HIPAA, everyone’s favorite scapegoat for all (OK, most) of the ills of the modern healthcare-industrial complex, is perpetually called out as being in dire need of a rewrite. Well, that moment has arrived (maybe). There’s an RFI out right now, published as part of the federales’ “Regulatory Sprint to Coordinated Care,” announced by HHS Secretary Alex Azar in mid-2018. (Remember, this is the federal government, so getting almost halfway through the throat-clearing phase of fleshing out an idea in about six months or so really is a sprint.) Hey, coordinated care is a good idea. We can all agree on that. The first RFI to issue was the one seeking input on the regulations implementing the Stark law and the federal anti-kickback statute (See: Stark and AKS RFI and public comments). The HIPAA RFI came next. (Comments are due February 12, 2019.) The final piece of this trifecta is the privacy rule applicable to substance abuse service providers, aka 42 CFR Part 2. Recently, Part 2 got a pretty significant overhaul, but many folks have been hoping that Part 2 and HIPAA could be better harmonized. (Speaking from personal experience, the regulated community tends to look at those of us steeped in this stuff like we have two heads when we explain how Part 2 is different from HIPAA, and how records with respect to the same patient must be handled differently due to this distinction.)
Sprinting towards coordinated care sounds like something we should all encourage, but it is important to keep in mind that the current Administration is particularly interested in deregulation, and that is not always the sort of thing that can go well for all parts of the extremely heterogeneous regulated community, or for those who are supposed to be protected by these regulations (patients, i.e., all of us), particularly when deregulation is being carried out on a piecemeal basis, at the regulatory level. It is also important to keep in mind that legislation forms the boundaries of the playing field, so to speak — a regulatory sprint to coordinated care can’t run down the sidelines and across the parking lot even if that would let us get to an ideal future state sooner and more efficiently.
A digression: As the health wonks and policy nerds reading this are already aware, HIPAA is a horse of a different color. The original HIPAA regulations were drafted by HHS in the absence of any particular statutory framework. In the 1996 HIPAA statute (which covered a lot of other ground), Congress gave itself one year to legislate standards for health data privacy and security, and decreed that if it were to fail to meet that deadline, HHS would have to create regulations from whole cloth. And that’s what happened: Congress did not act, and HHS went to town on its own. (The regs were finalized in 2003.) Then, in 2009, as part of the Recovery Act, Congress passed the HITECH Act, one title of which is a statute that amended the HIPAA regulations — regulations that were drafted in the absence of a specific statute. The reason I bring up this legal-historical anomaly is to point out that while ordinarily a federal agency issuing an RFI seeking input on potential changes to its regulations is limited by the underlying statute, in this case much of the regulation has no underlying statute, so the agency will ultimately have greater flexibility. This is both a good thing and a bad thing: On the one hand, HHS can be more creative in revising HIPAA regulations in order to advance its policy agenda, and on the other hand … HHS can be more creative in revising HIPAA regulations in order to advance its policy agenda.
The RFI lists over 50 specific questions on which the agency is seeking feedback, plus a catch-all “anything else?” question, but it is first and foremost a request for information regarding revisions to the HIPAA regulations that may be needed to promote care coordination. (“Encouraging information-sharing for treatment and care coordination” — part of the sprint). As in the case of the RFI regarding Stark and AKS, this is prompted in large part by the move from volume to value, and the widespread belief that value-based payment systems will right the listing ship of the U.S. healthcare “system.” (Let’s just say here that the jury is still out. It’s a topic for a longer discussion.) On the Stark and AKS front, it is important to re-thread the needle of regulating monetary incentives in healthcare: After all, the fundamental notion that savings may be shared by a hospital with a referring physician in a “shared savings” environment, for example, is anathema to regulators in an orthodox fraud and abuse enforcement environment.
Other issues highlighted in the presser accompanying the HIPAA RFI include:
- Facilitating parental involvement in care
- Addressing the opioid crisis and serious mental illness
- Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
- Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices
So here’s the thing: Do the HIPAA regulations in their current form stand in the way of “encouraging information sharing for care coordination”? Do they stand in the way of any of the other goals articulated by the federales?
I would argue that they do not.
The HIPAA regulations are, for the most part, an extraordinarily flexible set of standards that have managed to remain relevant and useful even as the nature of the generation, storage, use and transmission of health information has undergone a sea change in the years since they were first promulgated. Could they use a nip and tuck, a little freshening up around the edges? Sure. But not a wholesale revision. In fact, certain technical security standards within the HIPAA regs are incorporated by reference from NIST guidance, and that guidance can be — and has been — updated from time to time without the need for regulatory amendment.
Let’s start with the care coordination question. Why is HHS trying to solve care coordination issues through the HIPAA regulations? It seems to me that revising health data privacy and security rules is not the best means to achieve this goal. Access to data should be covered by the agreements among health care provider organizations that are engaged in value-based care arrangements, be they ACOs, CMMI pilots or demonstrations, or other government-funded or commercially-funded efforts. True, HIPAA permits rather than requires data sharing among covered entities that serve the same patients, but if health care providers can’t share patient data between them when it not only benefits the patient but potentially benefits their own bottom lines, tinkering with the HIPAA regulations is not the answer.
A great deal of the perceived need for change in the HIPAA regulations stems from misconceptions about what the rules require. OCR has done a bang-up job elucidating the regs through a series of sub-regulatory guidance documents, and I would urge both regulators and the regulated community to start with the regs and those guidance documents and see whether any changes are really needed, or whether the problem is with communication and education. I suspect that the preponderance of the issues lie in the latter category. If staff at all levels within the regulated community were more fully educated, were better trained, about the meaning of the HIPAA regulations and how they affect their individual job functions, we would quite likely see fewer situations where staff succumb to phishing attacks, fail to conduct required risk assessments, fail to limit access to PHI in accordance with sensible guidelines, and engage in unfortunate “information blocking” behavior like refusing to give health records to a patient who is the subject of those records or to a consulting clinician — because of HIPAA.
The guidance offered by OCR is far-ranging, addressing everything from copying charges to information sharing in the context of the opioid crisis and natural disasters to cloud computing to a suggested format for a “layered” Notice of Privacy Practices (highlights up front in an easy-to-read one-pager, human-readable details in back). The guidance documents are not comprehensive and it would be nice if OCR would continue its work in filling the shelves of this virtual library with more guidance grounded in the existing regulations rather than seeking to make changes to the regs in the name of care coordination.
Thus far, I’ve argued against making changes, but there are certainly some improvements I’d like to see. For example:
- Adopting the HITECH Act time limits for responses to requests for records — say, two or three days, rather than 30 to 60 days, seems eminently reasonable in our digital age.
- Limiting the charge for copies of records to $6.50 per record — the alternative cost-based approach seems unnecessary now that virtually all covered entities are wired and should be able to easily share copies in the format requested by patients. (Or considering elimination of the reimbursement entirely, since providers received significant incentive payments to underwrite their EHRs in the first place.)
- Designing an accounting of disclosures rule that doesn’t mandate reporting a lot of truly useless information and that doesn’t mandate reporting that is not currently technically available through COTS products currently in use.
- Revising the requirement for distribution and obtaining acknowledgment of receipt of an NPP from each provider. (These are almost universally available from providers online, and virtually nobody reads them anyway because they are, well, unreadable. See my note about layered NPPs, above. Collecting a receipt seems like some of the retired meaningful use measures — if virtually everyone’s doing it, why bother measuring any more?)
- Harmonizing rules with other applicable rules (HIPAA and Part 2, HIPAA and FTC rules related to PHRs, etc.), though as noted below, this is a Sisyphean task and might not be achievable.
It must be said that the HIPAA regulations are not the be-all and end-all when it comes to articulating a framework for health data privacy and security. There are other federal and state standards — some overlapping and sometimes conflicting, some stricter, some less strict — and an elaborate analysis (including a preemption analysis) is sometimes required in order to determine which rule covers a particular set of facts. Even to the extent that HIPAA regulations form the basic law of health data privacy and security, it is imperative to recognize that this law is the floor, not the ceiling, of what needs to be done in order to adequately protect health data privacy and security while ensuring appropriate access by patients and other authorized persons. For example, changing the HIPAA regulations will not change the maze of state laws regarding limitations on parents’ rights to access their children’s medical records.
At about the same time that the HIPAA RFI has been released into the wild, a number of notable proposed privacy laws have been released as discussion drafts or otherwise. It is worth taking a look at the proposed Data Care Act, cosponsored by 15 U.S. Senators, the Intel proposal (complete with expert commentary and public comments) (see also: Intel presser) and the Center for Democracy and Technology proposal as well. In addition, we need to consider the new California privacy law, referred to by some as a “mini-GDPR,” because this will become a new de facto national standard if no supervening federal law is passed and if the California law and its implementing regulations are not struck down or limited in the courts. All of these are in the public consciousness due in part to massive breaches and concerns about the use and misuse of personal data — whether health data or otherwise.
In sum, it is important to note that, to paraphrase the poet, no regulation is an island entire unto itself. The HIPAA regulations have aged well, despite the unyielding march of technological progress and evolving sensibilities around patients’ rights.
If it were up to me (and these things rarely are), I would spend more time and effort on implementing the rules we have, and educating the healthcare workforce and the public about these rules, than on changing the HIPAA regulations.
David Harlow
The Harlow Group LLC
Health Care Law and Consulting
Image credit: Fresco Tours via Flickr CC
David Harlow says
From Paul Dattoli:
I agree with you. My expertise is in IT DR in Healthcare. If it weren’t for HIPAA and Hi-Tech, there is little doubt in my mind that most healthcare organizations would do little to nothing in this space. That would leave us more vulnerable and PHI would be an even easier target for criminals. HIPAA forces our healthcare organizations to be resilient with respect to IT whether they like it or not. That is extremely important when you are in the business of saving lives and improving the quality of life for all people.
Cohen Healthcare Law Group says
Good points. Without HIPAA, healthcare organizations would have no strict standards to adhere to in terms of PHI security. A change in HIPAA regulations is most certainly welcome, but we need to make sure the current rules are enforced more closely.
Doug Aldeen says
Hi David:
HIPAA exempts an authorization to discuss “payment, treatment and operations.” Revisiting this issue with hospitals and other providers is paramount.
Doug Aldeen