Minnesota Hospital Association

Rules, Regulations and Comments

The Minnesota Hospital Association continually monitors state and federal rules and regulations to keep members informed and advocates on behalf of members regarding the impact of regulations on the state’s hospitals and health systems. MHA submits comment letters to share recommendations and feedback with the appropriate government organizations and health care stakeholders. Examples of rules and regulations that MHA addresses include those implementing federal or state health care reform efforts, changing payment methodologies, establishing community benefit or other standards for tax-exempt organizations, or modifying government oversight of health care activities.

February 12, 2019

MHA comments on the OCR RFI on Modifying HIPAA Rules to Improve Coordinated Care

The Honorable Roger Severino
Office for Civil Rights
Department of Health and Human Services
Attention: RFI, RIN 0945-AA00
Hubert H. Humphrey Building, Room 509F
200 Independence Avenue, S.W.
Washington, DC 20201

Submitted electronically through www.regulations.gov  
RE: HHS-OCR-0945-AA00; Request for Information on Modifying HIPAA Rules to Improve Coordinated Care   

Dear Director Severino:

On behalf of our 141 member hospitals and health systems, the Minnesota Hospital Association (MHA) offers the following comments and suggestions regarding the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) request for information (RFI) regarding changes to the Health Insurance Portability and Accountability Act (HIPAA) rules to improve care coordination for Minnesota’s hospitals and health systems and the patients they serve.

At the outset, MHA supports the recommendations and detailed comments submitted by the American Hospital Association (AHA). Instead of duplicating AHA’s analysis and suggestions, MHA’s comments will focus on the issues of most concern to Minnesota’s hospitals and health systems.   

MHA supports OCR’s interest in removing regulatory barriers and decreasing regulatory burdens to facilitate efficient care coordination and case management, while preserving privacy and security of protected health information (PHI). This initiative aligns with current Centers for Medicare and Medicaid Services’ (CMS) plans to facilitate the transformation from volume to value-based health care while preserving the privacy and security of PHI.   

MHA seeks to highlight the importance of reconciling HIPAA regulations and state laws when it comes to addressing PHI and improving care coordination. Federal preemption under HIPAA, under which the HIPAA requirements would be the prevailing nationwide standard for protecting the privacy and security of patient information, would eliminate overlap and redundancy to ease the regulatory burden on providers when it comes to patient care coordination and developing value-based programs. While we recognize that reform of the preemption framework may require involvement of the legislative branch, we urge OCR to prioritize efforts aimed at educating Congress about the significant burdens the lack of preemption imposes for robust information sharing necessary for effective care coordination and/or case management and the transformation to value-based health care.

Section a. Promoting Information Sharing for Treatment and Care Coordination  
As health care becomes more coordinated with community-based services, care delivery partnerships are forming beyond the clinic and hospital setting. As such, PHI disclosures to a non-HIPAA covered entity could help the partnerships and streamline care to be successful. The Privacy Rule permits, but does not require, covered entities to use and disclose PHI for treatment, payment and health care operations. Hospitals and health care providers strive to share health information to support care coordination, case management and the transition to value-based health care when permitted legally. Amending the privacy rules to require covered entities to disclose PHI to other covered entities will not promote greater information sharing for these important purposes. Additionally, the requirement could add to the cost of care and create confusion among stakeholders.   

MHA asks OCR and CMS to provide guidance to clearly delineate between covered and not covered entities, and what information can be disclosed, specifically for care coordination activities. This will lessen confusion around who is permitted to disclose what information to whom and promote care coordination between health care and community services without fear of violating HIPAA regulations. Clarification could eliminate the need to require disclosures. Clarification would strike a balance between the goal of efficient care coordination and apprehensions around disclosures to non-covered entities.    

Many of the concerns related to barriers and obstacles to sharing information raised in the RFI’s questions would be best addressed through guidance and education. Frequently, it is the lack of helpful guidance from OCR that does more than merely repeat the language of the regulatory text that creates anxieties among covered entity providers about potential noncompliance and its significant consequences that leads them to be extremely cautious about using and disclosing patients’ information for efficient care coordination and/or case management and to advance value-based health care. When unsure, the default position is to not disclose or share patients’ information unless and until individual patient authorization has been secured.   

Communication between covered entities and individuals is absolutely necessary for coordinating patient care. As covered entities interact more frequently with patients and families, it is essential that covered entities are using communication modes that are effective and easy to use by a very diverse population of individuals. More and more people use text messaging, social media, and related applications to communicate. In the HIPAA Omnibus Rule, effective March 26, 2013, and the Individual Right of Access Guidance issued on February 25, 2016, OCR provided some clarification on how Covered Entities and Business Associates can communicate with individuals using unencrypted email. Covered Entities and Business Associates would benefit greatly from additional guidance on how to properly implement texting and other new communication technologies into their patient communication strategies. The guidance should include any required consents or notice requirements recommended by OCR and examples of how a Covered Entity or Business Associate should conduct a risk assessment and risk management plan for additional unencrypted communication modes.    

MHA supports keeping the privacy rule’s existing timeliness requirements for responding to requests for access unchanged. These requirements, which mandate that covered entities must act on a request for access no later than 30 days after receiving the request and provide for only one 30-day extension of time to act on an access request (provided that the covered entity provides a written statement of the reasons for the delay and the date by which it will complete any action on the request), are outer limits. In general, the 30-day time frame does not pose a significant issue or burden on PHI record sharing from one covered entity to another covered entity. In many instances, it may only take a few business days to process and follow through on requests. However, for providers that use third parties to respond to PHI requests, a shortened timeframe could place an undue burden on providers and risk compliance. Additionally, variations of “if/then” for the deadline to provide records to the patient and to care providers, or for purposes of care coordination, become more complex and challenging, especially in larger organizations with multiple legacy systems in a variety of media. The addition of multiple timeframes to electronic and paper record systems would create undue administrative burden and inefficiencies for organizations. Maintaining the current approach is preferable to amending the rule to impose different timeliness standards based on how the PHI is maintained.

MHA cautions OCR with respect to permitting individuals to “opt out” of disclosures, such as for healthcare operations. We offer similar guidance with respect to requiring covered entities to get affirmative authorization from the patient before releasing information to another provider. Minnesota providers already operate under both of those conditions today, and we have found it to be extraordinarily burdensome to manage and implement. Regardless of whether the covered entity is a large hospital system or a single practitioner, managing opt-outs and consents adds significant costs to the health care system with very little value for our communities. In 2017, the Minnesota Department of Health surveyed patients and providers about the burdens associated with managing our state’s strict consent requirements. Patients self-reported that they were not sure if their information was shared with providers across specialty services, and families felt burdened by the responsibility of translating medical information on behalf of loved ones. Providers’ costs varied, but one health care system cited over $2 million a year in training, staff time, and technology expenses solely to manage the consent/opt-out processes. MHA recommends that OCR not further disadvantage providers from having access to clinically appropriate information, most especially for core functions like treatment, payment, and healthcare operations.

Section b. Promoting Parental and Caregiver Involvement and Addressing the Opioid Crisis and Serious Mental Illness  
In the RFI, OCR encouraged covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies. This PHI would be shared with a particular focus on the opioid crisis and treatment for substance abuse. This provision would be related to Code of Federal Regulations 42 Part 2 (42 CFR Part 2), which applies to any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment.

MHA supports alignment of the 42 CFR Part 2 regulation with the HIPAA regulation as the proper and effective solution to eliminating barriers to sharing of patient information that is essential for care coordination, compatible with electronic exchange of information and supportive of performance measurement and improvement. Applying the same requirements to all patient information, whether behavioral- or physical-health related, would support the appropriate information sharing essential for clinical care coordination and population health improvement in the current patient care environment, where behavioral and physical health care are integrated to produce the best outcomes for all patients.   

The separate privacy structure under 42 CFR Part 2 creates challenges for the integration of behavioral and physical health care simply because patient data related to behavioral health cannot be handled like all other health care data. The majority of individuals who experience a behavioral illness or substance use disorder have a comorbid physical health condition. Additionally, primary care has become the prevailing location for patients to receive treatment that addresses all their health needs – behavioral as well as medical. Evidence confirms that integrating mental health, substance-use disorder and primary care services produces the best patient outcomes.

The requirement in the 42 CFR Part 2 regulation for individual patient consents significantly complicates the sharing of important patient information essential for coordinating care and population health improvement. Permitting providers to handle and treat patient data related to behavioral health as simply another part of a patient’s total health care data protected by HIPAA is a critical component of a more effective approach to caring for and achieving the best outcomes for all patients.   

Providers’ clinical judgement should be paramount in determining when and what information should be shared with families and caregivers. MHA supports limits on parental access to PHI, specifically in the case of disclosure of adolescent health information related to mental health, substance use and sexual health. The disclosure of this information is prohibited under certain state and federal regulations and it is important to maintain these protections.   

Aligning the regulations would promote efficient, integrated care while protecting and treating all patients equally and may reduce the fear and stigma felt by patients who receive mental health care and substance-use disorder treatment. All patient treatment information is sensitive and should be used only for purposes that support the individual except under the specific circumstances outlined in law.   

Section c. Accounting of Disclosures  
The Health Information Technology and Economic and Clinical Health (HITECH) Act expanded the accountability for disclosure requirements. The OCR released a proposed rule in May 2011 that would require covered entities that implemented an electronic health record (EHR) to make an “access report” detailing PHI access upon request. This RFI details OCR’s intention to withdraw from the May proposed rule and asks for suggested alternative approaches for such accountability.    

MHA supports withdrawing the proposed regulations requiring a comprehensive accounting of disclosures. An “in-depth” investigation into PHI access is incredibly burdensome for providers given the insurmountable level of data EHR software would need to generate. Taking treatment as an example, to successfully provide coordinated care, multiple departments and providers access information for care delivery. An accounting of all such access or disclosures would be extremely voluminous and have little value to the patient.   

The experiences of hospitals to date suggest that patients are more interested in knowing whether a specific violation relating to their electronic medical record has occurred and getting detailed information in response to a specific inquiry and investigation by the hospital’s privacy and compliance staff. Patients value these investigations because they provide information about specific violations and what appropriate disciplinary and other measures were taken to ensure that violations do not reoccur. A patient concerned about a future potential misuse, such as a relative working in the hospital who may inappropriately access records, also can use this mechanism to work with a hospital in advance to create a process for minimizing the possibility that such inappropriate access will occur. These processes and practices already are in place and are aimed at ensuring that patients are getting the information they feel they need and of most value. MHA asks the OCR to finalize the removal of this requirement, as we do not see any added value to patients in tracking and providing this information when it is rarely requested.

Section d. Notice of Privacy Practices  
MHA is generally supportive of allowing health providers to use the model Notice of Privacy Practice or another form of communication that accomplishes the objectives of privacy disclosure. For example, links on websites, patient health record portals, booklets, etc. can replace the regulations requiring the “good faith effort” rather than having to produce patient-signed documentation of said efforts. MHA believes this sufficiently balances patient notification with ample opportunities to find and access privacy information.

Section e. Additional Ways to Remove Regulatory Obstacles and Reduce Regulatory Burdens to Facilitate Care Coordination and Promote Value-Based Health Care Transformation  
As health care providers in Minnesota, which has a consent requirement for nearly all disclosures of PHI, including for treatment, payment and operations, MHA’s hospital and health system members are acutely aware of the challenging interplay between HIPAA and state privacy laws. MHA wants to highlight to OCR that changes to HIPAA to increase interoperability need to also take into account HIPAA’s unique preemption standard. Currently, the HIPAA preemption standard causes HIPAA to act as a floor, and any state privacy law that is more stringent than HIPAA shall prevail. For states with a more stringent consent standard, such as Minnesota, OCR should, instead of just focusing on requiring TPO disclosures, focus on whether a broader preemption standard may achieve the interoperability goals more efficiently. Specifically, if OCR and HHS could adjust the preemption standard to fully preempt state privacy laws requiring consent for disclosures for treatment, payment and health care operations, national health systems and their technology partners could create tools and practices that are standardized and not tailored at a state-specific level.   

Alternatively, if OCR is not interested in modifying the preemption standard, OCR nevertheless needs to account for more stringent state laws in its assessment of the viability and practical impact of requiring disclosures for treatment, payment and operations. Because of state laws, such as Minnesota’s, OCR must either (a) explicitly declare that state laws that require consent for TPO disclosures conflict with HIPAA’s future requirement of TPO disclosures, and therefore those state laws are preempted, or (b) establish some type of safe harbor provision for covered entities in instances where disclosing TPO information would violate state and/or other federal law in the absence of a patient’s consent.

As always, we appreciate the opportunity to respond to OCR as it considers modifying HIPAA rules to improve care coordination. If you have any questions, please feel free to contact Mark Sonneborn at msonneborn@mnhospitals.org or Briana Nord Parish at bnordparish@mnhospitals.org.


Mark Sonneborn
Vice President, Health Information and Analytics

Briana Nord Parish
Director of Policy