Next Up is the HIPAA Burden

William HymanWilliam A. Hyman
Professor Emeritus, Biomedical Engineering
Texas A&M University, w-hyman@tamu.edu
Read other articles by this author

In the continued theme of easing burdens previously created, HHS now wants to know, via a Request for Information, how HIPAA rules “may impede the transformation to value-based health care” or “limit or discourage coordinated care among individuals and covered entities without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information (PHI)”. Through the Office of Civil Rights (OCR) HHS wants to know about provisions of the HIPAA rules that may present obstacles to, or place unnecessary burdens on, the ability of covered entities and business associates to conduct care coordination and/or case management, or that may inhibit the transformation of the health care system to a value-based health care system. Note that these functions are generally thought to need sharing of information which is exactly what HIPAA restricts.

OCR asks about what modifications to the rules would promote information sharing. Ironically it is suggested that the rules could be changed from restriction to encouraging, incentivizing, or requiring covered entities to disclose PHI to other covered entities. In other words we created rules to stop you from sharing but now we are going to make you. “Requiring” should set off burden alarm bells since require always creates burdens. Additionally, covered entities might be encouraged to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis. This sound to me like a distinct loss of privacy unless the patient has given appropriate and specific informed consent. As an aside, I recently learned that more people die from alcohol related issues than die from opioids, but what is a crisis has rarely had a rational basis.

Other rule modifications might include implementing the HITECH Act requirement to provide helpful information to individuals from their EHR, to minimize regulatory burdens and disincentives to the adoption and use of interoperable EHRs, and eliminating or modifying the requirement to obtain written acknowledgment of receipt of a providers’ Notice of Privacy Practices. The latter would be intended to reduce burden and free up resources to devote to coordinated care, but without compromising transparency or an individual’s awareness of his or her rights. The first part suggests that there are requirements of the HIPAA Act (of 1996) that have not yet been implemented. The second part notes the continuing challenge of moving patient data between EHRs. The last part reflects that discovery that paperwork burdens can detract from care.

These topics are elaborated on in 32 pages of discussion and questions. Promoting information sharing has 21 questions, parent and caregiver involvement 5, accounting of disclosures 16, and privacy disclosures 12. One might wonder about the burden associated with digesting and responding to this effort to reduce burdens.

Comments are due by February 11, 2019.