- When it comes to amending HIPAA to keep pace with movement toward paying for value, provider and hospital groups are encouraging baby steps — not major change. In response to a request for information from HHS, the organizations were cautious of any requirements that they share information more widely.
- The RFI, posted in December, sought ideas on how HIPAA could be amended to improve care coordination. The broad request asked for ideas on what protected personal health information (PHI) covered entities should be expected to share as well as technical capabilities for doing so.
- In comments due Tuesday, the American Hospital Association, American Medical Association and others were adamant that providers should not be required to disclose PHI to other covered entities and that the current window for responding to requests for record access should not be changed.
Provider groups frequently expressed worry that new requirements or changes to existing ones would put additional administrative burden on healthcare workers — which HHS in the Trump administration has adamantly opposed.
In its comments, AHA said it maintains support for full federal preemption under HIPAA, as opposed to a patchwork of state regulations that can supersede the rule, but recognized that would require intervention of Congress. The group pushed back against punitive measures related the the rule and said concerns relayed in the RFI would be best addressed by more guidance and education.
"Frequently, it is the lack of such guidance from the Office for Civil Rights (OCR) that does more than repeat the language of the regulatory text that can create anxieties among covered entity providers about potential noncompliance and its significant consequences that leads them to be extremely cautious about using and disclosing patients' information for efficient care coordination and/or case management and to advance value-based health care," AHA wrote.
Roy Wyman, a partner at Nelson Mullins, told Healthcare Dive he's not surprised providers are pushing back on changes to the privacy rule. They tend to look at privacy and health information in terms of ownership, and oppose being forced to share it. That metaphor becomes more misleading, however, as technology like blockchain make information distribution easier and faster, he said.
"While regulations can change frequently, the basic way we view the world can be slow to change," Wyman said. "I expect that there will be significant tension between how providers tend to see the world, and what the regulations demand, for some time."
AMA said that it supports the goals of care coordination and proper case management, but warned against putting speed over privacy and suggested using "education and positive incentives — not requirements."
AMA also said it is not the case the use of APIs will unleash a free flow of information and said, "HHS must manage expectations about what information a patient can actually access through an EHR app or patient portal."
This is in contrast to the picture HHS put forward earlier this week in releasing long-awaiting rulemaking on interoperability and information blocking regulations. In a call with reporters ONC Coordinator Don Rucker touted standardized APIs as "a major effort to get patients able to access their patient records and control their care."
The Medical Group Management Association said it opposes disclosures for treatment, payment and operations, saying disclosing that information "would be excessively burdensome and unnecessary" because current EHRs can't produce the reports and few patients ask for them.
The group also argued the current maximum response time of 30 days is needed because of the "tremendous variation" between practices in format and location of medical records.
In addition, MGMA opposes any mandate for a covered provider to disclose PHI to another covered entity, regardless of purpose. "Requiring practices to share information that could be in opposition to the wishes or stipulations of a patient could supersede medical decision-making and clearly removes the right of the patient to control who has access to their health information," the group wrote.
When it put out the RFI, HHS also brought up the ongoing opioid crisis. HHS Deputy Secretary Eric Hargan said in a statement at the time the department had "heard stories about how the Privacy Rules can get in the way of patients and families getting the help they need."
But AMA disagrees with that characterization, stating flatly in its comments: "Changes to the Privacy Rule are not needed to address the opioid epidemic."
AHA, AMA and MGMA also pushed back against punishment for providers when PHI is inappropriately disclosed.