CMS to ask if HIPAA is a barrier to care coordination

The CMS wants to know how it can reduce HIPAA burdens that limit care coordination and has submitted a proposal for a request for information to the White House's Office of Management and Budget.

The goal of the solicitation is to figure out if HIPAA regulations are limiting or discouraging coordinated care and case management among hospitals, physicians and other providers. The OMB received the RFI Tuesday and has up to 90 days to review it.

Any such barriers may undermine attempts by the agency to move Medicare from a fee-for-service to a value-based pay system, it said in the notice.

The RFI would specifically seek comment on several questions, including if it should create a legal safe harbor for disclosing a patient's information for purposes of care coordination or case management and in what instances a patient's information should be shared without a patient's express authorization.

Groups like the American Hospital Association have complained that HIPAA has impeded providers' ability to come together and create care management teams.

Patients frequently don't have relationships with all of the providers with whom information would be shared as part of coordinated care efforts. This makes it difficult for them all to share data with each other, which derails a hospital's ability to make meaningful quality and efficiency improvements to a patient's health, it said.

A common data-sharing quandary is hospitals being afraid to open their electronic health record systems to providers at another organization treating the same patient. The goal of such data-sharing arrangements would be allowing everyone on a care team to view what care a patient is receiving in real time, according to Mark Swearingen, a Hall Render attorney focused on health information privacy and security.

The scenario could open a hospital up to HIPAA fines as there aren't clear ways to ensure that other providers are only looking at data for shared patients as they would have access to a hospital's entire record system.

Creating a safe harbor for shared-data agreements would give hospitals more confidence to open their EHRs to partner healthcare stakeholders.

"Clients are worried they'll be the next provider paying a $5.5 million penalty when they are making good faith efforts to share information," Swearingen said.

The RFI could also open the door to allowing providers to share patient information with other entities, such as ike housing agencies or food banks, according to Tom Miles, an attorney at Wachler & Associates.

Providers are increasingly seeking to address social determinants of health, but those efforts also have been hampered by HIPAA regulations.

Under the law, information can only be shared electronically between so-called covered entities which are health plans, healthcare clearinghouses and providers.