AAFP Advises HHS on Improving HIPAA Without Adding Burden

    May 13, 2021, 5:27 p.m. News Staff — Patients should control when and where their information is shared — and physicians should not be charged with counseling them on associated risks to their privacy. Preventing that increased administrative burden was among the aims of a detailed letter the Academy recently sent HHS regarding proposed changes to the HIPAA privacy rule. 

    The Academy’s May 6 letter led by cautioning that the HIPAA revisions proposed Jan. 21 by HHS’ Office for Civil Rights — in tandem with sweeping information blocking and other health IT regulations implemented by CMS and the Office of the National Coordinator for Health Information Technology — would “require family physicians to change their administrative workflows and invest in a variety of new technologies to ensure compliance.” Consequently, the letter noted, such hurdles would reduce physicians’ time with patients.

    “We strongly encourage OCR to coordinate closely with ONC and CMS to harmonize regulatory requirements related to information sharing and health information technology,” the AAFP added.

    The letter was sent to Robinsue Frohboese, acting director of HHS’ civil rights office, and signed by AAFP Board Chair Gary LeRoy, M.D., of Dayton, Ohio.

    The Academy has a robust confidentiality policy, the letter reminded HHS, and supports policies that “improve patients’ access to their data, as well as the ability to share patients’ health information across the care team, while also protecting patients’ fundamental right to privacy and the patient-physician relationship.”

    In keeping with these positions, the AAFP called on HHS’ OCR to adjust its proposed rulemaking in several key areas.

    Patient Access to Personal Health Information

    The proposed rule would let patients take notes, photos and videos “to view and capture personal health information in a designated record set as part of their right to inspect the PHI in person” — and require physician practices to provide this access without imposing a fee.

    Noting the AAFP’s support of patients’ rights, the letter reiterated the Academy’s concerns that the expense of supporting increased PHI access should not fall to physician practices.

    “Current certified electronic health record technology does not have the functionality to establish a restriction to view only one individual’s record,” the letter said. “Therefore, in addition to providing a convenient place, the practice must also incur staffing costs for practice staff to navigate the EHR on behalf of the patient to ensure other patients’ PHI is protected. Even if such a CEHRT functionality was available, the patient would likely not know how to navigate the EHR and therefore would still require the assistance of practice staff.

    “For these reasons, we think it is reasonable for practices to charge a reasonable fee, particularly when the patient invokes this right outside of an active care encounter.”

    Third-party Access to PHI

    The proposed rule would make it easier for patients to orally request that records be sent to another health care entity, an allowance for which the AAFP expressed support.

    But directing physicians to disclose PHI to non-clinician third parties without written instruction “may not sufficiently protect patients’ privacy,” the Academy warned, and could “result in a variety of unintended consequences, ultimately eroding patients’ privacy and exposing physician practices to additional security risks.”

    The AAFP instead recommended policy allowing “covered entities to have a standard process to authorize disclosure of PHI.”

    The AAFP also noted that the proposed rule would shift onto physicians the responsibility of notifying patients about privacy and security risks when PHI is transmitted to third parties not governed by HIPAA, including numerous popular mobile apps. “The AAFP strongly believes that this burden should not be on physicians or any other clinicians,” the letter said.

    “We are also concerned that, without the ability to charge reasonable fees or be permitted to deny disclosure requests, physician practices will be required to aggregate data on behalf of patients and be overrun with disclosure requests,” the letter added. “The AAFP strongly urges OCR to ensure that the costs, technical challenges and administrative burdens associated with this proposal do not fall on physician practices.”

    Third-party Disclosures

    The Academy urged the OCR to rethink a new HIPAA section proposed in the rule that would permit PHI disclosure to non-clinician third parties without the patient’s express authorization. Though some of these third parties would provide health-related social services addressing social determinants of health, “there are a variety of situations where such a disclosure to a community-based organization or other agency could cause significant discomfort or harm to a patient, jeopardizing their safety and the patient-physician relationship,” the AAFP wrote.

    “The AAFP supports disclosure of PHI to social and community organizations when that disclosure is consistent with a patient’s express wishes. We again reiterate that patients should control when and where their information is shared.”

    Similarly, the Academy advised revision of the proposed rule’s alteration of PHI disclosure policy regarding people with mental illness, substance use disorder or emergency conditions.

    The new rule would replace the current standard’s emphasis on professional judgement with the presumption that “a covered entity was acting in good faith absent evidence that the covered entity acted in bad faith.” The Academy said this good-faith presumption “could improve the sharing of necessary information for the purposes of coordinating or managing a patient’s care” but urged the OCR to “ensure that this change does not result in unintended consequences, such as causing patients to lose their housing, employment, child custody or other rights if the covered entity shares information against their wishes.”

    “This is particularly true for Black, Indigenous and other patients of color, undocumented individuals and others who often are disproportionately harmed by the criminalization of substance use,” the Academy added. “In order to protect patient safety and well-being, as well as preserve the patient-physician relationship, we urge OCR to ensure that the patient’s own preferences regarding the disclosure of their health information are always prioritized.”

    Eliminating ‘Notice of Privacy’ Requirements

    The Academy strongly supported the proposed rule’s elimination of requirements to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s notice-of-privacy practices and retain it for six years.

    As the Academy noted in February 2019 comments, “removing the written-acknowledgement requirement would reduce administrative burden, such as the need to administer, store, update and monitor compliance,” the latest letter said. “We do not believe the current requirements add significant value for patients or their physicians.”

    EHR Definitions

    “The AAFP is concerned that the proposed definition and use of the term EHR will be confusing for physicians and increase the burden associated with complying with HIPAA and other regulations,” the letter said. “It is not clear how this definition of EHR aligns with electronic health information, which is used in information blocking and interoperability regulations to facilitate the sharing of information.”

    The OCR referred to the Academy’s definition of EHR when formulating the proposed rule. However, that definition “was not created for the purpose of determining what information should be shared with a patient or third-party, as OCR’s proposed definition is,” the letter warned, adding that the proposed definition “requires physician practices to share information that is not sharable with existing certified EHR technology.”

    “The EHR definition should be a working definition that limits what must be shared to the types of data that are reasonably available and sharable using CEHRT,” the Academy said. “The definition should also align with the definition of a designated record set.

    “We recommend that ONC align the definitions of EHR and EHI and avoid creating an additional term to describe similar types of patient’s health information.”

    Timely Access

    The AAFP conditionally supported the proposal to require covered entities to disclose information, at the patient’s direction, within 15 days but pointed out that this deadline may be challenging in some cases.