Video Postcards From #HIMSS19

On site at the HIMSS conference in Orlando I’ll be speaking with a cross-section of folks about trends in health IT. Over the coming weeks, you’ll be able to listen in on these conversations as they are broadcast on HealthcareNOWradio, or dip into the Harlow On Healthcare podcast archive at your leisure and listen — or read some of my blog posts about these conversations.

Meanwhile, to whet your appetite, and to offer some insights about the landscape, I am sending out video postcards from HIMSS. Check back throughout the week as new postcards are added to the collection.

Over the next couple of months, longer-form interviews with some of the people featured in these video postcards will be featured on my HealthcareNOW Radio show and podcast, Harlow on Healthcare.

If you’d like a daily email digest of interesting things found online by me (and the team of 100 chimpanzees typing in the back room trying to reproduce the collected works of William Shakespeare – sometimes they do an excellent job) with a podcast playlist thrown in for good measure, please sign up here.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Healthcare data analytics and insurance system reform

The U.S. healthcare system is on a journey – a journey to the future. When we get there, we need to be sure that environmental conditions are right; if they are not, the system — and possibly all of the system’s patients — will be at grave risk.

The uses of healthcare data analytics are often described as having three stages of maturity: descriptive analytics, predictive analytics and prescriptive analytics. Descriptive analytics encompass the clinical recordkeeping with which we are all familiar from implementations of electronic health record systems. All test results, encounters, admissions, procedures, care plans and more are documented, so that — at least within the four walls of a particular system — we have a reasonably accurate historical record which supports clinical care and operations. Predictive analytics require a large volume of descriptive data showing trends or outcomes in order to be able to predict — for example — how a particular patient would respond to a particular therapy. Prescriptive analytics, when they are more broadly ready for prime time in healthcare delivery systems, will generate clinical recommendations for individual patients (if X is found, then do Y); a subset of prescriptive analytics, precision medicine, where algorithms can recommend therapy based on a patient’s sequenced DNA and likely response to therapies, is already yielding positive results.

Most of the healthcare system is still working primarily with descriptive analytics, but advances in the digitization of health data and the broader availability of gene sequencing have resulted in the availability of more and more health data. This, together with data drawn from other sources (both within and without the health care system), run through artificial intelligence algorithms developed with machine learning, has begun to yield more and more personalized medicine. We still have a long way to go before prescriptive analytics will be able to consistently, easily and accurately recommend the health care services needed by each of us, when we need them.

So how does this relate to health insurance reform? First let me take a slight detour into the question of whether health insurance as we know it is really insurance. Short answer: no, it is not. Slightly longer answer: insurance is the bundling of many small risks of a significant loss occurring — like homeowners’ insurance policies purchased by many individuals, only a small number of whom will ever experience a house fire. By contrast, we all know that we will all use our health insurance. We all have check-ups, diagnostic testing, office visits for winter colds and flus and summer sunburns and weekend warrior injuries. Many of us have chronic conditions that require a little — or a lot — of regular services and medications. And we all expect our health plans to pay for all of these regular services — in addition to the “catastrophic” care that we hope we never need. It is really more of a payment plan than insurance.

Some day — not anytime soon, but some day — through genomic and other testing and analytics, and by reviewing and digesting all data in a patient’s electronic health records and elsewhere, we will have greater and greater insights into our individual health, and prescriptive analytics will be able to map out the services we need at a very granular level. (There’s even a patent application covering something like this, filed a couple of years ago.) In theory, this will someday be so granular and precise that we will be able to know exactly what health care services each of us will need. (Of course, there are baby steps already being taken in the use of AI and analytics in administering the health care economy.)

When that day comes, what will health insurance look like? As noted above, it’s already not really insurance — but when we have more refined, specific understandings of our personal health status and future health care needs, it really won’t be insurance. Will commercial health plans continue to take just a handful of factors into account (community rating, age, etc.) in setting premiums, or will they move even more explicitly in the direction of treating health insurance as a payment plan? Since each of us has a different risk profile, will each of us get a personalized “premium”? Current law would not allow that to happen, but these laws do change from time to time, and who knows what the Affordable Care Act or related state laws will look like in ten years?

Perhaps the idea of prescriptive analytics becoming mainstream in healthcare — even though that eventuality is still beyond the horizon — is as good a reason as any to begin to think seriously about reforming the country’s approach to financing health care services. (Some would move directly to a discussion of “Medicare for All.” Since that phrase gets tagged with different meanings by each person who uses it, it’s probably a good idea to use different terminology.) Plenty of other countries have different systems, their costs are lower, and their life expectancy figures are better. It stands to reason that we could do something different, eliminate the rampant fraud, abuse and waste in our system, and end up with a far more cost-effective approach to financing health care services. I’m all for using the unending forward march of analytics in healthcare as a prompt to kick off this conversation. If we’re so smart when it comes to devising diagnostics, treatments and cures, let’s be smart about paying for healthcare, too.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Image credit: Mike MacKenzie via www.vpnsrus.com and Flickr CC

Matthew Holt Says: Flip the Stack – Harlow On Healthcare

It’s always a pleasure to speak with Matthew Holt (@boltyboy), co-founder of Health 2.0 — which was acquired by HIMSS, founder of The Health Care Blog, President of SMACK.health, a healthcare startup advisory service, and co-chair of Catalyst at Health 2.0, which runs challenges and code-a-thons. He is also a fellow graybeard / curmudgeon / professional skeptic.

Matthew kicked off our conversation about his recent thinking about “flipping the stack” in healthcare by launching into a description of a Japanese law in effect circa 1990 that gave mom-and-pop stores veto power over development of large retail stores and analogized that situation to the health care landscape in the U.S. today, where entrenched incumbents seek to “delay, deflect and stop” progress.

We talked about the development of new technologies in healthcare — both within and without the entrenched interests — and about the danger of “paving the cowpaths” as federal incentive dollars poured into the healthcare sector, partially underwriting the implementation of new electronic health record systems, often without first reviewing and changing underlying workflows.


Listen live at 8:30 AM, 4:30 PM or 12:30 AM ET, Monday through Friday for the next two weeks at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #HarlowOnHC.


Matthew suggested that the cowpaths are going to have superhighways built around them, like a “bypass” around a British village. This is what he and his co-author and partner Indu Subaiya mean by “flipping the stack.” They are looking to a future where digital tools will drive healthcare in a new direction because “technology can now do a lot more than it used to be able to. . . . Digital health, SMACK health, plus the stuff which hasn’t really gotten out there yet. Artificial intelligence and sensors everywhere and virtual reality . . . to try to detect who’s got what, who’s likely to get what, as soon as possible.” This requires data collection and analysis, tracking at home, while eating, sleeping, in the bathroom, through a web of always-on sensors. “Always monitoring and always messaging and always managing.”

We spoke a little about the convergence of providers and payors, and about whether digital health will have (or will need) the ability to address healthcare more holistically rather than by picking off individual chronic conditions, but Matthew came back to focusing on the inroads he expects technology companies will continue to make into the healthcare domain. He did acknowledge that all healthcare organizations begin by working locally (like good old-fashioned TV stations). Just as the TV market has consolidated and become more national over time, Matthew expects consolidation in the payor and provider markets to continue, but he also sees a long-term need to effect further cultural change in the healthcare institutional world, in the medical establishment, before technology-based healthcare delivery can be implemented at scale.

In the future, Matthew hopes to live in a world where he can stumble into the bathroom in the morning, step on a scale, have the latest iteration of Alexa or Google shout at him about what he’s doing (and shout back), and have a lot of easy testing done, perhaps by breathing into a sensor. He hopes that daily health-related routines will become as simple as getting around in a self-driving car. He acknowledges that we need better control over technology companies’ use of our personal data. While only a relatively small percentage of people today (those with chronic illnesses) can truly benefit from health monitoring, messaging and management, he believes that in the future we all will.

To learn more about Matthew’s perspective on the future of digital health, see the article he co-authored with his Health 2.0 and HIMSS partner Indu Subaiya, Flipping the Stack: Can New Technology Drive Health Care’s Future? in a new AHA Futurescan (ordering info via the link).

I spoke with Matthew as part of my ongoing series of fireside chats with healthcare innovation leaders – Harlow on Healthcare, on HealthcareNOW Radio. Listen to our radio station online, or ask your smart speaker (Amazon Echo or Google Home): “Find Tune In station HealthcareNOW Radio.” You can catch me live weekdays at 8:30 am, 4:30 pm and 12:30 am ET. As each new show goes live, the last one joins the archive, available via SoundCloud or your favorite podcast app (iTunes, Stitcher, iHeartRadio). Your comments are welcome here. Join the conversation on Twitter at #HarlowOnHC.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Can Aetna and Apple Attain Escape Velocity?


Aetna (now “a CVS Health business”) and Apple announced the coming release of their iPhone and Apple Watch “Attain” app at a launch event in Boston yesterday, with some firepower from both companies on hand — and Apple COO Jeff Williams beamed in from the mothership. (It was a cold day and nobody present wanted to think about going outside to exercise.) The idea here is that it’s going to be different this time, really, because the app will deliver nudges and rewards that are truly tailored to the individual – personalized, simple, relevant and value-driven. As the app learns more about each user’s health history, habits and needs, its recommendations and nudges — daily calorie goals, “time for a walk (or bike ride),” etc. — will get more highly personalized. They will also include things like: “time for that flu shot, and by the way you’re around the corner from a CVS Health store with a Minute Clinic where you can get one” or “here are all the labs within a mile of your office where you can get those labs your doctor ordered drawn at lunch – and here’s your net out of pocket cost at each location.” Rewards can include paying off that new Apple Watch (or CVS gift cards, or other premiums), if goals are met.

As the conventional wisdom goes, most of us lose interest in activity trackers and health apps after a few months, so the challenge Apple and Aetna are trying to meet is keeping us interested, and keeping us interested in doing and tracking meaningful things that can have a positive effect on health. That helps Aetna members — and, of course, that helps Aetna’s bottom line, assuming the value of the health improvements of members exceeds the development and operating costs of the program. There is some research linking incentives to sustained increases in physical activity. (See, e.g., the RAND study commissioned by Vitality, Apple and Aetna’s active rewards partner.)

How does this magic happen? Well, through the application of Apple’s healthcare and artificial intelligence knowhow, applied to the PHI shared by Aetna with the member’s authorization. Both companies emphasize that sharing and use of personal health data will be on an opt-in basis only, will be super-secure, and will not be used for any purpose other than the Attain program. Aetna, of course, has a vast store of member PHI, and adds to it constantly. Apple, of course, famously insists that user data (including health data) belongs to the user and that Apple won’t (and, indeed, can’t) peek. To date, that has been the case with respect to encrypted data on user devices, but this partnership creates a new sort of situation: Apple has to ingest user data from Aetna in order to work its magic and deliver the personalized nudges and incentives through the Attain app. Therefore, for the first time that I am aware of, Apple has created a subsidiary for the purpose of ingesting the data, and that subsidiary has entered into a business associate agreement with Aetna/CVS Health.

(By the way, that subsidiary is called Ollopa LLC – Apollo spelled backwards. What is Cupertino trying to tell us? Is this project a moonshot? A backwards moonshot? What does that even mean? This reminds me of the sugar pills available over the counter to cure all ills under the brand name “Obecalp.” But I digress.)

Let’s dive a little deeper into the privacy and security frameworks that will apply to the Attain application and the member/user data it uses.

Apple’s general privacy principles, as they apply to health data, continue to apply here (data minimization, user control, transparency and consent and security). Bud Tribble, Apple’s VP for software design, presented these principles at the launch event:

He also laid out how they would be applied in the context of the Attain app, stressing users’ voluntary participation, limitations on data use, data security, and de-identification (each record tagged with a random ID code) that would make it impossible for Apple to identify which health data belongs to which Aetna member:

(Of course, if it were impossible, then it seems to me that Apple – or Ollopa – wouldn’t have to sign a BAA. In other contexts, tagging each record with a random code is called pseudonymization (or, loosely, anonymization) rather than de-identification. Why? Because the remaining bits of information — which can’t be entirely scrubbed if the data is to be useful at all — may, when pieced together and possibly combined with other publicly available information, identify an individual.)
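To make the point above concrete, here is an added illustration (my own example code, not anything from Apple, Aetna or the Attain program) of why swapping a member ID for a random token is not the same as de-identification. The record layout, the four member records and the three-row “public” dataset are all constructed for the example; the linkage step joins the two on the quasi-identifiers (ZIP, date of birth, sex) the way a re-identification attack would, and the coarsening step stands in for the kind of generalization HIPAA’s Safe Harbor method calls for (year only, three-digit ZIP). It also goes a little beyond the paragraph by computing the k-anonymity of each version of the data.

```python
"""Pseudonymization vs. re-identification, illustrated on constructed data."""
import secrets
from collections import Counter, defaultdict

# Constructed "member" records: hypothetical people, hypothetical layout.
MEMBER_RECORDS = [
    {"member_id": "AET-0001", "zip": "02139", "birth_date": "1971-03-14", "sex": "F", "steps": 6200, "dx": "E11"},
    {"member_id": "AET-0002", "zip": "02139", "birth_date": "1985-11-02", "sex": "M", "steps": 9100, "dx": "I10"},
    {"member_id": "AET-0003", "zip": "02140", "birth_date": "1971-03-14", "sex": "F", "steps": 4300, "dx": "J45"},
    {"member_id": "AET-0004", "zip": "02139", "birth_date": "1985-11-02", "sex": "M", "steps": 7800, "dx": "E11"},
]

# Constructed stand-in for a public dataset an adversary could hold (voter roll, etc.).
PUBLIC_RECORDS = [
    {"name": "Alice Example", "zip": "02139", "birth_date": "1971-03-14", "sex": "F"},
    {"name": "Bob Example",   "zip": "02139", "birth_date": "1985-11-02", "sex": "M"},
    {"name": "Carol Example", "zip": "02140", "birth_date": "1971-03-14", "sex": "F"},
]

# Fields that are not direct identifiers but, combined, often single a person out.
QUASI_IDS = ("zip", "birth_date", "sex")


def pseudonymize(records):
    """Replace member_id with a random token. The token->member_id table stays
    with the data source; the recipient only ever sees the tokenized rows."""
    lookup, out = {}, []
    for r in records:
        token = secrets.token_hex(16)
        lookup[token] = r["member_id"]
        row = {k: v for k, v in r.items() if k != "member_id"}
        row["token"] = token
        out.append(row)
    return out, lookup


def k_anonymity(records, keys=QUASI_IDS):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means at least one row is unique on those fields."""
    groups = Counter(tuple(r[k] for k in keys) for r in records)
    return min(groups.values())


def link(pseudonymized, public, keys=QUASI_IDS):
    """Linkage attack: join the tokenized rows to the public rows on the
    quasi-identifiers. A match is only a confident re-identification when the
    key is unique on BOTH sides; returns {token: name} for those."""
    by_key_public = defaultdict(list)
    for p in public:
        by_key_public[tuple(p[k] for k in keys)].append(p["name"])
    by_key_members = defaultdict(list)
    for r in pseudonymized:
        by_key_members[tuple(r[k] for k in keys)].append(r["token"])
    hits = {}
    for key, tokens in by_key_members.items():
        names = by_key_public.get(key, [])
        if len(tokens) == 1 and len(names) == 1:
            hits[tokens[0]] = names[0]
    return hits


def generalize(records):
    """Coarsen the quasi-identifiers in the spirit of Safe Harbor: keep only the
    birth year and the first three ZIP digits (illustrative; the real rule has
    further conditions, e.g. on sparsely populated ZIP3 areas and ages over 89)."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["birth_date"] = r["birth_date"][:4]
        out.append(g)
    return out


def demo():
    """Run the attack against the raw tokenized data and the generalized data."""
    pseud, lookup = pseudonymize(MEMBER_RECORDS)
    raw_hits = link(pseud, PUBLIC_RECORDS)
    gen_hits = link(generalize(pseud), generalize(PUBLIC_RECORDS))
    return {
        "k_raw": k_anonymity(pseud),
        "k_generalized": k_anonymity(generalize(pseud)),
        # Resolve tokens back to member IDs only to show what the attacker learned.
        "reidentified": sorted((lookup[t], n) for t, n in raw_hits.items()),
        "reidentified_after_generalization": sorted(gen_hits.values()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With full ZIP and date of birth left in place, two of the four tokenized rows line up with exactly one public record each, so the random token protected nothing for those members; only the two men who happen to share a ZIP and birth date are safe, and only by accident. After coarsening, every group has at least two members and the join yields nothing. Whether the token table is held by the data source or by the recipient changes who can reverse the mapping, but it does not change this linkage risk.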

I take Apple and Aetna at their word — they intend to respect user/member privacy when it comes to health data, and they do not intend to use the data shared by members/users for anything other than personalizing the Attain app experience and to support and analyze the Attain product efficacy. Apple seems to be breaking new ground in the way it uses health data, and this may be a hint of the shape of things to come from Apple as it delves more deeply into the healthcare vertical. Protecting health data privacy will be a growing challenge as the type and volume of data used, and the manner of use, evolves over time.

CVS Health’s Chief Security Officer, Jim Routh, gave a brief presentation on how Aetna has been working on moving beyond the password and using continuous authentication technology. He offered a fascinating glimpse of the 30 to 60 “benign attributes” his team uses to authenticate users. One example he offered was: how you hold your phone when you use your favorite app. He also noted that the risk engine doesn’t store that information; it just uses it as part of an algorithm.


These security features will be rolled out to the couple hundred thousand Aetna members in the first wave of Attain users this spring, but they are already in production for apps already used by over 4 million Aetna members.

Once Attain is on firm footing on the iOS platform, plans are in the works to roll it out on Android as well.

It remains to be seen whether this new twist on personal health devices and applications can nudge enough people significantly enough to move the needle on health status, cost and satisfaction, and do it in a sustained and cost-effective fashion. The approaches being taken include some new ingredients, so there is great promise — and this experiment bears watching. As John Halamka noted at the launch event, given the silver tsunami and the smaller generations coming up behind, it is imperative that we develop effective and efficient tools for managing health that can work well with fewer financial and human resources.

And, finally, I am always encouraged to see folks taking privacy and security seriously.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

A Framework for Addressing the Opioid Crisis – The “State” of the Art – Harlow On Healthcare

Recently, I had the opportunity to speak with two state health policy leaders about the opioid crisis. Michael Fraser, Ph.D. (@mfraserdc1), is CEO of the Association of State and Territorial Health Officials (ASTHO) (@ASTHO) and Mark Levine, M.D. is the Commissioner of Vermont’s Department of Health (@healthvermont). Dr. Fraser has held senior leadership positions in other healthcare related organizations and has served with the US Department of Health and Human Services. Dr. Levine practiced as an internist and has had a career in academic medicine at UVM as well.

Across the United States there are approximately 130 opioid overdose deaths a day from both prescription and illicit opioids. There are a variety of responses to the opioid epidemic, and our fifty states are, in this field as in many others, “fifty laboratories,” experimenting with different ways to address the crisis. Mike and Mark coauthored a piece published in the Annals of Internal Medicine, laying out a framework for an outcomes-based public health approach to the opioid crisis, articulating a multi-faceted “silver buckshot” approach as opposed to looking for a “silver bullet.”

Substance use disorders and suicide are the two top contributors to the decrease in longevity in the U.S. over the past three years. The prevalence of these “diseases of despair” constitutes a public health crisis, a crisis that demands attention to strategies across the spectrum, from education to prevention to treatment to recovery to harm reduction. And the prevalence of opioid addiction and abuse led Mike and Mark to “put down on paper what we viewed as elements of a comprehensive public health approach to this crisis … spanning the continuum from education and prevention through treatment and recovery and harm reduction and the kinds of operational strategies one needs in terms of using data, having great epidemiology and surveillance and leveraging that data to achieve the outcomes that are desired, and using traditional public health strategies of engaging leadership and working in partnership and collaboration with a whole variety of sectors. It’s a very complex problem that requires a very complex and comprehensive set of solutions.”

Mike said that the inventory of approaches in the article had its genesis in Mark’s comprehensive program in Vermont, which he presented to an ASTHO meeting. At the federal level, Mike said, “there are some dominant strategies – specifically, prescription reduction and monitoring through PDMP, making medication-assisted treatment more available for folks, and also looking at overdose prevention through the distribution of naloxone. All three of those are pretty significant . . . [but] what’s really driving our opioid epidemic is an epidemic of addiction and we really need to have that conversation in the U.S. and think about what the public health approach [should be], versus the clinical approach, which is just a piece of the response.”

I noted that the federales recently awarded states $1B in grants addressing the opioid crisis, mostly through SAMHSA, and that there was a five-point strategy in issuing these grants which overlaps with the six-point approach described in the Annals piece. I asked my guests to discuss how all these different strategies may need to be prioritized and implemented. They noted initially that the SAMHSA priorities are mostly in the realms of secondary and tertiary prevention and that their piece focused more on primary prevention, on increasing the ability of people in communities around the country to build resilience, to avoid substance abuse in the first place, to seek other approaches to dealing with the stressors that can lead to substance abuse and addiction.

ASTHO has highlighted as a best practice the use of a statewide opioid dashboard to track key indicators. For example, highlighting the rate of death from unintentional opioid overdose drives certain strategies. Reducing the supply of prescription opioids drives other specific strategies. Tracking treatment program participation is important – how many people in a state are getting medication-assisted treatment in a timely fashion? Is such treatment available to all marginalized populations – including, for example, the incarcerated population? Are there prevention programs? Recovery programs? Prescription drug monitoring programs (PDMP)? Are there opportunities for people to have gainful employment as they proceed through recovery? Are we seeing a reduction in the numbers of children being taken from their homes due to the opioid crisis and put in state custody? “There are all kinds of outcomes [and if you think about them] each one lends itself to a whole host of strategies and shows the need for such a comprehensive program in every state.”

Mark noted: “One of the things we wanted to make sure we highlighted in the article were those social determinants of health because as we look at recent history in America we’ve always had a problem with drugs and addiction [and we don’t want to deal with this] substance by substance or molecule by molecule. [We have] this real siloed approach. Part of what we wanted to do with the paper was talk about a comprehensive approach for substance misuse and addiction really focusing on opioids because that’s where there’s so much attention, but there’s plenty of [opportunity for] application of the elements to work to prevent alcohol addiction or meth use and some of the other substances that we see people using …. We see a cycle of these issues over the years as public health issues and as public safety issues as well …. Most of what we do in substance abuse prevention doesn’t have to single out one [substance] or another.”

We also spoke a bit about the contribution that health IT can make to addressing the opioid epidemic.

Communication between state PDMPs is starting to happen so that tracking across state lines is more readily accomplished (Vermont has systems in place now to communicate with PDMPs in the neighboring states of New Hampshire, New York and Massachusetts), though of course the truism is that “if you’ve seen one PDMP, you’ve seen … one PDMP.” There is a lack of standardization, and there are no standards coming from SAMHSA or the DEA on this front.

Mike said: “One of the things we’ve really been pushing nationally is a common definition of overdose and how that’s reported.” There are differences both within states and across states. There is also variation in timeliness of reporting, which can be delayed a year or more, and “a year ago the epidemic was different.” There is a need and an increasing ability to look at proxy markers that may be available closer to real time. There is also a need to link PDMPs to EHR systems, and a need to permit physician surveillance data inputs into the PDMP or into other systems.

We spoke about how the clinical and public health dimensions of the responses to the crisis intersect with law enforcement, and how law enforcement needs to tread with a light step in this realm, and to coordinate with the public health and clinical efforts, in order to be as effective as possible.

Many health care systems are exploring the idea of stepping away from the use of opioids entirely, though many chronic pain patient advocates have spoken out against this trend. Mark shared: “There’s more and more compelling data coming to light that indicates that perhaps opioids are not the solution to every pain problem.” For example, ibuprofen plus acetaminophen can be as effective as opioids for pain management in trauma in the emergency setting, and in the surgical setting, “even orthopedists who operate on joints are finding that when they offer their patients alternative pharmacologic medications that are not opioids they’re actually able to find that they can relieve their pain and are studying that now to try to create new protocols.” Mark also promoted the idea of looking to integrative medicine, to mind-body techniques, to address pain without drugs or with fewer drugs.

We then concluded our conversation with my “lightning round” final question: If you were to wake up five years in the future what is one thing in health care that you would hope or expect to be different?

Mark noted that “other developed nations that seem to have much better health outcomes than we do, no matter what metric you care to choose, whether it’s life expectancy, maternal death in pregnancy, infant mortality — you name it…. Perhaps if we could begin to spend a greater share of our healthcare dollars on public health, prevention and social services — much like these other developed nations do — rather than on health care itself we would have less of a problem…. With the opioid crisis we’ve emphasized … that so much of that emanates from the so-called social determinants of health and [it’s] remediable by addressing the circumstances that people live in.” Mike added: “I’d love to see a health system that pays for prevention rather than sick care … and certainly look at incentives [that need to change].… Social change is needed to move us there … the system we have isn’t sustainable now and we’re not getting the outcomes that we want.”

I spoke with Mike and Mark as part of my ongoing series of fireside chats with healthcare innovation leaders – Harlow on Healthcare, on HealthcareNOW Radio. Listen to our radio station online, or ask your smart speaker (Amazon Echo or Google Home): “Find Tune In station HealthcareNOW Radio.” You can catch me live weekdays at 8:30 am, 4:30 pm and 12:30 am ET. As each new show goes live, the last one joins the archive, available via SoundCloud or your favorite podcast app (iTunes, Stitcher, iHeartRadio). Your comments are welcome here. Join the conversation on Twitter at #HarlowOnHC.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

How would you like to change HIPAA?

HIPAA, everyone’s favorite scapegoat for all (OK, most) of the ills of the modern healthcare-industrial complex, is perpetually called out as being in dire need of a rewrite. Well, that moment has arrived (maybe). There’s an RFI out right now, published as part of the federales’ “Regulatory Sprint to Coordinated Care,” announced by HHS Secretary Alex Azar in mid-2018. (Remember, this is the federal government, so getting almost halfway through the throat-clearing phase of fleshing out an idea in about six months or so really is a sprint.) Hey, coordinated care is a good idea. We can all agree on that. The first RFI to issue was the one seeking input on the regulations implementing the Stark law and the federal anti-kickback statute (See: Stark and AKS RFI and public comments). The HIPAA RFI came next. (Comments are due February 12, 2019.) The final piece of this trifecta is the privacy rule applicable to substance abuse service providers, aka 42 CFR Part 2. Recently, Part 2 got a pretty significant overhaul, but many folks have been hoping that Part 2 and HIPAA could be better harmonized. (Speaking from personal experience, the regulated community tends to look at those of us steeped in this stuff like we have two heads when we explain how Part 2 is different from HIPAA, and how records with respect to the same patient must be handled differently due to this distinction.)

Sprinting towards coordinated care sounds like something we should all encourage, but it is important to keep in mind that the current Administration is particularly interested in deregulation, and that is not always the sort of thing that goes well for all parts of the extremely heterogeneous regulated community, or for those who are supposed to be protected by these regulations (patients, i.e., all of us), particularly when deregulation is being carried out on a piecemeal basis, at the regulatory level. It is also important to keep in mind that legislation forms the boundaries of the playing field, so to speak — a regulatory sprint to coordinated care can’t run down the sidelines and across the parking lot even if that would let us get to an ideal future state sooner and more efficiently.

A digression: As the health wonks and policy nerds reading this are already aware, HIPAA is a horse of a different color. The original HIPAA regulations were drafted by HHS in the absence of any particular statutory framework. In the 1996 HIPAA statute (which covered a lot of other ground), Congress gave itself one year to legislate standards for health data privacy and security, and decreed that if it were to fail to meet that deadline, HHS would have to create regulations from whole cloth. And that’s what happened: Congress did not act, and HHS went to town on its own. (The regs were finalized in 2003.) Then, in 2009, as part of the Recovery Act, Congress passed the HITECH Act, one title of which is a statute that amended the HIPAA regulations — regulations that were drafted in the absence of a specific statute. The reason I bring up this legal-historical anomaly is to point out that while ordinarily a federal agency issuing an RFI seeking input on potential changes to its regulations is limited by the underlying statute, in this case much of the regulation has no underlying statute, so the agency will ultimately have greater flexibility. This is both a good thing and a bad thing: On the one hand, HHS can be more creative in revising HIPAA regulations in order to advance its policy agenda, and on the other hand … HHS can be more creative in revising HIPAA regulations in order to advance its policy agenda.

The RFI lists over 50 specific questions on which the agency is seeking feedback, plus a catch-all “anything else?” question, but it is first and foremost a request for information regarding revisions to the HIPAA regulations that may be needed to promote care coordination. (“Encouraging information-sharing for treatment and care coordination” — part of the sprint). As in the case of the RFI regarding Stark and AKS, this is prompted in large part by the move from volume to value, and the widespread belief that value-based payment systems will right the listing ship of the U.S. healthcare “system.” (Let’s just say here that the jury is still out. It’s a topic for a longer discussion.) On the Stark and AKS front, it is important to re-thread the needle of regulating monetary incentives in healthcare: After all, the fundamental notion that savings may be shared by a hospital with a referring physician in a “shared savings” environment, for example, is anathema to regulators in an orthodox fraud and abuse enforcement environment.

Other issues highlighted in the presser accompanying the HIPAA RFI include:

  • Facilitating parental involvement in care
  • Addressing the opioid crisis and serious mental illness
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

So here’s the thing: Do the HIPAA regulations in their current form stand in the way of “encouraging information sharing for care coordination”? Do they stand in the way of any of the other goals articulated by the federales?

I would argue that they do not.

The HIPAA regulations are, for the most part, an extraordinarily flexible set of standards that have managed to remain relevant and useful even as the nature of the generation, storage, use and transmission of health information has undergone a sea change in the years since they were first promulgated. Could they use a nip and tuck, a little freshening up around the edges? Sure. But not a wholesale revision. In fact, certain technical security standards within the HIPAA regs are incorporated by reference from NIST guidance, and that guidance can be — and has been — updated from time to time without the need for regulatory amendment.

Let’s start with the care coordination question. Why is HHS trying to solve care coordination issues through the HIPAA regulations? It seems to me that revising health data privacy and security rules is not the best means to achieve this goal. Access to data should be covered by the agreements among health care provider organizations that are engaged in value-based care arrangements, be they ACOs, CMMI pilots or demonstrations, or other government-funded or commercially-funded efforts. True, HIPAA permits rather than requires data sharing among covered entities that serve the same patients, but if health care providers can’t share patient data between them when it not only benefits the patient but potentially benefits their own bottom lines, tinkering with the HIPAA regulations is not the answer.

A great deal of the perceived need for change in the HIPAA regulations stems from misconceptions about what the rules require. OCR has done a bang-up job elucidating the regs through a series of sub-regulatory guidance documents, and I would urge both regulators and the regulated community to start with the regs and those guidance documents and see whether any changes are really needed, or whether the problem is with communication and education. I suspect that the preponderance of the issues lie in the latter category. If staff at all levels within the regulated community were more fully educated and better trained about the meaning of the HIPAA regulations and how they affect their individual job functions, we would quite likely see fewer situations where staff succumb to phishing attacks, fail to conduct required risk assessments, fail to limit access to PHI in accordance with sensible guidelines, and engage in unfortunate “information blocking” behavior like refusing to give health records to a patient who is the subject of those records or to a consulting clinician — because of HIPAA.

The guidance offered by OCR is far-ranging, addressing everything from copying charges to information sharing in the context of the opioid crisis and natural disasters to cloud computing to a suggested format for a “layered” Notice of Privacy Practices (highlights up front in an easy-to-read one-pager, human-readable details in back). The guidance documents are not comprehensive and it would be nice if OCR would continue its work in filling the shelves of this virtual library with more guidance grounded in the existing regulations rather than seeking to make changes to the regs in the name of care coordination.

Thus far, I’ve argued against making changes, but there are certainly some improvements I’d like to see. For example:

  • Adopting the HITECH Act time limits for responses to requests for records — say, two or three days, rather than 30 to 60 days, seems eminently reasonable in our digital age.
  • Limiting the charge for copies of records to $6.50 per record — the alternative cost-based approach seems unnecessary now that virtually all covered entities are wired and should be able to easily share copies in the format requested by patients. (Or considering elimination of the reimbursement entirely, since providers received significant incentive payments to underwrite their EHRs in the first place.)
  • Designing an accounting of disclosures rule that doesn’t mandate reporting a lot of truly useless information and that doesn’t mandate reporting that is not currently technically available through COTS products currently in use.
  • Revising the requirement for distribution and obtaining acknowledgment of receipt of an NPP from each provider. (These are almost universally available from providers online, and virtually nobody reads them anyway because they are, well, unreadable. See my note about layered NPPs, above. Collecting a receipt seems like some of the retired meaningful use measures — if virtually everyone’s doing it, why bother measuring any more?)
  • Harmonizing rules with other applicable rules (HIPAA and Part 2, HIPAA and FTC rules related to PHRs, etc.), though as noted below, this is a Sisyphean task and might not be achievable.

It must be said that the HIPAA regulations are not the be-all and end-all when it comes to articulating a framework for health data privacy and security. There are other federal and state standards — some overlapping and sometimes conflicting, some stricter, some less strict — and an elaborate analysis (including a preemption analysis) is sometimes required in order to determine which rule covers a particular set of facts. Even to the extent that HIPAA regulations form the basic law of health data privacy and security, it is imperative to recognize that this law is the floor, not the ceiling, of what needs to be done in order to adequately protect health data privacy and security while ensuring appropriate access by patients and other authorized persons. For example, changing the HIPAA regulations will not change the maze of state laws regarding limitations on parents’ rights to access their children’s medical records.

At about the same time that the HIPAA RFI has been released into the wild, a number of notable proposed privacy laws have been released as discussion drafts or otherwise. It is worth taking a look at the proposed Data Care Act, cosponsored by 15 U.S. Senators, the Intel proposal (complete with expert commentary and public comments) (see also: Intel presser) and the Center for Democracy and Technology proposal as well. In addition, we need to consider the new California privacy law, referred to by some as a “mini-GDPR,” because this will become a new de facto national standard if no supervening federal law is passed and if the California law and its implementing regulations are not struck down or limited in the courts. All of these are in the public consciousness due in part to massive breaches and concerns about the use and misuse of personal data — whether health data or otherwise.

In sum, it is important to note that, to paraphrase the poet, no regulation is an island entire unto itself. The HIPAA regulations have aged well, despite the unyielding march of technological progress and evolving sensibilities around patients’ rights.

If it were up to me (and these things rarely are), I would spend more time and effort on implementing the rules we have, and educating the healthcare workforce and the public about these rules, than on changing the HIPAA regulations.

David Harlow
The Harlow Group LLC
Health Care Law and Consulting

Image credit: Fresco Tours via Flickr CC