Stakeholders Divided Over Ideas to Update HIPAA Privacy Rule
In December 2018, the Department of Health & Human Services Office of Civil Rights (OCR) asked stakeholders to help it identify privacy and security provisions in HIPAA that may impede value-based healthcare or that limit or discourage coordinated care among individuals and covered entities. In written responses to OCR, groups representing different stakeholders took contrasting positions. Some are pushing for greater responsiveness to patient data requests, while others seek to avoid any additional burdens on provider groups.
Pinpointing its concerns with HIPAA, the American Medical Informatics Association noted that currently it takes too long for protected health information (PHI) to be shared for permitted purposes; AMIA also said that HIPAA has been misused to restrict sharing of PHI and it has been a barrier to sharing mental health data and information.
AMIA recommends that OCR require timely sharing of information when both the patient consents to it and a treating clinician has requested it. It also recommends that OCR clarify that HIPAA permits the sharing of PHI when the patient requests or instructs that their PHI be shared – regardless of whether the target of this sharing is bound by HIPAA. It suggests OCR “issue guidance or take more binding steps to ensure that lawful requests for PHI under ‘treatment’ be recategorized as obligatory, not simply permissible.”
Finally, the organization proposes that OCR elevate the failure to deliver an individual “right of access” to an enforcement and penalty priority on par with data breaches.
Individuals should be able to access all their information maintained in a covered entity’s “designated record set,” as a “readily producible” function of certified EHR technology (CEHRT) capability, the organization said. AMIA and AHIMA have made a joint recommendation that policymakers modernize HIPAA by either establishing a new term, “Health Data Set,” or by revising the existing HIPAA “Designated Record Set” (DRS) definition and requiring Certified Health IT to provide the amended DRS to patients electronically in a way that enables them to use and reuse their data.
In its response to OCR, the Medical Group Management Association raised concerns about increasing requirements on physician practices. It suggested maintaining the current response times for practices to respond to patient requests for a copy of their PHI. Currently, practices have up to 30 days to provide the patient their PHI (with the potential of a one-time 30-day extension). “As there is tremendous variation in practice technology, medical record formats, and location of medical records, this maximum time is necessary,” the MGMA wrote.
MGMA also suggested that HHS not move forward with a mandate requiring a covered provider to disclose PHI to business associates or another covered entity. “Clinicians should be permitted to use their professional judgement and determine when it is necessary and appropriate to disclose a patient’s health information,” it wrote.
OCR never finalized the 2011 accounting of disclosures rule that would allow patients to see who in a provider organization or its affiliates accessed their data. The MGMA asked that HHS not move forward with implementing the requirement that patients can get an accounting of disclosures for treatment, payment, and healthcare operations (TPO). “Accounting for TPO disclosures would be excessively burdensome and unnecessary. MGMA surveys show that very few patients are asking for these reports, and current EHR technology cannot produce these reports,” the MGMA said.
Deven McGraw, former deputy director for health information privacy at OCR, tweeted several of the recommendations her company Ciitizen Corp. submitted to OCR:
• Change the HIPAA Privacy Rule to require covered entities (and business associates [BAs] acting on their behalf) to respond to requests for access in 10 days for information in paper records and five days for information in electronic records.
• Enable BAs (such as HIEs and clearinghouses) to respond directly to individual access requests, regardless of language in the BA agreement (and provide a grace period for BAAs to come into compliance).
• Require entities to implement PHI request processes that ease the burden on individuals (for example, by allowing requests to be submitted by e-mail).
• Further clarify fee limitations, particularly in circumstances where individuals are requesting information be sent to a third-party designee.
• Clarify the scope of the designated record set, including confirming that it includes information captured from patient devices.
• Reconfirm the right of the individual to receive (either directly or to route to a designee) information by unsecure methods, such as e-mail or document upload, if the individual acknowledges a light security warning.
OCR had asked stakeholders what burdens a shortened timeframe for responding to access requests from patients would place on covered entities. The College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Technology (AEHIT), and the Association for Executives in Healthcare Information Security (AEHIS) submitted comments together. Their response cited the potential for unintended consequences. “Providers are being pushed to perform an increasing number of tasks electronically and to do so more quickly, yet we still do not have uniformity in standards for moving information, which presents significant challenges for providers. We also worry that pushing things to happen too quickly electronically can result in mistakes being made. There are already several mandates in place for providers (i.e. Promoting Interoperability) to provide patients with information in less than 30 days. There is also the variance between state laws around release of information. Unless OCR preempts state laws, the baseline will remain state law.”
In its written response, America’s Physician Groups (APG) noted that case managers and care coordinators are often integral in assuring that care amongst various providers is coordinated, expedited, and appropriately delivered to meet patient needs. “Providers, on behalf of their patients, should have timely access to their patients’ records. There currently is no deadline or requirement to disclose records when requested by another provider. Not having such a requirement impedes value-based coordinated care and can be dangerous to patients – especially those with behavioral health needs,” APG wrote. “We recommend that providers (who have already received authorization from the patient) can receive the complete electronic medical records from other providers within 48 hours of request unless a critical situation is present. The current standard of 30 days (both electronic and paper) for a formal request from a patient should be modified to five calendar days from providers with electronic medical records (or another acceptable deadline) that are participating in standards-based health information exchange programs for the sole purpose of care coordination.”