By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure – #HCdeJure
The excuses for health information not freely flowing are numerous, but very often come back to alleged privacy concerns under the Health Insurance Portability and Accountability Act and its associated regulations, or “HIPAA” as it is more often referred to. The excuses often fall back on a position that HIPAA requires all patient-related information to be fully locked down and maintained in “airtight” systems that can only be opened with permissions. While that is the perceived standard, actual systems do not really reflect this position. Despite the likely reality, the privacy concerns are raised between providers, by providers to patients, between vendors and any number of combinations among those groups.
The end result arising out of the fear about HIPAA compliance is data being locked down and “not” openly shared when or where needed. The “not” is put into quotations because even before getting to what the regulations permit, the reality is that information in many instances does get shared around. The sharing may occur in the ordinary course of business and without the actors sharing the information knowing that such sharing is allowed directly because of HIPAA. The prime example of such information sharing would be for payment purposes as no provider will forego getting paid for services rendered. When information is locked down though, barriers are thrown up to prevent it from going from one system to another or between providers. Such restrictions result in frustration, anger, or some other similar emotion.
However, while waiting for further regulations through the 21st Century Cures Act, some unknown future law or just modifications to existing regulations, there is hope under HIPAA. A recent blog post from the Office for Civil Rights and Office for the National Coordinator of Health IT emphasized the information portability and encouragement for sharing of data already contained within HIPAA. Those points are very accurate and certainly bear repeating.
Taking the behind the scenes side of things first, a very broad swath of actions is permissible under the HIPAA Privacy Rule to enable movement of data. Namely, the permissible actions fall under what are referred to as “TPO” or treatment, payment, and healthcare operations. Each of those terms is specifically defined under HIPAA.
Taking treatment first, the term is designed to enable providers to interact with one another and ensure that information gets to where it is needed for the benefit of patients. This means providers can consult with one another or request information from a patient’s prior provider. It does not mean that a prior provider should make access overly difficult. For instance, an example that I have used frequently is a primary care physician being in the exam room with their patient. The physician wanted information from the patient’s ob/gyn’s office. With the patient in the room, the call was placed, but the ob/gyn’s office would not release the information without a signed release from the patient. That is not required and just imposed unnecessary burdens on the ability of the primary care physician to work with the patient. The refusal to provide information was premised upon not wanting to breach privacy, but done so in an extreme manner.
Turning to payment, information can be shared for purposes of obtaining or verifying payment obligations. Such sharing goes to information going back and forth between providers and insurance companies. As suggested above, it is highly unlikely that providers will not take necessary or appropriate action to be compensated for services provided. Payment can also extend to collections when individuals are not paying obligations that are owed. That may not be expected, but collections are a part of payment.
Lastly, the definition of health care operations is arguably the broadest permissible use of patient information. Many providers and entities are surprised when the breadth of activities is discussed. Operations include utilization review, quality improvement and release of information when pursuing a sale or other fundamental transaction impacting the entity. All of the actions go to enabling the smooth running of a business.
While the above is a brief description of how information may be used and shared in the general course of a healthcare business for TPO, on many occasions the TPO permissible uses and disclosures are either overlooked or not known. Ultimately, the TPO categories should show that HIPAA does not interfere with the ability to let information go and be where it is needed. Instead, HIPAA encourages the use and disclosure of information. It is also important to remember that there are other uses and disclosures that can occur with authorization or an opportunity to object, though those become more specific.
It is also important to consider the times when a patient or individual can direct or request the use or disclosure of their own health information. This is the second point made by the OCR and ONC post. Individuals are granted significant rights of access and some control over their own information. Access is certainly a prime area where misconceptions exist. The HIPAA regulations include very limited times as to when access can be denied, which do not apply in the vast majority of circumstances. Assuming that access is granted appropriately, individuals should get almost free access to their information and be able to ensure that it is sent to other providers. Reality is far from this ideal, but it is important to keep what should happen in mind to hopefully spread the correct understandings of what HIPAA permits.
The persistence of information blocking and other impediments to the free flow of health information underscores the deep-rooted nature of HIPAA myths or willful ignorance. Too many organizations quickly move past HIPAA without even attempting to understand what it does and what it allows. Accordingly, it is important to continually work to dispel such misunderstandings about HIPAA. One of the main considerations at this point is to get those in the industry from the provider, payor and vendor perspective to understand how HIPAA enables sharing of information and does not align with information blocking or other barriers. Instead, HIPAA is really a facilitator when its actual terms are correctly interpreted. If the correct message continues to be spread, then eventually understanding will catch up with the current state of regulation.
This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.