Originally Published to HealthITSecurity on May 3, 2022
May 03, 2022 – Since HIPAA was signed into law more than 25 years ago, misconceptions surrounding its purpose, reach, and limitations have persisted.
The COVID-19 pandemic exacerbated those misconceptions—multiple public figures cited HIPAA as a reason not to share their vaccination status. As a result, the HHS Office for Civil Rights (OCR) released guidance emphasizing that HIPAA strictly applies to covered entities.
OCR stressed that despite common misconceptions, the HIPAA Privacy Rule does not prohibit any individual, business, or HIPAA-covered entity from asking whether an individual has received a vaccine.
But vaccination status is not the only way HIPAA has been misinterpreted over the years. HIPAA’s relationship to interoperability and ongoing confusion surrounding information blocking rules further underscores the need for federal guidance and clarification.
At the 2nd Annual HealthITSecurity Virtual Summit, panelists discussed the intricacies of HIPAA compliance, interoperability efforts, information blocking rules, and how they interact with one another.
HOW HIPAA SUPPORTS INTEROPERABILITY
The 21st Century Cures Act refers to interoperability as a technology’s ability to enable the secure use and exchange of electronic health information. Interoperability promotes patient data access and encourages health IT developers to create technologies that will allow fewer redundancies, improved clinical workflows, and data sharing.
“To achieve true interoperability, providers need to maintain data liquidity. And that means that a patient has access to their data readily,” Chris Bowen, founder and chief information security officer at ClearDATA, observed during the panel session.
HIPAA, however, ensures the privacy and security of protected health information (PHI), among other functions. The HIPAA Privacy Rule and the HIPAA Security Rule established safeguards and best practices for covered entities creating, using, or maintaining PHI.
At first glance, these standards may appear to be at odds. But as much as HIPAA focuses on privacy and security, it also addresses the need for health data to flow through the healthcare ecosystem.
“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being,” HHS’ website states.
“The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing,” the agency continues. “Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.”
HIPAA has a reputation for being restrictive and outdated, even prompting legislators to introduce a bill that would modernize HIPAA to reflect the current tech landscape if passed. While HIPAA’s protections are limited when it comes to certain modern-day issues such as third-party health app security, HIPAA does not actually hinder interoperability efforts.
“HIPAA was drafted to protect PHI but also to facilitate exchanges of PHI among healthcare providers,” Dianne Borque, member at law firm Mintz, explained during the panel session. “So, HIPAA inherently is built to support interoperability.”
Borque pointed to HIPAA’s three main “exceptions” that allow covered entities to disclose protected health information without patient authorization: treatment, payment, and healthcare operations. For example, covered entities are allowed to consult with other healthcare providers about an individual’s treatment, or disclose information as part of a claim for payment to a health plan. In addition, health plans can use PHI to provide customer service to enrollees.
“Those three exceptions under HIPAA liberally permit the sharing of information and would not, as a substantive matter, interfere with interoperability,” Borque maintained. “It is just another tool to help get PHI from here to there.”
INFORMATION BLOCKING STIRS UP CONFUSION
The Office of the National Coordinator for Health Information Technology (ONC) published its Information Blocking Final Rule in May 2020, further complicating how health data moves throughout the health IT ecosystem.
Part of the 21st Century Cures Act, the rule defines information blocking as any practice that interferes with accessing, exchanging, or using electronic health information (EHI). While PHI refers to data under HIPAA, EHI is more expansive.
Save for eight official exceptions to the information blocking provision, everyone who is subject to the rule must quickly respond to any legitimate request to exchange EHI and eliminate known barriers to EHI exchange.
“Interoperability and information blocking rules together are designed to work hand in hand to allow patients to access their health information through the application of their choosing without technical barriers,” Brad Rostolsky, partner with Reed Smith’s HIPAA and health privacy and security practice, explained during the panel session.
Since the information blocking rules went into effect in April 2021, compliance challenges and misconceptions have prevented the transition from going smoothly in some cases.
“We see a lot of confusion with the information blocking rules, and I think it is because they are parallel. They overlap to an extent with the HIPAA Right of Access provisions,” Borque noted.
“Theoretically, you could comply with HIPAA’s access rule but still have an information blocking scenario, and that’s a bit scary.”
While HIPAA has similar rules for providing timely and cost-effective access to data, the Information Blocking Rule sets higher standards and accelerated timelines for EHI exchange.
In addition, Borque noted that some entities might inadvertently engage in information blocking practices out of fear of violating HIPAA. For example, if a covered entity implemented security processes that far exceeded HIPAA’s requirements and thus made it difficult to provide EHI, they could be accused of information blocking.
Within the first year of the information blocking rule, providers have also run into obstacles out of reluctance to provide test results to patients before speaking with them first. However, preventing patients from viewing test results if they request to do so could be considered information blocking.
Information blocking will likely continue to be challenging to interpret until enforcement actions come along and shape compliance efforts.
“One of the most critical pieces is that the interoperability rules and the information blocking rules do not change what HIPAA says,” Rostolsky emphasized. “And one of the key facets of HIPAA, interoperability, and information blocking is access.”
As federal guidance advances and the means for exchanging and maintaining health data change over time, individuals and entities subject to these rules will have to further prioritize patient access. OCR made patient access a priority of its own with recent case resolutions under the HIPAA Right of Access Initiative.
Figuring out how to comply with changing policies while also maintaining data security and protecting patient privacy is a significant challenge, but one that the healthcare sector will need to tackle head-on as the industry awaits further regulatory guidance.
“Going forward, the way to achieve that balance so that you can have security and interoperability is through education and making sure that those common misconceptions do not exist within your organization,” Borque remarked. “It is all about balance.”