Care coordination, an important component of value-based health care, requires an ability to transition patients and their records among various providers. To reduce impediments to such transition, the Office for Civil Rights (OCR) sent out a request for information (RFI) in December asking health care providers and the public to comment on some of the ways in which HIPAA limits or discourages providers from sharing protected health information (PHI).

OCR sought input by mid-February in 4 major categories of the HIPAA regulation: how the privacy rule might be amended to encourage information sharing among providers; how it might be made easier to share information with parents and caregivers during health emergencies, with a particular focus on opioids; better ways to inform patients about how their information has been accessed; and eliminating the requirement for written acknowledgment of privacy policies.

Christine Clements, a partner at the Washington-D.C.-based law firm Sheppard, Mullin, Richter & Hampton, LLP, said OCR has requested this input for a few reasons. One of these is how old HIPAA is. “It can use some updating because how care is delivered, how providers interact with each other and payers, and how payers and providers interact with patients is changing,” Clements said. “To a large extent, HIPAA is out of date.”

Second, because the risk of noncompliance with HIPAA is so high, “it’s a lot easier just not to share or drag your feet in providing information,” she said.

Many of the comments on OCR’s site were from individuals and patient advocacy groups. They typically objected to HIPAA changes that would result in freer movement of patient information. A number of comments related to concerns about oversharing of behavioral health and substance use information.

Encouraging disclosure

The American Hospital Association (AHA) sent a letter to OCR noting the presence of “anxieties among covered entity providers about potential noncompliance and its significant consequences” that make them cautious about disclosing information, even for care coordination. They noted that covered entities do share information, and requiring them to do so would not promote greater disclosure.

They suggested ways to improve information flow. For example, they said all providers within an integrated care setting should be able to access a patient’s medical information even if the patient does not have a “direct treatment relationship” with the providers. They also noted that placing a timeframe on the release of information would unduly burden providers.

Clements does not necessarily agree. She suggests making the timely release of requested records imperative. “There should be a requirement that requested information be disclosed within a certain amount of time. Making it an obligation would be the most significant change for facilitating exchange of information for care coordination and value-based arrangements.”

Health emergencies

With regard to increasing the exchange of information in emergency situations, especially with regard to opioid use, AHA said better guidance on the scope of permissible uses of information would help providers feel more comfortable sharing information with families and case managers. The AHA argued that allowing substance use and behavioral health records to be released without individual patient consent would improve care coordination.

Access reports

OCR previously proposed the idea of “access reports” in which a patient must be informed who accessed their PHI and which PHI was accessed. AHA supports withdrawal of this proposal. When OCR suggested these reports, they were not balancing patients’ privacy with the burden it would place on providers to produce the reports, AHA said. The association also noted that such reports may result in misunderstandings about how PHI has been used.

Privacy practices

Providers are supposed to make a good faith effort to get written acknowledgment from patients who receive their Notice of Privacy Practices. In its RFI, OCR noted that requiring signatures may be too much to ask of providers. The AHA agrees, as does Clements, who said patients fall into 3 categories when it comes to signing privacy practices documents: Some sign it without giving it much thought, some want to negotiate the terms with their providers, and the third group includes those who refuse to sign.

“It should be a policy that requires posting and if they are in compliance with that, they don’t necessarily have to get the next step of getting something in writing,” Clements said.

Clarifying what to do with privacy practices, what is and is not permissible to disclose and to whom information can be released would go a long way to helping providers better coordinate care while complying with HIPAA.

“As a general observation, HIPAA is an area where HHS could have done a better job providing the industry with really helpful guidance,” Clements said. “If OCR was more engaged in providing guidance, maybe the RFI wouldn’t have been needed.”