Healthcare providers: change HIPAA rules to prevent healthcare coordination

After the Interoperability and Patient Access Rule (submitted Sept. 21), which should be revised by the White House’s Office of Management and Budget this month, the CMS also wants to be advised on how it can reduce HIPAA burdens that limit care coordination. The OMB received the RFI in November and has 90 days to review it. CMS wants  to find out whether HIPAA regulations are impending on coordinated care and case management in between all sorts of healthcare providers: physicians, hospitals, insurers, pharmacists etc.

What are the limits of HIPAA rules?

The goal that all parts of the healthcare system are striving to achieve is full digitalization, an aim which seems difficult to achieve, because many healthcare deciding factors are still slow in introducing change. Red-tape in healthcare remains a big issue and HIPAA is only part of the problem.  In 1996, when HIPAA was introduced, the vast majority of healthcare organizations was using paper records.

HIPAA has, of course, been updated to face the introduction of Electronic Health Records, but  adopting some health-related technologies that were simply not there to be used in 1996 has created some gaps that now put patient privacy at risk.

The introduction of the Privacy Rule has made some changes to the HIPAA and has ensured that patients can access their health data and have greater control over what is done with that information. What is now required are similar rights and protections for consumers.

HIPAA does allow healthcare providers to share patients’ PHI with other healthcare providers in order to make possible treatments or healthcare operations without a patient’s expressed authorization. There is some confusion, however, about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is allowed to share PHI with health-related organizations other than healthcare providers. Better case management and care coordination will be possible with the simplification of HIPAA Rules, by creating a safe harbor for good faith disclosures of PHI.

The issue of regulation impending care coordination is getting old

The issue of regulation impending care coordination isn’t by any means a new one where CMS is concerned, nor is it the only institution expressing concern on the topic.

The Centers for Medicare and Medicaid Services (CMS) announced on September 17th 2018, their proposed rule to relieve burdens on healthcare providers by removing unnecessary, obsolete or excessively burdensome Medicare compliance requirements for healthcare facilities. Collectively, these updates would save healthcare providers an estimated $1.12 billion annually. By corroborating all implications of rules finalized in 2017 and 2018, along with this and other proposed rules, savings are estimated at $5.2 billion.

CMS is not the only organization asking for change. Groups such as the American Hospital Association have complained that HIPAA has impeded providers’ ability to come together and create care management teams.

The HHS has drafted a Request for Information (RFI), its aim being to find out how HIPAA Rules are hampering patient information sharing, making it difficult for healthcare providers to coordinate patient care.

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, which proposes to remove barriers preventing healthcare organizations from sharing patient information, while still having safe practices to ensure patient and data privacy are protected.

When it comes to any provisions of HIPAA Rules that  are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payers, HHS expects comments on the matter from the public and healthcare industry stakeholders.

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

The RFI was registered to the Office of Management and Budget for review on November 13, 2018. It is currently not known when the RFI will be issued.

What answer are CMS and HHS expecting to receive?

The feedback HHS is expecting to receive will then be used to assess HIPAA aspects which are causing problems, whether certain restrictions to facilitate information sharing could be removed, and also identifying the areas of miscommunication that will need further guidance before being issued on HIPAA Rules.

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The RFI would specifically seek comment on several questions, including whether it should create a legal safe harbor for disclosing a patient’s information for purposes of care coordination or case management and in what instances a patient’s information should be shared without a patient’s express authorization.

Now, such a scenario could make a hospital vulnerable to HIPAA fines, since there aren’t definite ways to ensure that other providers are looking at data for shared patients exclusively, since they would have access to a hospital’s entire record system.

Creating a safe harbor for shared-data agreements would give hospitals more confidence to open their EHRs to partner healthcare stakeholders.

How will change benefit patients and care providers?

According to the law, information can only be shared electronically between so-called covered entities (e.g., health plans, healthcare clearinghouses and providers). Lately, the social determinants of health have been an issue providers were increasingly seeking to address, but  HIPAA regulations have been undermining these efforts. The RFI could also change the situation in this respect: by allowing other entities, such as housing agencies and food banks, access to information concerning patient that healthcare providers could share.

When talking about the care itself, since patients don’t presently have relationships with all of the providers, it becomes difficult to effectively and quickly treat a patient. Hospitals and other care providers are unable to efficiently share data with each other, as part of coordinated care efforts. This impedes a hospital’s ability to make meaningful quality and efficiency improvements to a patient’s health. This could all be changed by putting new rules in place

Hospital administrators’ fear of opening their electronic health record systems to providers at another organization treating the same patient, is a common data-sharing problem that could be avoided. The goal of such data-sharing arrangements would be to allow everyone on a care team to view what treatments a patient is receiving in real time. This could of course lead to better care and less time spent on a hospital bed waiting for papers to go back and forth. Healthier patients, in a healthier, less expensive healthcare system could be in reach by changing and adapting HIPAA rules.