February 12, 2019
for Civil Rights
of Health and Human Services
Attention: RFI, RIN
H. Humphrey Building, Room 509F
Independence Avenue, S.W.
Submitted electronically through www.regulations.gov
Request for Information on Modifying HIPAA Rules to Improve Coordinated Care
Dear Director Severino:
On behalf of our 141-member hospitals and health systems, the Minnesota Hospital
Association (MHA) offers the following comments and suggestions regarding the
Department of Health and Human Services (HHS) Office of Civil Rights (OCR)
request for information (RFI) regarding changes to the Health Insurance
Portability and Accountability Act (HIPAA) rules to improve care coordination
for Minnesota’s hospitals and health systems and the patients they serve.
At the outset, MHA supports the recommendations and detailed comments submitted by
the American Hospital Association (AHA). Instead of duplicating AHA’s analysis
and suggestions, MHA’s comments will focus on the issues of most concern to
Minnesota’s hospitals and health systems.
MHA supports OCR’s interest in removing regulatory barriers
and decreasing regulatory burdens to facilitate efficient care coordination and
case management, while preserving privacy and security of protected health
information (PHI). This initiative aligns with current Centers for Medicare and
Medicaid Services’ (CMS) plans to facilitate the transformation from volume to
value-based health care while preserving
the privacy and security of PHI.
MHA seeks to highlight the importance of
reconciling HIPAA regulations and state laws when it comes to addressing PHI
and improving care coordination. Federal preemption under HIPAA, under which the HIPAA
requirements would be the prevailing nationwide standard for protecting the
privacy and security of patient information, would eliminate
overlap and redundancy to ease the regulatory burden on providers when it comes
to patient care coordination and developing value-based programs. While
we recognize that reform of the preemption framework may require involvement of
the legislative branch, we urge OCR to prioritize efforts aimed at educating
Congress about the significant burdens the lack of preemption imposes for
robust information sharing necessary for effective care coordination and/or case
management and the
transformation to value-based health care.
Section a. Promoting Information Sharing for
Treatment and Care Coordination
As health care becomes more coordinated with community-based services, care
delivery partnerships are forming beyond the clinic and hospital setting. As
such, PHI disclosures to a non-HIPAA covered entity could help the partnerships
succeed and streamline care. The Privacy Rule permits, but does not
require, covered entities to use and disclose PHI for treatment, payment and
health care operations. Hospitals and health care
providers strive to share health information to support care coordination, case
management and the transition to value-based health care when permitted
legally. Amending the privacy rules to
require covered entities to disclose PHI to other covered entities will not
promote greater information sharing for these important purposes. Additionally,
the requirement could add to the cost of care and create confusion among
MHA asks OCR and CMS to provide guidance to clearly
delineate between covered and not covered entities, and what information can be
disclosed, specifically for care coordination activities. This
will lessen confusion around who is permitted to disclose what information to whom
and promote care coordination between health care and community services
without fear of violating HIPAA regulations. Clarification could eliminate the
need to require disclosures. Clarification
would strike a balance between the goal of efficient care coordination and
apprehensions around disclosures to non-covered entities.
of the concerns related to barriers and obstacles to sharing information raised
in the RFI’s questions would be best addressed through guidance and education. Frequently, it is the lack of helpful
guidance from OCR, guidance that does more than merely repeat the language of the
regulatory text, that creates anxieties among covered entity providers about
potential noncompliance and its significant consequences and leads them to be
extremely cautious about using and disclosing patients’ information for
efficient care coordination and/or case management and to advance value-based health care. When unsure, the default
position is to not disclose or share patients’ information unless and until
individual patient authorization has been secured.
Communication between covered entities and individuals is absolutely necessary for
coordinating patient care. As covered entities interact more frequently with
patients and families, it is essential that covered entities are using
communication modes that are effective and easy to use by a very diverse
population of individuals. More and more people use text messaging, social
media, and related applications to communicate. In the HIPAA Omnibus Rule,
effective March 26, 2013, and the Individual Right of Access Guidance issued on
February 25, 2016, OCR provided some clarification on how Covered Entities and
Business Associates can communicate with individuals using unencrypted email. Covered Entities and Business Associates
would benefit greatly from additional guidance on how to properly implement
texting and other new communication technologies into their patient
communication strategies. The guidance should include any required consents
or notice requirements recommended by OCR and examples of how a Covered Entity
or Business Associate should conduct a risk assessment and risk management plan
for additional unencrypted communication modes.
MHA supports keeping the privacy rule’s
existing timeliness requirements for responding to requests for access unchanged. These
requirements, which mandate that covered entities must act on a request for
access no later than 30 days after receiving the request and provide for only
one 30-day extension of time to act on an access request (provided that the
covered entity provides a written statement of the reasons for the delay and
the date by which it will complete any action on the request), are outer
limits. In general, the 30-day time frame does not pose a
significant issue or burden on PHI record sharing from one covered entity to
another covered entity. In many instances, it may only take a few business
days to process and follow through on requests. However, for providers that use
third parties to respond to PHI requests, a shortened timeframe could place an
undue burden on providers and risk compliance. Additionally,
variations of “if/then” for the deadline to provide records to the patient and
to care providers, or for purposes of care coordination, become more complex
and challenging, especially in larger organizations with multiple legacy systems in a variety of media. The addition of multiple timeframes to electronic and paper record systems would create undue administrative burden and inefficiencies for organizations. Maintaining the current approach is preferable to amending the rule to impose different timeliness standards based on how the PHI is maintained.
MHA cautions OCR with respect to
permitting individuals to “opt out” of disclosures, such as for healthcare
operations. We offer similar guidance with respect to requiring covered
entities to get affirmative authorization from the patient before releasing
information to another provider.
Minnesota providers already operate under both of those conditions today, and
we have found it to be extraordinarily burdensome to manage and implement.
Regardless of whether the covered entity is a large hospital system or a single
practitioner, managing opt-outs and consents adds significant costs to the health
care system with very little value for our communities. In 2017, the Minnesota
Department of Health surveyed patients and providers about the burdens
associated with managing our state’s strict consent requirements. Patients
self-reported that they were not sure if their information was shared with
providers across specialty services, and families felt burdened by the
responsibility of translating medical information on behalf of loved ones.
Providers’ costs varied, but one health care system cited over $2 million a
year in training, staff time, and technology expenses solely to manage the
consent/opt-out processes. MHA recommends
that OCR not further disadvantage providers from having access to clinically
appropriate information, most especially for core functions like treatment,
payment, and healthcare operations.
Section b. Promoting Parental and Caregiver
Involvement and Addressing the Opioid Crisis and Serious Mental Illness
In the RFI, OCR encouraged covered entities,
particularly providers, to share treatment information with parents, loved
ones, and caregivers of adults facing health emergencies. This PHI would be
shared with a particular focus on the opioid crisis and treatment for substance
abuse. This provision would be related to Code of Federal Regulations 42 Part 2
(42 CFR Part 2), which applies to any individual or entity that is federally
assisted and holds itself out as providing, and provides, alcohol or drug abuse
diagnosis, treatment or referral for treatment.
MHA supports alignment of the 42 CFR Part 2 regulation with the HIPAA regulation as
the proper and effective solution to eliminating barriers to sharing of patient
information that is essential for care coordination, compatible with electronic
exchange of information and supportive of performance measurement and
improvement. Applying the same requirements to
all patient information, whether behavioral- or physical-health related, would
support the appropriate information sharing essential for clinical care
coordination and population health improvement in the current patient care
environment, where behavioral and physical health care are integrated to
produce the best outcomes for all patients.
The separate privacy structure under 42 CFR Part 2 creates challenges for the
integration of behavioral and physical health care simply because patient data
related to behavioral health cannot be handled like all other health care data.
The majority of individuals who experience a behavioral illness or substance
use disorder have a comorbid physical health condition. Additionally, primary
care has become the prevailing location for patients to receive treatment that
addresses all their health needs – behavioral as well as medical. Evidence
confirms that integrating mental health, substance-use disorder and primary
care services produces the best patient outcomes.
The requirement in the 42 CFR Part 2 regulation for individual patient consents
significantly complicates the sharing of important patient information
essential for coordinating care and population health improvement. Permitting
providers to handle and treat patient data related to behavioral health as
simply another part of a patient’s total health care data protected by HIPAA is
a critical component of a more effective approach to caring for and achieving
the best outcomes for all patients.
Providers’ clinical judgement
should be paramount in determining when and what information should be shared
with families and caregivers. MHA supports limits on parental access to PHI,
specifically in the case of disclosure of adolescent health information related
to mental health, substance use and sexual health. The disclosure of this information
is prohibited under certain state and federal regulations and it is important
to maintain these protections.
the regulations would promote efficient, integrated care while protecting and
treating all patients equally and may reduce the fear and stigma felt by
patients who receive mental health care and substance-use disorder treatment.
All patient treatment information is sensitive and should be used only for
purposes that support the individual except under the specific circumstances
outlined in law.
Section c. Accounting of Disclosures
The Health Information Technology
and Economic and Clinical Health (HITECH) Act expanded the accountability for
disclosure requirements. The OCR released a proposed rule in May 2011 that
would require covered entities that implemented an electronic health record
(EHR) to make an “access report” detailing PHI access upon request. This RFI
details OCR’s intention to withdraw the May 2011 proposed rule and asks for
suggested alternative approaches for such accountability.
MHA supports withdrawing
the proposed regulations requiring a comprehensive accounting of disclosures. An
“in-depth” investigation into PHI access is incredibly burdensome for providers
given the insurmountable level of data EHR software would need to generate.
Taking treatment as an example, to successfully provide coordinated care,
multiple departments and providers access information for care delivery. An accounting of all such access or
disclosures would be extremely voluminous and have little value to the patient.
The experiences of hospitals to-date
suggest that patients are more interested in knowing whether a specific
violation relating to their electronic medical record has occurred and getting
detailed information in response to a specific inquiry and investigation by the
hospital’s privacy and compliance staff. Patients value these investigations
because they provide information about specific violations and what appropriate
disciplinary and other measures were taken to ensure that violations do not
reoccur. A patient concerned about a future potential misuse, such as a
relative working in the hospital who may inappropriately access records, also
can use this mechanism to work with a hospital in advance to create a process
for minimizing the possibility that such inappropriate access will occur. These
processes and practices already are in place and are aimed at ensuring that
patients are getting the information they feel they need and of most value. MHA asks the OCR to
finalize the removal of this requirement, as we do not see any added value to
patients in tracking and providing this information when it is rarely
Section d. Notice of Privacy Practices
MHA is generally supportive of allowing health providers to use
the model Notice of Privacy Practice or another
form of communication that accomplishes the objectives of privacy
disclosure. For example, links on websites,
patient health record portals, booklets, etc. can replace the regulations
requiring the “good faith effort” rather than having to produce patient-signed
documentation of said efforts. MHA believes this sufficiently balances patient
notification with ample opportunities to find and access privacy information.
Section e. Additional Ways to Remove
Regulatory Obstacles and Reduce Regulatory Burdens to Facilitate Care
Coordination and Promote Value-Based Health Care Transformation
As health care providers in Minnesota, which
has a consent requirement for nearly all disclosures of PHI, including for
treatment, payment and operations, MHA’s hospital and health system members are
acutely aware of the challenging interplay between HIPAA and state privacy laws.
MHA wants to highlight to OCR that changes to HIPAA to increase
interoperability need to also take into account HIPAA’s unique preemption standard.
Currently, the HIPAA preemption standard causes HIPAA to act as a floor, and
any state privacy law that is more stringent than HIPAA shall prevail. For
states with a more stringent consent standard, such as Minnesota, OCR should,
instead of just focusing on requiring TPO disclosures, focus on whether a
broader preemption standard may achieve the interoperability goals more
efficiently. Specifically, if OCR and HHS could adjust the preemption standard
to fully preempt state privacy laws requiring consent for disclosures for
treatment, payment and health care operations, national health systems and
their technology partners could create tools and practices that are
standardized and not tailored at a state-specific level.
Alternatively, if OCR is not interested in modifying
the preemption standard, OCR nevertheless needs to account for more stringent
state laws in its assessment of the viability and practical impact of requiring
disclosures for treatment, payment and operations. Because of state laws, such
as Minnesota’s, OCR must either (a) explicitly declare that state laws that
require consent for TPO disclosures conflict with HIPAA’s future requirement of
TPO disclosures, and therefore those state laws are preempted, or (b) establish
some type of safe harbor provision for covered entities in instances where
disclosing TPO information would violate state and/or other federal law in the
absence of a patient’s consent.
As always, we appreciate the opportunity to respond to OCR as it considers modifying HIPAA rules to improve care
coordination. If you have any questions, please feel free to contact Mark
Sonneborn at firstname.lastname@example.org
or Briana Nord Parish at email@example.com.
Vice President, Health Information and Analytics
Briana Nord Parish
Director of Policy