Dear Mr. Severino:
The Sequoia Project is pleased to submit comments to the Office for Civil Rights (OCR) in response to the Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (RFI). We appreciate OCR’s commitment to consider thoughtfully the comments that it receives from its stakeholders in response to such requests.
The Sequoia Project is a non-profit, 501(c)(3) public private collaborative that advances interoperability for the public good. The Sequoia Project previously served as a corporate home for several independently governed health IT interoperability initiatives, including the eHealth Exchange health information network and the Carequality interoperability framework. The eHealth Exchange health information network and Carequality now operate under their own corporations, but coordinate with Sequoia and their perspectives inform these comments that we are submitting to OCR.
The Sequoia Project currently supports the RSNA Image Share Validation Program and the Patient Unified Lookup System for Emergencies (PULSE). Our comments on the RFI are based on our significant experience supporting large-scale, nationwide health data sharing initiatives, including assessments of interoperability and security capability of exchange participants. Through these efforts, we serve as an experienced, transparent and neutral convener of public and private-sector stakeholders to address and resolve practical challenges to interoperability, including in-depth development and implementation of trust frameworks and associated agreements. This work extends to several crosscutting projects, including patient matching, improving the quality of clinical documents exchanged, information blocking, and other matters prioritized by stakeholders, such as health IT disaster response.
Our deep experience implementing national-level health IT interoperability, including our track record of supporting and operationalizing federal government and private sector interoperability initiatives, such as the eHealth Exchange, Carequality and PULSE, provide a unique perspective on interoperability-related provisions of the RFI.
Overview
In this letter, we provide priority high-level comments intended to help OCR evaluate potential enhancements to Health Insurance Portability and Accountability Act (HIPAA) privacy and security regulations. We share with OCR an overall aim to improve the health and health care of patients and our nation through more seamless authorized access to patients’ health information.
We support OCR’s desire to evaluate potential revisions to provisions of HIPAA regulations that may impede the ongoing transformation to value-based care or interfere with coordinated care without meaningfully protecting the privacy or security of protected health information (PHI). The Sequoia Project and its affiliated initiatives are committed to efficient and useful electronic exchange of health care information and agree with the need to strike an optimal balance between privacy and security and access to PHI to meet the range of legally and contractually permitted purposes for such information. We have seen first-hand how uncertainty about what is permitted or required under HIPAA has impeded organizational and individual willingness to share information and to engage with health information exchange initiatives.
In the Appendix to this letter, we answer selected OCR questions for which The Sequoia Project has pertinent information and experience to bring to bear.
Conclusions
We thank the OCR for providing the opportunity to comment on this RFI. The Sequoia Project is eager to assist OCR and the Department in advancing our national interoperability agenda.
Most respectfully,
Mariann Yeager
CEO, The Sequoia Project
Appendix
The Sequoia Project’s Answers to Selected Questions Posed in the Office for Civil Rights Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (RIN 0945-AA00)
5.a. How commonly do business associate agreements prevent clearinghouses from providing PHI directly to individuals?
In our experience, business associate agreements (BAA) commonly prevent business associates, such as clearinghouses, from providing PHI directly to an individual requester. Instead, the clearinghouse is typically directed to forward such requests to the covered entity.
5.b. Should health care clearinghouses be subject to the individual access requirements, thereby requiring health care clearinghouses to provide individuals with access to their PHI in a designated record set upon request? Should any limitations apply to this requirement? For example, should health care clearinghouses remain bound by business associate agreements with covered entities that do not permit disclosures of PHI directly to an individual who is the subject of the PHI?
The Sequoia Project does not support requiring clearinghouses to provide an individual with their own PHI as part of a designated record set on request. Such a requirement will lead to significantly higher clearinghouse operating costs and would make it very difficult for covered entities to know when PHI for which they are responsible has been disclosed. Certainly, BAAs should continue to define clearinghouses’ permitted disclosures of PHI.
5.c. Alternatively, should health care clearinghouses be treated only as covered entities— i.e., be subject to all requirements and prohibitions in the HIPAA Rules concerning the use and disclosure of PHI and the rights of individuals in the same way as other covered entities—and not be considered business associates, or need a business associate agreement with a covered entity, even when performing activities for, or on behalf of, other covered entities? Would this change raise concerns for other covered entities about their inability to limit uses and disclosures of PHI by health care clearinghouses? For example, would this change prevent covered entities from providing assurances to individuals about how their PHI will be used and disclosed? Or would covered entities be able to adequately fulfill individuals’ expectations about uses and disclosures through normal contract negotiations with health care clearinghouses, without the need for a HIPAA business associate agreement? Would covered entities be able to impose other contractual limitations on the uses and disclosures of PHI by the health care clearinghouse?
The Sequoia Project does not support eliminating BAAs for clearinghouses that provide services to other covered entities. Although clearinghouses are covered entities, their unique role in providing services to other covered entities, as detailed in this question, makes BAAs defining such services an important element of their operation.
5.d. If health care clearinghouses are not required to enter into business associate agreements with the other covered entities for whom they perform business associate functions, should such requirement also be eliminated for other covered entities when they perform business associate functions for other covered entities?
The Sequoia Project does not support eliminating BAAs for covered entities when they provide services to other covered entities. When they do so, their role is much more akin to that of a business associate than a covered entity and BAAs help ensure that HIPAA-related obligations are clearly established and enforced.
7. Should covered entities be required to disclose PHI when requested by another covered entity for treatment purposes? Should the requirement extend to disclosures made for payment and/or health care operations purposes generally, or, alternatively, only for specific payment or health care operations purposes?
We anticipate that the forthcoming HHS “information blocking” rule required by the 21st Century Cures Act will impose new requirements on covered entities and others to not withhold information when requested for a permitted purpose. Information blocking requirements may be the better way to address these issues than would be revisions to HIPAA regulations. Fundamentally, Sequoia is not certain that requiring covered entities to exchange PHI for treatment, payment and healthcare operations (TPO) with any other covered entity is needed at this time, although it could provide covered entities with the legal mandate that they currently lack to support more robust exchange. We have observed that covered entities are willing to exchange PHI for treatment purposes and do not believe that additional HIPAA requirements to do so are needed. At the same time, however, covered entities have been less willing to agree to exchange PHI for reasons other than treatment. This reluctance seems to have a variety of sources. We urge OCR to carefully consider comments received on this issue.
7.a Would this requirement improve care coordination and/or case management? Would it create unintended burdens for covered entities or individuals? For example, would such a provision require covered entities to establish new procedures to ensure that such requests were managed and fulfilled pursuant to the new regulatory provision and, thus, impose new administrative costs on covered entities? Or would the only new administrative costs arise because covered entities would have to manage and fulfill requests for PHI that previously would not have been fulfilled?
Please see Question 7 for our general perspectives. Requiring that covered entities disclose PHI for treatment and operations might improve care coordination and/or care management since these can be considered treatment or operations (depending on the discloser). More generally, this proposed policy change could simplify information exchange as, today, with disclosure permitted but not required, covered entities must develop policies to guide them on when PHI will and will not be disclosed. If OCR makes distinctions between treatment and other permitted purposes for a new policy, we suggest that it define information exchange for care coordination/care management as treatment regardless of the type of covered entity exchanging or requesting the information.
At the same time, requiting such disclosures could create additional complexity and create further conflicts between HIPAA and state laws. For example, covered entities currently develop governance mechanisms to monitor administration of their policies, which would need to be updated to reflect any HIPAA regulatory revisions. This potential new provision could also create new burdens if organizations feel obligated to expand or revise their policies to inform patients about the ability to opt out of certain types of exchanges.
7.b. Should any limitation be placed on this requirement? For instance, should disclosures for healthcare operations be treated differently than disclosures for treatment or payment? Or should this requirement only apply to certain limited payment or health care operations purposes? If so, why?
In general, simplicity is the best approach. Rather than having different requirements for treatment, payment or healthcare operations, we recommend having standard requirements that are clear and unambiguous. Such an approach assures that everyone understands the rules. If OCR does implement limitations to a new requirement to disclose, it should ensure that any distinctions are crystal clear and can be implemented using electronic exchange models. In addition, one further route that OCR might take would be to revise HIPAA regulations to indicate that care coordination and case management can be considered treatment when conducted by health plans, especially as part of a value-based care arrangement.
7.c. Should business associates be subject to the disclosure requirement? Why or why not?
Business associates can and should only access, use or disclose PHI within the framework of the services they provide to the covered entity. If a covered entity is required to disclose PHI for treatment, payment or healthcare operations and a business associate’s scope of services includes helping the covered entity fulfill its obligations, then the business associate should be required to disclose PHI as requested by the covered entity per the BAA. We do not, however, support requiring business associates to disclose PHI independent of their obligations under their BAA with the covered entity.
8. Should any of the above proposed requirements to disclose PHI apply to all covered entities (i.e., covered health care providers, health plans, and health care clearinghouses), or only a subset of covered entities? If so, which entities and why?
If OCR decides to require disclosure of PHI, this requirement should not apply to clearinghouses given their unique role. In addition, required disclosure by providers to health plans (beyond what is already contractually required) might require a separate framework than disclosures to other providers.
9. Should a HIPAA covered entity be required to disclose PHI to a non-covered health care provider with respect to any of the matters discussed in Questions 7 and 8? Would such a requirement create any unintended adverse consequences? For example, would a covered entity receiving the request want or need to set up a new administrative process to confirm the identity of the requester? Do the risks associated with disclosing PHI to health care providers not subject to HIPAA’s privacy and security protections outweigh the benefit of sharing PHI among all of an individual’s health care providers?
As previously discussed, Sequoia recognizes that non-covered providers can be an integral part of the networks of caregivers that support the health and wellness of individuals. To the extent that non-covered providers are involved with covered healthcare providers or with health plans in the care or wellness of individuals, these non-covered providers should have appropriate access to information and covered entities should be permitted, but not required, to make such disclosures. We note that non-covered entities, absent such agreements, do not have the same HIPAA obligations to protect health information, nor to limit requests to minimum necessary data in specified circumstances, as do covered entities and that lack of such protections is a material risk that must be considered.
10. Should a non-covered health care provider requesting PHI from a HIPAA covered entity provide a verbal or written assurance that the request is for an accepted purpose (e.g., TPO) before a potential disclosure requirement applies to the covered entity receiving the request?
Yes, disclosure in this scenario should only be required if such an assurance is provided. eHealth Exchange and Carequality require any Participant submitting an electronic request for PHI to assert a valid Permitted Purpose and represent that it has obtained the requisite permissions, under HIPAA or other applicable law, from the individual whose PHI is being sought. We strongly support a requirement that any party requesting PHI provide assurance that the request is for a valid purpose under HIPAA or other applicable law if compliance with such a request is mandated by a change in the HIPAA regulations. We have found that having a set of permitted purposes that are known by, and agreed to, by all those who request information is essential to developing a sustainable trust framework.
11. Should OCR create exceptions or limitations to a requirement for covered entities to disclose PHI to other health care providers (or other covered entities) upon request? For example, should the requirement be limited to PHI in a designated record set? Should psychotherapy notes or other specific types of PHI (such as genetic information) be excluded from the disclosure requirement unless expressly authorized by the individual?
See our answer to Question 7 for our general approach to the broad policy change contemplated by OCR. If it proceeds with such a policy, and is considering limitations on what must (rather than permitted) be exchanged, we note that the definition of a Designated Record Set is extremely broad and includes any medical or payment records maintained by, or on behalf of, a covered entity and any other information used by, or for, a covered entity to make decisions about an individual. This definition is so extensive that it would essentially include all information in an individual’s medical record and not serve as a practical limitation on information exchange.
We would support further study of ways to develop a common set of requirements to enable certainty about the types of information required to be disclosed if such a policy to require disclosure is adopted. Finally, we agree that certain types of PHI, such as psychotherapy notes or genetic information, should be excluded from any new disclosure requirement unless expressly authorized by the individual. At the same time, definitions of such categories of PHI must be extremely clear and able to be implemented in practice, especially in electronic exchange models.
12. What timeliness requirement should be imposed on covered entities to disclose PHI that another covered entity requests for TPO purposes, or a non-covered health care provider requests for treatment or payment purposes? Should all covered entities be subject to the same timeliness requirement? For instance, should covered providers be required to disclose PHI to other covered providers within 30 days of receiving a request? Should covered providers and health plans be required to disclose PHI to each other within 30 days of receiving a request? Is there a more appropriate timeframe in which covered entities should disclose PHI for TPO purposes? Should electronic records and records in other media forms (e.g., paper) be subject to the same timeliness requirement? Should the same timeliness requirements apply to disclosures to non-covered health care providers when PHI is sought for the treatment or payment purposes of such health care providers?
Sequoia supports shorter timelines for covered entities to provide PHI for TPO purposes, especially when records are maintained electronically and can be furnished electronically. The current 30-day timeline may have been appropriate in a paper-based environment in which medical records personnel were required to physically retrieve records and manually search those records for the requested information. In a digital environment, the 30-day timeline does not seem necessary or appropriate. In many instances, records can be queried automatically, and results transmitted immediately. This model of access is occurring every day in the U.S., to the benefit of individual patients and their healthcare providers. Increasing availability of open, standards-based application programming interfaces (APIs) will further enhance the ability to make PHI available in real-time (or near real-time).
We emphasize however, that although parts of the designated record set will be available online in electronic form, well standardized, and able to be provided rapidly as suggested, other parts of the designated record set may be archived offline or in non-electronic media. Certainly, information not readily accessible online for any reason should not be subject to revised requirements for providing access in less than 30 days.
Fundamentally, The Sequoia Project believes that the construct of defining specific timelines within which covered entities must respond to requests for PHI is outdated given the technology currently deployed across the healthcare sector. Rather than simply shortening the current 30-day timeline, Sequoia suggests a different approach in which covered entities are required to provide PHI requested for TPO as rapidly as the covered entity’s technology will support. For many covered entities, the supported technology will be a synchronous transaction in which the PHI is sent instantaneously upon receipt of the electronic request. We further recommend that covered entities be required to document if they are unable to comply and explain why this is the case.
13. Should individuals have a right to prevent certain disclosures of PHI that otherwise would be required for disclosure? For example, should an individual be able to restrict or “opt out” of certain types of required disclosures, such as for health care operations? Should any conditions apply to limit an individual’s ability to opt out of required disclosures? For example, should a requirement to disclose PHI for treatment purposes override an individual’s request to restrict disclosures to which a covered entity previously agreed?
Sequoia recognizes the extreme sensitivity that continues to surround individuals’ ability to limit disclosure of some or all, of their PHI and recognizes that such sensitivity might increase if HIPAA TPO disclosures are required rather than permitted, as contemplated in prior RFI questions.
Based on our years of experience building eHealth Exchange and Carequality, and our work curating the Data Use and Reciprocal Support Agreement (DURSA), we also appreciate the need for providers to have access to as much information about their patients as possible. We support the work of the Centers for Medicare and Medicaid Services (CMS) to put patients at the center of their care and empower patients to direct with whom their information is shared. We likewise believe that the Privacy Rule should continue to support individuals’ rights to control their information, including PHI.
The extent to which patients have an appropriate ability to control access to their PHI will, in our view, enhance the level of trust that individuals have in health information networks, which will lead to more widespread data sharing. At the same time, implementing specific and granular opt-out provisions for TPO can be administratively and technically challenging and actually create a barrier to necessary information access. We believe that an evolution of the current HIPAA model for TPO opt-out would be appropriate if overall requirements for TPO disclosure are increased as OCR contemplates. Specifically, patients should be free to make such a request to a covered entity (e.g., provider) and the covered entity should be permitted to honor this request if it agrees to do so.
14. How would a general requirement for covered health care providers (or all covered entities) to share PHI when requested by another covered health care provider (or other covered entity) interact with other laws, such as 42 CFR Part 2 or state laws that restrict the sharing of information?
The relationship of the HIPAA Privacy Rule and state privacy laws (which can be more stringent than what HIPAA requires) has been the subject of extensive debate and is heavily documented in legal writings. HIPAA preempts state laws that are contrary to HIPAA requirements unless a specific exception exists that is recognized by the Secretary of HHS (see 45 CFR 160.203). Establishing whether a specific state law is preempted under HIPAA depends on the facts and circumstances of each situation. If the HIPAA Privacy Rule is amended to require disclosure by a covered entity to another covered entity upon request, it is possible that current or future state laws could establish privacy rights among individuals that would limit such disclosures or enable the individual to block such disclosures.
For 42 CFR Part 2, the situation is somewhat different since that statute regulates a particular type of health care provider (substance abuse treatment centers, or units within hospitals, that receive federal support). Again, a comprehensive legal analysis is beyond the scope of this RFI. As a general matter, however, the requirements of 42 CFR Part 2 would supersede any HIPAA provisions that were contrary to the Part 2 requirements.
15. Should any new requirement imposed on covered health care providers (or all covered entities) to share PHI when requested by another covered health care provider (or other covered entity) require the requesting covered entity to get the explicit affirmative authorization of the patient before initiating the request, or should a covered entity be allowed to make the request based on the entity’s professional judgment as to the best interest of the patient, based on the good faith of the entity, or some other standard?
No. Neither consent nor authorization should be required for legally permitted TPO requests. Such a new consent requirement, accompanying a new requirement for TPO disclosure, would be an unnecessary administrative burden and add further complexity to electronic health data exchange models, as consent requirements are already a significant impediment to information exchange and consent management is a significant burden. We especially note that such a new consent requirement would apply to all requests, not just any new requests that occur as a result of a new requirement for TPO disclosure, and hence would be even more of a burden than might be expected.
It is also essential to recognize that, if each request requires consent, this change could significantly reduce the value of any new requirement to respond to TPO requests. If this new consent requirement is imposed, it should certainly not apply to requests by providers.
Overall, we see significant practical, technical and cost challenges from such a requirement. It would disrupt current and highly successful exchange models and could negatively affect quality of care if additional steps are needed to continue sharing information for treatment. It is also at odds with emerging API models of information access.
Finally, see our response to Question 13 regarding the rights of individuals to direct how their information is shared. The HIPAA Privacy Rule currently requires that an individual has the right to request restrictions on the use and disclosure of their PHI for TPO. If the Privacy Rule were revised to require that a covered entity disclose PHI in response to a request, the Privacy Rule as currently written would still enable an individual to request that their provider not share certain information. Fundamentally, we do not support new consent requirements for requesters and do not recommend that this consent requirement be changed.
16. What considerations should OCR take into account to ensure that a potential Privacy Rule requirement to disclose PHI is consistent with rulemaking by the Office of the National Coordinator for Health Information Technology (ONC) to prohibit “information blocking,” as defined by the 21st Century Cures Act?
The Sequoia Project recommends that OCR not propose any revisions to the Privacy Rule until ONC has published its final information blocking rule as required by the 21st Century Cures Act, and associated guidance, and there also is some experience with its implementation. We also recommend that OCR take into consideration comments submitted under this RFI as well as the requirements in the final information blocking rule when considering revisions to the Privacy Rule. Overall, OCR and ONC should seek to harmonize a Final Rule on information blocking and any proposed and final rules on HIPAA revisions. Overall, we do note that greater clarity on HIPAA obligations could enhance the ability to comply with and enforce information blocking provisions. In addition, OCR will need to take account of state laws as it seeks to harmonize HIPAA and information blocking provisions.
17. Should OCR expand the exceptions to the Privacy Rule’s minimum necessary standard? For instance, should population-based case management and care coordination activities, claims management, review of health care services for appropriateness of care, utilization reviews, or formulary development be excepted from the minimum necessary requirement? Would these exceptions promote care coordination and/or case management? If so, how? Are there additional exceptions to the minimum necessary standard that OCR should consider?
Sequoia is concerned that covered entities currently act to limit the amount of information that they disclose because of confusion about the exact interpretation of the minimum necessary standard. Compliance officers for covered entities are required to take all reasonable steps to assure that the covered entity does not violate HIPAA, even if this action means that some PHI that could possibly be disclosed is not disclosed. Overall, we believe that all stakeholders would benefit from clarifications on how to interpret the minimum necessary rule for payment and healthcare operations.
Although OCR could expand the current exception to the minimum necessary rule to include payment and healthcare operations, we are concerned that only expanding the exception to include specific types of PHI within these broad categories would limit information sharing and quickly become outdated. On balance, rather than eliminating the minimum necessary standard, we believe that OCR should provide guidance that delineates how to comply with this standard using a data set (extent of information) that is appropriate for the activities called out in this question, rather than removing this standard for such services.
18. Should OCR modify the Privacy Rule to clarify the scope of covered entities’ ability to disclose PHI to social services agencies and community-based support programs where necessary to facilitate treatment and coordination of care with the provision of other services to the individual? For example, if a disabled individual needs housing near a specific health care provider to facilitate their health care needs, to what extent should the Privacy Rule permit a covered entity to disclose PHI to an agency that arranges for such housing? What limitations should apply to such disclosures? For example, should this permission apply only where the social service agency itself provides health care products or services? In order to make such disclosures to social service agencies (or other organizations providing such social services), should covered entities be required to enter into agreements with such entities that contain provisions similar to the provisions in business associate agreements?
This question touches on some of the issues presented in Questions 7.a. and 9. Please see our responses to those questions. The Sequoia Project is committed to enabling interoperability across different networks and organizations reflecting the increasingly broad scope of care delivery. We believe that the basic framework of the Privacy Rule regarding TPO is sound. At the same time, OCR could clarify that any activities that support the health or wellness of an individual constitute treatment or healthcare operations for purposes of HIPAA. Such an approach would allow covered entities to disclose PHI or even require such disclosure should OCR decide to amend the Privacy Rule to require certain disclosures.
Sequoia does think that, if disclosure is required, data sharing arrangements and associated data protections should be documented, either through an agreement or another written document. At the same time, in the example provided by OCR in this question, the local housing agency does not meet the definition of a HIPAA business associate because it is not providing a service to the hospital. Instead, it is helping find housing for the patient and might need access to some PHI in terms of the patient’s condition and special needs. So, a HIPAA BAA is not needed but some type of documentation is needed to govern how the housing agency uses the PHI. This documentation need not include all of the provisions of a traditional business associate agreement.
20. Would increased public outreach and education on existing provision of the HIPAA Privacy Rule that permit uses and disclosures of PHI for care coordination and/or case management, without regulatory change, be sufficient to effectively facilitate these activities? If so, what form should outreach, and education take and to what audiences(s) should it be directed?
Sequoia does not believe that merely increasing education or public outreach will fully address the confusion about when PHI can, or should, be shared for care coordination and/or case management. As noted above, Sequoia supports changes to the Privacy Rule to clarify that PHI can, and should, be shared in support of care coordination and/or case management.
31. Should the Department require covered entities to account for their business associates’ disclosures for TPO, or should a covered entity be allowed to refer an individual to its business associate(s) to obtain this information? What benefits and burdens would have covered entities and individuals experience under either of these options?
The Sequoia Project does not support any requirement that business associates be responsible for responding directly to individuals regarding an accounting of disclosures. By definition, a business associate is performing a service to a covered entity and we believe it is appropriate for the covered entity to remain responsible for providing any required accounting of disclosures.
37. What data elements should be provided in an accounting of TPO disclosures, and why? How important is it to individuals to know the specific purpose of a disclosure – i.e., would it be sufficient to describe the purpose generally (e.g., for “for treatment,” “for payment,” or “for health care operations purposes”), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the range of activities that constitute “health care operations?” On what basis do commenters make this assessment?
Based on our experience with health information exchange, we believe that general levels of description, as illustrated in the question, should be sufficient and would be more practical to implement. At the same time, this approach would reinforce the need for updated guidance on the definitions of each component of TPO to reflect current clinical, operational, and business practices and patient and consumer expectations.
41. The HITECH Act section 13405(c) only requires the accounting of disclosures for TPO to include disclosures through an EHR. In its rulemaking, should OCR likewise limit the right to obtain an accounting of disclosures for TPO to PHI maintained in, or disclosed through, an EHR? Why or why not? What are the benefits and drawbacks of including TPO disclosures made through paper records or made by some other means such as orally? Would differential treatment between PHI maintained in other media and PHI maintained electronically in EHRs (where only EHR related accounting of disclosures would be required) disincentivize the adoption of, or the conversion to, EHRs?
The complexities of accounting of disclosures requirements have been well documented. We therefore do not support expansion of such requirements if imposed by regulation, beyond disclosure through an EHR, for example to include oral disclosures or other disclosures through non-EHR means.
