2 11 19 request for information on modifying hipaa rules to improve coordinate care

Published

February 12, 2019

Submitted Electronically Via Federal Rulemaking Portal: www.regulations.gov

Attention: RFI: RIN 0945-AA00
U.S. Department of Health and Human Services
Office for Civil Rights
Hubert Humphrey Building
Room 509F
200 Independence Avenue, SW
Washington, DC 20201

Re: Request for Information on Modifying HIPAA Rules to Improve Coordinate Care

To Whom It May Concern:

The U.S. Chamber of Commerce (the Chamber) submits these comments to the Department of Health and Human Services’ Office for Civil Rights (OCR or the Office) in response to a request for information. The Request for Information published in the Federal Register on December 14, 2018 seeks public input on the regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and modified pursuant to, among other laws, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The HIPAA Privacy and Security Rules protect individuals’ medical records and other individually identifiable health information created or received by or on behalf of covered entities, known as “protected health information” (PHI). The Privacy Rule also gives individuals rights with respect to their PHI, including the right to access their PHI and to receive adequate notice of a covered entity’s privacy practices. With this RFI, OCR is seeking public input on ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management, or that may inhibit the transformation of the health care system to a value-based health care system.

OVERVIEW

We appreciate the Office’s interest in identifying provisions of the HIPAA Privacy and Security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities without meaningfully contributing to the protection of the privacy or security of individual’s protected health information. We applaud the Office’s specific goals:

  • To promote information sharing for treatment and care coordination and/or case management;
  • To encourage covered entities to share treatment information with parents, loved ones and caregivers of adults facing health emergencies;
  • To implement the HITECH Act in a manner that provides helpful information to individuals while minimizing the regulatory burdens and disincentives to the adoption and use of interoperable EHRs; and
  • To eliminate or modify the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgement of receipt of a health care provider’s Notice of Privacy Practices to reduce burden and free up resources without compromising transparency of an individual’s awareness of his/her rights.

The nation’s health care system has evolved significantly with innovation in technology, increased integration of providers and services and an accelerating progression towards value-based care models. To fully leverage the opportunities available with electronic health records and advanced technology and to best treat patients, the regulations issued decades ago should be modified and modernized. We applaud the Office’s attention and interest in updating the regulations in order to incentivize care coordination and improve patient care while ensuring that HIPAA’s promise to protect privacy and security is fulfilled. On behalf of our member companies, many of whom operate in the various health care sectors and others of whom sponsor health care coverage for their employees, we look forward to assisting the Office in this endeavor. In response to some of the questions posed in the RFI to advance the first three specific goals, we submit the answers.

Promoting Information Sharing for Treatment and Care Coordination

Question 7(c). Should business associates be subject to a requirement to disclose PHI when requested by another covered entity for treatment purposes? Should the requirement extend to disclosures made for payment and/or health care operations purposes generally, or, alternatively, only for specific payment or health care operations purposes?

We encourage the Office to not impose a new mandate on business associates which would require that they disclose PHI on behalf of a covered entity. The business associate may not have an existing business relationship with the requesting covered entity and additional time would be needed to authenticate the request and agree on a secure means of transmission. Subjecting business associates to required disclosures removes the ability to negotiate these points in a business associate agreement with covered entities where they can be better addressed based on the specific circumstances of the relationship. Moreover, a direct request for PHI from a covered entity to another covered entity should allow for prompt disclosure in appropriate circumstances. If the responding covered entity desires to make that disclosure through one of its business associates, it is free to do so without the need for a regulatory mandate.

Question 10. Should a non-covered health care provider requesting PHI from a HIPAA covered entity provide a verbal or written assurance that the request is for an accepted purpose (e.g., TPO) before a potential disclosure requirement applies to the covered entity receiving the request? If so, what type of assurance would provide the most protection to individuals without imposing undue burdens on covered entities? How much would it cost covered entities to comply with this requirement? Please provide specific cost estimates where available.

The Chamber believes that entities or subsidiaries of a parent company should be allowed greater sharing of an individual’s information across distinct legal entities. In particular, affiliated non-HIPAA covered entities should be permitted to share information between business units, including affiliated HIPAA covered entities that handle HIPAA-governed products and those that do not in order to facilitate efficient care coordination. The freer flow of information within an entity’s organization can serve the objectives the Office is seeking to achieve for the benefit of the individual whose PHI is being shared. This would reduce the administrative burden on the customer and allow benefits to be paid more quickly. From a legal framework, this would mean allowing a HIPAA-covered entity to share PHI so long as that sharing meets the requirement of the Gramm-Leach-Bliley Act’s exceptions for the sharing of information (i.e., to administer other coverage of the insurer purchased by the individual).

Promoting Parental and Caregiver Involvement and Addressing the Opioid Crisis and Serious Mental Illness

There are two areas where the Office could update HIPAA regulations to help enable appropriate sharing of sensitive PHI for treatment and care coordination. Utilization of HIPAA’s “involved in care” provision is relatively low, which offers a key opportunity to ensure persons who are involved in another individual’s care can access needed PHI for care coordination. Also, inclusion of the word “imminent” in Section 164.512(j) does not account for real health crises that are not-yet-imminent but serious nevertheless – the term imminent is too restrictive.

Question 22. What changes can be made to the Privacy Rule to help address the opioid epidemic? What risks are associated with these changes? For example, is there concern that encouraging more sharing of PHI in these circumstances may discourage individuals from seeking needed health care services? Also is there concern that encouraging more sharing of PHI may interfere with individuals’ ability to direct and manage their own care? How should OCR balance the risk and the benefit?

Specifically, 42 CFR Part 2 and a myriad of State laws generally prohibit or create significant barriers to sharing sensitive medical information. To address these challenges and help refine the intersections between HIPAA, 42 CFR Part 2, and other State laws governing sensitive PHI, we suggest modifying Sections 164.510(b) and 164.512(j) to clarify that providers are allowed to use professional judgment in the sharing of PHI for the best health interest of an individual. For example:

  • OCR could develop a one-time, non-expiring authorization to disclose sensitive PHI to appropriate providers, as agreed to by an individual, to improve quality and enable coordination across clinicians involved in an individual’s care; and
  • OCR could educate providers about HIPAA’s “involved in care” provision and clarify that disclosures of sensitive PHI to HIPAA covered entities are permitted without additional consent where there is a “real” or “likely” threat of harm, not only “imminent” harm.

However, the Chamber recognizes that such changes alone are not enough to create alignment between HIPAA, 42 CFR Part 2, and State laws. For example, the variety among State laws makes it difficult for covered entities to comply with all of them across the country. For example, some states require obtaining consent before disclosing any information, while others require separate consent for specific types of information, such as HIV/STD status/results and mental health, and may vary in how they define these categories. Additionally, we support aligning/applying the HIPAA framework to types of information covered under 42 CFR Part 2, which would improve the flow of information and treatment for substance abuse disorder and serious mental illness.

The Chamber appreciates the Office’s recognition of the current reluctance to inform and involve the loved ones of individuals facing health crises, such as Substance Use Disorder and Serious Mental Illness (SMI). We also believe that this reluctance results in ineffective care coordination and case management. We appreciate OCR’s plan for a separate rulemaking that would encourage sharing of PHI with family members, caregivers, and others to support the recovery of individuals facing crises. As such, we are hopeful that planned rulemakings will encourage information sharing that is necessary to avert the health crises we see so often.

ACCOUNTING OF DISCLOSURES

Question 31. Should the Department require CEs to account for their BAs' disclosures for TPO, or should a CE be allowed to refer an individual to its BA(s) to obtain this information? What benefits and burdens would CEs and individuals experience under either of these options?

The Department should not require covered entities to account for their business associates’ disclosures. Instead, whether a covered entity may refer a patient to its business associates or not should be negotiated as part of covered entities’ business associate agreements where it can be better addressed based on the specific circumstances of the relationship.

Question 37. What data elements should be provided in an accounting of TPO disclosures, and why? How important is it to individuals to know the specific purpose of a disclosure—i.e., would it be sufficient to describe the purpose generally (e.g., for “for treatment,” “for payment,” or “for health care operations purposes”), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the range of activities that constitute “health care operations?” On what basis do commenters make this assessment?

The Chamber thanks OCR for removing the May 2011 Account of Disclosures Proposed Rule, as the administrative burden associated with the proposals in the Proposed Rule far outweighed the benefits to consumers. The Chamber continues to believe that the burden of such accounting outweighs the potential benefit to consumers, particularly given the very limited number of requests for such accounting each year. Electronic health record (EHR) technology is not yet able to capture the information necessary to perform accountings of disclosures, and even if they could, significant worker hours would be needed to run the audits and convert the results into a usable format.

Instead, the Chamber recommends ensuring covered entities have in place policies and procedures to respond to consumer complaints, such as an inappropriate disclosure of PHI. Such information required to be reported during a complaint investigation should only involve information included in the EHR and the minimum necessary to ensure the individual learns how his or her information is disclosed. Specifically, if OCR were to advance such a proposal, covered entities should only be required to provide the individual the date of the disclosures in the complaint, the name of the entity or person who received the PHI, and a short description of both the PHI disclosed and the purpose for the disclosure. Additional detail would be time-consuming to compile, and it might still leave the patient without a clear understanding of the complex information flows that occur as covered entities work to improve patient care and reduce administrative workloads.

Question 39. If covered entities are unable to modify existing systems or processes to generate a full accounting of disclosures for TPO (e.g., because modification would be prohibitively costly), should OCR instead require covered entities to conduct and document a diligent investigation into disclosures of PHI upon receiving an individual's request for an accounting of disclosure for TPO? If not, are there certain circumstances or allegations that should trigger such an investigation and documentation by a covered entity? How much time should a covered entity be allowed to conduct and provide the results of such an investigation?

The Office could focus on the disclosures in which individuals are most interested as a means of addressing individuals' concerns that covered entity employees who know them may be snooping. For example, the Office could require that entities do periodic audits to identify impermissible disclosures to those within the entity which do not have a need to know the individuals’ PHI.

Instead, the Chamber recommends ensuring covered entities have in place policies and procedures to respond to consumer complaints, such as an inappropriate disclosure of PHI. Such information required to be reported during a complaint investigation should only involve information included in the EHR and the minimum necessary to ensure the individual learns how his or her information is disclosed. Specifically, if OCR were to advance such a proposal, covered entities should only be required to provide the individual the date of the disclosures in the complaint, the name of the entity or person who received the PHI, and a short description of both the PHI disclosed and the purpose for the disclosure. Additional detail would be time-consuming to compile, and it might still leave the patient without a clear understanding of the complex information flows that occur as covered entities work to improve patient care and reduce administrative work loads.

Question 41. The HITECH section 13405(c) only requires the accounting of disclosures for TPO to include disclosures through an EHR. In its rulemaking, should OCR likewise limit the right to obtain an accounting of disclosures for TPO to PHI maintained in, or disclosed through, an EHR? Why or why not? What are the benefits and drawbacks of including TPO disclosures made through paper records or made by some other means such as orally? Would differential treatment between PHI maintained in other media and PHI maintained electronically in EHRs (where only EHR related accounting of disclosures would be required) disincentivize the adoption of, or the conversion to, EHRs?

The right to obtain an accounting of disclosures for TPO purposes should be limited to PHI maintained in or disclosed through an EHR and then only as to disclosures for health care operations purposes, because the effort needed to track disclosures made without EHR involvement would be prohibitive and the disclosures made for treatment or payment purposes are so frequent and numerous that an accounting of such disclosures would be overwhelming (and costly). In order to avoid increasing the burden on covered entities without providing real benefits to patients, OCR should clearly state in any Final Rule that disclosures of PHI for TPO purposes continue to be exempt from accounting of disclosures requirements except in cases where those disclosures are made for health care operations purposes through an EHR (and make clarifications as to particular kinds of health care operations).

As discussed above, the Chamber believes the effort required to account for disclosures of PHI maintained or disclosed through an EHR far outweighs the potential benefit to consumers. Thus, expanding such accountings beyond the EHR would be prohibitive.

CONCLUSION

The Chamber commends the Office’s efforts to modernize regulations that were promulgated and implemented decades ago. We urge the Departments to continue to work carefully, pragmatically, and cooperatively with the business community to minimize burdens placed on employers as they work to comply with the law.
