The Office for Civil Rights (OCR) is asking the public for ways to modify HIPAA regulations, specifically to drive cost savings and value, notes Jeffrey P. Drummond, JD, partner with Jackson Waller in Dallas. The changes are intended to help HIPAA mesh better with coordinated care platforms and improve care coordination, he says.
HIPAA is naturally obstructive to care coordination, Drummond says. “Any efforts at care coordination naturally assume ready exchange of patient information among providers, payors, and others involved in the care of the patient, or the patient population, while HIPAA’s focus on privacy and security generally limits information sharing,” he says. “However, as currently established, HIPAA does allow for such sharing of patient medical records, as long as the purpose of the disclosure is treatment, payment, or general healthcare operations.”
In most cases where information would or could be shared to assist with care coordination, HIPAA would allow it, Drummond says. The major problem is that too many people in the healthcare industry do not understand HIPAA and are afraid of it, Drummond says, so they refuse to share information even though HIPAA would allow it.
Another major problem is that given the combination of the Facebook and other social media platform privacy issues all over the news, as well as the daily reports of major breaches of personal and medical information, many people are too afraid their medical record privacy will be abused, he says.
“People fear for their privacy, so they don’t want their information released, even though releasing the information in an appropriate manner would actually improve their healthcare and the overall cost of healthcare,” Drummond says.
Those problems cannot be fixed by changing HIPAA, Drummond says, because as currently structured, HIPAA already should work to allow appropriate information exchange for care coordination and value-based healthcare.
“I do not see any major changes being made to HIPAA,” Drummond says. “However, given the push for regulatory change, and the need to be seen to be doing something, particularly something de-regulatory, I would expect some tinkering around the edges.”
This is what Drummond expects in future changes to HIPAA:
- minor tweaks to the definition of “healthcare operations” to clarify and possibly expand the ability to share protected health information for population health, emergencies, and value-based care initiatives;
- minor clarifications regarding “personal representatives” and when parents are (or are not) treated as such;
- specific language (more likely guidance than changes to the actual text of the regulations) addressing uses and disclosures in the mental health and substance abuse arena;
- revisions to the “accounting of disclosures” requirements (proposed regulations have been languishing there for years) to streamline the process by eliminating much of the requirement (contrary to the emphasis of HITECH to increase the requirement);
- finalization of the rule allowing individuals to share in the fines levied by OCR for a HIPAA breach;
- specific language addressing when a ransomware attack (or similar technology-driven incident) is a reportable breach.
Some commentators will ask for removal of the requirement to have patients sign to acknowledge receipt of the Notice of Privacy Practices when they first go to their doctor, Drummond says, but he does not think that actually will occur.
“It would definitely remove a noticeable burden on both providers, who have to print out notices, ask for signatures, and keep track of them. Ultimately, that’s a small burden to make sure that providers actually provide the notice, and patients have an opportunity to think about how their information is going to be used and disclosed,” he says. “Ultimately, I think they’ll leave it in place as is.”
- Jeffrey P. Drummond, JD, Partner, Jackson Waller, Dallas. Telephone: (214) 953-5781. Email: [email protected].