Potential HIPAA Rule Modifications

Potential HIPAA Rule Modifications

On Dec 14, 2018 the Department of Health and Human Services, Office for Civil Rights released a request for information on modifying HIPAA rules to improve coordinated care as more healthcare organizations advance towards value-based care models. Overall, we were happy to see the comments and questions the OCR included as it matches Moxe’s own understanding of the current challenges facing healthcare organizations. We are encouraged that HHS OCR is trying to improve the healthcare ecosystem by asking for public comment on how to improve and thinking deeply about the implications of what is proposed. While this is bound to be somewhat overshadowed by the subsequent data blocking/interoperability proposed rule changes also recently released by HHS, we believe the possible implications are nonetheless extremely important. We submitted comprehensive comments and information in our official response, with a key area of particular interest to us and our partners called out here:

__________________________________________________________________________

Moxe Health is pleased to respond to the Department of Health and Human Services, Office for Civil Rights request for information regarding how the Health Insurance Portability and Accountability Act privacy and security regulations can be updated to better support the transition to value-based care and promote better care coordination, while still appropriately maintaining and guarding patient privacy.

HIPAA is a necessary cornerstone of the healthcare IT industry and with the now deep saturation of electronic health records across all venues of care, and the transition to value-based care models, updates and changes should be considered to bring the rules with current realities. Key among these possible updates should be changes across the board that show an appreciation that electronic data can be shared faster, cheaper, and discretely when compared to manual methods. Additionally, there is a greater expectation by consumers that their data should be shared so that it is accessible where and how it benefits them most, and that technical protocols between systems or vendors should not be a barrier to doing so in a near instantaneous manner. Finally, that data need not be blocked completely to prevent necessary competition, and that data ‘throttling’ or the control of data in a way that shows preference for certain business entities over others may be just as harmful as complete data blocking.

___________________________________________________________________________

HHS Section A:

(4) What burdens would a shortened timeframe for responding to access requests place on covered entities? OCR requests specific examples and cost estimates, where available.

Moxe Comment:

Where possible, HHS OCR should encourage the automation of these processes and thereby should discount feedback that claims it is a necessity that all releases be manually processed by a human, or other manual steps are necessary.

HHS Section A:

(16) What considerations should OCR take into account to ensure that a potential Privacy Rule requirement to disclose PHI is consistent with rulemaking by the Office of the National Coordinator for Health Information Technology (ONC) to prohibit “information blocking,” as defined by the 21st Century Cures Act?

Moxe Comment:

Outcomes vs. intent should be the rule when it comes to information blocking. Information throttling, or the act of releasing information to someone in a restricted way, either based on scope of information or time-delay, are just as competitively crippling as actual full data blocking is. If reality is that a patient cannot easily transfer care due to waiting on records for up to 60 days, not be enrolled in a value based care program because no information can be gathered, or physicians cannot take other action intent should not matter as the patient is not able to get the patient care they otherwise should.

HHS Section C:

[25] Based on public feedback on the RFI that many covered entities’ systems could not distinguish between internal access (a “use” under the Privacy Rule) and external access (a “disclosure”) for TPO, and that providing a full accounting of disclosures for TPO would be overly burdensome to regulated entities, OCR proposed, in addition, to provide individuals with a right to receive an “access report.” The access report would have shown who had accessed the information in an individual’s electronic designated record set (which would include any access, not only access that represented a disclosure outside of the entity for TPO). Commenters on the NPRM overwhelmingly opposed the proposed individual right to obtain an “access report.” Many commenters expressed concern that their then-existing, commonly used EHR systems did not have the technical capability to produce the required access report and updates would be prohibitively costly for covered entities. In addition, some commenters stated that the content and format of the proposed access report would not provide meaningful, usable information to individuals. A virtual hearing conducted by a federal advisory committee in 2013 elicited similar concerns from the public and presenters at the hearing.

Moxe Comment:

Relevant EHR systems should be built to support the rules that are desireable, not the other way around. Disclosures of any type are relevant to the patient, the distinction is lost on the general public and with a rule change to go from BAA to covered entity then there will need to be more close monitoring of how information gets used. We strongly believe that patients be given the right to know how their data is used and by whom. This is essential to allowing greater data sharing in a responsible and transparent way.

HHS Section C:

(32a) Is the system able to distinguish between “uses” and “disclosures” as those terms are defined under the Privacy Rule at 45 CFR 160.103? (Note that the term “disclosure” includes, but is not limited to, the sharing of information between a hospital and physicians who may have staff privileges but who are not members of its workforce).

Moxe Comment:

We believe that technology should be built with auditing built in and regulations should focus on what is desirable and in the best interest of the patient vs. existing capabilities.

__________________________________________________________________________

Interoperability has been hotly discussed in the healthcare IT industry for the past decade, and we’re happy to see it moving in the right direction. By addressing gaps where technology can be utilized, we only stand to improve the healthcare ecosystem. To learn more about Moxe’s role in aligning healthcare with technology visit: www.moxehealth.com or contact us at info@moxehealth.com

Aligning health care for a better tomorrow