Clarifying whether certain types of data-sharing are allowed under HIPAA proved a major theme at a COVID-19 pandemic response hearing convened by the Health Information Technology Advisory Committee on Wednesday.
The day-long hearing replaced the advisory group's monthly meeting for April.
More than a dozen representatives from healthcare providers, health information exchanges, software vendors and federal agencies at the virtual meeting presented on how they've been addressing the novel coronavirus, as well as challenges they've faced, to help inform HITAC's policy recommendations to HHS' Office of the National Coordinator for Health Information Technology.
A resounding theme involved clarifying what information can be shared for public health disclosures under HIPAA, the federal law restricting release of medical information.
Debbie Condrey, chief information officer of healthcare interoperability not-for-profit the Sequoia Project, urged HHS to standardize data that HIPAA-covered entities are expected to disclose for public health during the COVID-19 emergency.
Under HIPAA, covered entities are required to include only the "minimum necessary" amount of medical data when sharing information for public health. Determining how much information that entails can be challenging for providers, and on the local level states have different public health reporting requirements from one another.
Condrey suggested HHS specify that submitting data from the Consolidated-Clinical Document Architecture—a set of templates and standards for data exchange—or equivalent electronic documents meets that minimum necessary threshold. HHS already encourages organizations to use CCDA to fulfill requirements for the Promoting Interoperability Programs, formerly known as meaningful use.
"Provider organizations must abide by the HIPAA minimum necessary requirements for public health disclosures, and they need assurance that clinical data contained in C-CDAs and other electronic documents can be released for public health purposes," Condrey said.
Others suggested HHS establish sources like the ONC's U.S. Core Data for Interoperability—a standardized, but limited, set of data elements—as meeting the minimum necessary threshold.
Setting a standard at the national, rather than state, level could help to streamline data-sharing for healthcare organizations reporting information for public health.
Waiting on states to set this guidance is a "very inefficient approach," said Dr. Steven Lane, clinical informatics director for privacy, information security and interoperability at Sutter Health and a member of HITAC. "I hope that ONC will continue to do everything they can to support HHS in developing some guidance in that area."
Clarifications into HIPAA might extend past the ONC's authority, as HHS' Office for Civil Rights is the agency tasked with enforcing HIPAA. But attendees urged the ONC to capitalize on its role as a coordinator for health IT across agencies.
"This problem of the politics and fear of HIPAA is killing us," said Dr. Clem McDonald, director of the Lister Hill National Center for Biomedical Communications at the National Library of Medicine and a member of HITAC.
HHS has already unveiled notable HIPAA flexibilities in recent weeks.
Earlier this month, the Office for Civil Rights said it wouldn't impose penalties on business associates that offer "good-faith" disclosures of protected health information for public health purposes during the COVID-19 emergency, even if the company isn't expressly permitted to do so by the HIPAA-covered entity it works with.
More flexibilities under HIPAA could be helpful, said Arien Malec, senior vice president of research and development at Change Healthcare and a member of HITAC.
To ensure the OCR's announcement of enforcement discretion has "the maximal effect," Malec suggested the agency release additional guidance allowing business associates who aren't directly contracting with a HIPAA-covered entity to still be able to disclose information for public health purposes, as long as they subsequently notify the covered entity.
"A number of us are struggling with interpreting or putting into practice the existing guidance, because it notes—or it assumes—that there's a direct connection between the business associate and the covered entity," he said. "In many cases, business associates are business associates to other business associates."