Gerry Blass, President & CEO, ComplyAssistant
Helen Oscislawski, Esq., Founder & Managing Partner, Attorneys at Oscislawski LLC
ComplyAssistant’s President and CEO, Gerry Blass, and healthcare attorney Helen Oscislawski with Attorneys at Oscislawski LLC, were interviewed by Healthcare IT News on how healthcare providers should address protected healthcare information and how to balance the demands of privacy and data exchange. The article, written by Bill Siwicki, was published in June 2020. The following blog post covers some of the key points.
The news late last year around Project Nightingale aroused interest from both healthcare organizations and the public on how and when protected health information (PHI) should be shared. With new technologies and new entrants to the healthcare market, how can healthcare providers balance HIPAA, cybersecurity protections, and the need to easily share data to improve patient care?
Helen Oscislawski and Gerry Blass answered some questions designed to help CIOs, CISOs and others navigate these tricky issues.
What are the pros of sharing patient data?
- Improved clinical care
Clinicians understand that sharing patient data can improve the quality of care provided to patients; in fact, Promoting Interoperability is in part designed to aid the secure exchange of patient information for this reason.
- Risk and liability avoidance
From a legal perspective, an advantage to sharing patient data exists only if such sharing in effect lessens or eliminates potential legal risks or liabilities that would otherwise arise if the patient data were not shared.
For example, let’s imagine an important diagnostic test result is available on a patient and could be shared with a physician who needs that information to make a critical and emergent treatment decision. However, the test result is located on a separate EMR system and thus is not shared with the physician, which results in a severe negative impact on the patient’s health. This type of situation could lead to potential malpractice liability for the physician that might have been avoided had the patient data been shared.
- Compliance with federal regulations
Regulations implementing the 21st Century Cures Act, and specifically Section 4004, will prohibit what is referred to as “Information Blocking.” Such information blocking will result in potentially substantial fines of up to $1 million per year assessed against health IT developers, health information networks (HINs) and health information exchanges (HIEs) that “knowingly and unreasonably” interfere with the sharing or use of electronic patient data. The regulations will also include “appropriate disincentives” for healthcare providers who engage in similar blocking practices.
What are the cons of sharing patient data?
- Potential to share inaccurate data
Let’s take our earlier example of sharing a diagnostic test and turn it on its head. In this scenario, if the patient data comes from a system that does not have the most recent or corrected version of the test result, then the accuracy of the result is compromised. Sharing inaccurate or outdated data could negatively impact patient care and increase the legal risks and liabilities for the end users who rely on it.
- Violation of the HIPAA Security Rule
If data comes from a system that does not have the most recent or corrected version of patient information, that would indicate a lack of data integrity. This violates the HIPAA Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.
What are the implications of sharing patient data?
- More locations of PHI; more security controls
From a privacy and security perspective, increased data sharing typically means that there are more locations of PHI to protect for covered entities (CEs), their business associates (BAs) and downstream BAs. Thus, the scope of audits increases with each new location, along with the need to ensure that the proper agreements and controls are in place.
- Data access limitations
Only individuals who are legally authorized to have access to patient data for a legally permissible purpose should be given access to patient data. The Information Blocking law does not support carte blanche sharing of data with anyone and everyone who wants it. The standards of protecting patient privacy under HIPAA and equivalent state laws still apply.
- Potential updates to HIPAA
The HIPAA Rules have not been significantly updated since 1996. The HITECH / OMNIBUS final rule of 2013 did account for larger fines and potential for lawsuits, along with more stringent requirements for BAs and CEs, but has not accounted for the significant increases in cybersecurity risks over the past 10 years and the corresponding changes in scope of vulnerabilities to control.
Updates to HIPAA, as well as 42 CFR Part 2, are likely needed to fully realize the potential of interoperable sharing of patient data. As part of its “Regulatory Sprint to Coordinated Care,” OCR published a Request for Information (RFI) seeking recommendations and input from the public on how HIPAA could be modified to promote coordinated, value-based health care. In addition to requesting general input on HIPAA, the RFI asked for comments on specific areas of the HIPAA Privacy Rule, including: (1) encouraging information-sharing for treatment and care coordination; (2) facilitating parental involvement in care; (3) addressing the opioid crisis and serious mental illness; and (4) accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act.
- Clarity in education
Focus on educating internal teams and patients using accurate information on what the new rules and changes actually mean. For staff, it should be part of orientation, annual training and continuous reminders that cover both how to protect PHI and when it is proper to share it, along with the value of each. Accuracy and clarity of the content of such education is paramount. When done right, this will enable staff and patients to better understand the value of sharing data.
In the early days of HIPAA, especially from a privacy standpoint, there was a lack of understanding about the Notices of Privacy Practices and who could disclose PHI to whom. That resulted in refusals to make authorized disclosures due to ignorance and fear of violations, penalties or sanctions. Now, the sharing of protected data is a norm of how healthcare is delivered. The best way that CIOs and CISOs can create a privacy and security strategy that reconciles HIPAA with the interoperability and information blocking rules is to truly understand the requirements and restrictions of each.