means that information must not be disclosed to individuals or entities unauthorized to access it. When entrepreneurs develop information systems in the future, they must design safeguards against unauthorized Access, Uses, and Disclosures.
The third principle is Availability, which refers to the accessibility of information. It is an attribute of data and information, meaning that authorized individuals can access, obtain, and use such information according to their needs. This is known as availability or accessibility. This concept encompasses several layers of meaning: first, authorized personnel must be able to access the information; second, the information must be protected against threats and hazards; third, backups must be maintained; and fourth, when dealing with Electronic Protected Health Information (EPHI), appropriate disaster recovery measures must be in place to ensure the continuity of healthcare operations. Regarding healthcare continuity, current medical services are often fragmented; therefore, it is essential to provide disaster recovery mechanisms and ensure the continuous delivery of healthcare services.
The latter two terms are “security” and “safety.” These concepts are often confused, which can lead to difficulties when reading the literature. Security refers to a range of measures, including rules, policies, standards, procedures, and methods, designed to protect privacy and information confidentiality (Protection of privacy and confidentiality through policies, procedures and safeguards).
Safety, typically referring to patient safety, actually pertains more broadly to medical standards and protocols. These protocols are designed to ensure the reporting, analysis, and prevention of medical errors and mistakes during the healthcare process. Everyone is familiar with the concept of medical error: in the United States, 400,000 people die annually due to medical errors, with 40% of these deaths attributed to medication errors. Level 6 and Level 7 certifications require closed-loop medication management. The U.S. places particular emphasis on healthcare information security, focusing on how health information can serve healthcare quality or what health information technologies can be employed to reduce medical errors and save lives.
As I mentioned earlier, HIPAA regulates four types of entities:
One is "provider," which some media outlets have translated as "supplier." However, this is a specialized term in the medical field. In our context, it refers to a healthcare service provider. Since describing it as a "supplier" sounds awkward in Chinese, I suggest translating it as "healthcare-related institutions." It can also refer to a doctor; sometimes it specifically denotes a single physician.
The second concept is "health plan." Some translate it as "health program," which is incorrect. This is a specific term in English referring to health insurance. In the United States, individuals aged 65 and older have four types of plans, which essentially represent different categories of insurance coverage. HMO (Health Maintenance Organization) was the earliest form of health insurance in the U.S. Currently, U.S. health insurance has evolved into managed care. Why is it called managed care? The average profit margin for U.S. health insurance companies is only 4%. So who is being managed? Doctors, patients, and hospitals are all subject to management. How is this achieved? There are two primary approaches: procedural measures and financial incentives.
The third category is the one we have just discussed; in fact, the healthcare ecosystem comprises all of these elements.
The fourth category is business associates, which was not included in the original HIPAA legislation of 1996 but was added later. This inclusion brought all of us in this industry under regulatory oversight; previously, we were exempt, but now we are subject to regulation. Currently, major U.S. Health Information Technology (HIT) companies are treading on thin ice, facing the constant risk of financial penalties.
To provide some examples, the following entities are all subject to HIPAA jurisdiction: software developers providing IT support, IT equipment vendors, leasing companies, telephone CPE vendors, and shredding vendors. Shredding vendors assist healthcare institutions in document disposal; for instance, discarded documents cannot be disposed of arbitrarily, and certain hard drives require degaussing. These companies handle such tasks. In the United States, electronic medical records are openly sold for $50 in the market. I have also heard that they are available for sale in southern China. All these activities fall under the jurisdiction of HIPAA regulations.
Answering services for physician offices and medical clinics encompass tasks such as medical transcription and revenue cycle management. In the United States, stringent regulatory requirements make comprehensive documentation indispensable; without it, physicians cannot secure reimbursement. Since physician compensation is closely tied to documented clinical activities, thorough record-keeping is essential not only for billing but also for demonstrating the care provided to patients. Typically, U.S. physicians dictate their notes after patient encounters and transmit the audio files overnight to outsourcing companies in India. These firms transcribe the recordings and return the completed documents by the following morning. The physicians then review and integrate the transcribed notes into their electronic health records (EHRs). Such companies are subject to compliance with the Health Insurance Portability and Accountability Act (HIPAA).
There are also temporary employment agencies. In U.S. hospitals, when many doctors, including numerous nurses and other healthcare professionals, take leave, such agencies deploy other qualified medical personnel to fill in.
Medical collection agencies are debt collection firms. In the United States, medical coding is critical because reimbursement under systems such as CPD and DRG varies depending on the codes assigned. Many physicians aim to accelerate payment by selecting higher-valued codes—for instance, choosing a code reimbursed at $60 instead of one at $50. However, inflating codes increases the risk of claim denials by insurers. Consequently, approximately 80% of these coding-related ventures have shut down due to persistent cash flow problems. Some startups have emerged to address this issue by optimizing code selection to ensure appropriate reimbursement levels, earning revenue through profit-sharing arrangements. The range of services offered by such startups is often surprising.
Prior to the HITECH Act, Business Associates (BAs) were not directly regulated. For instance, when providing services to hospitals, they were bound by a business associate agreement with the hospital but were not subject to HIPAA regulations. However, following the enactment of the HITECH Act, both Business Associates and their subcontractors became subject to HIPAA’s jurisdiction and requirements. This represents the key change before and after the legislation.
"A senior physician from Peking Union Medical College Hospital went to the United States for advanced training. He was surprised to find that the first course consisted of several days of HIPAA training. I remarked that their primary concern is not whether you acquire knowledge, but rather how much in fines—measured in tens of thousands of dollars—you might incur for them; therefore, they provide HIPAA instruction upfront."
What exactly does HIPAA protect? Not everything is covered; the core protection is for PHI, Protected Health Information. Americans approach tasks differently from us; rather than issuing vague, unfocused guidelines, they have specified 18 categories of information that can be used to identify an individual. Although these 18 categories are highly specific, the 18th category remains open-ended.
Let us review this again. The concept of PHI must be clearly defined, encompassing verbal information, paper-based records, audio recordings, and other electronic information such as faxes and emails. Today, our discussion focuses primarily on ePHI, which pertains to the protection of electronic data rather than paper-based information.
These 18 types of information include names, addresses, dates of birth, telephone numbers, fax numbers, driver’s license numbers, vehicle license plate numbers, serial numbers of other devices, URLs, etc. These data elements can be used to locate or identify an individual. The eighteenth category encompasses any other numbers, digits, or similar identifiers capable of identifying an individual.
HIPAA provides a pathway whereby de-identified data is not subject to HIPAA regulations. Information can be de-identified, for example, by removing the 18 specified identifiers or by encryption, thereby preventing others from determining to whom the information belongs. However, although de-identification is currently feasible, re-identification remains possible through various technical means. The U.S. Department of Health and Human Services holds that there is no foolproof solution; therefore, it is essential to implement more robust technical measures to prevent re-identification.
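As an added worked example (not part of the talk), the following Python shows what a Safe Harbor de-identification pass over a structured record looks like: direct identifiers are dropped, the quasi-identifiers that the rule allows to survive are generalised the way 45 CFR 164.514(b)(2) requires (year only for dates, ages over 89 aggregated to "90+", ZIP codes cut to three digits or 000 for low-population prefixes), and free-text fields are scanned for residual identifiers, which is the step most often skipped in practice. The field names, regex patterns, restricted-prefix list and sample record are assumptions made for this example.

```python
"""Safe Harbor de-identification of a structured patient record.

Added example for this discussion, not code from the talk. It applies the
Safe Harbor method of 45 CFR 164.514(b)(2) to a dictionary record and scans
free text for residual identifiers that the field-level pass cannot see.
The field names, the patterns and the sample record are assumptions.
"""
import re
from datetime import date

# Fields holding direct identifiers; these are dropped outright.
DROP_FIELDS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_plate",
    "device_serial", "url", "ip", "biometric", "photo",
}
# Date fields: only the year survives (birth dates also feed the age rule).
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering fewer than 20,000 people, which Safe Harbor
# requires to become 000 (list as given in the HHS 2012 de-identification
# guidance; re-check it against current Census data before relying on it).
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}
# Residual-identifier patterns for free text. This is a safety net, not a
# complete solution: the open-ended 18th category cannot be matched by regex.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def generalise_zip(zip_code):
    """Keep the first three digits unless the prefix is population-restricted."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if birthday_passed else 1)


def redact_free_text(text):
    """Replace residual identifiers with tags; return the text and the names of
    the patterns that fired so the caller can decide whether to release it."""
    hits = []
    for name, pattern in RESIDUAL_PATTERNS.items():
        text, count = pattern.subn("[%s]" % name.upper(), text)
        if count:
            hits.append(name)
    return text, hits


def de_identify(record, as_of):
    """Return (de-identified record, list of free-text pattern names that fired)."""
    out = {}
    flags = []
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalise_zip(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age > 89:
                out["age"] = "90+"          # a birth year would reveal the age
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year
        elif key == "notes":
            out["notes"], hits = redact_free_text(value)
            flags.extend(hits)
        else:
            out[key] = value                # e.g. diagnosis codes stay as they are
    return out, flags


# Constructed sample record (not real data).
PATIENT = {
    "mrn": "MRN-0042",
    "name": "Jane Doe",
    "dob": date(1924, 3, 15),
    "zip": "03601",
    "phone": "617-555-0142",
    "admit_date": date(2014, 11, 2),
    "diagnosis_code": "I50.9",
    "notes": "Daughter to call back at 617-555-0199 on 11/03/2014.",
}

if __name__ == "__main__":
    cleaned, flags = de_identify(PATIENT, date(2015, 2, 7))
    print(cleaned)
    print("free-text patterns that fired:", flags)
```

Two design points: the record is released only after the caller inspects `flags`, because a free-text hit means the structured pass alone was not enough; and the block implements identifier removal only. Encrypting a record protects it in storage or transit but leaves it identifiable to anyone holding the key, so it is a safeguard rather than de-identification in the sense of the rule's two recognised methods.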
What Are Patients' Rights Under HIPAA?
First, the patient has the right to request amendments and modifications to their medical record, including their phone number and date of birth.
Second, the patient has the right to access PHI.
Third, patients have the right to informed consent and may request that the hospital disclose a list of all parties to whom their medical information has been disclosed within the past six years. Even if such disclosures were lawful, the hospital is obligated to provide this list in either printed or electronic format upon the patient’s request.
Patients may request the use of alternative communication methods, even for information that is not considered confidential. For instance, a physician may send an email containing a patient’s private information only if the patient provides written consent or electronic authorization; otherwise, if a physician sends an unencrypted email containing the patient’s Protected Health Information (PHI), the patient may file a lawsuit against the physician at any time.
HIPAA regulations mandate the signing of an informed consent form during patient interactions. The form clearly stipulates that patients acknowledge and understand the purposes for which the hospital collects their information and how such data will be used. The final section confirms that the patient has read the Notice of Privacy Practices, which outlines the hospital’s privacy policies, including measures for protecting patient privacy, the specific uses of patient information, and the permissible scopes of such use that remain compliant with the law. Hospitals are required to provide the Notice of Privacy Practices to patients, and patients must sign it.
Electronic medical records contain 18 essential data elements; therefore, robust privacy protections must be implemented for electronic medical records, with strict adherence to the Health Insurance Portability and Accountability Act (HIPAA). Informed consent forms help build patient trust in physicians by demonstrating that doctors and hospitals respect patient privacy. Consequently, regulations governing electronic medical records constitute a critical component in establishing patient trust in healthcare providers and institutions, as well as in fostering sound physician-patient relationships, warranting particular emphasis. As previously mentioned, genetic information is also incorporated into the category of personal information.
Another is to further restrict the disclosure of PHI.
Lastly, if a patient discovers that a physician or healthcare institution has violated privacy and security regulations or related provisions, they may file a complaint against the physician or institution. There are multiple channels for filing complaints: patients can complain directly to the hospital, or submit complaints through the online portal developed by the Ministry of Health.
The Administrative Simplification section comprises three components: Privacy, Security, and Breach Notification. The first pertains to privacy regulations, the second to security regulations, and the third to requirements for breach notification. Specifically, the Privacy Rule restricts the use and disclosure of Protected Health Information (PHI). The Security Rule mandates the implementation of appropriate and reasonable administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). The Breach Notification Rule outlines the procedures for notification in the event of a breach.
Let's first look at the Privacy Rule:
1. A series of standards and provisions have been established regarding the use and disclosure of Protected Health Information (PHI). The “minimum necessary” requirement, which mandates that only the minimum amount of PHI needed to accomplish the intended purpose should be used or disclosed, was incorporated into these standards; this principle emphasizes “less is more” rather than “the more, the better.”
2. Patients can access their electronic medical records.
3. Patients must sign a consent form, which specifies that their information and insurance numbers may be used for purposes related to their treatment, including insurance billing, payment processing, and healthcare operations; otherwise, such use is prohibited. This establishes clear guidelines. Furthermore, any uses not covered in the consent form, such as scientific research, require separate patient authorization; failing to obtain this additional consent constitutes a violation of the law.
Regarding the "minimum necessary" standard, it can be simply explained as the "need-to-know" principle: information that needs to be known is equivalent to the minimum necessary information. What constitutes "need-to-know"? First, physicians require it to document patient treatment and create electronic medical records for patients. Second, physicians need it to communicate with patients or other healthcare professionals to provide better care. Third, to ensure continuity of care, even after a patient is discharged, physicians may need to communicate with community doctors, general practitioners, primary care providers, or home health aides, thereby requiring access to information such as the patient’s home telephone number. Fourth, it is necessary for the analysis, research, and evaluation of patient treatment. Fifth, clinical data are required to conduct scientific research that has already been consented to and approved by the patient. Finally, legitimate business purposes also fall under the category of "need-to-know."
What Constitutes a Legitimate Business Purpose? First, statistical data are required for clinical decision support and for developing treatment plans. Second, third parties specifically mandated by law require this information, such as in cases involving infectious diseases, autopsies, and cancer reporting. Third, documentation containing Protected Health Information (PHI) is necessary for insurance billing and reimbursement processes. Fourth, information is required to meet certain certification, licensing, or credentialing requirements.
Security Rule: Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
Administrative safeguards refer to establishing security management processes and procedures that identify and analyze risks. This is precisely the area covered by DataTao's infographics: risk identification and analysis, followed by the selection and implementation of safeguards that prevent or mitigate those risks.
In addition, staff training must be conducted for both physicians and employees to ensure they are familiar with the Health Insurance Portability and Accountability Act (HIPAA), understand hospital management policies, and know the procedures to follow in the event of a violation.
These measures must also encompass the management of information access, with clear regulations specifying who is authorized or prohibited from accessing data, as well as when and how such access may be granted.
Finally, there is the contingency plan, which outlines how to respond in the event of an emergency. Additionally, procedures for restoring lost data are also considered part of emergency protocols.
HIPAA's implementation specifications are of two types: required and addressable. Addressable specifications allow a degree of flexibility: the organization assesses whether the specification is reasonable and appropriate in its own environment and, if it is not, documents why and implements an equivalent alternative measure. "Addressable" therefore does not mean optional. The administrative rules are detailed; for instance, the law explicitly requires healthcare organizations to designate a Security Officer. Workforce security must cover authorization and supervision, and sanction procedures must be in place so that violations are stopped as soon as they are detected, distinguishing intentional from unintentional breaches.
The previous points concerned administrative safeguards. At the physical level, there are facility access controls: facilities must enforce entry restrictions, and a data center cannot simply be left with its doors open. Second, workstations need security measures; for instance, privacy filters on physicians' monitors stop bystanders from reading the screen, and use of and access to physician workstations should be monitored. Data backup and storage likewise need management protocols. The next phase of electronic health records (EHRs) in the United States emphasizes patient-generated data, so all related devices must be protected. Device and media controls require that disposal and destruction be handled by specialized disposal companies, which, because they handle PHI, are themselves bound by HIPAA as business associates. This layer involves numerous specific technical measures and constitutes the core substantive content.
Third, at the technical level: First, access control must be implemented. Access to Protected Health Information (PHI) should be restricted as much as possible, granted only to authorized personnel, and limited to the minimum necessary. Second, audit controls must be in place to monitor activities across all software systems or components that contain electronic PHI (ePHI). Furthermore, data integrity must be ensured by implementing measures to prevent unauthorized alteration or destruction of ePHI, including security safeguards during transmission. For instance, regarding access control, unique user identification codes should be provided for accessing electronic health records (EHRs). Additionally, an emergency access procedure must be established; while certain data may generally be inaccessible to physicians, life-threatening emergencies necessitate a mechanism for emergency access, with such actions logged for subsequent review. Automatic logoff functionality is also required; for example, if a physician remains inactive for a few minutes, the system must automatically log them out. This feature is a standard certification requirement for EHR vendors.
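The technical safeguards above (unique user identification, minimum-necessary access control, a logged emergency access procedure, audit controls and automatic logoff) fit together in a small access layer, shown here as an added example that is not code from the talk or from any real EHR. The roles, the record sections each role may see, the five-minute inactivity limit, the sample chart and the audit event shape are all assumptions; an injectable clock is used so the logoff timeout can be exercised without waiting.

```python
"""Technical safeguards in an EHR access layer: unique user IDs, role-based
"minimum necessary" access, logged break-glass emergency access and automatic
logoff. Added example, not code from the talk or any real EHR product; the
roles, record sections, timeout value and sample data are assumptions.
"""
import time
from dataclasses import dataclass
from typing import Optional

AUTO_LOGOFF_SECONDS = 300   # assumed inactivity limit (a few minutes)

# Which record sections each role needs for its work: the minimum necessary.
ROLE_SECTIONS = {
    "attending": {"demographics", "diagnoses", "medications", "notes"},
    "pharmacist": {"demographics", "medications"},
    "billing": {"demographics", "diagnoses"},
}

# Constructed sample chart; not real patient data.
CHARTS = {
    "P-1001": {
        "demographics": {"year_of_birth": 1962},
        "diagnoses": ["I10"],
        "medications": ["lisinopril 10 mg"],
        "notes": "Follow up in 3 months.",
    }
}

@dataclass
class AuditEvent:
    user_id: str                 # unique per person, never a shared ward login
    action: str                  # read / denied / break_glass / auto_logoff
    patient_id: Optional[str]
    section: Optional[str]
    at: float
    reason: Optional[str] = None

class AccessDenied(Exception):
    pass

class ManualClock:
    """Clock that only advances when told to, so timeouts can be demonstrated."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class EhrSession:
    def __init__(self, user_id, role, audit, clock=time.monotonic):
        self.user_id = user_id
        self.role = role
        self.audit = audit           # shared, append-only list of AuditEvent
        self.clock = clock           # injectable so the timeout can be tested
        self.active = True
        self.last_activity = clock()

    def _touch(self):
        """Enforce automatic logoff, then record activity."""
        now = self.clock()
        if self.active and now - self.last_activity > AUTO_LOGOFF_SECONDS:
            self.active = False
            self.audit.append(AuditEvent(self.user_id, "auto_logoff", None, None, now))
        if not self.active:
            raise AccessDenied("session expired; authenticate again")
        self.last_activity = now
        return now

    def read(self, patient_id, section, emergency_reason=None):
        """Return one section of a chart, logging every outcome."""
        now = self._touch()
        chart = CHARTS[patient_id]
        if section in ROLE_SECTIONS.get(self.role, set()):
            self.audit.append(AuditEvent(self.user_id, "read", patient_id, section, now))
            return chart[section]
        if emergency_reason:
            # Break the glass: grant access outside the normal role, but record
            # who, what and why so the event is reviewed afterwards.
            self.audit.append(AuditEvent(self.user_id, "break_glass", patient_id,
                                         section, now, reason=emergency_reason))
            return chart[section]
        self.audit.append(AuditEvent(self.user_id, "denied", patient_id, section, now))
        raise AccessDenied(f"{self.role} may not read {section}")

def events_for_review(audit):
    """Break-glass and denied events a privacy officer should look at."""
    return [e for e in audit if e.action in ("break_glass", "denied")]

if __name__ == "__main__":
    clock, audit = ManualClock(), []
    session = EhrSession("u-billing-42", "billing", audit, clock)
    print(session.read("P-1001", "diagnoses"))
    print(session.read("P-1001", "medications", emergency_reason="code blue, bed 4"))
    clock.advance(AUTO_LOGOFF_SECONDS + 1)
    try:
        session.read("P-1001", "diagnoses")
    except AccessDenied as exc:
        print("denied:", exc)
    for event in events_for_review(audit):
        print(event)
```

Two design points matter more than the code: the emergency path never bypasses the audit log, so break-glass use is cheap for the clinician but visible to whoever reviews the log later, and denied attempts are logged too, since a pattern of denials is often the first sign of a curious employee or a compromised account.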
The Breach Notification Rule requires covered entities to give notice when a breach of PHI occurs. Notification is generally required in the following circumstances:
First, if electronic medical records are stolen or otherwise breached, the hospital must notify each affected individual.
Second, the U.S. Department of Health and Human Services' Office for Civil Rights must be notified; in certain circumstances the media must be informed as well. This is extremely serious, which is why U.S. healthcare institutions are so apprehensive.
The general rule is this: if a breach of electronic medical records affects more than 500 individuals, HHS must be notified promptly and the affected patients must be notified. If fewer than 500 individuals are affected, the affected individuals are still notified, but the incident may be logged and reported to HHS annually rather than case by case.
Additionally, a tiered notification protocol is required. Business Associates (BAs), Covered Entities (CEs), and subcontractors must follow this hierarchy. As previously mentioned, a CE is a covered entity (such as a healthcare provider or health plan) that bears responsibility for its BAs. Since subcontractors work for BAs, notifications escalate level by level. For instance, if a subcontractor suffers a HIPAA breach, it must notify its BA; if a BA suffers a breach, it must notify the CE (e.g., the hospital) with which it contracts. This layered process culminates with the CE reporting to the Department of Health and Human Services (HHS).
Furthermore, there are strict time limits: the aforementioned parties must be notified without unreasonable delay and no later than 60 days after the breach is discovered. No extensions are permitted except in one specific circumstance: notification may be delayed if law enforcement determines that immediate notice would impede an ongoing investigation.
Does this mean that none of this confidential information can ever be used? Not all confidentiality obligations prohibit disclosure; when the law requires disclosure, the information cannot remain confidential. HIPAA includes such provisions, allowing disclosure for public-interest purposes.
The first category involves disclosures mandated by law. The second pertains to disclosures necessary for public health, such as in cases of infectious diseases. Occupational health surveillance and medical monitoring also fall under the legally defined concept of the "Public Good."
Of course, HIPAA and its provisions must never become an obstacle to good care; in other words, HIPAA is designed to serve healthcare rather than hinder it. For instance, while the FDA currently oversees apps, Congress has stated that oversight is not an end in itself and should not be allowed to impede innovation and adoption. This logical distinction must be clearly understood, and our reading of the law should be multidimensional. For example, the Privacy Rule does not prohibit doctors and nurses from communicating with each other in order to treat patients. Likewise, incidental disclosures, such as a conversation overheard unintentionally, are inevitable and not malicious. In such cases, leniency is granted for accidental, non-intentional disclosures, and the Department of Health and Human Services retains discretion in handling them.
What Constitutes a HIPAA Violation: Examples
First, discussing patients in public areas or lobbies, or sharing information with unauthorized individuals.
Second, theft, loss, or improper disposal of documents, emails, films, or notebooks containing protected health information.
Third, theft of laptops, PDAs, mobile phones, or other media storing sensitive patient data; failing to adequately secure computer systems against hacker attacks is likewise a violation.
Fourth, sending emails or faxes to incorrect recipients or phone numbers because of addressing errors.
Finally, failing to log out of the system, thereby allowing unauthorized individuals to access confidential information.
What are the consequences of non-compliance? HIPAA and the related laws set out detailed provisions, generally grouped into four tiers. The first tier covers violations the entity did not know about and could not have discovered through reasonable diligence; penalties range from $100 to $50,000 per violation. Under the original 1996 HIPAA Act, the maximum was $25,000 and the minimum $100; the maximum has since been raised to $50,000. The second tier covers violations due to reasonable cause but not willful neglect, with penalties of $1,000 to $50,000 per violation. The third tier covers willful neglect corrected within 30 days, with penalties of $10,000 to $50,000 per violation. The fourth tier covers willful neglect not corrected within 30 days, at $50,000 per violation, up to an annual maximum of $1.5 million.
Penalties are counted per identical provision violated, meaning each violated provision is counted separately, and the $1.5 million annual cap applies per provision. An entity may violate several provisions at once; violating four provisions in the same year could therefore expose it to up to $6 million ($1.5 million multiplied by four). Furthermore, the amendments to the 1996 law now calculate penalties by the number of individuals affected and the duration of the violation. A breach affecting 2,000 individuals differs significantly from one affecting 5,000 or 50,000, and a violation lasting ten days is penalized differently from one lasting eight. This calculation method is particularly severe. The substantial increase in fines in recent years is attributed to three factors: penalties are counted per provision, per individual affected, and per day of violation. None of these metrics existed in the original 1996 regulations.
In addition to civil fines, there are also criminal liabilities, with a maximum sentence of up to ten years’ imprisonment. Life behind bars is hardly pleasant. Furthermore, for medical institutions or related entities, the loss of patient and public trust is devastating. If your compliance record is compromised, who would still sign contracts with you? Hospitals would no longer retain your services. Thus, the repercussions extend far beyond mere financial penalties.
Regarding Meaningful Use, in brief, the U.S. healthcare system has progressed through three stages: Stage 1 focused on establishing electronic health records (EHRs); Stage 2 aimed at achieving health information exchange and coordinated care; and Stage 3 targeted improving clinical outcomes. The United States has already invested over $20 billion, driving EHR adoption rates from just over 20% to more than 80%. EHRs will form the foundational content of national healthcare information systems, with clinical data serving as the core information—rather than billing, administrative, or pharmacy dispensing data within hospitals. Currently, what are termed “electronic medical records” in China are essentially text editors rather than true EHR systems. I believe that China’s EHR landscape will undergo a revolutionary transformation in the coming years. I will not elaborate further on the specific requirements driving this change.
Meaningful Use also involves certification, with specific requirements for electronic health records (EHRs). For instance, EHRs must support emergency access, automatic logoff, and automated logging. Every access to a patient's medical record must be logged, and these logs serve as the basis for later audits and reviews. EHRs must also ensure data integrity. How is data integrity ensured? First, message digests: a digest must be generated each time information is transmitted. Second, verification mechanisms must be in place. Third, detection capabilities are needed to identify whether data or audit logs have been tampered with, in transit or in storage. EHRs must also incorporate authorization mechanisms that verify whether an individual has the right to access specific data, along with encryption. Every disclosure of information must be recorded, including lawful disclosures made for treatment, payment, and healthcare operations. Every instance of a physician accessing Protected Health Information (PHI) must be documented. In the future, China will undoubtedly adopt similar requirements.
Stage 2 introduced some new requirements in 2014. First, electronic messages sent from outpatient systems must be encrypted, which was not explicitly stipulated before. Second, patients are allowed to amend and update their Protected Health Information (PHI), and systems must include anti-tampering and encryption features. Data at rest, meaning data stored on disk rather than in transit, must also be encrypted; Stage 1 only mandated encryption in transit, whereas locally stored data must now be encrypted as well. Third, all actions must be logged, including who disabled the logging function and when, and who disabled the encryption feature and when. Information must also be transmitted securely: unencrypted email must not be used, and message digests (hashes) should accompany transmitted data so that any alteration can be detected. A hash is an integrity check, not encryption, so it complements the cipher rather than replacing it. For data at rest, two approaches are recommended: one, as in electronic health record systems, is to avoid storing sensitive information on the client side at all; the other is to encrypt data before storing it locally.
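The integrity requirements in the two paragraphs above (a digest on transmitted data, detection of tampering with data or audit logs, and logging of the act of disabling logging) come down to one primitive: a keyed digest over each entry that also covers the previous entry's digest. The block below is an added example, not code from the talk or from any certified EHR. It builds an HMAC-chained audit log and shows that editing an entry, deleting one, or forging a MAC is detected. The key handling is simplified for the example: in a real deployment the MAC key lives in a KMS or HSM, not next to the log. HMAC provides integrity only; confidentiality of data at rest still requires a cipher, which this block does not attempt.

```python
"""Tamper-evident audit log: each entry carries an HMAC over its content and
the previous entry's MAC, so edits, deletions and reordering are detectable.
Added example, not code from the talk or any certified EHR. Key handling is
simplified: in practice the MAC key lives in a KMS/HSM, not beside the log.
The same keyed digest can seal a message in transit. HMAC gives integrity
only; confidentiality of data at rest still needs a cipher.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # previous-MAC value used for the first entry

def canonical(obj):
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class ChainedAuditLog:
    def __init__(self, key: bytes):
        self.key = key
        self.entries = []

    def _mac(self, body):
        return hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()

    def append(self, event: dict):
        """Append an event, binding it to its position and to the entry before."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "event": event}
        self.entries.append({**body, "mac": self._mac(body)})

    def verify(self):
        """Return (True, -1) if intact, else (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
            if (entry["seq"] != i                      # gap or reorder
                    or entry["prev"] != prev           # broken chain link
                    or not hmac.compare_digest(entry["mac"], self._mac(body))):
                return False, i
            prev = entry["mac"]
        return True, -1

def demo_tampering(key=b"assumed-demo-key"):
    """Build a log, then show that an edit and a deletion are both caught."""
    log = ChainedAuditLog(key)
    # Constructed events. Note that disabling logging is itself a logged event.
    log.append({"user": "dr-lee", "action": "read", "patient": "P-1001"})
    log.append({"user": "admin-7", "action": "audit_logging_disabled"})
    log.append({"user": "admin-7", "action": "audit_logging_enabled"})
    intact = log.verify()

    log.entries[1]["event"]["user"] = "nobody"    # rewrite who disabled logging
    edited = log.verify()
    log.entries[1]["event"]["user"] = "admin-7"   # undo the edit

    del log.entries[1]                            # try to remove the entry
    deleted = log.verify()
    return intact, edited, deleted

if __name__ == "__main__":
    print(demo_tampering())
```

A plain (unkeyed) hash chain would not be enough here: an attacker who can rewrite the log file can recompute every hash after the edit. With HMAC the attacker also needs the key, which is why the key must be kept where the application that writes the log cannot simply read it back out, and why the chain should be anchored periodically (for example by writing the latest MAC to a separate, append-only store).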
The U.S. Department of Health and Human Services provides a tool comprising ten steps to assess an organization’s compliance with HIPAA regulations, allowing enterprises to conduct checks sequentially. I have always emphasized the importance of “standing on the shoulders of giants” by learning from advanced countries; adopting this approach enables us to achieve twice the results with half the effort. We simply need to thoroughly understand these resources, including their entrepreneurial histories. The United States offers excellent examples in healthcare IT entrepreneurship. I have compiled a list of 18 accelerators and incubators in this sector; by carefully studying their incubated projects, we can identify suitable models to emulate. I often remind my team that methodology determines efficiency: an inappropriate approach leads to half the results with twice the effort, whereas the right method yields twice the results with half the effort.
The U.S. HIPAA regulations also face numerous challenges. First, privacy becomes difficult to define; “privacy” is a notoriously vague, ambiguous, and contentious term that lacks a clear definition, contributing to contemporary confusion. It encompasses issues that are easily conflated today, such as interpretation, authority, and accountability. In healthcare information exchange, we emphasize its uniqueness—whether it is self-funded or state-mandated—which further complicates matters related to information, privacy, confidentiality, security, and data usage. Another critical issue is data standards. Our most pressing pain point is the lack of data standards. Without them, future efforts in data exchange, analysis, mining, and decision support will be severely hindered. Thus, data standards will become the bottleneck going forward. Additional challenges include communication models and other related issues. This situation is even more pronounced in China, which faces similar challenges.
Li Datao: HIPAA seems particularly complex. We previously published two articles about two U.S. startups that help entrepreneurs ensure their apps or services comply with HIPAA requirements.
Zhao Xinyuan: In the past two years, numerous startups have entered this space. Given the stringent requirements of HIPAA compliance, healthcare institutions are facing significant challenges and are therefore willing to outsource these tasks and pay for such services. Many entrepreneurs have recognized this opportunity, which indeed represents a promising avenue for startup ventures.
Q: If I follow the ten steps you mentioned one by one, does that mean I pass?
Zhao Xinyuan: This is a misunderstanding; it is not a matter of passing or being approved. There is no such concept as "certification" in the law. As long as you do not violate the law, that suffices. Ensuring compliance in processes, personnel training, and medical practice activities is all that is required; there is no question of certification. It is incorrect to speak of "certification" in this context, as many of these requirements are simply matters of common sense.
Li Datao: I have been in continuous communication with Professor Zhao over the past two days. Two points he raised deeply moved me. First, he stated that Apricot Forest has accomplished something none of us had done before: raising awareness about HIPAA and its associated importance. We should offer our support and encouragement to Apricot Forest. Second, Professor Zhao shared today that entrepreneurship is exceptionally challenging within the Chinese context. He remarked that all entrepreneurs are warriors; in a social environment that does not actively encourage innovation, they courageously overcome personal and societal barriers, striving to bring forth something better. All entrepreneurs deserve respect and admiration.
Question: Thank you, Professor Zhao, for your insightful presentation. This is my first time engaging with this topic. I am from a U.S. pharmaceutical company that conducts clinical trials and handles patient information. If our clinical trial patient information system includes such functionalities, would it also need to comply with HIPAA regulations?
Zhao Xinyuan: Yes, it is necessary. In such cases, you must sign relevant agreements with the patient, whether they are an organization or an individual. To protect yourself, it is essential to have a signed agreement; otherwise, they may turn against you and file a claim someday, as many lawyers in the United States are constantly seeking cases. If the counterparty is a healthcare institution and you qualify as a Business Associate (BA), you must execute a Business Associate Agreement (BAA) with them.
Question: Thank you, Professor Zhao, for your insightful presentation. I am a graduate student in Industrial Hygiene at Peking University Health Science Center. I have been engaged in health management within China, focusing on high-end individual and corporate health management, specifically employee wellness programs. I have a question: For instance, if my client is a multinational corporation and I need to collect health information from its overseas employees through our system, does this involve any policy-related issues? Furthermore, am I required to comply with these regulations when collecting data from overseas employees?
Zhao Xinyuan: If it involves information about overseas employees, exercise caution. To put it simply, individuals in overseas markets, particularly Americans, have a very strong awareness of privacy protection. Therefore, when dealing with such matters, you must be cautious and may even need to consult or engage legal counsel for assistance.
Q: I am currently working on a mobile health project that involves emergency care systems and electronic medical records (EMRs). My question is: regardless of whether it refers to the digitization of medical records or EMRs themselves, does the ownership belong to the healthcare institution or to the patient?
Zhao Xinyuan: This is actually a rather sensitive issue. Recently, while working on projects under the National Health and Family Planning Commission’s “13th Five-Year Plan,” we have been discussing this topic. The Health Insurance Portability and Accountability Act (HIPAA) does not explicitly specify who owns the information. Do Americans not consider this question? Why do they not dwell on it? In the United States, patient information can be modified or even destroyed by hospitals at the patient’s request. The U.S. emphasizes individual autonomy and rights, without fixating on ownership. To this day, there is no clear stipulation regarding who owns electronic health records. Yesterday, I reviewed the regulations concerning the sensitivity of Protected Health Information (PHI), specifically how long confidentiality must be maintained—50 years after death. I believe that patient autonomy comes first: “My life, my choice.” This principle applies even to medical treatment in hospitals. Upon admission, patients can sign an advance directive specifying who will make decisions if they become incapacitated, such as whether to withdraw life support, withhold treatment, or forgo resuscitation. Patients can delegate this authority to relatives, children, or any trusted individual, and hospitals are obligated to follow that person’s instructions. Your information is stored with the healthcare provider; national regulations grant you the right to improve management and specify permissible uses. Attempting to define ownership complicates matters. Therefore, it suffices to stipulate what rights each party holds, ensuring that all actions remain within the bounds defined by law.
Question: I work for a U.S.-based company specializing in medical information and consulting management, currently overseeing the operations of the Data Department in China. I have encountered an issue: our company collects extensive market-based medical information, and there are particularly sensitive concerns in China. Insured individuals' information is often transmitted to us via email. I am unsure how to handle this data initially; should it be deleted or processed differently? The mere receipt of such data by our company already constitutes a compliance violation, as our company policy prohibits storing this type of data.
Secondly, this issue does not arise at our U.S. headquarters, which has robust systems compliant with HIPAA regulations. However, data handling practices at our Chinese branch are inadequate. I would like to understand the regulatory landscape in China (as well as relevant considerations from the U.S.) regarding cloud-based and third-party services. Specifically, if we engage such service providers, who is responsible for obtaining the necessary certifications, the provider or our company? In the event of a data breach or incident, where does liability lie, with them or with us? Additionally, could you recommend any trustworthy domestic service providers in China?
Zhao Xinyuan: In the United States, the law is very clear. First, identify your role. As mentioned in Stage 1, if you are a subcontractor (or more accurately, a Business Associate), you must follow the regulations applicable to Business Associates. You need to clarify who you are accountable to. You are responsible to your Covered Entity (CE). The CE then reports up the chain. It is a hierarchical relationship. First, determine your identity and whether you are subject to this jurisdiction. This will clarify the relationship between us, including who is responsible for whom. This is very clear. Hierarchical reporting is also explicitly stipulated by law; you cannot bypass levels. As a Business Associate, you cannot directly report to the U.S. Department of Health and Human Services claiming a violation. Instead, you must first report to the Covered Entity, which then reports upward. For example, if the CE is a hospital, the hospital will handle the subsequent reporting. The law stipulates that under HIPAA, the Covered Entity bears responsibility for the Business Associate.
Second, the situation in China is similar. Our country has long been helpless regarding personal privacy, lacking even the basic concept of it. When you buy a car here, your information is sold off immediately; when you buy a house, you start receiving countless calls. These are two major issues: we are in a nation that understands neither intellectual property nor privacy. Today, I am here to discuss this with you. I believe those of us present are quite progressive, as many people question the necessity of discussing such topics in a country where the concept of privacy is virtually nonexistent. Therefore, when dealing with foreign entities, you must adhere to their standards and exercise caution.
Q: If we were to partner with domestic cloud service providers, which ones do you consider trustworthy? Regarding responsibility, is it their obligation to comply with HIPAA, or ours, or what is the typical process?
Zhao Xinyuan: As there are numerous cloud service providers in China, I have limited interaction with them, making it difficult to determine which one performs the best. However, large corporations with substantial financial resources and a strong desire for reputation are generally more reliable. First, they possess the capital and capability to excel in this area; second, they value their public image. When choosing a partner, it is always advisable to work with those who care about maintaining their reputation.
Q: So, in fact, the responsibility still lies with us; we need to take the initiative to drive them to act.
Zhao Xinyuan: You push them on this. Since the data is stored with them, the liability rests with them. The assets are in their custody, yet they lack the necessary awareness and do not know how to address the issue. So when you bring up HIPAA compliance, I believe even large cloud service providers may not fully understand HIPAA regulations, and they may respond, "I don't know how to handle it; U.S. companies deal with this in the United States, but we don't have such requirements here." In that case, explain how U.S. companies manage this: there are standardized contracts available. Ask whether their organization can comply with these clauses. Once they see that it is feasible, they might agree, and later potentially use such a contract to mislead others.
Q: You just mentioned that HIPAA is not a certification. I have seen some logos on certain U.S. healthcare service websites. In the Chinese context, how can I display such a logo on my website?
Zhao Xinyuan: The U.S. Department of Health and Human Services website stipulates that if an enterprise meets the relevant regulations, it may state on its own website that it is HIPAA-compliant; careful attention must be paid to the wording used. As I have elaborated at length, if an enterprise implements technical and administrative safeguards in accordance with the ten steps, establishes its own written policies and procedures, and fully aligns with HIPAA requirements, it can claim HIPAA compliance.
Question: Thank you, Professor Zhao, for today’s insights. My research focuses on mobile health. You mentioned that China is now placing greater emphasis on the security of patient data systems. I would therefore like to ask a policy-oriented question: In your view, what trajectory will China follow in this area? Will we eventually see legislation similar to HIPAA to protect patient data or mandate corporate compliance with such regulations?
Zhao Xinyuan: From a trend perspective, it is certain that the era of neglecting personal privacy and information security protection will gradually fade away and cannot continue. However, it is difficult to predict exactly when this will happen. First, it depends on us—the grassroots forces. Today, I can say that at least more than 40 of us have embraced this concept. This is why, when I speak in various places, I hope we can first spread awareness and help people develop this consciousness. Second, I believe it is crucial for government departments to attach great importance to this issue. Last time, when I discussed HIPAA, I was particularly pleased to see that a director-level official from the National Health and Family Planning Commission (NHFPC) was in attendance. Third, the fact that the NHFPC has initiated research projects on medical information security in the internet era demonstrates that leadership has already placed high priority on this matter. Therefore, relevant provisions will be included in the “13th Five-Year Plan,” which represents progress. As for when we will reach that desired level, only heaven knows.
Question: Hello, Professor Zhao. I am from the Information Center of Peking University People's Hospital. We are currently implementing an OD project to enable physicians to access applications for electronic medical records (EMR) on their mobile devices. Your presentation has helped resolve some of our concerns; however, I remain uncertain about a question raised by our clinicians. They asked, "Since this is my personal phone, can I take it home to review medical records and enter medical orders?" Should we support or restrict this functionality? Does it raise privacy protection concerns?
Zhao Xinyuan: This issue has become urgent. Mobile healthcare and mobile nursing systems are being implemented within hospitals. Telecommunications companies are even subsidizing Wi-Fi infrastructure and hospital local area networks to gain market presence, which indicates that mobile healthcare within hospitals is an inevitable trend. It is unrealistic for hospitals to provide additional devices to physicians. Instead, doctors will use their own iPads and smartphones, and hospitals need only focus on ensuring data security.
Question: Suppose a patient in the United States has been receiving medical care, and thus a healthcare provider holds their medical records. If this patient is enrolled with a health management company or an insurance provider, they may need to provide their medical records or treatment history to such entities. As the patient, should one directly mandate Johns Hopkins to release these records, or what is the current standard practice in the U.S.?
Second, how do health management or health service startups currently emerging in the United States obtain basic medical record data? As a representative of Taikang Life Insurance Company, primarily engaged in investment and strategic cooperation within the healthcare sector, I pay close attention to this issue.
Zhao Xinyuan: Regarding the first question: under HIPAA and related laws, the requirement is clear: if a patient requests their information, you must provide it within three days. Patients have the right to request the data in various media formats; for example, you can provide a copy on a CD or USB drive.
Question: Can the patient's information only be provided directly to the patient, or can it be provided directly to the insurance company with my authorization?
Zhao Xinyuan: No, you must follow proper procedures; you cannot provide it casually. If an insurance company handles medical insurance, it will have access to the patient’s PHI (Protected Health Information). The patient themselves can request this information from the healthcare institution, which is required to provide it within a specified timeframe. Failure to do so constitutes a violation of the law.
Question: Many health management companies in the United States can sign such agreements with their users, which are provided by the companies. Is this understanding correct?
Zhao Xinyuan: The law stipulates that startups need to comply with these requirements, so you are in compliance. Additionally, for those developing electronic health records (EHR) or cloud-based solutions, adherence to HIPAA is mandatory; as long as this is met, there are no issues. A physician at Johns Hopkins told me that they received a $30,000 government incentive for using certified EHR systems.
III. Acknowledgements
1. We extend our gratitude to Professor Zhao for his keynote presentation. Over the course of nearly three hours, he provided a detailed interpretation of the origins, logic, structure, and framework of HIPAA. Even more valuable insights emerged from the post-session sharing, where Professor Zhao shared his learning methodology with entrepreneurs, offering practical guidance on how to rapidly gain expertise in a new field and leverage existing knowledge to accelerate growth, which proved highly beneficial to all attendees.
2. This salon was co-hosted by VCBeat VB Think Tank and the Longtan Salon of People's Medical Publishing House. We extend our gratitude to Mr. Zhang Yang, founder of the Longtan Salon, for his support; he provided several classic books published by People's Medical Publishing House as prizes for this event.
3. Special thanks to Mr. Ji Yan, Chairman of Beijing Kaichen Capital, for his gracious sponsorship of the venue, the ARTS Lounge, which is imbued with an artistic atmosphere. Mr. Ji began focusing on healthcare and real estate in 2013, and has also been investing in the elderly care sector. Currently, data on home-based elderly care services for 50,000 individuals across four districts in Shenyang has been collected. By 2015, eight health management centers will be established in Beijing, Tianjin, and Hebei Province, accumulating data on approximately 300,000 individuals receiving home-based elderly care. The focus will be on chronic disease management and related home-based elderly care service projects.
4. We extend our gratitude to Wang Jianfei of Legend Capital and Dr. 2 of Zhenlipai for recommending this themed salon, and to Shen Yiqing, founder of Jianmeng, for his support.
5. Thanks to all the supporters of VCBeat.
6. Thanks to the stenographer, Qian Le.