After the Trump administration announced COVID-19 relief bill (H.R. 6074), US Department of Health and Human Services (HHS) Secretary Alex Azar issued a limited waiverof certain HIPAA sanctions to improve data sharing and patient care in the interest of public health during this pandemic.
HIPAA, the primary piece of legislation governing the sharing of health information, permits covered entities to disclose protected health information (PHI) without an individual’s authorization or permission for 12 national-priority purposes, including two that stand out during the current COVID-19 health crisis: Public Health Activities and Serious Threat to Health or Safety.
These provisions are in place to safeguard covered entities that are disclosing PHI because the disclosure is in the best interest of public health or is done to prevent/lessen a serious and imminent threat to a person or the public. Thus, the disclosure of suspected or confirmed COVID-19 cases to the following entities/individuals are currently permitted per the limited waiver:
- To a public health authority, such as the CDC
- At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority
- To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations
Additionally, Office for Civil Rights announced it will not impose penalties for noncompliance with HIPAA regulations against providers using telehealth platforms that may not comply with the privacy rule during the COVID-19 pandemic.
This news comes on the heels of the of HHS’s March 9, 2020, announcement of the final rules of the bipartisan 21st Century Cures Act, including the information blocking rule designed to promote interoperability and patient access.
The driving force behind the Office of the National Coordinator for Health Information’s desire to implement these new rules, which faced stiff opposition from major electronic health record (EHR) firms and health systems, stems from issues associated with interoperability. Interoperability, or the ability to send and receive secure patient records among various health organizations, is one of the many challenges facing healthcare today. Ultimately, the goal of the information blocking rule is to encourage the free flow of electronic health information while eliminating barriers, allowing patients to more effectively manage their health information.
These rules were designed to implement certain provisions of the Cures Act to advance interoperability and support the access, exchange, and use of electronic health information while establishing new rules to prevent information blocking practices (e.g., anti-competitive behaviors) by healthcare providers, developers of certified health IT, health information exchanges, and health information networks as created by the Cures Act. “It calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured electronic health information using smartphone applications.”
As long-time advocates for data sharing, ECG is both encouraged and optimistic that these new announcements have and will continue to promote data sharing. Historically, government regulations have had a profound impact in making permanent change. However, increased adoption of data-sharing techniques will be a gradual process. In light of COVID-19, it makes sense to promote public health by allowing the use of Facebook or other commonly available technologies for sharing data; but keep in mind that most of the HIPAA provisions are still in force, and the use of less-secure exchanges is likely temporary.
Flashback to HITECH
Prior to 2009, a few forward-thinking healthcare providers were offering health information exchange (HIE) as a differentiator. The notion was that HIE would create “stickiness” with the organizations. Physicians would refer patients to organizations where it was easier to get test results and patients would have better outcomes.
The HITECH Act, signed into law in February 2009, provided “financial incentives to healthcare professionals for the meaningful use of certified qualified EHRs.” The incentive payments were substantial, and the penalties for noncompliance impacted reimbursement.
However, many obstacles made data sharing difficult. Vendors interpreted the published standards differently; states imposed stricter requirements for consent for certain types of sensitive information (i.e., behavioral health); and providers selectively chose who they would exchange data with and how, using HIPAA as an excuse for not engaging in sharing data with competitors. Regardless, these regulations have had a long-term impact in expanding data sharing.
The Cures Act is too new to make a meaningful impact, but work was already underway to expand data sharing to include advancements in telehealth and more accessible technology. Competition from commercial labs that email test results to patients as well as more open API development will continue to drive more change.
Looking to the Future
The latest modifications to HIPAA do not erase the need for healthcare organizations to protect information, so organizations that take advantage of the latest HIPAA waivers should do so cautiously. The waivers will eventually expire or be rewritten, so organizations will need to evaluate the solutions they have adopted during the COVID-19 response and ensure they are compliant with HIPAA guidelines. Data sharing will be easier than before, on account of the waivers and the Cures Act, but healthcare providers must continue to be good stewards of the data for their patients, providers, and the public.
Organizations need an overall data-sharing strategy going forward. In times of crisis, we reach for the easiest, most available, and least expensive solution(s). Acting fast is critical as organizations combat COVID-19. But beyond the pandemic, healthcare leaders will need to assess which new technologies have the greatest return—whether in terms of cost, patient engagement, provider satisfaction, or community health—build a plan for the future.
Actions Executives Can Take
- Embrace the concept of data sharing and begin to think about sharing best practices with other facilities or work groups. This will improve the healthcare status of the communities you serve.
- Develop an IT strategy and take the time to assess, evaluate, work with core vendors, and explore options with new vendors to take advantage of the rules under the Cures Act.
- Update your organizational risk assessments to include new software. Continue to conduct annual risk assessments in compliance with the new regulations.
- Begin identifying appropriate stakeholders involved in assessing and maintaining compliance, such as IT and compliance department leaders.
- Should compliance not be achievable by the deadline, begin developing remediation plans to address the compliance concerns.
Healthcare executives should carefully review these new changes and continue to monitor the implications they might have on any existing or potential EHR contracts, technical specifications, and business or information release policies. ECG will continue to provide guidance and assistance in these areas to support your facility through these groundbreaking advancements in healthcare and information sharing.
Published March 31, 2020