AHA responds to OCR’s December request for information, recommends education and guidance
The American Hospital Association (AHA) released a letter on February 12 in response to HHS’ request for information (RFI) on modifying HIPAA rules to improve coordinated care, calling for more training and education as opposed to regulatory changes.
While supporting the reduction of regulatory burdens that may impede coordinated care, the AHA stated that, “we believe that many of the concerns related to barriers and obstacles to sharing information the RFI’s questions raise would be best addressed through guidance and education.” The AHA added that the current HIPAA framework is generally effective for sharing patient information for treatment, payment, and healthcare operations without creating significant obstacles.
One change the AHA did support is full federal preemption under HIPAA, which would allow HIPAA to preempt other federal or state laws that require patient information to be handled differently. The AHA pointed specifically to 42 CFR Part 2, a privacy regulation more stringent than HIPAA that falls under the jurisdiction of the Substance Abuse and Mental Health Services Administration and that governs the records of patients with substance use disorder who are treated at federally assisted Part 2 programs.
In its letter, the AHA wrote that differing privacy requirements hinder providers who need to share information from using a common electronic health record. The AHA also reiterated its position that 42 CFR Part 2 should be aligned with HIPAA so that the same privacy requirements apply to all patient information.
The AHA did not support amending the HIPAA Privacy Rule to require covered entities (CEs) to share information with other CEs. HIPAA already permits patient information to be shared in the course of healthcare operations, and the AHA acknowledged that in today’s clinically integrated settings, patients may not have a direct relationship with every provider that has access to their information, for example to conduct a population-based analysis. Nevertheless, the AHA wrote, because all providers in an integrated setting should be accountable to all of its patients, nothing in the current privacy regulation prohibits such information sharing.
Regarding the opioid crisis and serious mental illness, the AHA requested more guidance from the Office for Civil Rights (OCR) on the existing requirements for permissible uses and disclosures of patient information. In particular, the AHA asked OCR for guidance that would let provider CEs know when they are complying with the minimum necessary standard while sharing information with a patient’s family, friends, or other caregivers.
Other highlights from the letter include the AHA’s support for OCR’s withdrawal of an earlier proposal to establish an individual’s right to an access report, which would have accounted for each time a patient’s record was accessed. The AHA stated that such a report would place a substantial burden on hospitals and other CEs and that patients are already informed in other ways about how their information is used. The AHA also endorsed eliminating the requirement that healthcare providers make a good faith effort to obtain an individual’s acknowledgement of receipt of the provider’s notice of privacy practices.
The AHA also suggested that, because the HITECH Act made business associates (BAs) directly liable for HIPAA compliance, OCR should consider whether the requirement for CEs to obtain a business associate agreement, including detailed provisions that already apply directly to the BA, is still necessary.
In addition, the AHA suggested that OCR consider ways to develop a safe harbor for HIPAA CEs that have demonstrated compliance with cybersecurity best practices. The AHA also raised a concern about the growing number of commercial apps that are not CEs: as information from CEs flows into those non-covered apps, patients may not realize that a commercial company could mine or sell the personal health data they enter. Patients may instead hold the provider CE responsible for that data, placing an undue burden on provider CEs. The AHA suggested that OCR work with other consumer protection agencies to address this issue and, in doing so, consider what obligations HIPAA CEs should have.