Industry players are critical of a provision in the stimulus law that gives patients added control of their health records, as the public comment period closed last week on proposed revisions to key federal health information privacy and security rules.
AHIMA voices concern over proposed privacy rule changes
The American Recovery and Reinvestment Act of 2009, also known as the stimulus law, contained a number of more-stringent provisions that amended the privacy and security provisions of the Health Insurance Portability and Accountability Act of 1996. The stimulus law included a ban on the sale of patient data and tougher penalties for privacy and security violators.
But the requirement in the stimulus law that most pushes the privacy status quo toward increased protection—and one that not surprisingly received a lot of pushback in the comments on the proposed rule—is the statutory requirement that patients who pay for care out of their own pockets should be able to control and block any disclosure to their insurance companies of records pertaining to that treatment. HHS has received about 300 comments on its proposed rule, according to a spokesperson.
Dan Rode, vice president of policy and government relations for the American Health Information Management Association, described the insurance-related consent provision as a “nightmare.” AHIMA's position is that the requirement could jeopardize the integrity of healthcare data, Rode said, and that it is also unworkable given current technology.
In effect, the requirement calls for a partial override of a controversial 2002 amendment to the HIPAA privacy rule providing that so-called covered entities—generally hospitals, physician office practices, pharmacies and claims clearinghouses—are not required to comply with patient requests for restrictions of disclosures of their medical records if the records are shared for treatment, payment or other healthcare operations. It is also significant in that consent management technology, once developed and deployed to facilitate patient control over information to insurance companies, could also be put to use by providers in affording patient consent in other areas, such as compliance with more stringent federal and state privacy laws that require special treatment for healthcare records involving highly sensitive information.
HHS' Office for Civil Rights, in its proposed rule, not only upheld the statutory requirement constraining covered organizations when a patient pays in full out-of-pocket (it had no legal authority to do otherwise), but also interpreted the rule such that a covered organization “is also prohibited from making such disclosure to a business associate of the health plan.”
AHIMA, in its comment letter, devoted more than six pages out of its 18-page response to concerns about the impact of the insurance consent provisions. “AHIMA members note that it is very likely that few individuals will request such a right, as a percentage of the total patient population, while the attempt to build any process or system to respond to this requirement will be costly for all,” it said.
“When I asked our members about this, I did ask them for ways that we could do this, and we couldn't come up with one, unless we hand bill everyone,” Rode said. “The larger the organization, the bigger the problem. You have all sorts of that information flowing through different systems. It's not just the EHR. It's the accounting system, the lab system. You have to fix them to tag the information, which nobody knows how to do just now.”
Fixing the problem is likely beyond the scope of the Office for Civil Rights' authority, however, Rode said.
The Association of American Medical Colleges, in its nine pages of comments, supported a recommendation in a 2009 report by the Institute of Medicine on health information technology, privacy and research for what the AAMC described as “compound authorization.” It said that a single patient consent should be sufficient to cover disclosures of patient records for future, unspecified research, if an institutional review board determines “that the new research is not incompatible with the initial consent.”
Ivy Baer, director and regulatory counsel for the AAMC who helped draft the association's response, said in an interview that many medical researchers feel the current privacy rule contains “impediments to research.” Baer said the AAMC agrees with language in the proposed rule that allows for patients to consent at the same time to the use of their protected health information in both specified current research and future research less specifically described. The Office for Civil Rights language said such a compound authorization is permissible “as long as it is clear to individuals that they do not have to agree to both.”
A coalition of 11 privacy and civil liberties organizations, meanwhile, filed a 23-page response, calling for the use of advanced technology to meet the nation's privacy needs. It also asked that these technologies—demonstrated in June to a privacy and security work group of the federally chartered Health IT Policy Committee—be required components for certification of electronic health-record systems under federal IT subsidy programs. The coalition includes the American Civil Liberties Union, Consumer Action, American Association of People with Disabilities, Private Citizen and Patient Privacy Rights Foundation.
These technologies, the letter said, electronically enable providers to record and enforce patient consent directives, segment sensitive information as required by federal and state privacy laws, and, specifically, enable providers to meet a new requirement that gives patients the right to withhold consent for the disclosure to their insurance companies if a patient pays out of pocket.