Over the last decade, members of the medical and public health communities around the world have widely studied and acknowledged the impact of social determinants of health (SDOH)—the conditions in the environments where people live, learn, work, play, and age—on a wide range of health, functioning, and quality-of-life-risks and outcomes. In the past year or so, U.S. federal government policy has made a fundamental shift to align with this notion, focusing in part on better integration of health data and human services data to realize improved health outcomes that patients experience.
This policy shift is highlighted in the U.S. Department of Health & Human Services’ (HHS’) 2020-2025 Federal Health IT Strategic Plan, and is underscored in the Biden Administration’s American Rescue Plan and other policy recommendations that include ways to address SDOH, particularly in the wake of the COVID-19 pandemic. Through these policies and legislative initiatives, we have seen HHS agencies, such as the Office for Civil Rights (“OCR”), the agency that enforces HIPAA, the Office of the National Coordinator for Health Information Technology (“ONC”), the agency charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information, and others, signal that use and disclosure of patient information for certain treatment and health care operations activities, namely care coordination and management, to address SDOH is not only permissible but encouraged at both the individual-level and the population-level.
OCR’s Notice of Proposed Rulemaking (NPRM) published in January 2021, proposes pivotal changes to key standards, definitions, and patient rights under the HIPAA Privacy Rule, which are geared toward promoting care coordination and value-based care, and empowering patients with greater access to their health information. More specifically, in addition to facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises and enhancing flexibilities for disclosures of protected health information (PHI) in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies, OCR’s NPRM seeks to clarify the (already existing) scope of a HIPAA covered entity’s ability to disclose PHI to social service agencies, community-based organizations, home and community-based service providers, and other similar third parties providing health-related services in order to facilitate coordination of care and case management for permissible treatment and health care operations purposes under the law. As proposed, the HIPAA Privacy Rule’s definition of “health care operations” would be amended to expressly permit disclosure of PHI for care coordination and case management activities, whether population-based or focused on particular individuals, and without a patient authorization.
If finalized, this clarification would give comfort to covered health care providers and health plans seeking to address SDOH among their patient and member populations that they may use and disclose PHI for these purposes without running afoul of HIPAA. In effect, health care providers who believe that disclosures to certain social service entities are a necessary component of, or may help further, their patient’s health or mental health care may disclose the minimum necessary PHI to such entities without the individual’s authorization. For example, a provider may disclose PHI about a patient needing mental health care supportive housing to a local service agency that arranges such services for individuals, or disclose PHI to a senior center to help coordinate necessary health-related services for a patient such as arranging for a home aide to help the patient with their prescribed at-home prescription or post-discharge treatment protocol. Likewise, a covered health plan may disclose PHI to facilitate care coordination and case management activities as part of the plan’s health care operations, including working closely with community-based organizations and/or multi-disciplinary teams to address SDOH and coordinate comprehensive wraparound services, such as clinical and behavioral health care, social services, and patient advocates to support certain populations, such as senior citizens or people experiencing food insecurity, homelessness, severe mental illness or substance abuse disorders.
Demonstrating consensus around the use of patient information in the clinical context to address SDOH, last week ONC released version 2 of the United States Core Data for Interoperability (“USCDI”), which now includes patient information related to SDOH, as well as sexual orientation and gender identity. USCDI is a standardized set of health data classes and data elements for nationwide, interoperable health information exchange. ONC requires compliance with the USCDI version 1 for health information technology (“IT”) certified to its Health IT Certification Program, 2015 Edition Cure Update in order to establish baseline standards for capturing health information in electronic health records and for exchanging that information with other systems. USCDI version 1 is also incorporated into ONC’s Information Blocking Rule, which prohibits interference with access, exchange, and use of electronic health information by health care providers, health information exchanges and health information networks, and ONC-certified health IT developers. For more information on the Information Blocking Rule, please refer to Reed Smith’s 2021 Health Care Outlook, Info Blocking webinar series, and recent Health Industry Washington Watch blog posts.
While compliance with USCDI version 2 is not mandated for ONC-certified health IT at this time or health care providers or systems from a documentation or data sharing perspective, it serves as additional evidence that the activities a HIPAA covered health care provider or health plan undertake to address SDOH can fall within the scope of treatment and health care operations activities consistent with OCR’s proposed clarifications and modifications to the HIPAA Privacy Rule.