The 800-Pound HIE
Gorilla Tiger in "Meaningful Use"
There has been a lot of discussion around the Meaningful Use (MU) criteria. CMS has an entire website dedicated to the subject, as does ONC. Although the clinical criteria of MU may garner much of the attention, the privacy and security components are also significant. In particular, the MU criteria pertaining to Health Information Exchange (HIE) raise certain fundamental privacy questions.
In short, the HIE requirements for MU include the ability to: (1) exchange “key” clinical information among providers of care and patient authorized entities electronically, and (2) perform at least 1 test of exchanging information. The crucial question, then, is what exactly does "and patient authorized entities" suggest? In listening to the privacy discussion taking place in various ONC Workgroups, including the newly-established Privacy & Security Tiger Team, one could reasonably conclude that this requirement might evolve to mean that a HIE will need to be able to capture and implement patients' specific and granular preferences (e.g., patient is "ok” with releasing info to Provider B, but not to Provider C) -- at least if you want to meet MU criteria.
This interpretation, however, could throw a wrench into HIE networks across the nation that have implemented an Opt-Out consent model in part in reliance on a legitimate belief that when HHS adopted the final version of the HIPAA Privacy Rule it also vetted and already decided the question of whether a patient's prior written authorization should be required before general health information can be shared between treating providers for treatment purposes -- and it affirmatively decided to create the "Treatment Exception". In fact, many states have laws that contain a similar exception. New Jersey, for example, specifically permits two treating doctors to share pertinent information about a common patient and expressly states that the prior consent is not required in such instances if it is in the best interest of the patient (see N.J.A.C. 13:35-6.5(d)3).
Links to the full legislative history related to the promulgation of the HIPAA Privacy Rule can be found on HHS’s website, but, a closer look at the August 14, 2002 “Modification to the HIPAA Privacy Rule –Final Rule" are worth a second read in particular. For those who wish to review it in full, I have posted a full exerpt of the relevant sections under the “Continue Reading” window below, but in sum HHS removed the requirement of obtaining prior patient authorization after reviewing numerous public comments on the issue and concluding that:
As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded ...
The Final HIPAA Privacy Rule was adopted after HHS released multiple proposed versions, considered significant public comment, and followed administrative rule-making procedures -- all over the course of almost 3 years. Thus, as policies are recommended and developed for the HIE context, prior debate and dialogue is relevant and should not be forgotten or dismissed.
D. Section 164.506--Uses and Disclosures for Treatment, Payment, and Health Care Operations
December 2000 Privacy Rule. Treatment and payment for health care are core functions of the health care industry, and uses and disclosures of individually identifiable health information for such purposes are critical to the effective operation of the health care system. Health care providers and health plans must also use individually identifiable health information for certain health care operations, such as administrative, financial, and legal activities, to run their businesses and to support the essential health care functions of treatment and payment. Equally important are health care operations designed to maintain and improve the quality of health care. In developing the Privacy Rule, the Department balanced the privacy implications of uses and disclosures for treatment, payment, and health care operations and the need for these core activities to continue. The Department considered the fact that many individuals expect that their health information will be used and disclosed as necessary to treat them, bill for treatment, and, to some extent, operate the covered entity's health care business. Given public expectations with respect to the use or disclosure of information for such activities and so as not to interfere with an individual's access to quality health care or the efficient payment for such health care, the Department's goal is, and has always been, to permit these activities to occur with little or no restriction.
Consistent with this goal, the Privacy Rule published in December 2000 generally provided covered entities with permission to use and disclose protected health information as necessary for treatment, payment, and health care operations. For certain health care providers that have direct treatment relationships with individuals, such as many physicians, hospitals, and pharmacies, the December 2000 Privacy Rule required such providers to obtain an individual's written consent prior to using or disclosing protected health information for these purposes. The Department designed consent as a one-time, general permission from the individual, which the individual would have had the right to revoke. A health care provider could have conditioned treatment on the receipt of consent. Other covered entities also could have chosen to obtain consent but would have been required to follow the consent standards if they opted to do so.
The consent requirement for health care providers with direct treatment relationships was a significant change from the Department's initial proposal published in November 1999. At that time, the Department proposed to permit all covered entities to use and disclose protected health information to carry out treatment, payment, and health care operations without any requirement that the covered entities obtain an individual's consent for such uses and disclosures, subject to a few limited exceptions. Further, the Department proposed to prohibit covered entities from obtaining an individual's consent for uses and disclosures of protected health information for these purposes, unless required by other applicable law.
The transition provisions of the Privacy Rule permit covered health care providers that were required to obtain consent to use and disclose protected health information they created or received prior to the compliance date of the Privacy Rule for treatment, payment, or health care operations if they had obtained consent, authorization, or other express legal permission to use or disclose such information for any of these purposes, even if such permission did not meet the consent requirements of the Privacy Rule.
March 2002 NPRM. The Department heard concerns about significant practical problems that resulted from the consent requirements in the Privacy Rule. Covered entities and others provided numerous examples of obstacles that the consent provisions would pose to timely access to health care. These examples extended to various types of providers and various settings. The most troubling, pervasive problem was that health care providers would not have been able to use or disclose protected health information for treatment, payment, or health care operations purposes prior to their initial face-to-face contact with the patient, something which is routinely done today to provide patients with timely access to quality health care. A list of some of the more significant examples and concerns are as follows:
- Pharmacists would not have been able to fill a prescription, search for potential drug interactions, determine eligibility, or verify coverage before the individual arrived at the pharmacy to pick up the prescription if the individual had not already provided consent under the Privacy Rule.
- Hospitals would not have been able to use information from a referring physician to schedule and prepare for procedures before the individual presented at the hospital for such procedure, or the patient would have had to make a special trip to the hospital to sign the consent form.
- Providers who do not provide treatment in person may have been unable to provide care because they would have had difficulty obtaining prior written consent to use protected health information at the first service delivery.
- Emergency medical providers were concerned that, if a situation was urgent, they would have had to try to obtain consent to comply with the Privacy Rule, even if that would be inconsistent with appropriate practice of emergency medicine.
- Emergency medical providers were also concerned that the requirement that they attempt to obtain consent as soon as reasonably practicable after an emergency would have required significant efforts and administrative burden which might have been viewed as harassing by individuals, because these providers typically do not have ongoing relationships with individuals.
- Providers who did not meet one of the consent exceptions were concerned that they could have been put in the untenable position of having to decide whether to withhold treatment when an individual did not provide consent or proceed to use information to treat the individual in violation of the consent requirements.
- The right to revoke a consent would have required tracking consents, which could have hampered treatment and resulted in large institutional providers deciding that it would be necessary to obtain consent at each patient encounter instead.
The transition provisions would have resulted in significant operational problems, and the inability to access health records would have had an adverse effect on quality activities, because many providers currently are not required to obtain consent for treatment, payment, or health care operations.
Providers that are required by law to treat were concerned about the mixed messages to patients and interference with the physician-patient relationship that would have resulted because they would have had to ask for consent to use or disclose protected health information for treatment, payment, or health care operations, but could have used or disclosed the information for such purposes even if the patient said ``no.''
As a result of the large number of treatment-related obstacles raised by various types of health care providers that would have been required to obtain consent, the Department became concerned that individual fixes would be too complex and could possibly overlook important problems. Instead, the Department proposed an approach designed to protect privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded (see section III.H. of the preamble for a discussion of the strengthened notice requirements).
Specifically, the Department proposed to make the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations more flexible for all covered entities, including providers with direct treatment relationships. Under this proposal, health care providers with direct treatment relationships with individuals would no longer be required to obtain an individual's consent prior to using and disclosing information about him or her for treatment, payment, and health care operations. They, like other covered entities, would have regulatory permission for such uses and disclosures.
The NPRM included provisions to permit covered entities to obtain consent for uses and disclosures of protected health information for treatment, payment, or health care operations, if they wished to do so. These provisions would grant providers complete discretion in designing this process. These proposed changes were partnered, however, by the proposal to strengthen the notice provisions to require direct treatment providers to make good faith efforts to obtain a written acknowledgment of receipt of the notice. The intent was to preserve the opportunity to raise questions about the entity's privacy policies that the consent requirements previously provided.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, ``Response to Other Public Comments.'' The vast majority of commenters addressed the consent proposal. Most comments fell into three basic categories: (1) Many comments supported the NPRM approach to eliminate the consent requirement; (2) many comments urged the Department to require consent, but make targeted fixes to address workability issues; and (3) some comments urged the Department to strengthen the consent requirement.
The proposed approach of eliminating required consent and making obtaining of consent permissible, at the entity's discretion, was supported by many covered entities that asserted that it would provide the appropriate balance among access to quality health care, administrative burden, and patient privacy. Many argued that the appropriate privacy protections were preserved by strengthening the notice requirement. This approach was also supported by the NCVHS.
The comments received in response to the NPRM continued to raise the issues and obstacles described above, and others. For example, in addition to providing health care services to patients, hospices often provide psychological and emotional support to family members. These consultations often take place long distance and would likely be considered treatment. The consent requirement would make it difficult, or impossible in some circumstances, for hospices to provide these important services to grieving family members on a timely basis.
Comments explained that the consent provisions in the Rule pose significant obstacles to oncologists as well. Cancer treatment is referral-based. Oncologists often obtain information from other doctors, hospital, labs, etc., speak with patients by telephone, identify treatment options, and develop preliminary treatment plans, all before the initial patient visit. The prior consent requirement would prevent all of these important preliminary activities before the first patient visit, which would delay treatment in cases in which such delay cannot be tolerated.
Other commenters continued to strongly support a consent requirement, consistent with their views expressed during the comment period in March 2001. Some argued that the NPRM approach would eliminate an important consumer protection and that such a ``radical'' approach to fixing the workability issues was not required. They recommended a targeted approach to fixing each problem, and suggested ways to fix each unintended consequence of the consent requirement, in lieu of removing the requirement to obtain consent.
A few commenters argued for reinstating a consent requirement, but making it similar to the proposal for acknowledgment of notice by permitting flexibility and including a ``good faith'' standard. They also urged the Department to narrow the definition of health care operations and require that de-identified information be used where possible for health care operations.
Finally, a few commenters continued to assert that consent should be strengthened by applying it to more covered entities, requiring it to be obtained more frequently, or prohibiting the conditioning of treatment on the obtaining of consent.
The Department continues to be concerned by the multitude of comments and examples demonstrating that the consent requirements would result in unintended consequences that would impede the provision of health care in many critical circumstances. We are also concerned that other such unintended consequences may exist which have yet to be brought to our attention. The Department would not have been able to address consent issues arising after publication of this Rule until at least a year had passed from this Rule's publication date due to statutory limitations on the timing of modifications. The Department believes in strong privacy protections for individually identifiable health information, but does not want to compromise timely access to quality health care. The Department also understands that the opportunity to discuss privacy practices and concerns is an important component of privacy, and that the confidential relationship between a patient and a health care provider includes the patient's ability to be involved in discussions and decisions related to the use and disclosure of protected health information about him or her.
A review of the comments showed that almost all of the commenters that discussed consent acknowledged that there are unintended consequences of the consent requirement that would interfere with treatment. These comments point toward two potential approaches to fixing these problems. The Department could address these problems by adopting a single solution that would address most or all of the concerns, or could address these problems by adopting changes targeted to each specific problem that was brought to the attention of the Department. One of the goals in making changes to the Privacy Rule is to simplify, rather than add complexity to, the Rule. Another goal is to assure that the Privacy Rule does not hamper necessary treatment.
For both of these reasons, the Department is concerned about adopting different changes for different issues related to consent and regulating to address specific examples that have been brought to its attention. Therefore, the options that the Department most seriously considered were those that would provide a global fix to the consent problems. Some commenters provided global options other than the proposed approach. However, none of these would have resolved the operational problems created by a mandatory consent.
The Department also reviewed State laws to understand how they approached uses and disclosures of health information for treatment, payment, or health care operations purposes. Of note was the California Confidentiality of Medical Information Act. Cal. Civ. Code Sec. 56.
This law permits health care providers and health plans to disclose health information for treatment, payment, and certain types of health care operations purposes without obtaining consent of the individual.
The California HealthCare Foundation conducted a medical privacy and confidentiality survey in January 1999 that addressed consumer views on confidentiality of medical records. The results showed that, despite the California law that permitted disclosures of health information without an individual's consent, consumers in California did not have greater concerns about confidentiality than other health care consumers. This is true with respect to trust of providers and health plans to keep health information private and confidential and the level of access to health information that providers and health plans have.
The Department adopts the approach that was proposed in the NPRM, because it is the only one that resolves the operational problems that have been identified in a simple and uniform manner. First, this Rule strengthens the notice requirements to preserve the opportunity for individuals to discuss privacy practices and concerns with providers. (See section III.H. of the preamble for the related discussion of modifications to strengthen the notice requirements.) Second, the final Rule makes the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations optional on the part of all covered entities, including providers with direct treatment relationships. A health care provider that has a direct treatment relationship with an individual is not required by the Privacy Rule to obtain an individual's consent prior to using and disclosing information about him or her for treatment, payment, and health care operations. They, like other covered entities, have regulatory permission for such uses and disclosures. The fact that there is a State law that has been using a similar model for years provides us confidence that this is a workable approach.
Other rights provided by the Rule are not affected by this modification. Although covered entities will not be required to obtain an individual's consent, any uses or disclosures of protected health information for treatment, payment, or health care operations must still be consistent with the covered entity's notice of privacy practices. Also, the removal of the consent requirement applies only to consent for treatment, payment, and health care operations; it does not alter the requirement to obtain an authorization under Sec. 164.508 for uses and disclosures of protected health information not otherwise permitted by the Privacy Rule or any other requirements for the use or disclosure of protected health information. The Department intends to enforce strictly the requirement for obtaining an individual's authorization, in accordance with Sec. 164.508, for uses and disclosure of protected health information for purposes not otherwise permitted or required by the Privacy Rule. Furthermore, individuals retain the right to request restrictions, in accordance with Sec. 164.522(a). This allows individuals and covered entities to enter into agreements to restrict uses and disclosures of protected health information for treatment, payment, and health care operations that are enforceable under the Privacy Rule.
Although consent for use and disclosure of protected health information for treatment, payment, and health care operations is no longer mandated, this Final Rule allows covered entities to have a consent process if they wish to do so. The Department heard from many commenters that obtaining consent was an integral part of the ethical and other practice standards for many health care professionals. It, therefore, does not prohibit covered entities from obtaining consent.
This final Rule allows covered entities that choose to have a consent process complete discretion in designing that process. Prior comments have informed the Department that one consent process and one set of principles will likely be unworkable. Covered entities that choose to obtain consent may rely on industry practices to design a voluntary consent process that works best for their practice area and consumers, but they are not required to do so.
This final Rule effectuates these changes in the same manner as proposed by the NPRM. The consent provisions in Sec. 164.506 are replaced with a new provision at Sec. 164.506(a) that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment, and health care operations. A new provision is added at Sec. 164.506(b) that permits covered entities to obtain consent if they choose to, and makes clear any such consent process does not override or alter the authorization requirements in Sec. 164.508. Section 164.506(b) includes a small change from the proposed version to make it clearer that authorizations are still required by referring directly to authorizations under Sec. 164.508.
Additionally, this final Rule includes a number of conforming modifications, identical to those proposed in the NPRM, to accommodate the new approach. The most substantive corresponding changes are at Secs. 164.502 and 164.532. Section 164.502(a)(1) provides a list of the permissible uses and disclosures of protected health information, and refers to the corresponding section of the Privacy Rule for the detailed requirements. The provisions at Secs. 164.502(a)(1)(ii) and (iii) that address uses and disclosures of protected health information for treatment, payment, and health care operations are collapsed into a single provision, and the language is modified to eliminate the consent requirement.
The references in Sec. 164.532 to Sec. 164.506 and to consent, authorization, or other express legal permission obtained for uses and disclosures of protected health information for treatment, payment, and health care operations prior to the compliance date of the Privacy Rule are deleted. The proposal to permit a covered entity to use or disclose protected health information for these purposes without consent or authorization would apply to any protected health information held by a covered entity whether created or received before or after the compliance date. Therefore, transition provisions are not necessary.
This final Rule also includes conforming changes to the definition of ``more stringent'' in Sec. 160.202; the text of Sec. 164.500(b)(1)(v), Secs. 164.508(a)(2)(i) and (b)(3)(i), and Sec. 164.520(b)(1)(ii)(B); the introductory text of Secs. 164.510 and 164.512, and the title of Sec. 164.512 to eliminate references to required consent.