The Center for Democracy and Technology (CDT) submitted comments on a notice of proposed rulemaking (NPRM) from the U.S. Dept. of Health and Human Services (HHS) that would make significant changes to how sensitive patient information is handled under the Health Insurance Portability and Accountability Act (HIPAA). Much of the NPRM implements requirements passed by Congress in the HITECH Act, part of the 2009 stimulus legislation.
Health information technology is poised to transform patient-provider interaction and the delivery of health care, but will also exacerbate privacy risks if comprehensive regulatory safeguards are not in place. A comprehensive framework of privacy and security protections, including greater transparency regarding uses and disclosures of personal health data, is crucial to consumer trust in health information technology and health information exchange.
Most of the proposed regulations are positive from a privacy perspective. However, some of the proposals need clarification and others should be rescinded. This policy post will summarize some of CDT’s positions on four of the more important issues presented in the NPRM. Readers should check out our comments to see CDT’s recommendations on the full set of issues raised in the NPRM.
Under current regulations, “covered entities” – such as hospitals, physician offices, and pharmacies – must obtain prior authorization from patients to use their information to send them marketing communications. The current HIPAA Privacy Rule has several exceptions to the definition of marketing, including communications related to treatment of the individual, communications for case management and care coordination, and communications recommending alternative therapies. Covered entities do not need prior authorization to use a patient’s health information to send communications that fall under these exceptions. Patient advocates generally perceive the restrictions on marketing to be weak due to the broad exceptions to the marketing definition.
In the HITECH Act, Congress tried to narrow these exceptions in cases where a covered entity receives indirect or direct payment to make a communication that would have otherwise qualified for one of the marketing exceptions. In other words, if a communication about a health care product is paid for by that product’s manufacturer, it counts as marketing (unless the communication is about a drug that the patient is currently taking). Unfortunately, this part of the bill was poorly written.
In the NPRM, HHS read the statute as clearly requiring prior authorization only for those subsidized marketing communications that fall into the category of “health care operations.” For subsidized communications that are for “treatment,” HHS concluded that Congress’ intent was less clear.
The consequences of this proposed distinction between subsidized treatment and operations communications are critical to consumers: subsidized marketing communications that are health care operations require prior authorization, and those that are treatment are subject only to an opt-out.
The current definitions of the terms “treatment” and “operations” overlap significantly in the HIPAA Privacy Rule. In the NPRM, HHS proposes that population-based communications are considered to be “operations,” which is distinct from communications to treat an individual.
In our comments, CDT rejected HHS’ distinction between treatment and operations communications; any communication paid for by product makers urging patients to use or ask their doctors about the manufacturer’s products should be considered marketing and require prior authorization.
To the patient, subsidized communications for treatment or operations are all marketing. In addition, medical interventions often serve dual population and individual treatment purposes, and it will be difficult for providers to appropriately make this distinction (particularly under the influence of a financial subsidy).
Treating all subsidized communications as marketing that require patient authorization is more consistent with Congress’ intent in enacting HITECH and eliminates HHS’ confusing distinction between communications for treatment and those for operations. Patients have a high degree of concern over the use of the electronic health information for marketing purposes, and widespread electronic health information exchange depends heavily on patient trust. HHS should therefore pursue a policy that is more protective of patient privacy.
If HHS retains the distinction between subsidized treatment and operations communications, and imposes only an opt-out for the former, CDT recommended ways to make an opt-out policy more effective.
Under the current Privacy Rule, “business associates” are third-party organizations or individuals that perform activities involving patient data on behalf of covered entities. Historically, business associates were not directly accountable for complying with HIPAA privacy and security requirements. Instead, the law required covered entities and business associates to enter into specialized contracts – called “business associate agreements” – containing certain patient privacy protections. However, the protections in the business associate agreements were generally less stringent than those which HIPAA required of covered entities. This has been a longstanding problem in health privacy – legal safeguards diminish as patient data flows downstream.
HITECH changed this by requiring business associates to comply with most of the same privacy and security requirements as covered entities when they handle protected health data. HITECH made business associates directly accountable to federal and state authorities for failure to comply. In the NPRM, HHS proposed a clarification that this requirement would also apply to subcontractors of business associates.
CDT’s comments strongly supported the direct application of privacy requirements and liability to business associates and subcontractors. Nonetheless, the NPRM leaves intact other provisions of the Privacy Rule that provide business associates with overbroad discretion in how they use and disclose patient health data. For example, the Privacy Rule permits business associates to use and disclose patient data to perform data aggregation services and for the management and administration of the business associate. CDT urged HHS to revise the HIPAA Privacy Rule to require business associate agreements to specify the functions the business associate will perform for the covered entity and to limit the collection, uses, and disclosures of patient data only to those functions.
Generally, the HIPAA Privacy Rule only allows covered entities to use or disclose patients’ health information for research purposes with the patient’s authorization, except in certain circumstances. The current Privacy Rule also prohibits covered entities from conditioning a patient’s treatment on obtaining an authorization for research, unless the treatment is part of the research itself. Covered entities are currently prohibited from combining, on a single form, an authorization for research on which treatment is conditioned with an authorization for research on which it is not.
The proposed rule would allow covered entities to combine conditioned and unconditioned authorizations for research, so long as the distinction between the two is clear. The NPRM also sought public comment on whether the Privacy Rule should permit authorizations for future research.
In our comments, CDT recommended that HHS explore a comprehensive approach to privacy for research based on more than patient authorization. Instead of relying so heavily on consent, HHS should develop a package of privacy and security protections rooted in fair information practices and bolstered by the application of technology solutions. CDT did not object to the concept of combining authorizations for conditioned and unconditioned research, but recommended that HHS issue guidance on how best to educate patients on their options and the difference between the authorizations. CDT also argued that authorizations for future research should detail the purposes of the future research, and treatment should not be conditioned on authorizations for future research.
The current HIPAA Privacy Rule gives individuals the right to review or obtain a copy of their health information. Patients have this right for both paper and electronic records. At present, a covered entity must give the patient access within thirty days, with the possibility of a thirty-day extension. In the NPRM, HHS stated that it is considering a single, shorter time standard for electronic records and asked the public to comment on the idea.
In our comments, CDT recommended HHS adopt a standard of three business days for providers to respond to record requests from their patients. This timeframe has the advantage of aligning with the “meaningful use” initiative – a government program offering incentives to health care providers who adopt electronic medical records – which says program participants must respond to fifty percent of all records requests within three days. Applying the same three-day standard to HIPAA would establish consistency among providers who are meaningful users and those who are not, reducing confusion among patients who may be dealing with multiple providers.
CDT also urged HHS to encourage the industry to provide patients with the capability to download their information. HHS should deem a “download button” to be an acceptable way for covered entities that use web-based portals to provide patients with electronic copies and access to their records. The download capability is already in use at the Dept. of Veterans Affairs and expected soon at the Centers for Medicare and Medicaid Services.
Health care providers offering download capabilities will need to inform patients of the policies and risks of using the download function, have a means to confirm the individual’s consent to download PHI at the point of decision, use immutable audit logs, and include timestamps in the data indicating when it was downloaded. The Markle Foundation has developed a set of policies that apply the widely endorsed Common Framework for Networked Personal Health Information specifically to download capability. HHS should use these model policies to establish guidelines on covered entities’ use of the download capability.
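The three technical safeguards named above (point-of-decision consent, an immutable audit log, and a download timestamp in the exported data) can be sketched in code. The following is an added illustration written for this post; it is not code from CDT, the Markle Foundation, the VA or CMS, and the record layout, function names and sample patient data are all constructed assumptions. The audit log is made tamper-evident with a SHA-256 hash chain: every entry commits to the previous entry's hash, so altering, reordering or removing an interior entry is detectable. The log records who downloaded what and when, plus a hash of the exported file, but deliberately not the PHI itself.

```python
"""Added example (not from CDT's comments or the Markle policies): a
hash-chained, append-only audit log for patient "download button" events.
Names, record layout and sample data are illustrative assumptions."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


class ConsentNotConfirmed(Exception):
    """Download attempted without the patient confirming consent at the point of decision."""


def canonical(obj) -> bytes:
    # Deterministic serialization so equal payloads always hash identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class AuditLog:
    """Append-only, hash-chained log of download events (tamper-evident)."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _entry_hash(prev_hash: str, payload: dict) -> str:
        return hashlib.sha256(prev_hash.encode("ascii") + canonical(payload)).hexdigest()

    def append(self, payload: dict) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "prev_hash": prev_hash,
            "payload": payload,
            "hash": self._entry_hash(prev_hash, payload),
        }
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest hash; anchor it externally so truncation of the tail is also detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> bool:
        """True iff no entry was altered, reordered or removed from inside the chain."""
        prev_hash = GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_hash"] != prev_hash:
                return False
            if entry["hash"] != self._entry_hash(prev_hash, entry["payload"]):
                return False
            prev_hash = entry["hash"]
        return True


def download_record(log: AuditLog, patient_id: str, record: dict, *,
                    consent_confirmed: bool, actor: str,
                    now: Optional[datetime] = None) -> dict:
    """Produce the patient's downloadable copy and record the event.

    - refuses unless consent was confirmed at the point of decision
    - stamps the export with the download time (ISO 8601, UTC)
    - logs who, when and a hash of what was exported, but NOT the PHI itself
    """
    if not consent_confirmed:
        raise ConsentNotConfirmed(f"patient {patient_id}: consent not confirmed")
    now = now or datetime.now(timezone.utc)
    timestamp = now.isoformat(timespec="seconds")
    export = dict(record, downloaded_at=timestamp)  # copy; the source record is untouched
    log.append({
        "event": "phi_download",
        "patient_id": patient_id,
        "actor": actor,
        "timestamp": timestamp,
        "export_sha256": hashlib.sha256(canonical(export)).hexdigest(),
    })
    return export


# Constructed sample data for the demo (not real PHI).
SAMPLE_RECORD = {"patient_id": "P-1001", "allergies": ["penicillin"], "medications": ["metformin"]}
FIXED_TIME = datetime(2011, 3, 15, 14, 30, tzinfo=timezone.utc)


def demo():
    """Two consented downloads, then an after-the-fact edit of the first log entry."""
    log = AuditLog()
    export = download_record(log, "P-1001", SAMPLE_RECORD, consent_confirmed=True,
                             actor="portal:P-1001", now=FIXED_TIME)
    download_record(log, "P-1001", SAMPLE_RECORD, consent_confirmed=True,
                    actor="portal:P-1001", now=FIXED_TIME)
    intact = log.verify()
    log.entries[0]["payload"]["actor"] = "someone-else"  # simulated tampering
    return export, intact, log.verify()


if __name__ == "__main__":
    exported, before, after = demo()
    print(exported["downloaded_at"], "chain intact before:", before, "after tampering:", after)
```

One caveat a practitioner should keep in mind: a hash chain alone proves nothing about entries removed from the end of the log, since a truncated chain still verifies. That is why `head()` exists; the latest hash has to be periodically copied somewhere the log's administrators cannot silently rewrite (a write-once store, a separate audit system, or a signed statement) before the log can honestly be called immutable.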