There's broad industry support for revamping the U.S.' decades-old health privacy law to encourage patient access and care coordination, but provider groups are deeply worried about unintended consequences for the privacy and security of sensitive medical information if it becomes more widely available, about implementing the changes during COVID-19, and about squaring them with other data blocking regulations.
"We question the need for these changes, particularly at this time," the American Medical Association wrote in its letter to HHS Office of Civil Rights. The physician group noted practices are currently making major changes to their IT and data exchange processes to come into compliance with two sweeping rules promoting interoperability finalized last year, and continue to face significant overhead from COVID-19.
"We urge OCR to reconsider implementing a massive change to patient privacy laws in the midst of this transition," the group wrote.
If finalized, the Trump-era rule, which received more than 1,400 comments, would loosen a number of long-held standards for the privacy of protected health information under the Health Insurance Portability and Accountability Act passed in 1996.
That would make it easier for providers to disclose information during emergencies and coordinate care with health companies and patients' families and caregivers.
Though supportive of the effort, provider groups said they are concerned the changes as proposed would result in too much information sharing, which could have a big impact on privacy and could create or exacerbate inequities in care. The proposal would make it significantly easier for third parties, including app developers, to access sensitive health data.
AMA agreed with the proposal that covered entities be prohibited from imposing requirements on patients requesting that PHI be sent to a third party, but said some safeguards exist for a reason. The association urged regulators to withdraw the mandate requiring covered entities to act on oral requests to share electronic PHI with third parties and instead to keep the requirement for written instructions, to ensure data is sent to the right recipients.
"The AMA strongly opposes the finalization of any policies expanding the current ability of covered entities — or any other type of entity, including smartphone apps and third parties — to override an individual's privacy preferences," AMA wrote.
The Association of American Medical Colleges suggested third parties should need to be certified as meeting minimum security standards before data can be shared, and that providers should have more discretion in whether or not they send PHI to third parties.
Health IT groups also aired concerns about the ramifications of allowing covered entities to transmit electronic information to apps, without requiring the apps to include privacy and security controls or sign business associate agreements.
Additionally, allowing patients to direct copies of their PHI to third parties could place additional burden on providers in terms of labor and costs, and raises security issues, the College of Healthcare Information Management Executives (CHIME), which represents health IT leaders, said.
Providers said they should be allowed to charge a cost-based fee in cases where a patient wants them to transmit an electronic copy of PHI in an EHR, or a physical copy of PHI through a non-internet-based method, to a third party.
And clinicians should be able to use their professional judgment in deciding when to allow patients to take photos or videos of their PHI, providers argued. Giving patients blanket permission to record data during a visit is overly prescriptive, and could result in "unreasonable workflow disruptions" for providers, the Medical Group Management Association, which represents more than 15,000 U.S. practices, said.
However, the Healthcare Information and Management Systems Society said it was supportive of the HIPAA modifications, including straightforward guidance for providers to transfer PHI at a patient's request, calling it more efficient. HIMSS also said it supports patients' ability to take notes, video or photos of their PHI at the point of care, though it said it is imperative to educate patients and providers that this is the case.
"OCR's policy changes in this area are overwhelmingly positive," HIMSS wrote.
Provider groups also took issue with a proposal to shorten the window for responding to a person's request for access. Currently, providers have 30 days, plus an optional 30-day extension, but the proposed rule would require HIPAA-covered entities to respond "as soon as practicable," and no later than 15 days in most cases.
"Shortening this timeline in the current environment would make compliance infeasible for many medical groups and disproportionately penalize small and independent practices," MGMA said. "Shortening the timeline to 15 calendar days would create a de facto priority to meet every request as quickly as possible, which may prohibit practices from timely responding to requests that are actually urgent or emergent in nature."
IT vendors were split on shortening the window, with HIMSS calling 15 days a "reasonable measure of timeliness" for a request. But CHIME commented the reduction "will not always be feasible and could add costs to the healthcare system," suggesting regulators should document exceptions.
Organizations should continue to have 30 days given the variation in technology and records required to move data, WEDI, a group advising HHS on health IT, commented.
And should HHS finalize the proposed rule, industry stakeholders asked the agency to publicize how it plans to educate covered entities about the scope of changes required to implement the regulations, particularly given the significant overlap with the information blocking regulations and regulations on the confidentiality of patients' substance use disorder records, and HIPAA's complex nature.
"A common regulatory framework (including terms and definitions) will improve compliance and reduce operational burden on providers subject to these rules and reduce confusion for patients," AAMC wrote. "We urge HHS to provide detailed and integrated guidance to providers that accounts for the different HHS rules governing health information exchange that providers may be subject to."
And HIPAA alone isn't enough to protect medical data in today's information economy, IT groups warned, joining providers in calls to harmonize the regulations with other federal privacy regulations.
"The lack of educational awareness as well as the lack of clarity regarding the scope of HIPAA, who is obligated to abide by HIPAA, as well as how it is interpreted, enforced, and intersects with other privacy laws has created significant gaps in compliance and enforcement," HIMSS said. "Our nation needs a comprehensive health privacy law that encompasses all these issues from a broader perspective and one that is implementable."