Healthcare Information Security

HIPAA Needs Clarity Around Patient Data Sharing, AMIA, AHIMA say

In response to HHS request for information on updating HIPAA, AMIA and AHIMA say HIPAA creates challenges with data exchange and can be misused to restrict access.

By Jessica Davis

In recommendations to the Department of Health and Human Services, the American Health Information Management Association and American Medical Informatics Association call for updates to HIPAA that would both clarify right to access and reduce barriers to patient data sharing.

The open comment period for HHS’ request for information closed on Tuesday, and in separate letters, both AMIA and AHIMA made recommendations for how HIPAA should reflect the shift into value-based care and the need for greater access.

Healthcare has lagged behind other sectors when it comes to providing information to its customers, AMIA President and CEO Doug Fridsma, MD, wrote. While HIPAA gives patients the right to a copy of their data, many still struggle to obtain their records.

For AHIMA, the right to access outlined in HIPAA is fundamental to improving patient health and healthcare.

“AHIMA believes that opportunities exist to enhance an individual’s right to access their health information with modifications to HIPAA and beyond,” AHIMA CEO Wylecia Wiggs Harris wrote.

“Ultimately, the best measure of whether an individual access request has been fulfilled is whether the needs of the requestor have been met,” she added. “It is often the case that a patient may request ‘any and all records’ because he or she may not know what information they are seeking.”

AMIA Recommendations

But HIPAA poses three challenges to making that happen, according to AMIA. It takes too long for data to be shared in permissible situations, including right to access; HIPAA has been misused to restrict sharing PHI; and HIPAA is actually a barrier to sharing mental health data.

Further, HIPAA has been a barrier to research and population health management.

“We understand that HIPAA already permits sharing of PHI in the case of treatment and that patients already have a right to a copy of their information,” Fridsma wrote. “The reality is that despite this permission and despite this right, HIPAA has instilled a pervasive concern over the legality of sharing patient data improperly – especially related to requests for PHI based on treatment and for individual access.”

As a result, AMIA recommended the Office for Civil Rights require the timely sharing of data with patient consent and provider requests. In addition, clarity is needed to demonstrate HIPAA permits PHI sharing under these circumstances.

AMIA also added that OCR should “elevate the failure to deliver an individual ‘right of access’ to an enforcement and penalty priority on par with data breaches.”

To get there, OCR should work with the Office of the National Coordinator to make sure certified health IT platforms can provide individuals a complete, electronic copy of their data as part of HIPAA’s right to access.

AMIA also recommended OCR draft guidance or “take more binding steps” to ensure lawful PHI requests under treatment be labeled obligatory – not just permissible. There also needs to be formal OCR guidance permitting PHI sharing to those organizations that don’t necessarily fall under HIPAA.

OCR should also revise or clarify rules around PHI use for data-driven research purposes. AMIA added that OCR should work closely with covered entities and business associates to develop IT-enabled audit trails and disclosure accounting for accountability and oversight “that compels sharing.”

“If the desired outcome of the public policy is to make more complete access, exchange, and use of patient data available for improved care coordination, then we must have robust means for understanding who was granted access and for which purpose,” Fridsma wrote.

“This is the crux of the trade-off between removing providers from legal uncertainty in sharing data (e.g., force sharing through an information blocking rule or through a revised interpretation of HIPAA), while providing more accountability and oversight for those data that are shared,” he added.

AHIMA Recommendations

AHIMA worked with AMIA on its own recommendations to HHS, including converging HIPAA with health IT certification that would establish a new term: health data set. This would include all clinical, biomedical, and claims data managed by covered entities and business associates.

Health data sets would support HIPAA right to access and ONC’s Certification Program, which would allow for individuals to electronically view, download, or transmit data to a third party, or access data through open APIs.

Further, AHIMA recommended revising the definition of HIPAA’s designated record for greater clarity and predictability on what constitutes a data record set to providers and patients.

AHIMA also stressed extending HIPAA’s right to access to non-covered entities, like mHealth and health social media applications, to create “uniformity of health data access policy, regardless of covered entity, business associate, or other commercial status.”

OCR should also encourage note sharing between providers and patients, including the OpenNotes effort, while clarifying existing guidance around third-party access to patient data.

“AHIMA recommends that covered entities should be required to disclose PHI when requested by another covered entity for treatment and payment purposes,” Wiggs Harris wrote. “AHIMA members note that instances persist in which a covered entity may be unwilling to disclose PHI even though the information is for the provision of care.”

“We believe that if HIPAA is revised to require such a disclosure for treatment and payment, it would create a bright-line for covered entities and help facilitate the sharing of PHI for care coordination purposes,” she added. “We don’t believe that such a change in the regulations would impose substantial administrative costs on covered entities, as the majority of covered entities today disclose PHI when requested for treatment purposes.”

Both AMIA and AHIMA have recently made similar recommendations to Congress, calling for a HIPAA upgrade to support patient access to their own data, including easier access, use, and transmission of data.

