The American Medical Association penned a letter Feb. 8 to officials at HHS' Office for Civil Rights — the agency tasked with enforcing HIPAA — to recommend potential changes to the healthcare privacy law.
The OCR in December 2018 issued a request for information seeking input on how to modify HIPAA to promote value-based care, inviting stakeholders to weigh in on existing HIPAA provisions that may limit or discourage information sharing. The office said it wants to update HIPAA to support information sharing that helps coordinate care and enhances patients' ability to access their protected health information.
In response to the RFI, the AMA submitted a 29-page letter arguing that although the trade group supports efforts to improve care coordination, patient privacy and confidentiality should be prioritized.
"Generally, the AMA does not object to amending existing regulatory exceptions or definitions to promote care coordination and appreciates OCR's exploration of ways to reduce barriers to sharing PHI," the letter reads. "However, a multifaceted approach that establishes multiple new definitions, permissions or exceptions would add more burden and complexity to an already confusing law and could go too far in infringing on patients' privacy rights.
"We encourage OCR to promote information sharing for treatment and care coordination and/or case management through education and positive incentives — not requirements — especially those that value speed over privacy," the letter continues.
Nine notes on AMA's response to OCR:
1. Patient consent is paramount. "AMA policy and ethical opinions on patient privacy and confidentiality provide that a patient's privacy should be honored unless waived by the patient in a meaningful way, de-identified, or in rare instances when strong countervailing interests in public health or safety justify invasions of patient privacy or breaches of confidentiality."
2. Lack of understanding isn't a reason to diminish privacy laws. "Current HIPAA regulations permit covered entities to use and disclose PHI for care coordination purposes. Covered entities should not be required to disclose PHI for care coordination and/or case management merely because many covered entities, their lawyers and their compliance officers do not understand how HIPAA currently permits such disclosures."
3. Business associate agreements are necessary when a business is performing functions on behalf of a covered entity. "HIPAA rightly leaves the matter up to the covered entity as it is in the best position to know what type of information is in question and how the information should (or should not) be used and disclosed by the clearinghouse. The covered entity is the steward of the patient's PHI and has a duty to the patient to protect his or her information."
4. Mandates to disclose PHI to another covered entity should be opposed. "Requiring a physician to share information against a patient's wishes strips patients of control over their own data and potentially overrides medical decision-making. … The AMA has continuously maintained that an expressed 'need' for information — including for care coordination purposes — does not confer a right to such information."
5. HIPAA changes aren't needed to address the opioid epidemic. "A widespread perception exists that HIPAA prevents physicians from sharing information — especially related to behavioral health and [substance use disorder] — with families and caretakers. This is not true. The HIPAA privacy rule does not prohibit communication with a patient's family members (not only parents), friends or others involved in the patient's care."
6. A step in the right direction: Electronic tracking of patient consent. "At times, providers may more tightly restrict the flow of data because of uncertainty about how the law applies to it. Fortunately, technology can assist physicians with increasing the flow of information while maintaining privacy and a patient's consent. To do so, information should be 'tagged' to identify where the information originated, for what purposes it can be disclosed and to whom."
7. OCR should encourage multiple paths to security. "To best assist clinicians with implementing good security practices (also known as 'cyber hygiene'), the AMA encourages OCR to help reframe the conversation around securing health information from punitive requirements (e.g. fines and penalties associated with security failures) to developing positive incentives that encourage ways to bolster practice resilience and protect patient information."
8. OCR should remove the presumption of guilt after PHI is inappropriately disclosed. "The proposed solutions may add new layers of complexity, potentially exacerbating the tendency to adopt a presumption of non-disclosure out of fear of breach. ... The presumption of guilt on covered entities creates potentially unnecessary burden, stress and compliance costs on physicians. Instead, HHS should base the duty to report a breach on a harm threshold."
9. OCR must defer rulemaking until information blocking rules are final. "We urge OCR to review comments on the forthcoming information blocking rules from the ONC and the CMS to inform its thinking about the questions asked in the RFI. Many of the questions cannot be properly analyzed without fully reviewing those rules in tandem and OCR should not issue any notices of proposed rulemaking on these topics until CMS' and ONC's rules are finalized."