Patients want their healthcare information to stay private. Healthcare provider organizations want to keep patient data secure. But the need for interoperability and sharing of protected health information can often put those two aspirations at odds.
Further, as the privacy and security landscape keeps changing – not least during this unprecedented public health crisis, with its complex and fast-moving demands for data sharing – many are asking whether HIPAA and its landmark Privacy Rule may need some updating after nearly 25 years.
To discuss these challenges and other related issues, Healthcare IT News has brought together two experts in the field.
Helen Oscislawski is a healthcare attorney at Attorneys at Oscislawski LLC, which specializes in IT and privacy issues. Gerry Blass is president and CEO of ComplyAssistant, a vendor of governance, risk and compliance software.
The two took part recently in a Q&A designed to help CIOs and CISOs and others navigate these tricky issues.
Q. What are the pros of sharing patient data? What does it mean for providers and patients?
Oscislawski This question can be answered from a number of different perspectives. For example, a doctor might be inclined to believe that a pro of sharing patient data is that it can improve the quality of care provided to patients. A CIO, on the other hand, might see sharing patient data as beneficial to improving the value and efficiency of the CIO’s organizational IT systems. My response, however, is focused solely on any potential legal pros of sharing patient data.
From a legal perspective, any pros to sharing patient data exist only if such sharing in effect lessens or eliminates potential legal risks or liabilities that would otherwise arise if the patient data was not shared. For example, let’s imagine that there is an important diagnostic test result that is available on a patient and could be shared with a physician who needs that information to make a critical and emergent treatment decision.
However, the test result is located on a separate EHR system that does not share clinical data with providers who use a different EHR solution. For that reason only, the diagnostic test result is not shared with the physician, and this in turn results in a severe negative impact on the patient’s health. Therefore, these sorts of situations could lead to potential malpractice liability for a physician that might have been avoided had the patient data been shared.
There is another significant legal pro to sharing patient data that is coming down the pike. The regulations implementing the 21st Century Cures Act, and specifically Section 4004, which prohibits what is referred to as “information blocking,” will result in potential substantial fines of up to $1 million per year being assessed against health IT developers, HINs and HIEs that “knowingly and unreasonably” interfere with the sharing or use of electronic patient data.
Blass From a privacy and security perspective, increased data sharing typically means that there are more locations of PHI to protect for covered entities, their business associates (BAs) and downstream BAs. The scope of audits then increases with each new location, along with the need to ensure that the proper agreements and controls are in place.
Q. Who should and should not have access to patient data?
Oscislawski Only individuals who are “legally authorized” to have access to patient data for a legally permissible purpose should be given access to patient data. Even though we are moving into an era when there are going to be new and real legal consequences for improper refusal to share patient data, it is incredibly important that custodians of patients’ data – including providers, facilities and their HIPAA BAs – are not improperly pressured into opening up their patient data to anyone and everyone who claims that they are entitled to access the data as a result of this new law.
The information-blocking law does not support carte blanche sharing of data with anyone and everyone who wants it. The standards of protecting patient privacy under HIPAA and equivalent state laws still apply. That means when you are approached by an external party looking to get access to patient data, you still have to go through asking what is the purpose of their access and use of the patient data, and is it a permissible purpose that is expressly allowed under HIPAA and state law exceptions, without the patient’s authorization or signed consent. If the answer is “not,” then that person should not be getting access to the patient data, unless the access is consented to by the patient.
Blass From a HIPAA standpoint, the same rules apply for use and disclosure, minimum necessary, etc. The same governance, risk management and compliance requirements are necessary to protect PHI and make sure it is legally shared. The Notice of Privacy Practices (NPP) under the HIPAA rule will either require updates due to the 21st Century Cures Act or there will be a need for a new notice to supplement the NPP. There could also be an impact on BA agreements from the standpoint of the Cures Act, as well. We can see this opening up the potential for new policies, procedures and audits that present the complete compliance picture for both HIPAA and the Cures Act.
Q. What are the cons of sharing patient data?
Oscislawski Again, this question can be answered from a number of different perspectives. From a legal perspective, any potential legal cons of sharing patient data would flow from the potential legal risks and liabilities that might result from such sharing. To illustrate the point, we can take my previous example of sharing the diagnostic test and turn it on its head a bit. There, whether sharing the specific data might be a pro or con depends on the accuracy of the data.
So, for example, if the diagnostic test is shared from its original source system and its accuracy is certain, then the outcome favors sharing the patient data – and this is a pro. However, if the patient data comes from a system that does not have the most recent or corrected version of the test result, then the accuracy of the result is compromised and sharing the data would be a con because there is a chance of it increasing the legal risks and liabilities for the end users who rely on it when it is not accurate.
Blass In the case where the “data comes from a system that does not have the most recent or corrected version of the test result…,” that would indicate a lack of data integrity that would violate the HIPAA Security Rule, and of course present a con and potential impact on patient care, as Helen mentioned.
Q. What are the risks and implications for IT teams to enable the sharing of data, while protecting it from parties who should not have access?
Oscislawski I am not sure that fundamentally there is anything different that needs to be done. Under the HIPAA Security Rule, IT teams should already be developing detailed role-based access charts and assigning credentials accordingly to authorized individuals based specifically on their job function, or the legally authorized purpose for which such individual is to access patient data
Blass The HIPAA Security Rule already also required that there is a process in place for authenticating and verifying the identity of a requesting organization and individual. Therefore, these same security standards and implementation specifications need to continue to be followed, as well as developing industry best practices.
Q. How do healthcare CIOs and CISOs best balance the tenets of promoting interoperability with HIPAA?
Oscislawski The best way that CIOs and CISOs can balance HIPAA with the interoperability and information-blocking rules is to truly understand the requirements and restrictions of each. Too often I hear misinformation or misunderstandings about how certain provisions of HIPAA are defined or applied. The same is true for the interoperability and information-blocking rules. The key is to get educated on an accurate reading of what the rules actually say, or don’t say.
Be wary of individuals who offer overly broad generalizations of what the rules are saying, like, “You have to share all of your patient information because, if you don’t, you are engaging in illegal information blocking.” The devil is in the details, and CIOs and CISOs will need to understand the details of both HIPAA and the interoperability rules to strike the right balance.
Blass In the early days of HIPAA, especially from a privacy standpoint, there was a lack of understanding about the Notices of Privacy Practices and who could disclose PHI to whom. That resulted in refusals to make authorized disclosures due to ignorance and fear of violations, penalties, sanctions, etc. Today there is a much clearer understanding, but it took a while, and may still be confusing for some providers.
Helen is correct in that high-level conclusions of “all or none” are normally incorrect, and that workforce education on illegal information-blocking and its relation to HIPAA will certainly be a big priority and necessity to attempt to avoid the confusion that occurred during the early days of HIPAA.
Q. What potential implications could this have on HIPAA? Does it mean we need updates to HIPAA?
Oscislawski The government has realized that updates to HIPAA, as well as 42 CFR Part 2, are likely needed to fully realize the potential of interoperable sharing of patient data. As part of its “Regulatory Sprint to Coordinated Care,” OCR published a request of information (RFI) seeking recommendations and input from the public on how HIPAA could be modified to promote coordinated, value-based healthcare. In addition to requesting general input on HIPAA, the RFI asked for comments on specific areas of the HIPAA Privacy Rule, including: (1) encouraging information-sharing for treatment and care coordination; (2) facilitating parental involvement in care; … (3) addressing the opioid crisis and serious mental illness; and (4) accounting for disclosures of PHI for treatment, payment and healthcare operations as required by the HITECH Act.
Blass The fact is that the HIPAA rules have not been significantly updated since 1996. The HITECH/Omnibus final rule of 2013 did account for larger fines and potential for lawsuits, along with more stringent requirements for BAs and covered entities to manage them, but has not accounted for the significant increases in cybersecurity risks over the past 10 years and scope of vulnerabilities to control.
For that, there are other frameworks to work with, such as the NIST CSF and others. So, from the standpoint of the topics mentioned by Helen, I agree that we should see updates to HIPAA; and from a privacy and security standpoint we should see a stronger link between HIPAA and other frameworks, such as NIST CSF, and/or other frameworks.
Q. How do healthcare providers successfully educate their internal teams and their patients on the value of sharing data?
Oscislawski I would recommend focusing on educating internal teams and patients on accurate information on what the new rules and changes actually mean. Accuracy and clarity of the content of such education I think [are] paramount – if it is done right. Then, I think that patients will make the value determination themselves.
Blass Agreed – it should be part of orientation, annual training and continuous reminders on both protecting PHI and when it is proper to share it, and the value of both. It truly is an extension of the training that should already be operational.