Health care providers and others who have had difficulty navigating HIPAA’s [1] regulations in order to coordinate care are in luck because on December 14, 2018, the Department of Health and Human Services, Office for Civil Rights (“OCR”) published a Request for Information titled, “Modifying HIPAA Rules to Improve Coordinated Care” (herein the “Request for Information” or the “RFI”). [2] OCR wants to better understand how HIPAA’s privacy regulations might impede coordination of care, particularly in the context of addressing the opioid crisis. [3] OCR has identified specific regulations for review but also asks for additional suggestions for modifying HIPAA’s privacy regulations (the “Privacy Rule”) to achieve greater coordination of care among health care providers and other caregivers.

Coordination of care refers to “the deliberate organization of patient care activities between two or more participants (including the patient) involved in the patient’s care to facilitate the appropriate delivery of health care services.” [4] The recent opioid epidemic has highlighted the need to more broadly share patient information to coordinate care and better promote recovery, and OCR’s Request for Information on how best to balance the competing interests of protecting patients’ well recognized privacy rights with encouraging greater coordination of care is timely. OCR asks anyone who has experienced coordination of care issues — including participants on interdisciplinary teams and task forces who are trying to provide care to people with opioid addiction — to speak up and share their issues and ideas for resolving them and to provide comments on the specific changes to the Privacy Rule that OCR is considering.

Stakeholders should take full advantage of this opportunity to advocate for relaxing the Privacy Rule’s restrictions to increase coordination of care and to explain to OCR how certain parts of the Privacy Rule may actually impede care. Comments must be submitted to OCR no later than February 12, 2019. [5]

The remainder of this alert explains some of the specific rules that OCR is considering changing and how OCR hopes to balance any additional burdens the changes may create with the benefits increased coordination of care may produce for patients and their recovery. This alert also explains that while the proposed changes may promote greater coordination of care, other state and federal laws that are more stringent than HIPAA may nevertheless continue to obstruct the highly integrated coordination of care OCR desires.

Potential Changes to the Privacy Rule to Increase Sharing Information Among Covered Entities

OCR believes promoting greater access to protected health information (“PHI”), both with respect to who can access the PHI as well as the amount of PHI available to them, will result in greater care coordination. To this end, OCR wants to “encourage, incentivize or otherwise require covered entities to disclose PHI to other covered entities.” [6]

For example, the Privacy Rule permits — but does not require — a covered entity to disclose PHI to another covered entity for treatment purposes. [7] OCR questions whether covered entities should be required to disclose PHI to other covered entities for care coordination, and if so, what time frame should apply for such disclosures. [8] OCR questions whether the time period should be 30 days or less. OCR seeks information on the burdens (specifically costs) that covered entities may incur if the Privacy Rule requires covered entities to make these disclosures.

The Privacy Rule also limits the amount of PHI covered entities may share for care coordination purposes to a limited data set or such other minimum amount of information necessary to achieve the permitted purpose of the disclosure (referred to as the “minimum necessary rule”). [9] Only disclosures to a health care provider for treatment, upon the request of the Secretary of the Department of Health and Human Services, upon the request of the patient, pursuant to an authorization, required by law, or otherwise required for compliance with the Privacy Rule are excluded from the minimum necessary rule. [10] OCR questions whether excluding disclosures for care coordination purposes from the minimum necessary rule could enhance care coordination among health care providers and other involved caregivers, such as family members. [11]

OCR also believes that some covered entities have been reluctant to “disclose PHI to social service agencies or community-based support programs” for purposes of coordinating care and providing related supports for individuals “experiencing homelessness or suffering from chronic conditions, including serious mental illness.” [12] OCR is considering an “express regulatory permission” for coordination of care purposes. [13] OCR questions whether any form of an agreement (e.g., an agreement similar to a business associate agreement) should be required. [14] OCR also requests “information about any relevant state or other law containing standards that are different from, and perhaps inconsistent with, either existing HIPAA requirements or potential proposed changes to the HIPAA Rules.” [15]

OCR is also examining:

  • Whether covered entities should be required to disclose PHI to health care providers not subject to HIPAA (i.e., those health care providers that do not engage in standard electronic transactions) or would such disclosures pose an undue risk to the privacy of the information? Should these health care providers be required to provide some form of assurances to the disclosing covered entities that the PHI will be used and disclosed appropriately? [16]
  • What limitations should apply to disclosures to other covered entities or health care providers? Should sensitive information such as psychotherapy notes or genetic information be excluded unless expressly authorized by the patient? [17]
  • Should there be a timeliness requirement associated with disclosures to other covered entities for treatment (and/or payment and health care operations purposes)? Should the timeliness requirement vary depending on whether the PHI is maintained in electronic health records? [18]
  • Should patients have the right to opt out from having their PHI disclosed for certain purposes, such as health care operations, including care coordination purposes? [19]
  • How do other laws, in particular 42 CFR Part 2 (relating to confidentiality of substance use disorder patient records), hinder sharing information even if HIPAA permits such general disclosures? [20]
  • Whether OCR should “expressly permit disclosures of PHI to multi-disciplinary/multi-agency teams tasked with ensuring that individuals in need in a particular jurisdiction can access the full spectrum of available health care?” [21]

OCR’s questions demonstrate the countervailing concerns related to enhanced coordination of care and patient privacy, as well as OCR’s desire to balance the burdens and benefits associated with the changes to the law.

Sharing PHI to Promote Parental and Caregiver Involvement

The onset of the opioid epidemic and the increase in serious mental illness have magnified existing barriers in sharing PHI with those involved in a patient’s recovery, including non-covered entities, caregivers, and family members, for coordination of care purposes. However, any increase in the ability to share PHI must be balanced with a patient’s right to privacy and to control his or her own treatment. OCR’s challenge is to provide for meaningful coordination of care while retaining appropriate privacy protections for patients so as not to discourage them from seeking treatment. [22] OCR seeks input into the measures it might take to increase the appropriate sharing of critical information, including:

  • Should a parent or guardian of an unemancipated minor child be considered the personal representative of the child regardless of whether consent for services was provided by someone else? Should such a change in the Privacy Rule be limited to instances involving substance use disorder or serious mental illness? [23]
  • Should the Privacy Rule be modified to promote greater access to treatment information for parents of children who have reached the age of majority or for spouses? If so, what are appropriate limitations to such access? [24]
  • Should adult children be permitted access to treatment information regarding their parents, even in cases where the adult child is not the personal representative of the parent? If so, what are appropriate limitations to such access? [25]

Even if OCR makes changes to the Privacy Rule to increase the ability to better coordinate care, an array of other state and federal privacy laws may continue to prevent it. These laws typically govern who may access treatment information or further disclose it and for what purposes. These laws also typically convey rights to patients to control their health information. In certain cases, such as substance use disorder or mental health treatment, patient protections may be more stringent than for other types of health information because of the potential stigma associated with these diagnoses. HIPAA does not preempt more stringent state and federal laws, so modifications to the Privacy Rule alone may not resolve the problem of a lack of care coordination. [26]

For example, in Pennsylvania substance use disorder treatment information “may only be disclosed with the patient’s consent and only (i) to medical personnel exclusively for purposes of diagnosis and treatment of the patient or (ii) to government or other officials exclusively for the purpose of obtaining benefits due the patient as a result of his drug or alcohol dependence ….” [27] Other disclosures require a court order after application showing good cause. [28] In determining good cause, the court must “weigh the need for the information sought to be disclosed against the possible harm of disclosure to the person to whom such information pertains, the physician-patient relationship, and to the treatment services ….” Pennsylvania’s law has been interpreted to be stricter than HIPAA, and as such, it controls with respect to the use or disclosure of substance use disorder information. [29] As a result, changing only the Privacy Rule would not address the requirements under Pennsylvania law.

Increasing Transparency through Accounting of Disclosures

In 2009, with the passage of the Health Information Technology for Economic and Clinical Health Act, Congress directed OCR to implement regulations to account for disclosures of information from electronic health records for treatment, payment and health care operations purposes (collectively “TPO”). [30] Disclosures for TPO purposes are currently exempt from being recorded for and included in accountings. [31] Previously, OCR requested information from stakeholders on how to effectuate Congress’ instruction and in response learned that most electronic health record systems could not distinguish between a use of PHI and a disclosure of PHI. [32] As a result, OCR issued a Notice of Proposed Rulemaking (“NPRM”) requiring that health care providers produce an “access report” which would include both uses and disclosures, but the responses to the NPRM were overwhelmingly against the proposal, largely because the electronic health records health care providers currently use do not provide for recording these types of disclosures and modifying the systems to do so would be extremely burdensome and costly. Commenters also questioned the usefulness of such an access report.

In the RFI, OCR announces that it is withdrawing its NPRM and the proposal to provide an access report, but OCR’s decision means that it is starting all over again to determine how best to effectuate Congress’ mandate to provide an accounting of disclosures for TPO purposes from electronic health record systems. [33] OCR’s requests for comments show that it is attempting to assess just how frequently accountings are requested, how time consuming they are to produce, and to factor the information into its decision regarding accounting for TPO disclosures. OCR also wants to determine if existing electronic health record systems have the capability to produce accountings electronically and if they currently capture disclosures for TPO even though at this point such disclosures are not required to be included in an accounting. [34] If they do not, OCR seeks information on how burdensome it would be to implement such a feature. Additionally, OCR wants to better appreciate the capabilities of the electronic health records systems with respect to: [35]

  • The ability to distinguish between a “use” of PHI for TPO and a “disclosure” for TPO.
  • The types of information that are automatically collected for a disclosure for TPO.
  • The descriptions accompanying the disclosure and whether these descriptions are standardized.
  • The degree of centralization of electronic health record systems — namely, does an entity have a single system or are the systems decentralized such that various departments within a single covered entity have their own systems.
  • The cost to implement a feature within an electronic health record system to automatically record disclosures for TPO purposes.
  • A description of the burdens on health care providers to conduct a diligent investigation into disclosures for TPO upon an individual’s request.
  • Whether the names of the individuals receiving the information should be included.
  • Whether accountings for TPO should be limited only to disclosures occurring through an electronic health record system or should these disclosures apply regardless. [36]

OCR also questions how business associates are involved in the production of the accounting and whether business associates should be required to provide this information directly to individuals, as opposed to providing the information to the covered entity.

The scope of OCR’s request for comments demonstrates its desire to balance the burden and cost in producing accountings that include TPO disclosures with the value of these potential modifications. The effort in making these accountings available should be proportionate to the volume of such requests and not unduly burdensome for health care providers.

Notice of Privacy Practices

OCR’s final Request for Information pertains to the requirement that health care providers provide a notice of privacy practices to their patients and that those health care providers with a direct treatment relationship make a good faith effort to obtain a signature from patients of the receipt of the notice. [37] The notice serves as a vehicle for patients to understand how their health care providers use and disclose their PHI and also to educate patients on their rights regarding their PHI.

OCR requests input as to whether the signature and recordkeeping requirements associated with providing the notice should be eliminated because they add questionable value to the privacy equation. OCR asks for an explanation of the burden “in economic terms” the requirements place on health care providers “to obtain a good faith effort to obtain an individual’s written acknowledgment of receipt of the providers [notice of privacy practices]” and how frequently health care providers are unable to obtain the signature. [38] OCR also wants to determine whether the form of the notice of privacy practices is confusing for patients and whether they mistake it as, among other things, a precondition to receiving care. [39] OCR is also curious as to whether the educational purpose underlying the notice is being achieved — namely, does the notice sufficiently explain patients’ rights with respect to their information as well as how the covered entities use and disclose their information or are other educational measures warranted? [40] OCR is also considering creating a compliance safe harbor for covered entities that choose to use a form of notice provided by OCR. [41]

Conclusion

Encouraging greater coordination of care by making health information more available, while maintaining appropriate privacy protections for patients, may prove to be a significant enhancement to treating patients, especially those suffering from substance use disorder or serious mental illness. However, the overlay of other federal and state laws governing the use and disclosure of patient information will continue to provide challenges. A law that provides more stringent protections to a patient’s privacy will continue to control whether patient treatment information can be shared and with whom. Consequently, states and other federal agencies will need to make the same type of examination that OCR is making with respect to HIPAA if comprehensive coordination of care and case management are to be achieved.