Why HIPAA should enable information sharing in the industry
The excuses for health information not freely flowing are numerous, but very often come back to alleged privacy concerns under the Health Insurance Portability and Accountability Act (HIPAA) and its associated regulations.
The excuses often fall back on a position that HIPAA requires all patient-related information to be fully locked down and maintained in “airtight” systems that can only be opened with permissions. While that is the perceived standard, actual systems do not really reflect this position. Despite that, privacy concerns are used as excuses between providers, by providers to patients, between vendors and any number of combinations among these groups.
The end result is data being locked down and not openly shared when or where needed. However, the reality is that information, in many instances, does get shared. That may occur in the ordinary course of business and without those involved knowing that such sharing is allowed directly because of HIPAA.
The prime example of such information sharing would be for payment purposes, since no provider will forgo getting paid for services rendered. When information is locked down, though, barriers are erected to prevent it from going from one system to another or between providers. Such restrictions result in frustration, anger or some other similar emotion.
However, while waiting for further regulations through the 21st Century Cures Act, some unknown future law or just modifications to existing regulations, there is hope under HIPAA. A recent blog post from the Office for Civil Rights and Office for the National Coordinator of Health IT emphasized the information portability, and the encouragement of data sharing, already contained within HIPAA. Those points are very accurate and certainly bear repeating.
Taking the behind-the-scenes side of things first, a very broad swath of actions is permissible under the HIPAA Privacy Rule to enable movement of data. Namely, the permissible actions fall under what are referred to as “TPO” or treatment, payment and healthcare operations. Each of those terms is specifically defined under HIPAA.
Taking treatment first, the term is designed to enable providers to interact with one another and ensure that information gets to where it is needed for the benefit of patients. This means providers can consult with one another or request information from a patient’s prior provider. It does not mean that a prior provider should make access overly difficult.
For instance, a primary care physician may be in the exam room with a patient and want information from the patient’s OB-GYN’s office. With the patient in the room, the call is placed, but the OB-GYN’s office will not release the information without a signed release from the patient. That is not required and just imposes unnecessary burdens on the ability of the primary care physician to work with the patient. The refusal to provide information is based on not wanting to breach privacy, but it takes that concern to an extreme.
Information can be shared for purposes of obtaining or verifying payment obligations. Such sharing relates to information going back and forth between providers and insurance companies. It is highly unlikely that providers will not take necessary or appropriate action to be compensated for services provided. Payment can also extend to collections when individuals are not paying obligations that are owed. That may not be expected, but collections are a part of payment.
The definition of healthcare operations is arguably the broadest permissible use of patient information. Many providers and entities are surprised when the breadth of activities is discussed. Operations include utilization review, quality improvement and release of information when pursuing a sale or other fundamental transaction impacting the entity. All of the actions relate to enabling the smooth operation of a business.
Many times, these TPO permissible uses and disclosures are either overlooked or not known. Ultimately, the TPO categories should show that HIPAA does not interfere with the ability to let information go and be where it is needed. Instead, HIPAA encourages the use and disclosure of information. It is also important to remember that there are other uses and disclosures that can occur with authorization or an opportunity to object, though those become more specific.
It is also important to consider the times when a patient or individual can direct or request the use or disclosure of their own health information. This is the second point made by the OCR and ONC post. Individuals are granted significant rights of access and some control over their own information.
Access is certainly a prime area where misconceptions exist. The HIPAA regulations include very limited times as to when access can be denied, which do not apply in the vast majority of circumstances. Assuming that access is granted appropriately, individuals should get almost free access to their information and be able to ensure that it is sent to other providers. Reality is far from this ideal, but it is important to keep what should happen in mind to hopefully spread the correct understanding of what HIPAA permits.
The persistence of information blocking and other impediments to the free flow of health information underscores the deep-rooted nature of HIPAA myths or willful ignorance. Too many organizations quickly move past HIPAA without even attempting to understand what it does and what it allows.
It is important to dispel such misunderstandings about HIPAA. One of the main considerations is to get those in the industry from the provider, payer and vendor communities to understand how HIPAA enables sharing of information and does not align with information blocking or other barriers. Instead, HIPAA is really a facilitator when its actual terms are correctly interpreted. If the correct message continues to be spread, then eventually understanding will catch up with the current state of regulation.