Is Information Sharing Hindering by HIPAA Rules?

The HHS has put together a Request for Information (RFI) to identify how HIPAA Rules are hindering patient information sharing and creating boundaries for healthcare providers to provide patient treatment.

HHS is seeking comments from the public and healthcare sector stakeholders on any provisions of HIPAA Rules which are discouraging or restricting coordinated care and case management among hospitals, physicians and patients.

The RFI is part of a new scheme called Regulatory Sprint to Coordinated Care. This scheme seeks to remove barriers that are preventing healthcare groups from sharing patient information while retaining protections to ensure patient and data privacy is in place.

The comments gathered as part of this scheme will guide the HHS on how HIPAA can be improved, and which policies should be sought in rulemaking to help the healthcare sector transition to coordinated, value-based health care.

The RFI was sent to the Office of Management and Budget for review on November 13, 2018. It is currently not known when the RFI will be issued.

Certain stipulations of HIPAA Rules are perceived to be obstructing information sharing. The American Hospital Association has criticized some of these issues and has urged the HHS to take action.

While there are certainly parts of HIPAA Rules that would benefit from an update to enhance the sharing of patient health information, in some instances, healthcare groups are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other bodies without the need to obtain prior permission from patients.

The feedback HHS is seeking will be used to review what parts of HIPAA are causing issues, whether there is scope to remove certain limits to facilitate information sharing, and areas of misunderstanding that call for further guidance to be released on HIPAA Rules.

HIPAA does allow healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without permission from patients. However, there is some uncertainty about what constitutes treatment/healthcare operations in some scenarios, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare suppliers. Simplification of HIPAA Rules could help in relation to this, as could the creation of a safe harbor for good faith disclosures of PHI for reasons related to case management and care coordination.

While the HHS is eager to instill an environment where patients’ health information can be shared more freely, the HHS has made it clear is that there will not be any amendments applied to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered groups will still be asked to configure controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

Along with a general request for information, the HHS will specifically be seeking feedback on:

  • The methods of accounting of all sharing of a patient’s protected health information
  • Patients’ acknowledgment of receipt of a suppliers’ notice of privacy practices
  • Creation of a safe harbor for good faith sharing of PHI for purposes of care coordination or case management
  • Sharing protected health information without a patient’s authorization for treatment, payment, and health care operations
  • The lowest necessary standard/requirement.

While the RFI is likely to be applied, there are no guarantees that any of the comments sent in will lead to HIPAA rule amendments.