
February 12, 2019 

U.S. Department of Health and Human Services
Office for Civil Rights
Attention: RFI, RIN 0945–AA00
c/o: Marie Meszaros
Hubert H. Humphrey Building, Room 509F
200 Independence Avenue, SW
Washington, DC 20201 

Re: RIN 0945–AA00; Docket HHS–OCR–0945–AA00 

Dear Ms. Meszaros: 

The National Association of Accountable Care Organizations (NAACOS) is pleased to submit comments in response to the Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, as published in the December 14, 2018 Federal Register1. This is the third request for information in the U.S. Department of Health and Human Services’ (HHS) “Regulatory Sprint to Coordinate Care.”2 We appreciate HHS’s efforts to examine barriers to the health system’s move to value-based care and policies that may limit care coordination. We share the administration’s goal to accelerate value-based transformation and appreciate the opportunity to provide our views on how to clarify or modify the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy, Security, and Breach Notification Rules, collectively referred to as the HIPAA Rules, to further that goal.

The ACO model is a market-based solution to fragmented and costly care that empowers local physicians, hospitals, and other providers to work together and take responsibility for improving quality, enhancing patient experience, and reducing waste. Importantly, the ACO model also maintains patient choice of clinicians. While the origin of Medicare ACOs dates back to the George W. Bush administration, the number of ACOs in Medicare has grown considerably in recent years and last year included nearly 650 ACOs, covering 12.3 million beneficiaries.3 ACOs have been instrumental in the shift to value-based care, and a central part of the ACO concept is to improve patient care and reduce unnecessary expenditures through well-coordinated care. Being able to receive patient records in a timely manner, which is permissible under HIPAA Rules, is imperative to proper coordination and ACOs’ success. ACOs must also know where patients receive care outside of their organizations if they are on the hook for patients’ total cost of care. 

Last year, the Centers for Medicare and Medicaid Services (CMS) finalized a set of changes, which it calls Pathways to Success, that will place more Medicare Shared Savings Program (MSSP) ACOs at financial risk for hitting pre-set spending targets, known as benchmarks.4 While we appreciate the administration’s efforts to accelerate the move to value-based care, NAACOS has expressed concern that moving too swiftly to risk-bearing models may cause ACOs to drop out of the voluntary Shared Savings Program.5 ACOs would benefit from the regulatory tools we recommend below, as they are being asked to potentially repay large sums of money in shared losses for not hitting spending targets.

Recommendation 1: Modify definitions of treatment, payment, and health care operations to specifically include ACOs. 

Federal regulations already allow certain uses and disclosures of protected health information by covered entities in 45 C.F.R. § 164.502.6 More precise definitions of treatment, payment, and health care operations are further outlined in 45 C.F.R. § 164.506.7 These definitions, found at 45 C.F.R. § 164.103, are already broad and reasonably allow for ACOs to conduct well-coordinated care. But ACOs’ and HHS’s efforts to foster value-based care would mutually benefit from specifically naming ACOs and care coordination efforts in definitions of permissible uses and disclosures. Medicare ACO programs have grown considerably since the last time HIPAA Rules were updated in 2013, and regulations need to be updated to reflect the substantial role ACOs play in care coordination.

As noted later in this letter, more education and awareness of HIPAA’s permitted disclosures is needed as some risk-averse providers would rather not share protected health information (PHI) than risk enforcement action for an unauthorized disclosure. However, ACOs could point to regulatory language that certain sharing of PHI is allowed if ACOs were specifically mentioned in regulation. The addition of this precise use case of PHI wouldn’t preclude the existing broad language of permissible disclosures.

Specifically, the definitions of “treatment,” “payment,” and “health care operations” at 45 C.F.R. § 164.103 should be revised to read, as follows. 

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient, including for purposes of accountable care; or the referral of a patient for health care from one health care provider to another. 

Payment means: (1) The activities undertaken by: (i) Except as prohibited under § 164.502(a)(5)(i), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and (2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:…(v) Utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services, including for purposes of determining accountable care… 

Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions: (1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); accountability for the quality, cost, and overall care of patients and beneficiaries; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;…

Recommendation 2: Align HIPAA and 42 CFR Part 2 to improve the quality and safety of care. 

NAACOS is an active member of the Partnership to Amend 42 C.F.R. Part 2 (“Part 2”), which advocates for aligning Part 2 with HIPAA for the purposes of treatment, payment, and health care operations.8 Such an alignment would remove the barrier to integrated care for patients with opioid and other substance use disorders. 

Patients must submit written consent prior to the disclosure of their substance use treatment records, which is often challenging and limits whole-person integrated care and care coordination. In situations where the patient does not give consent, Part 2 regulations may lead to a doctor treating a patient and writing prescriptions for opioid pain medication for that individual without knowing the person has a substance use disorder. Separating patients’ addiction records from the rest of their medical records creates obstacles and prevents patients from receiving safe, effective, high quality substance use treatment and coordinated care. In short, Part 2 is not compatible with the way health care is delivered in the 21st Century. 

In order to modernize these regulations, Part 2 needs to harmonize with HIPAA to allow for the transmission of substance use treatment records without written consent for treatment, payment, and health care operations. This will promote integrated care and enhance patient safety, while providing health care professionals with one federal privacy standard for all of medicine. Initiating a rulemaking process for Part 2 will open the door for necessary reforms, allowing for better coordination, safer and more effective treatment for patients, while maintaining strong patient protections. 

Recommendation 3: Give ACOs access to HIPAA Eligibility Transaction System feeds. 

Proper care coordination requires that providers know where patients receive care and then work together to coordinate care. Because Medicare ACO programs allow seniors the freedom to visit any provider they choose, care delivery teams are often in the dark about other providers whom beneficiaries visit. Yet ACOs are still held financially accountable for these patients without knowledge about key encounters like hospitalizations and emergency department visits that allow care teams to follow up with discharge instructions and ensure a more effective transition of care.

HHS should make HIPAA Eligibility Transaction System (HETS) feeds available to ACOs. HETS allows providers to check Medicare beneficiary eligibility in real-time using a secure connection. Anytime a Medicare beneficiary visits a medical provider, an ACO could be aware through this HETS feed. This would allow ACO providers to communicate with treating providers at the hospital and to work with the beneficiary upon his or her release to ensure optimal treatment, medication adherence, and follow up care. Providing ACOs access to this critical information in real time will allow ACOs to further enhance care coordination, improve outcomes, and reduce costs. 

Recommendation 4: Avoid mandates to create the least burdensome rules possible. 

HIPAA Privacy, Security, and Breach Notification Rules were designed to protect the privacy and security of patient health information. The HIPAA Rules are flexible and scalable to accommodate the broad range in types and sizes of entities that must comply with them. But mandating the sharing of information with additional entities risks creating more burden on health systems responding to requests, for example from a payer seeking documentation on a patient’s stay. Mandated sharing may be utilized to ultimately deny care to patients while potentially compromising important patient privacy. Instead, the flexibilities that currently exist with the HIPAA Rules should be maximized. 

If the HIPAA Privacy Rule were revised to require disclosures of PHI for care coordination, HIPAA covered entities and their business associates would be burdened with undertaking preemption determinations for many state-specific issues related to treatment, including with regard to state law protections for certain categories of “sensitive” PHI.  For example, many states require individual consent for the disclosure of information regarding: HIV and AIDS, genetics, substance use disorders, hepatitis, biological parentage, sperm donation, other sexually-transmitted diseases, abuse, etc.  If the HIPAA Privacy Rule were revised to require disclosure of PHI, including “sensitive” information under state law, for example, from one health care provider to another within a certain time period, and the first health care provider, or its business associate, was unable to obtain consent from the individual to make the disclosure, which law should the provider or business associate violate—state or federal?  Further, if such request must be made within a specific time period, the first health care provider, or its business associate, will have significantly increased burdens associated with making what would likely be daily required disclosures under HIPAA to other health care providers, particularly with regard to the workforce members required to review requests, verify requestors, and ensure appropriate safeguards to any particular timely disclosure. 

Importantly, any disclosure of substance use disorder records protected by 42 C.F.R. Part 2 (“Part 2”) would also generally require the consent of the individual who is the subject of such information.  Unless and until the Part 2 regulations are revised to conform with the HIPAA Rules, in any case where a disclosure of such Part 2-protected information were necessary, health care providers and their business associates would risk violating Part 2 and be subjected to criminal penalties for such, if they complied with a required disclosure under the HIPAA Rules. As such, it is likely that the majority of health care providers or business associates, who are put in the unenviable position of complying with either Part 2 or HIPAA, would choose to comply with Part 2, given the criminal liability. 

Recommendation 5: Increase public outreach and education of allowable disclosures under HIPAA Rules. 

Due to the complexity of HIPAA Rules, there is a large amount of misinformation and misunderstanding around requirements and what the law truly allows in terms of sharing patient information. There is no single standardized program that could appropriately train employees of all entities. Furthermore, fear of sharing PHI in instances where it may not be allowed and increased enforcement action by HHS’s Office for Civil Rights (OCR) have created an environment where some risk-averse providers don’t share PHI even though it’s allowed by HIPAA.

Therefore, we recommend HHS conduct a broad education campaign to increase understanding of HIPAA and what HIPAA Rules currently allow for sharing of PHI for treatment, payment and health care operations. Providing clear and concise education to the provider community would eliminate confusion around HIPAA while providing clinicians and health care teams with greater confidence in their ability to share certain health information.  

OCR in the past has released subregulatory guidance to help explain permissible uses of PHI under HIPAA. While useful, such guidance needs to be continually pushed out to provider and patient communities who need constant reminders that such resources exist. Without such efforts, OCR’s resources and guidance risk being forgotten. Public education would also benefit from additional discussion about the importance of all care providers having a complete summary of their health status with compliant data sharing. NAACOS points out there’s very little current medical school curricula regarding HIPAA. Providers need more opportunities for continuing medical education (CME) on HIPAA such as refreshed or updated modules. Without such updates, a medical professional could complete a CME module and then not have another opportunity to be reminded about HIPAA Rules.

Recommendation 6: Balance the low patient demand for expanded accounting of disclosures reports with the high burden it will place on ACOs.

NAACOS urges OCR to proceed with great caution in considering a requirement that covered entities provide patients with an accounting of disclosures of the PHI for treatment, payment and health care operations. Such a move has the potential to create an undue administrative burden. Current technology does not allow for providers to easily produce such disclosure reports. A recent survey from the Medical Group Management Association found only about 22 percent of medical practices said they had an electronic medical record system that was able to produce an accounting disclosure report. That survey found 94 percent of practices viewed the production of accounting disclosure reports as extremely, very or somewhat burdensome. Furthermore, there is a very low volume of requests for accounting of disclosures, signaling this is not a key area of concern for patients. 

The Health Information Technology for Economic and Clinical Health (HITECH) Act specifically requires that HHS take “into account the interests of the individuals in learning the circumstances under which their PHI is being disclosed” while taking “into account the administrative burden of accounting for such disclosures.” Given the incredible burdens on HIPAA covered entities involved with auditing all disclosures of PHI, retaining such audit documentation, and providing such to an individual upon request, OCR should expand the right to an accounting of disclosures only to those patients who request it in advance. 

Additionally, OCR could propose that covered entities do periodic audits to identify and account for impermissible disclosures to those workforce members of the entity who do not have a need to know the individuals’ PHI. This approach would provide assurance to individuals while limiting the burdens on HIPAA covered entities and business associates. In its consideration of implementing this provision of the HITECH Act, we urge OCR to balance the low patient demand versus the high burden on health care providers, including ACOs. 


HIPAA Rules provide important privacy protections for patients while allowing reasonable sharing of PHI for treatment, payment and health care operations. While HHS should make small tweaks to acknowledge the growing importance of ACOs, it should be cautious of wholesale changes. Instead, HHS would be better served educating health care stakeholders about the sharing of PHI that’s allowable today. NAACOS appreciates HHS’s work to address the important issue of care coordination and is willing to work with you to further the goals of well-coordinated care, which align with the goals of ACOs. Should you have any questions about this letter or the ACO program, please contact David Pittman at [email protected]



Clif Gaus
President and CEO 

Cc: Federal eRulemaking Portal; Docket ID number HHS–OCR–0945–AA00.