HHS is set to start the long process of revising HIPAA rules to better enable a switch from fee-for-service medicine to value-based care, which requires significant sharing of protected health information (PHI) for purposes of care coordination, outcomes research and quality improvement. But even as this process goes forward, provider organizations are struggling with ways to comply with current regulations while still working with payers eager to move to value-based contracts and risk-sharing initiatives.
The HHS request for information (RFI), which has been sent to the Office of Management and Budget (OMB) for review before publication, will ask whether there are provisions of HIPAA that present barriers to coordinated care. Dena Castricone, chair of the privacy and cybersecurity group at law firm Murtha Cullina LLP in New Haven, Connecticut, tells RPP that the major issue the RFI will seek to address is data-sharing as it relates to highly collaborative value-based care models.
“While HIPAA generally permits the sharing of protected health information for treatment purposes and health care operations, the existing regulatory definitions of each can act as a barrier under certain circumstances,” Castricone says. “Those definitions, along with other concepts in HIPAA, could benefit from updates that contemplate the present day reality of the more collaborative care models.”
Provider organizations and their vendors are signing agreements right now with payers that require care coordination based on information-sharing. And that has required some creative thinking and arrangements.
Deborah Gersh, national health care practice co-chair at law firm Ropes & Gray LLC in Chicago, Illinois, says discussions on the privacy implications for value-based care arrangements have been on a case-by-case basis “where we were trying to find a solution for our client.” Those solutions can be complex and require extra resources that would be better spent on care improvement activities, she says.
RFI Will Consider New Safe Harbor
Groups like the American Hospital Association (AHA) have been telling HHS for years that changes are needed to HIPAA in order to facilitate value-based care.
“The HIPAA regulation currently restricts the sharing of a patient’s medical information for ‘health care operations’ like quality assessment and improvement activities, including outcomes evaluation, or activities that relate to the evaluation of provider qualifications, competence or performance, to information about those patients for whom both the disclosing and receiving providers have—or have had—a patient relationship,” the group said in a 2016 letter to then-President-elect Trump. “The challenge that strict regulatory prohibition poses in the integrated care setting is that patients frequently do not have a relationship with all of the providers among whom information should be coordinated.” When contacted by RPP, an AHA spokesperson said the association’s position is unchanged.
Although the Centers for Medicare & Medicaid Services (CMS) spearheaded the initial big push into value-based care with primary care-based Medicare programs, especially the Medicare Shared Savings Program, private insurers have taken up the mantle and are implementing innovative care and payment arrangements based on the so-called Triple Aim: improved quality, cost and satisfaction. And it’s private sector value-based arrangements that run into HIPAA roadblocks.
To realize the benefits of value-based care, all participating providers need to be able to share data and conduct population-based data analyses, AHA says. “The HIPAA medical privacy regulation enforced by the Office for Civil Rights should permit a patient’s medical information to be used by and disclosed to all participating providers in an integrated care setting without requiring that individual patients have a direct relationship with all of the organizations and providers that technically ‘use’ and have access to the data.”
An RFI is the first stage in what likely will be a four-step process before any regulation is final. Typically an RIF is followed by an advance notice of proposed rulemaking, then a notice of proposed rulemaking, and ultimately a final rule. OMB review is required at all stages of the process.
According to the synopsis of the document sent to OMB for review, the RFI would specifically seek comment on a number of topics:
-
Methods of accounting of all disclosures of a patient’s PHI.
-
Patients’ acknowledgment of receipt of a provider’s notice of privacy practices.
-
Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management.
-
Disclosures of PHI without a patient’s authorization for treatment, payment and health care operations.
-
The minimum necessary standard/requirement.
Under HIPAA, and depending on the nature of the care coordination, these activities are sometimes considered “treatment” and other times are considered a health care operation function, with such services being provided by a business associate (BA), Gersh says. This has the potential to create additional burdens on the BA care coordinator, because the use and disclosure of patient data can be subject to restrictions imposed under its business associate agreement (BAA) with the covered entity (CE), she says.
Gersh adds that there’s room in the regulations for a better definition of care coordination that would allow those BA care coordinators to be considered health care workforce members. “Workforce” in HIPAA could be expanded to include people not currently covered in that definition and who also aren’t considered to be BAs, she says.
