Navigating privacy, interoperability in the proposed HIPAA modifications
As proposed HIPAA amendments are finalized this year, there are many implications for better patient privacy, care coordination and data interoperability.
At some point during 2023, it’s expected that the Department of Health and Human Services is going to finalize the “Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,” a proposed rule issued in January 2021 that would attempt to amend HIPAA’s Privacy Rule.
This proposed rule would not only be the most substantial change to HIPAA’s Privacy Rule since 2013, but it could go a long way in giving covered entities the much-needed guidance to start bridging the gap between patient privacy and interoperability requirements.
Established in December 2000, HIPAA’s privacy rule (as well as other relevant state and federal privacy laws) has been the cornerstone to every electronic data-sharing decision made by any covered entity. While ultimately designed to protect the individual’s right to privacy, the threat of penalties and fines for violating it has had the effect of materially limiting how covered entities exchange data today, even if for the benefit of the individual.
To correct this, we have seen a slew of both finalized and proposed regulatory changes mandating interoperability coming out of other healthcare organizations under HHS, such as the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator (ONC). However, this left covered entities with an even bigger problem of trying to balance the requirements of HIPAA’s privacy rule with those of CMS and ONC’s interoperability regulations.
While the list of proposed changes is quite robust, the three proposed changes that could materially support the interoperability requirements set for the CMS and ONC regulations, respectively, today include the following.
The expansion of the individual’s right of access. This broadened provision would include the individual’s ability to request that covered healthcare providers send electronic copies of protected health information (PHI) in an electronic health record (EHR) to another healthcare provider or health plan. While the request must be “clear, conspicuous, and specific,” it does not need to be in writing.
In addition, if directly instructed by an individual, the receiving healthcare provider or health plan shall be required to submit the request directly to the disclosing healthcare provider on the individual’s behalf, and the disclosing healthcare provider must respond accordingly as if the request came from the individual. While some action on the part of the individual is required, this provides a secondary method, other than the standard treatment, payment, or operations (TPO) exception, in which a covered entity may obtain an electronic copy of PHI from another covered entity without a standard HIPAA-based consent. It also makes the disclosure required rather than just permissible.
Clarification to the definition of healthcare operations. This would ensure that case management and care coordination include individual-level case management and care coordination, and not just population-level activities, conducted by health plans and covered healthcare providers. It would also include the creation of a defined exception to the “minimum necessary” standard for any use or disclosure by a health plan or a covered healthcare provider in furtherance of such individual-level activities, regardless of whether such activities constitute treatment or healthcare operations.
In light of the subjectivity of the minimum necessary standard, a defined exception materially reduces the risks disclosing covered entities can face with respect to how much information is disclosed in response to a certain request.
An addition to the implementation specifications for treatment, payment and healthcare operations. This would expressly permit a covered entity to disclose PHI to social services agencies, home and community-based services providers and other third parties that provide health-related services to specific individuals in furtherance of individual-level care coordination and case management activities, regardless of whether such activities constitute treatment or healthcare operations.
While these organizations are typically heavily involved in the overall health of an individual, since they did not meet the standard definitions of a covered entity or business associate under HIPAA, it was unclear whether the treatment, payment and operations exception applied. This proposed amendment will ensure that they are included within the healthcare operations category for individual-level case management and care coordination activities.
While HHS, ONC and CMS are all discrete agencies with their own separate agendas and goals, it’s clear based on both current and proposed regulations that all three organizations are operating under the same core assumption that providing individuals and their care teams with broader access to their health information will ultimately empower them to make more informed and educated healthcare decisions.
However, despite the alignment with respect to the value of data exchange, there’s still one rather large differentiator across all three regulations – the format in which that data should be made available.
All three of the regulations discuss and identify (either in the proposed regulation text or the related comments) the value of both standard-based APIs and FHIR, but only CMS has gone so far as to actually mandate both. Even though ONC has required organizations seeking certification under its Health IT Program to support certain FHIR APIs for interoperability, in its most recent regulatory update, ONC’s focus with respect to promoting interoperability has shifted quite prominently to incentivizing organizations to participate in its Trusted Exchange Framework and Cooperation Agreement (TEFCA).
While ONC has stated that it fully intends to have FHIR-based APIs as a fundamental part of the future architecture, data exchange via TEFCA today is facilitated by a brokered exchange with CCDA 2.1 documents.
Similarly, while HHS has provided more clarity around the form, format, and manner in which information needs to be made available under an individual’s right of access, and has further clarified that standards-based APIs, especially those mandated by state or federal law, would clearly fit within the definition of “reasonably producible,” it too has not mandated a prescriptive technical methodology or data format for interoperability, other than the prescriptive X12 standards required for certain electronic transactions.
The lack of standardization in form and format is rather similar to the biblical parable of the Tower of Babel. While the story of the Tower of Babel is an etiology designed to explain why people across the world speak different languages, it is hard to miss the secondary takeaway of how important speaking the same language is to accomplishing any task.
Even though there is clear alignment in terms of the desired end goal, the lack of consistency in the form and format is ultimately going to keep us from completing our (interoperability) tower, much like it did for the Babylonians.
Eden Avraham-Katz is vice president of legal and compliance for 1upHealth.