OCR Wants to Know How HIPAA Is Impeding Coordination of Care

The opioid epidemic has spurred HHS OCR to issue a request for information from stakeholders about the ways in which HIPAA isn't working as intended. This is a rare opportunity, so if you're someone with expertise or experience in these matters, please consider submitting a comment by the deadline, which is probably February 12, though you may want to submit by the 11th, to be safe.

If you're looking for a jumping-off point, I've included my public comment below.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Re: Department of Health and Human Services, Office for Civil Rights RIN 0945-AA00

In my capacity as a HIPAA consultant—usually for health tech ventures, but also as a person likely to be contacted by confused friends when it comes to HIPAA—my concerns center largely around how few HIPAA-covered entities seem to have found a flexible, scalable middle way that protects patient privacy without unnecessarily restricting treatment options.

It’s no secret that HIPAA and other compliance burdens scare off many startups, and yet the FDA has recently approved opioid addiction app reSET-O for treatment, mental health care is increasingly provided through or supplemented by telecommunication, and sensor-enabled remote monitoring can help determine, for instance, whether a patient is opening or emptying their opioid prescription bottle in a manner that would suggest that prescription abuse should be a concern. In my experience, it is more often the reticence of exceedingly conservative providers to adopt such technologies that ultimately constrains patient choice.

The point isn’t that technology is definitely the panacea that will solve the opioid crisis; it’s that the specter of HIPAA shouldn’t be what prevents us from finding out.

In my dealings with extremely risk-averse providers, I have heard health information management administrators conclude that Bluetooth can never be HIPAA-compliant if the connection isn’t encrypted, even if the data in flight is encrypted, which rules out most passive data collection that the provider could be utilizing.

I’ve had clients choose to enter into frivolous business associate agreements (BAAs) so that providers would agree to disclosures made at the request of the patient, for the patient’s own purposes, into/onto a platform that did not have a mechanism for ongoing provider access. When this happens, we ask the provider to contractually define which information they’ll be acting in reliance on, for the purposes of complying with the DRS-related terms of the business associate agreement. The obvious answer should of course be, “None.” And yet no such provider has even agreed to stipulate that the “business associate” does not maintain any designated record sets.

I’ve had dealings with compliance officers at healthcare institutions who could not be convinced to amend their impossibly risk-averse BAAs because they don’t understand the interplay between HIPAA and the federal common law of agency. For instance, many traditional providers’ BAA templates impose hard deadlines on breach notification that override the usual definition of “discovery.” Often, these terms cannot be satisfied if the business associate depends on a downstream cloud service provider (CSP) that only offers a non-negotiable BAA.

I’ve acquired clients whose previous (usually hospital-trained) consultants told these business associates that they need to provide a Notice of Privacy Practices (NPP), though this is expressly refuted in the Federal Register and elsewhere. Because of the requirement that a NPP include mention of any stricter standards, this is no small gaffe for business associates with mobile and web platforms, who intend to operate nationally; the cost of an incomplete analysis of relevant state and case law starts around $20K.

In my everyday capacity as a person who understands HIPAA, I’ve come across providers requiring witness signatures for the release of records, in the absence of a legal requirement to do so. This has particular potential to be harmful when required by OB/GYNs, whose patients may include women in abusive or controlling relationships. I encountered one mental health provider telling patients they would have to personally retrieve their paper PHI, even if it meant flying halfway across the continent, because they refused to transfer the records to a new provider, per the patient’s express wishes. (State law, though stricter for some records, did not prohibit this disclosure.) Perhaps the right to electronic access should be stronger, but more importantly, I cannot imagine a larger impediment to the coordination of care than to refuse to disclose records directly to another provider, pursuant to an authorization.

But then, for all the providers who drastically privilege patient privacy over patient agency, there are Uber, Lyft, and DoorDash. All have recently entered HIPAA-regulated markets and all insist that their drivers are not their employees, so what are the odds that the drivers have been sufficiently trained in HIPAA compliance? The only choices are to ask drivers to sign BAAs they don’t likely understand, or to take control of their HIPAA training, signalling that drivers are their agents, and potentially risking IRS reclassification of the drivers’ 1099 status. And yet, there are providers willing to partner with these entities, hopefully not for lack of understanding of what goes on behind the scenes.

---

It’s not just providers who are contributing to this polarization, either. OCR’s decision to saddle cloud service providers who discover PHI on their platforms with a business associate (BA) role continues to make little sense, in practice. Given that business associates are independently liable for HIPAA compliance, when do the BA obligations kick in? Upon discovery of the PHI? After some amorphous interval? Because it would normally be an egregious violation for a BA to delete PHI upon which a provider relies, but if CSPs don’t do that here, by forcing ToS violators off the platform, then they find themselves roped into a BA role they weren’t prepared for. When that happens, how long do they have to get compliant? What is their HIPAA liability in the meantime? Protecting PHI should be of the utmost importance, but when does protecting it mean deleting it, versus implementing safeguards? Does it make sense that these cases mostly come down to the user’s decision about whether or not to encrypt their data? According to the Cloud guidance, CSPs storing encrypted data to which they do not hold the key are still BAs, but they, of course, will never discover unwelcome PHI, so they can’t be prosecuted for failing to put safeguards into place.

---

As for whether NPPs are providing the information patients need to exercise their rights, the simple answer is no. BAs aren't just accountants and lawyers, anymore. It’s increasingly common for users/patients to have direct contact with BAs, but to never be informed of the BA’s obligations to them under HIPAA, or how to file a complaint, in any of the BA’s ToS, Privacy Policy, EULA or in the covered entity’s NPP. Take, for instance, an app that provides a messaging portal for mental health providers and their patients. These products often make template BAAs available to therapists wishing to adopt the technology, but how many patients know that their therapist is the upstream provider whom they should approach with privacy concerns about the app? Speaking as a consultant, the incentives aren’t currently aligned to encourage the enumeration of these relationships in the provider’s NPP because they have so little leverage over the BA.

Personally, I once reached out to my insurance provider to inquire as to whether the third party managing their wellness program was their BA, because the details of the arrangement were murky and the wellness provider was asking for family history, genetic information, and a whole host of other sensitive data, but did not mention HIPAA or GINA anywhere on any of their websites or consent forms. I never received a reply.

---

IdeaScale and the Cloud guidance were steps in the right direction, but if OCR truly wants HIPAA to empower patients, it needs to do a lot more communication and education vis-a-vis both the law’s application to technology and upholding patient rights. Technology sometimes moves quickly, and I realize that OCR cannot spend all of its time writing and updating niche guidances, but nor can it ignore the rising role of technology within healthcare.

Lastly, there are probably plenty of comments to this effect already, but if disclosures are to be required for coordination of care, particularly on a deadline, they would be made much easier by unified, interoperable data standards.
