HIPAA Progress: Incremental or By a Leap?

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure (#HCdeJure)

After a somewhat longer delay than was initially expected, the Department of Health and Human Services released a proposed rule to change pieces of HIPAA. The proposed rule is the outcome of a request for information that closed in February of 2019, in which HHS posed a number of questions mostly focused on how HIPAA interacts with value-based care goals. The request aligned with other questions at the time as to whether restrictions on the flow of data were preventing the overarching goals of alignment and coordination from being fulfilled.

Since the request for information was issued, other events clearly occurred (not actually referring to COVID-19) that emphasized perceived limitations or introduced new expectations. The events include a string of settlements for denials of the right of access along with a clear desire to facilitate access. Opening up access has also been driven forward (at least in regulatory text) by the final interoperability and information blocking rules promulgated as a result of the 21st Century Cures Act. The attention to those issues directly connects to the right of access that has existed for years in the HIPAA Privacy Rule, but that was an area that did not really get much attention in the request for information.

With all of the background information of how the proposed rule came to be, the actual contents arguably do not meet expectations of being a sea change to HIPAA. Instead, the proposed rule is largely composed of incremental bits of change that codify longstanding behaviors or attempt to remove arguable gray areas.

Right of Access
The right of access gets what feels to be primary billing in the proposed rule. A lot of time and attention is given to highlighting what HHS sees as shortcomings in compliance, ranging from not providing information quickly enough to throwing up many barriers to a request even being made, let alone accepted. Attempting to remove or reduce those barriers, the proposed rule shortens the length of time in which an organization must respond and seeks to have unreasonable burdens removed from the request itself.

Shortening the response time clearly aligns with other changes, most notably the information blocking rule. If information must be promptly available through portals and other interfaces as a result of the information blocking rule, then having to wait 30 days to get a request for access fulfilled makes even less sense. The government is staking out a position that electronic information should be readily accessible and should not require a significant period of time to gather and present. Even if that is not actually true at the moment, regulatory requirements of such a black-and-white nature can push the market to a place of compliance.

The more interesting proposed change centers on removing unnecessary barriers. Why should a request have to be on a particular organization’s own form? Why is notarization of a signature needed? Why must a form be submitted in person? All of these are questions posed in the proposed rule because at least one organization somewhere will impose at least one of these requirements. As should be known, none of these is required, and each can be considered a hurdle that dissuades individuals from submitting a request.

By emphasizing that unreasonable burdens cannot be placed upon individuals in requesting their own information, the proposed rule will put an official stamp onto guidance that the basic requirements set out in the regulation are really all that need to be in place. The message gets back to creating collaboration between organizations and individuals, not combative positions in which an organization creates the appearance of wanting to hold onto information to the detriment of an individual.

Care Coordination and Care Management
The second primary focus of the proposed rule is expanding definitions and uses of patient information for care coordination and care management. The twin concepts tie into the push toward value-based care, as principles of sharing and interflow of data lie under both concepts. The end goal is to create a system where all organizations involved in an individual’s care, whether traditional healthcare, community based, or other, can know what is happening with the individual and be able to act from a place of knowledge.

The conceptual point is hard to argue with, and it is easy to say that data are not shared because HIPAA is erected as an illusory barrier to the sharing. However, sharing may actually be occurring more than expected behind the scenes, especially as new models of care are crafted. The benefit of the proposed rule could be to enable more efficient creation of relationships that do not necessarily need to be constrained by covered entity to business associate or covered entity to covered entity structures. More freedom in that regard could be welcome, though it will be necessary to consider, and hopefully identify, where unintended consequences are being created.

Where is the Big Change?
As the discussion suggests, the proposed rule does not contain any singular fundamental alteration of what HIPAA does or how it governs privacy and security. Why is that the case? A change that big (which happened with the Omnibus Rule of 2013) almost always needs to be premised upon new legislation. Many original authorizing statutes do not (and likely cannot) give unfettered discretion to an agency to wholly reinterpret stated goals at any time. Instead, big updates need to go through Congress first, which can result in new overarching direction to the regulatory agencies.

If legislative change is needed, where will it come from? The beginning of a new year (2021) and the hopeful light at the end of the COVID-19 tunnel could allow attention to turn back to federal privacy legislation that establishes a national scheme similar to comprehensive privacy schemes seen in the European Union or California over the past couple of years. Even if a full privacy bill is not possible, an incremental step of covering more so-called non-traditional healthcare data, such as the information created by wearables and direct-to-consumer products, by expanding the reach of HIPAA to cover many of the new repositories where health data reside could prove helpful. Covering more of what is inarguably healthcare data that currently slides right past HIPAA would create more consistent protections for the data and set clear expectations on all. Instead of organizations attempting to avoid crossing a line from non-regulated to regulated, all could be put onto a level playing field with the same set of rules.

The argument is appealing. Expanding HIPAA also addresses a major complaint that privacy protections are inconsistent and that the inconsistency simply harms individuals. A broader privacy scheme in this direction would go to one of the concerns about the information blocking rule: that third-party applications not subject to HIPAA are able to sweep up an individual’s healthcare data, ostensibly at the individual’s request, but without the individual likely being aware of or understanding what privacy rights could be given away.

The whole discussion about why the big change is missing from the proposed rule is meant to show that real change cannot be done just by a change to regulations. Coalition building and lobbying of legislatures would be necessary along with educating on missing aspects. That all takes a lot of time and effort, so who will be up for the challenge?

Where is HIPAA Left?
Despite the potential takeaway that HIPAA is being left in a state of disrepair, that should not be the final understanding. Instead, it should be appreciated that HIPAA can and should still operate functionally and in a way that promotes the appropriate protection and use of healthcare information. Acknowledging limitations and places where advancements are possible can also underscore how well the current regulations work. The HIPAA Privacy Rule supports business functionality within the healthcare industry with a healthy balance of individual rights. The HIPAA Security Rule is flexible and creates a solid foundation for operational success, even with the bulk of the rule predating most of the major technology in current use.

If HIPAA can meet so many needs, why does it cause problems? Misunderstandings and a lack of awareness as to how HIPAA should operate are the biggest culprits. Statements about HIPAA being misapplied are easy to make and do not seem to alter the reality. If education and training are not doing their jobs, then enacting new legislation and regulations also will not solve the problem. Instead, the new laws can fall into the same traps.

Optimistically, more individuals within and outside of the healthcare industry express a desire to know how HIPAA actually works. Even if knowledge does not progress at the same rates, the side advancing more quickly can prop the other up and provide incentive to catch up or face the consequences.

What Next?
The next steps are not necessarily clear. While the future cannot be predicted, everyone can work together to make the best of the existing situation and accentuate the positive.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.