Do the HIPAA Rules Hamper Coordinated Patient Care?HHS to Seek Comments on Whether the Rules Create Barriers to Sharing Patient Information
Federal regulators plan to seek public comments on whether the HIPAA rules create barriers to sharing patient information among healthcare providers, hampering the ability to coordinate care.
But some regulatory experts argue the problem is not the rules, but misunderstandings about what they allow.
In a "pre-rule" entry added this week to the Office of Management and Budget regulatory agenda website, the Department of Health and Human Services' Office for Civil Rights indicates that it will issue this fall a request for information that "would solicit the public's views on whether there are provisions of the HIPAA rules which present barriers that limit or discourage coordinated care and case management."
"The barrier is more a matter of interpretation than the actual regulations."
—Adam Greene, Davis Wright Tremaine
OCR will ask for feedback on whether HIPAA poses barriers in patient information sharing among hospitals, physicians, payers and patients. It will ask whether HIPAA imposes regulatory burdens that may impede the transformation to value-based healthcare, in which providers are paid based on patient outcomes.
What Will Be Examined?
OCR plans to seek comments on:
- The creation of a safe harbor for "good faith disclosures" of PHI for purposes of care coordination or case management;
- Disclosures of PHI without a patient's authorization for treatment, payment and healthcare operations, as HIPAA already allows;
- The HIPAA "minimum necessary" requirement, which requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the least amount necessary to accomplish an intended purpose;
- Methods of accounting for all disclosures of a patient's protected health information;
- Patients' acknowledgment of receipt of a providers' notice of privacy practices.
The upcoming request for information is being produced to support a recently launched HHS initiative called the Regulatory Sprint to Coordinated Care, which has a goal of removing "regulatory barriers that impede coordinated, value-based healthcare, according to the entry on the OMB site.
Are Changes Needed?
Although HIPAA already allows for the disclosure of patient PHI to other healthcare providers for care coordination, some regulatory experts assert that many healthcare organizations are confused about the circumstances when it's OK to share data.
"Even after more than a decade, there continues to be confusion and misunderstanding about the HIPAA Privacy Rule," says Kate Borten, president of privacy and security consulting firm The Marblehead Group. "The rule was written with patient care foremost and intends to permit unfettered data sharing when it is for direct patient care."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine, who formerly worked at OCR, notes: "The barrier is more a matter of interpretation than the actual regulations. HIPAA treats care coordination as either treatment or healthcare operations, depending on the circumstance, and allows any covered entity to disclose PHI for its own treatment and healthcare operations. It also allows disclosures for another covered entity's care coordination if for treatment or if that entity has a relationship with the patient."
Privacy attorney Kirk Nahra offers a similar assessment: "My view is that the HIPAA rules are not the barrier; providers may be confused or may be reluctant to share or may be unwilling to share in these situations. I believe the rules give them sufficient flexibility in most situations."
Nahra doesn't think a new safe harbor for patient information disclosures is needed to encourage care coordination. "This would be easy to accomplish through OCR enforcement policy in general - which certainly could be easily disseminated by OCR to reassure providers. I encourage more guidance more than a broader change to the rules."
Nahra adds that beyond coordination of care, there appear to be other "competing goals" at HHS - including addressing the opioid crisis - at the center of pushing for more patient information sharing.
"Making providers share - or even encouraging them - may be helpful in general from a public health perspective, but may not be what the patient wants in a particular situation."
Regarding plans to solicit feedback about patients acknowledging that they have received their healthcare providers' notices of privacy practices, Borten says she hopes the current HIPAA requirements do not get watered down.
"Healthcare providers are back-sliding on the mandated privacy notices," she says. While there was an intense compliance effort when the HIPAA Privacy Rule was first enforced, that has tapered off at many organizations, she contends.
"For example, for new patients, it's become common to be handed a clipboard of forms, including an acknowledgement of privacy notice receipt, when no privacy notice is provided or even posted," she says. "Smaller practices, particularly groups formed in more recent years, may copy another organization's privacy notice without any understanding of the underlying processes they must have in place to back up the commitments. And staff often are unable to answer questions about their privacy practices."
Borten argues that it makes little sense to drop providers' requirement to obtain an acknowledgement of receipt from new patients. "When this requirement was new, it may have been somewhat burdensome. However, today's electronic health records have the ability to easily capture and store the information."
It's important to remember the fundamental purpose for a privacy notice, Borten says. "This notice should clearly inform the public about their rights over their personal information and how to exercise them, as well as the organization's obligation to protect that PHI. Five years ago, HHS published sample privacy notices that are simple and easily understood. Yet very few providers have adopted these models." As a result, the notices are rarely read by anyone, she contends.
Greene, the attorney, says he's "not too concerned about expanded or clarified regulations on data sharing leading to more privacy or security incidents. As with any existing data arrangements, it will be important to have appropriate safeguards in place."
Although the agenda posted on the OMB website provides insight into regulatory plans being considered by HHS, such entries don't guarantee that HHS will take action.
"When a federal agency issues an RFI, it's very difficult to forecast if it will result in a proposal to create new regulations or modify an existing standard," notes former OCR staff member David Holtzman, vice president of security consultancy CynergisTek.
The question, he says, is whether this plays into the agency's efforts to look for ways to join the administration's push to deregulate industries or whether it's a part of a broader effort to ease up on privacy protections of consumers at a time when the public is "looking to ramp up their ability to have control on who collects their personally identifiable information and how it is used."
OCR leaders have said that HHS is looking for ways to loosen the HIPAA Privacy Rule protections on when healthcare providers can disclose PHI without the authorization of the patient, Holtzman says.
"The devil will be in the details, but my sense is that HHS is responding to a significant push from the healthcare and tech industries to lighten up on one of the few areas in which consumers have a federally protected right to privacy and control over their personal information," he adds.
An example of HHS plans that have gotten stalled in the past: The statutory deadline under the HITECH Act to issue a rule on accounting of patient information disclosures was June 2010, but the rule is still pending.
In the fall of 2011, the OMB agenda site listed that HHS was in the process of issuing an accounting of disclosures final rule.
HHS's previous proposal for revamping accounting of disclosures was published in May 2011, but feedback from the healthcare sector was mostly negative. HHS indicated last spring that is was considering starting over with new accounting of disclosures ideas (see OCR Plans a Do-Over For Accounting of Disclosures Proposal).