HIPAA Year in Review

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

HIPAA experienced yet another year of attention, questioning, and enforcement. The issues that arose in 2019 were not necessarily new, though arguably approaches are beginning to change. Getting a handle on the issues may provide a means for better adherence to the privacy and security principles contained in HIPAA and for improving overall operations.

From the enforcement perspective, 2019 saw the first two settlements involving the individual right to access as well as settlements based on more of the same. As would be expected, the two settlements for failure to grant access to records fulfilled long-stated promises that individual rights would garner more attention from the Office for Civil Rights. The first right of access settlement centered on not honoring an individual’s request, giving that individual’s attorney a difficult time, and taking almost a year in total to finally provide the complete record. The first settlement generated a significant amount of attention since problems around right of access have long been known, but without any serious action taken to hold organizations accountable for non-compliance. As a fundamental matter, right of access complaints often account for a big portion of the complaints filed with OCR each year. Despite that reality, all resolutions previously occurred through technical advice and guidance to the entity not living up to its responsibility to provide access.

On the point of technical guidance in the background, failure to adequately follow that guidance played into the second settlement based upon failure to provide access. In the second case, an individual requested access to records in an electronic format. As happens too often, the request was not honored in a sufficient amount of time, nor were the records provided in the requested format. After the first failure, OCR provided guidance on how to respond to the request. Despite the technical assistance, the entity still failed to provide access in the manner requested. The potential outcome from the second settlement is that, barring a really bad set of facts, OCR will continue to pursue technical assistance as the means of resolving access issues, but could use the threat of a monetary settlement if its advice is not followed. Requiring an individual to jump through so many hoops may not be ideal from the individual’s perspective, as it represents only a small incremental step forward.

The timing of the settlements is intriguing given the amount of focus placed on the right of access by outside efforts. Notably, Ciitizen Health, a newer startup, published a scorecard that rates organizations on adherence to right of access requirements. Results are a bit all over the place, which is likely not that surprising. Another effort, Unblock Health, was also started to increase awareness around access and improve individual understanding (an issue touched upon in a Healthcare de Jure episode with Grace Cordovano from Enlightening Results). The confluence of these events suggests that pressure will continue to be exerted, which will pick up new dimensions when the pending information blocking rule is finalized.

Another aspect of the second access settlement is an entity either ignoring or not agreeing with statements from OCR. The second right of access settlement included a hint of not following OCR’s guidance, but the issue was even more prominent in the settlement with Sentara Hospitals. In the Sentara settlement, OCR emphasized that it believed the scope of a breach was broader than reported by Sentara and explained why the breach applied to more people than was reported. Despite the undoubtedly polite request from OCR to send a breach notification to more individuals, Sentara refused. The refusal underscored a disagreement as to what constituted a breach. While some regulatory questions and analyses can result in honest differences of opinion, if OCR says that a breach occurred and notification is necessary, that is not a time to argue. A less risky approach is to bite one’s tongue and do what is asked. The alternative is being made a headline and paying money to OCR.

Paying appropriate attention to security settings represented a common thread among settlements as well. Two of the first settlements in 2019 focused on not setting up systems well, which left information exposed. While technology cannot necessarily assure that data will be secure at all points in time, the potential compromise should not be encouraged by leaving the proverbial front door open. Not taking the basic step of activating all available controls equates to introducing unnecessary risk in a scenario where enough exist without any help.

Beyond the settlement landscape, another significant development for HIPAA was the debate over whether it contains adequate measures to protect the privacy of health information. The impetus for the debate was an announced agreement between Google and Ascension Health that would see Google host a good bulk of Ascension’s health information as well as grant access to that data for development purposes. Debating how HIPAA allows data to be used is important, but it also overlooks that data have been shared with many partners for years, as the treatment, payment, and health care operations definitions drive the use and disclosure of a lot of health information. One of the newer permutations to the setup is the participation of big technology companies and other companies that were not traditionally in the healthcare space. Getting into healthcare for the first time can be challenging, especially if an organization is used to ingesting and manipulating large amounts of data without much, if any, restriction previously. Challenges, however, can be addressed and overcome.

The arguably bigger question is whether HIPAA, as currently constructed, fully aligns with a more digital world and one where health information is created and used daily by organizations not subject to HIPAA’s requirements. Should a comprehensive privacy system (such as the European Union’s General Data Protection Regulation) be implemented to avoid piecemeal, at best, privacy protections? Whether a comprehensive privacy system is needed will remain an ongoing consideration, as neither the answer to the question nor the means of structuring the answer can be finalized easily. Reasonable minds will differ, and accounting for all interests without creating unintentional barriers or hindering desirable development will not be simple. Ultimately, any new privacy regime will drive a shift in thinking from current efforts. While the process of getting to a new system proceeds, it is essential to fully understand the current system. It is fully acknowledged that HIPAA was drafted and passed prior to the development or availability of current technology, but that does not mean co-existence is impossible. From that perspective, transparent, honest dialogue coupled with bringing multiple perspectives into the discussion may lessen or remove issues that only existed because of misplaced preconceptions.

A request for information opened by the Department of Health and Human Services at the beginning of 2019 offers the possibility of some changes, though. In particular, the request for information asked whether changes were needed to HIPAA to help with the transition to value-based care. While that request does not directly touch upon technology or even privacy concerns, a lot of value-based care development is connected to the implementation and utilization of new technology-based solutions. The synergies between the concepts present the opportunity for change, although limited by what is feasible absent a statutory change. Broad, sweeping changes to the regulations implementing HIPAA should not be expected, since the regulations cannot undercut or contradict the statute.

The year was an active one when it comes to HIPAA and presages continued issues and debates. Bringing light to the situation is the best outcome barring a change in the law or regulations. No one benefits from private griping or frustration. To the contrary, collaboration and coordination are good paths to follow. What will 2020 bring? Only time will tell.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.