- Healthcare providers should not let HIPAA misunderstandings prevent the appropriate sharing and use of patient information for population health management and care coordination, the Office of the National Coordinator reminds stakeholders in a new blog post on HealthITBuzz.
Health data interoperability and information exchange are often stymied by inaccurately restrictive interpretations of the foundational privacy rule, which may lead to decreased levels of patient engagement, lost opportunities for better care coordination, and even preventable instances of patient harm.
“At ONC, we hear all of the time that the Health Insurance Portability and Accountability Act (HIPAA) makes it difficult, if not impossible, to move electronic health data when and where it is needed for patient care and health,” write ONC Chief Privacy Officer Lucia Savage, JD and Aja Brooks, JD, Privacy Analyst. “This is a misconception, but unfortunately one that is widespread.”
The “real” HIPAA supports interoperability and promotes the sharing of protected health information (PHI) “when and where it is needed for patient care,” the authors add.
In a pair of new fact sheets, the ONC outlines a number of use cases in which patient consent or authorization to share data is not required. “The new fact sheets remind stakeholders through practical, real-life scenarios, that HIPAA supports interoperability because it gives providers permission to share PHI for patient care, quality improvement, population health, and other activities,” Savage and Brooks write.
The sample situations include those related to the direct treatment of a particular patient and to organizational operations, such as developing care coordination protocols or clinical guidelines, providing patient management services, or engaging in quality evaluations through an accountable care organization or other program.
The first fact sheet addresses the confusion over using PHI for healthcare reform initiatives such as population health management. Under HIPAA, a covered entity may disclose PHI to another covered entity – or to that entity’s business associate – without first obtaining patient consent for the following health care operations:
Developing protocols and clinical guidelines, or conducting training programs and credentialing activities
Evaluating the performance of healthcare providers or health plans, conducting quality assessments and improvement activities, or reviewing the qualifications of healthcare professionals
Engaging in patient safety or population health management activities such as case management, care planning, or contacting providers and patients about possible treatment alternatives
However, a covered entity that wishes to exchange PHI for any of these reasons must first make sure that both it and the receiving entity have (or have had) a relationship with the patient, that the PHI in question pertains to that relationship, and that it discloses only the minimum amount of information necessary to complete the task at hand.
These requirements have been the source of much confusion since health data interoperability and health information exchange (HIE) became so critically important to the provision of coordinated care. HIPAA was designed and implemented long before electronic data exchange was commonplace, and many stakeholders fear that the rule is too antiquated to meet the demands of the current healthcare environment.
But HIPAA does allow providers to use certified EHR technology (CEHRT) and secure exchange protocols to engage in many of the proactive care coordination and population health management strategies that have become the backbone of new reform efforts. In the second fact sheet, the ONC explains how PHI can move across organizations for the purposes of patient treatment.
“‘Treatment’ is broadly defined as the provision, coordination, or management of health care and related services by one or more providers, including the coordination or management of health care by a provider with a third party; consultation between providers relating to a patient; or the referral of a patient for care from one provider to another,” the document says.
That means that an inpatient hospital can help a patient choose the right specialist, surgeon, or rehab facility, for example, by sending the patient’s records to three or four prospective providers to make sure that all downstream organizations have the necessary data at hand to make an informed decision about future treatment.
HIPAA also permits providers to use PHI for retrospective self-assessment. If a patient is transferred to another facility, but the original provider wishes to learn the patient’s outcome for quality assessment purposes, that provider may query a health information exchange organization for an update.
Unaffiliated organizations may also exchange information for population health or patient safety purposes, the document adds. Community hospitals that have no financial or organizational relationship with one another may nonetheless share the same pool of patients. If a patient acquires an infection at one facility, the other hospitals in the community are permitted to share PHI in order to discover the source of the problem and forestall future outbreaks.
“A common question that arises is whether the disclosing [entity] will be held responsible under HIPAA for what the receiving provider does with the PHI once the hospital has disclosed it in a permissible way under HIPAA,” the fact sheet acknowledges. “For example, what if the receiving physician experiences a breach of the PHI?”
In that situation, the ONC reassures the community, the disclosing provider is generally not on the hook. If the covered entity transmitting the PHI released the data in a secure and permitted manner, and made all reasonable efforts to ensure that it was delivered privately to the right partner, it will not be held liable under HIPAA for what happens on the receiving end.
This does not mean that the transmitting provider should send data indiscriminately, without first confirming the recipient’s identity and that the exchange partner abides by appropriate privacy and security standards, but it does mean that healthcare organizations have more data exchange options than they may have previously thought.