December 30, 2020 38 mins

Wes Morris, Clearwater, and Kirk J. Nahra, WilmerHale, discuss the recently-issued Health Insurance Portability and Accountability Act (HIPAA) proposed rule. The podcast discusses key changes made by the proposal, including changes to the minimum necessary standard for care coordination and other information disclosure changes. Sponsored by Clearwater.

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:14):
Support for AHLA comes from Clearwater, the
leading provider of enterprise cyber risk management and HIPAA
compliance software and services for hospitals, health systems,
and their business associates.
Our solutions include our proprietary software as a
service-based platform, IRM Pro, which helps organizations
manage cyber risk and HIPAA compliance across the

(00:36):
enterprise.
And advisory support and managed services provided by our deep
team of information security and compliance experts.
For more information, visit clearwatercompliance.com.

Speaker 2 (00:49):
My name is Wes Morris.
I am managing principal consultant for Clearwater
Compliance.
And I'd like to welcome you today to our podcast, discussing
the proposed modifications to the HIPAA privacy rule, to
support and remove barriers to coordinated care and individual
engagement.
Uh, joining me this morning is Kirk Nahra and Kirk and I will

(01:13):
discuss, uh, the major elements of this proposed rule and, uh,
what it might lead to for the future.
Uh, Kirk, would you be so kind just to introduce yourself and
tell us anything you'd like to know about you?

Speaker 3 (01:26):
Uh, sure.
Thank you.
Uh, thank you Wes, and thanks to, uh, AHLA for having me.
Um, so I'm Kirk Nahra.
I am a partner with WilmerHale in Washington DC where I am the
co-chair of our global cybersecurity and privacy
practice.
And I've been working on healthcare privacy issues since,
uh, I'm almost afraid to say 1999 or so.

(01:51):
Um, so I've been dealing with the full evolution of the, uh,
HIPAA rules from the very beginning, the early drafts, and
I can certainly remember, um, spending a lot of time over, uh,
the Christmas holiday in 2000, just like we're gonna spend time
over the Christmas holiday in 2020, um, reading these
enormously long proposals.

(02:11):
So, uh, look forward to discussion of that today.

Speaker 2 (02:14):
Yeah.
Uh, I don't have quite as much time in it as you do, Kirk.
I, uh, I, I, I moved from clinical work, uh, working in
mental health and substance abuse counseling on April 14th,
2003 into my first role in the world of HIPAA privacy and
security.
So, uh, I didn't get the opportunity to spend the time on

(02:36):
the original, uh, publication of the privacy rule, but certainly
joined right in, uh, starting in oh three, uh, with it just as
much.
So, um, this new proposed modification, uh, coming as it
is right at the tail end of an administration, we don't really

(02:57):
know what's going to happen in the next administration.
Before we even get into the content and the details, what
are your thoughts around that, Kirk?

Speaker 3 (03:07):
Well, I said the, the current administration is
obviously putting out a lot of final rules, but this is sort of
an odd thing.
This is a proposed rule.
And so the, the, the rule hasn't even formally been published
yet.
We're working with a, you know, an informal draft.
I mean, it's not a draft, but it's an informal document at
this point.
So the comments to this proposed rule will not be due until

(03:31):
sometime in February at the earliest.
Obviously, there will be a new administration at that point in
time.
Um, you know, the administration, I suppose,
between inauguration and that due date could pull this whole
thing.
I don't know that that's, uh, high on their priority list.
So I sort of suspect that won't happen.
But I do think there's gonna be a real question as to, um,

(03:52):
whether the substance will move forward.
I mean, the, as, as you said when you were reading the, the, the
title of the document, a lot of this proposed rule is driven by
the idea in the head of the current administration, um, in
the mind of the current administration, that in a HIPAA
privacy rule to the goal of coordinated care or value-based

(04:14):
care, you know, we can debate whether that's really true or
not.
And so I think there's a lot of questions, there are a lot of
important policy questions we'll talk about today.
And is that, I don't know that there's any thinking yet from
the new administration on those issues.

Speaker 2 (04:27):
What's the first clock that's starting for us
once this is published?

Speaker 3 (04:31):
Well, I mean, the most important clock right now
is just gonna be the comment period.
And there's gonna be a 60 day comment period between, you
know, when it's published in the Federal Register.
Comments will be due.
Um, again, that, that certainly takes it at least till February,
assuming that, uh, you know, it gets published between now and
the end of the year, which I expect that it, it will, it's
something that could get published, um, you know, any day

(04:54):
by the time you're, by the time folks are hearing this, it may
have already been published again, but, but the substance of
the proposal is set.
The document that we've been looking at is in fact, the
substance.
It's just not formally been print, been printed and
published yet.
Um, right after that, the government, you know, there's no
timing.
There's no particular mandatory timeframe at this point.
We've had HIPAA rules that have moved at a relatively quick

(05:17):
pace.
We have had other HIPAA rules that have taken years to get to
go from a proposal to, to a finished rule.
Um, one of the provisions that is, that was part of the request
for information that preceded this proposed rule, had to do
with the HIPAA accounting rule.
HIPAA accounting rule, uh, changes are a holdover from the 2009

(05:41):
HITECH Act.
And in this proposed rule, the government basically said, we
don't know what to do about that yet.
And so we're not even addressing it in this proposal.
So that proposal, um, is now working on an, an 11 year time
period.
So, the time all these issues can be, uh, you know,
again, noth, nothing happens quickly, but there are, there

(06:02):
are normal delays and there are extended delays.
And, you know, I really don't know where this is gonna fit in
the

Speaker 2 (06:08):
Middle of that.
Yeah.
I remember being concerned about that accounting, uh, element,
uh, back in 2009 when I was sitting as a privacy officer in
a hospital system and thinking, how in the world are we going to
accomplish this?
So, I guess, uh, in this particular case, we find
ourselves in the same place that, uh, the, the folks that are

(06:30):
writing and promulgating these rules have yet to figure out how
are we going to

Speaker 3 (06:35):
Accomplish?
Well, that, that particular, that particular, yeah, that
particular rule is one that I will be perfectly happy to have,
just never, never see the light of day.
I, I work in another area of privacy where there's been an
effort by some of the federal regulators to come up with
privacy rules related to, to faxes, um, commercial faxes.
And my theory is that they're just trying to wait long enough

(06:57):
for faxes to disappear.
So they don't actually have to come up with a rule that may be
sort of what's happening with the accounting rule.
The, there was in fact a proposal on the HIPAA accounting
rule that goes back to, I think 2010 or 2011, mm-hmm,
that's now been formally pulled.
That, that, that proposal had the sort of unusual result of
almost all of the comments being negative.

(07:18):
Everybody seemed to dislike that proposal.
Usually some people like a proposal and some people don't.
That was uniformly disliked.
And so,

Speaker 2 (07:26):
Um,

Speaker 3 (07:26):
Yeah, we'll, we'll, we'll be navigating that, but
that's not today's discussion.
Cause that's

Speaker 2 (07:29):
Not today's

Speaker 3 (07:30):
Discussion, especially, it's not in the
proposed rule.
They said they're gonna deal with it later.

Speaker 2 (07:34):
Yeah.
So, um, of course, we really don't know when the final rule
will be published or if the final rule will be published,
but, but supposing that it is, then we start a second clock,
and that is, uh, the compliance date followed by the enforcement

(07:56):
date.
Let's get into some details here.
Um, when we think about what this, this, this, um, proposed
modification is all about, what's your big ticket take on
it?
What, what's, what's it really trying to do for us?
Yes.

Speaker 3 (08:14):
So, so, so despite how long this document is, I
would break it into two main pieces

Speaker 2 (08:20):
Mm-hmm.

Speaker 3 (08:21):
Um, the first piece has to do with patient access to
their own health information.
And that is a topic that's been, you know, the, the original, the
HIPAA access right
has been in the privacy rule since the very beginning.
There have been complaints and concerns about how effective
it's been for the entire history of the HIPAA rules.

(08:43):
Um, those issues have really gotten a lot more attention in
the last couple of years.
Um, there have been some really interesting efforts in the
private sector to encourage, um, hospitals, particularly to be
better on access.
There's been a number of developments in other
regulations about encouraging access for patients.

(09:06):
And, and then there's been enforcement by Office of Civil
Rights for the first time.
I mean, I think that, um, there's been problems with
access for many years, but they viewed as, um, you know, single
issue situations not sort of worthy of particular enforcement
efforts.
The, the, the current OCR, um, has been taking enforcement
action in connection with patient access.

(09:26):
So this is an evolution, it's an important evolution, but it's an
evolution.
It's not a revolution on access.
Right.
So there are a series of important changes that are
somewhat technical, but are designed to make it easier and
cheaper and faster for patients to get access to their records.
That's topic one.
Yeah.
Topic two is much more policy driven, much more complicated,

(09:51):
and frankly, a little, just trickier in general, the, the
current administration believes that the HIPAA rules somehow
impede goals related to coordinated care and value-based
care.
Mm-hmm.
They also believe that at least to some extent,

(10:14):
HIPAA restrictions played a part in the opioid crisis.
Both of those premises are things you can question.
Um, I'm not sure I agree with them, but those are, those are
ideas that are driving the changes here.
And what we're talking about in terms of big picture, you know,
the, the second category is either expanding the ability of

(10:40):
covered entities to disclose PHI in connection with things like
coordinated care or making it clearer that they are able to
make those disclosures even if they were permitted before,
because the government has this idea that people were not making
disclosures that they were allowed to make.

(11:01):
And they believe that the reason doctors and hospitals weren't
making disclosures is cuz they thought they were prevented from
doing it.
So there's a number of provisions that are designed to
encourage more sharing of information with the goal of
supporting value-based care, coordinated care, and helping to
deal with, um, things like the opioid crisis.

Speaker 2 (11:24):
So, circling back to the first big one, the access,
right of access as, as you noted, this has been a, uh, a
high visibility item for OCR at least for the last couple
years.
But I think all the way back to the first really big, uh, case
involving Cignet Health, I don't recall what year that was.

(11:46):
I'm sure you recall it, the case as well, in which it was a 4.3
million, uh, penalty, uh, as a result of refusing to provide
records to 41 individuals, and then all kinds of different
iterations and things that were

Speaker 3 (12:02):
Right.
But that's, I mean, that, that, that, that, that is, that is the
one enforcement case that was not recent.
But that, but that case is a, again, I, I, I had clients who
freaked out about that case.
Yes.
And, but, but, but that case is a funny case and it's a, you
know, and I, and I said to my clients, what are you actually
worried about here?
In that case, the government asked Cignet Healthcare
something like 15 times to Right.

(12:25):
They sent marshals, they sent, they sent subpoenas, and
essentially the company just ignored them.
And eventually the government got so mad that they entered
into a penalty.
You know, my advice to my clients, and this is really very
sophisticated, you know, high expertise, legal advice is don't
blow off the government 15 times.
It's just the Right, right.

(12:45):
You know, you re, you read, you read the papers in
that case, and you get the sense that if they had responded the
eighth time, they would've been fine.
So that case is not really about access rights, it's about
blowing off the government by the same couple of years, is
actual cases that are based entirely on failures to provide

(13:06):
access rights without the blowing off the government
component.

Speaker 2 (13:09):
I, I've noticed on several of those in the last
couple of years, that there was technical assistance rendered.
Sure.
And, and then still the, the, uh, the patient, the member
didn't, the individual did not receive what they were, what
they were seeking.
And so it led to further things.
So I feel almost as though there is still a component of that.

(13:31):
Don't blow us off if we give you technical assistance.

Speaker 3 (13:34):
Well, look, I mean the, the, the, if, if, if, if a
patient makes a request to the hospital and the hospital messes
it up for whatever reason, they don't respond too late,
whatever, and there's a complaint and they missed one,
the government says, don't miss anymore fix it, and you know how
you can fix it going forward.
That's most of the cases, right?
The government doesn't take action because you mess.
In fact, I have a, I just closed a case with OCR for a client

(13:58):
where again, they, they had gotten a whole bunch of requests
from somebody and they missed one.
And then once it was pointed out that they missed one, they fixed
it.
And it's fine, you know, the, the government, but, but the
government is doing some individualized cases.
They just, tho, those cases are not gonna be driven by a single
mistake.
OCR almost never does a case based on a single mistake, maybe

(14:19):
if it's a really enormous mistake.
I mean, I I, I've been, ID, you know, when I, when I teach
enforcement on these areas that, you know, there are a small
handful of cases that are cases that I characterize as sort of
send a message cases.
There was one involving a hospital that had a reality TV
show filmed in the hospital and the government, yes.

(14:39):
Just wanted to send a message saying, look, that's just a bad
idea.
You can't do that.
But for the most part, what the government does is they go after
companies who have had either repeated problems or really
egregious problems.
I mean, the example I use with, with my students is if a
company, a hospital has a security breach, and the
government knocks on the door and says, I'd like to see your

(15:00):
HIPAA security policies, and they say, what's HIPAA?
Okay, that's a problem.
But they don't tend to, they don't tend to take cases on a
single, single situation.
But I, but I think what, what, what's been important about the
enforcement a, uh, effort in the last couple years is that
they're going after these cases again with whatever baseline of
activity.
But even in situations where the, the monetary penalties are

(15:21):
not enormous.
They're modest.
I mean, they're, they, no, nobody wants to pay anything,
but they're relatively small for the kinds of cases that the
government has normally taken penalty cases.
But they're doing them and they're doing 'em repeated.
They're doing them repeatedly.
And there's clearly a message to the healthcare providers that
says, look, you gotta do this.
Right?
This is important.
Now, you can't get away with being lazy.

(15:42):
You can't be get away with being irresponsible.
There are, you know, the government is paying attention
to these issues.
And I think that's an important message.
And at the same time, these rule changes, these proposed rule
changes are just designed to make things easier.
For example, there's, there's information about fees they're

(16:03):
trying to reduce, the fees they're trying to deal with, you
know, accelerating some of the timetables.
I mean, the, the, the, the timetable for, for an HIPAA
access right
was written in 30 days with the idea of, oh, I gotta, you know,
there's a box of documents and I gotta have somebody in my office
sit at a copy machine and copy.
You know, that's not what happens anymore.
So the idea, we're gonna make it faster, we're gonna make it, you

(16:24):
know, so, so a lot of those things are, again, they're
relatively, the, the, there's not a lot of, you know,
sophisticated policy debate that goes into, are we gonna make it
15 days instead of 30 days?
But it's important, and it's gonna, again, all of these
proposals are designed to make it easier for patients to get
access to their own information, to get them more engaged in the

(16:49):
healthcare system.
Again, all of these things are, I mean, there's trade offs,
right?
I mean, when you, when you make things faster, uh, there's a,
there's some obligation and some increased obligation on the
covered entity side.
What they're saying here is, we don't think it's much on the
covered entity side, and we think there's a real value to
the patient.
We're gonna draw the line and we're gonna say, favor the

(17:10):
patient's right
to access their own information.
Mm-hmm.
That be straightforward.
And I don't expect that there will be a lot of companies who
go out and say, oh my God, we can't possibly do 15 days.
We really think that, you know, the answer should always be 30
days.
Yeah.
Maybe somebody's gonna say that.
But I think in general, the changes on patient access are

(17:31):
consistent with a series of developments that have been
happening for a number of years that reflect the goal of patient
access and reflect improved technology that makes it easier
to respond to those rights.
And again, those are all generally good things.

Speaker 2 (17:47):
Yeah.
I also noticed that they gave a lot of, uh, of time in, in the,
in the proposed mods to discussion around things like
allowing an individual to use their own device to take a
picture of a screen of their PHI or, uh, allowing an individual

(18:07):
to, um, uh, to make an, uh, an oral request rather than
demanding a written, written request from 'em for access.
Uh, and also drew a line between the use of the authorization
form that most organizations have, and many have used as
their source document for access requests as well.

(18:30):
Uh, but they drew a line there that said, that's, that's not
really what you should be doing.
So I think in a lot of ways they are adjusting, uh, to, to try to
make things better.
Uh, I mean, you know, in many circumstances, being able to sit
there with your provider and the provider says, well, here's your
labs, Mr. Morris, and, hey, can I take a picture of those?
Great.

(18:50):
It can create its own challenges in some, in some cases.
Um, but, uh, I think you're right around the access rules
that we're really not talking about wholesale, throwing out
everything considered with access in the past and redoing
it.
What about some of the other changes to these rules?
I'm really interested in your take on this, this, um, the, the

(19:15):
exceptions to the minimum necessary standards for, uh,
care coordination, case management, and, uh, allowing
for, um, uh, disclosures to, uh, for, for that, uh, care
coordination, case management.
What do you ta, what do you think about what's happening there?

Speaker 3 (19:34):
So, so the idea is to make sure, or, or to make it
easier for people to sh, you know, HIPAA covered entities,
mainly doctors, not only doctors and hospitals could be there.
There's some discussion of health plans as well.
Make it easier for information to be shared when you're trying
to coordinate care.

(19:54):
Mm-hmm.
Yeah.
That level, that's a, that's an admirable goal, right?
I mean, it's better in general if healthcare providers have the
right information.
Um, and some of the, some of the changes are designed to make it
clearer to hospitals and doctors that they're allowed to share

(20:14):
for these purposes.
The government seems to believe that people are not sharing
historically because they thought they weren't allowed to.
I don't know if that's true necessarily.
I suspect there are lots of occasions where people just
aren't doing it for other reasons.
Sometimes, frankly, it could be laziness too.
I mean, and I'm not sure where, where you say something's

(20:34):
permitted and people haven't been doing it before because
they're lazy.
I'm not sure saying even more clearly that you're allowed to
do it is going to change that.
But that, but that's the idea, is to try to encourage sharing
of information in coordinated care settings.
Now, there are, you know, there are a couple of different
examples of that.
There are examples that are within different healthcare

(20:56):
providers.
You know, if I, you know, I, I have a primary care physician.
I had surgery on my knee at a different hospital because I had
a, you know, I, I, I had an injury when I was playing
tennis, and I also have been treated by a psychiatrist
because of Covid is making me crazy, and I have a substance

(21:17):
abuse problem.
And so, from a pure healthcare perspective, it's obviously
helpful to the primary care physician to know all those
things.
The way that the primary care physician usually knows all
these things is I tell the primary care physician. Mm-hmm.
If I tell the primary care physician, or I say

(21:38):
to my other doctors, please send information to my primary care
physician.
The doctor has all of that stuff.
So all of these rules are designed to deal with a
situation where I haven't told my primary care physician,
they're designed to make it easier for those other doctors
to share with my primary care physician.
Probably a good thing at some level, but if I haven't told

(21:59):
them, or I don't want to tell them, having the other doctors
do that, again, we're, we have a trade off there between, um,
between the healthcare system's interest and perhaps my interest
in my own healthcare, but at the same time my own control over
that situation.
I think that's part of the difficulty.
The other component that we're seeing here is in connection

(22:23):
with social service organizations.
We have built into the healthcare system.
And, you know, last couple years, this, this isn't a
surprise to most people when you talk about it, but we learn, you
know, we're learning more and more that one of the reasons
that people may be in bad health is that they don't have access
to food, or they don't have good housing, goes onto the label of
social determinants of health.

(22:45):
And so there's always been a question of whether a hospital,
for example, could disclose information to a local food bank
to help a patient.
Now, one way to do that is to ask the patient, there's always
been the ability to ask the patient.
Mm-hmm.
These rules are designed to make it easier for

(23:06):
the hospital to do this without asking the patient.
Now, again, there may be reasons to do that, but it's not cost
free in the sense that that either means you haven't asked
the patient or the patient has said no.
And that's a trickier situation.
So that's why I think it's just a more philosophically

(23:27):
interesting question.
Um, we're trying to, you know, again, there's no, nobody is
gonna share that information because they think it's a bad
thing for the patient.
It's, but, but, but, but I think the issue we're gonna be
thinking about is, do I as a doctor or a hospital get to
decide what's good for the patient?
If the patient isn't interested in that or doesn't want to do

(23:47):
that, then the next issue that we have to think about, and this
is a, a, a, an important sort of structural issue because of the
limitations on the scope of the HIPAA privacy rule.
When information is shared from a hospital to a food bank, for
example, the hospital under these rules would have a
permitted ability to make that disclosure.

(24:09):
But once it goes to the food bank, we have to recognize that
it's not subject to the HIPAA rules anymore because the food
bank isn't a covered entity.
The food bank isn't a business associate.
The food bank, as far as HIPAA is concerned, is nothing.
And so that's a result that may be an acceptable result, but we
have to at least consider the implications of that result.

(24:30):
That result exists because of the history of the HIPAA rules,
where only it's not.
Yeah.
Again, this is, this is, uh, hopefully a reminder for most
people listening to this, but the HIPAA rules are not overall
medical privacy rules.
They are rules that protect personal health information,
protected health information when that information is held by
(24:52):
certain kinds of entities in certain contexts for certain
reasons.
And so we are seeing more and more examples in our broadly
defined healthcare ecosystem where health information isn't
subject to the HIPAA rules.
That's a parallel development that's going on here.
That's something that's, we're seeing state laws, we're seeing
some efforts at the federal level.

(25:14):
That's a much bigger issue.
But some of these disclosure principles that are in these
proposed rules exacerbate those scope limitations by saying
information that's protected by HIPAA is now gonna be disclosed
to people who don't have a HIPAA obligation to protect it
anymore.
And again, I'm not at all saying that's a bad idea, but it's not

(25:36):
a cost-free idea, and it's not a, you know, it's not an
automatically good idea because again, the option today is to
ask the patient, these rules are designed to make it easier for,
for covered entities to disclose without asking the patient.

Speaker 2 (25:52):
Yeah.
Quite a valid point there.
And, and I agree very much with your perspective on that.
Um, couple of other areas that I just wanted to touch on very
briefly.
One of the things that I can definitely get behind, and I
think most people can probably get behind, is eliminating the
requirement to receive written acknowledgement of receipt of

(26:15):
the notice of privacy practices.
Uh, what are your thoughts around that one?

Speaker 3 (26:20):
Yeah, so, so there's been a provision in the privacy
rule from the beginning that says, um, you know, covered
entities who are direct treatment providers have to give
you a privacy notice when you're a patient and you're supposed to
sign an acknowledgement that you received the notice.
Mm-hmm.
Partly that's because there's no, you know,
the consent that you would be signing in other circumstances,

(26:44):
the consent is assumed by, by the operation privacy rules.
So you're not actually consenting to anything when you
sign that.
You're just acknowledging that you received that.
And so the government has basically said in this proposal,
we don't think there's any particular, we think there's a
cost associated with having to collect those acknowledgements
and keep track of them and maintain them.

(27:05):
And we're just, we're, we're gonna not have that anymore.
I, you know, I, I think it's fine.
Um, covered entities are still gonna have to have a procedure
in place to make sure that people are seeing those notices.
But it's, but right now there's notices.
It doesn't mean anybody's reading that.
It just means there's sign something saying it was handed
to you.
So I am not a big fan of the HIPAA privacy notices in

(27:27):
general.
I think that the rule, uh, the, the rule, the way it's written
and, and nothing in the proposed rule is changing this, um,
requires there to be too much information in those documents
that isn't of use to the consumers.
And so, if I was in charge of this, I'd be writing a different
rule to shorten up what's actually in that notice.

(27:49):
But all they're doing right now is getting rid of this
acknowledgement, which again, I think is, is a, it, it, it's
interesting when you look at some of the details of the rule,
when they, they, they estimate how much cost savings there are,
and I'm gonna forget the number, but they, they have an enormous
amount of cost savings that they say from not getting
that.
I'm like, I don't know how that, how they get to that amount of

(28:10):
money.
But, uh, um, that, that, that's a modest tweak.
Um, you know, again, there may be people who disagree with it,
but it's a, that, that, that, that's very much a tweak without
any big,

Speaker 2 (28:23):
Well, the one point you make was, uh, I, on the
other hand, am the guy who if I go into a new practice and, and
I'm asked to check in for the first time, I'm going to look to
see if you're asking me to sign that acknowledgement.
And if you're actually giving me a copy of your notice, half the
time, uh, they, they asked me to sign for it without it, and I

(28:44):
won't, I won't do so.
Uh, and, and then they'll have to scramble through the drawers
to find the, the copy of the notice.

Speaker 3 (28:51):
Right.
But, but, but, but that, but, but that's a problem that exists
today and is changed by getting rid of, you

Speaker 2 (28:57):
Know, no, no, that won't be,

Speaker 3 (28:58):
That won't obligation anyway.
Yeah.
They have an obligation to give you that notice to give you a
copy of it, to make it available to you.
No, I'll say most of those practices, you can probably go
online and look at it anytime you feel like it, rather than
look at right then.
Um, there, there is an interesting discussion.
I, I had the sense when the original rules came out that the
government expected there to be, you know, you would go to the

(29:19):
doctor's office for the first time and the doctor would, the
doctor would hand you that notice, we know the doctor's not,
not ever the one handing you the notice, but that you would
then have a, a a, an engaging discussion with the doctor about
the privacy practices of the doctor's office.
And that would result in both of you being educated.
None of that ever happened.
So that actually comes up in a couple places in this rule where

(29:39):
they envision this comes up in the patient access section, more
of a discussion between patients and doctors and hospitals about,
I just don't see any of that realistically happening, but
they're trying to facilitate that.

Speaker 2 (29:53):
Right, right.
Yeah.
The other areas that they, uh, touched on, um, very briefly,
uh, one was, um, basically pulling telecommunication
communication relay services out of the situation of having to be
a business associate in order to provide services for people with

(30:13):
a, uh, hearing or sight disability or a speech
disability.
Uh, and then the other one was around, um, expanding the, um,
the armed forces, um, area, uh, to a address the, the US Public
Health Services and, uh, uh, NOAA, uh, to include in 'em.

(30:35):
But for the most part, those are relatively modest things, and
especially the armed forces part is not going to apply to a huge
range of organizations.
Would you agree with that opinion?

Speaker 3 (30:49):
Yes.
Yeah.
That's, that's, that's as much time as we should spend on the
armed forces change.

Speaker 2 (30:54):
Exactly.
Yeah.
Now, I worked for the Armed forces at one point, uh, running,
uh, a team of, of specialists in HIPAA for the Air Force
Medical Service.
And for us, that was a big deal.
Yeah, of course.
But for the rest of the universe, it's,

Speaker 3 (31:08):
It's not required.
Well, and that, and that's, that's actually an, you know,
like I was mentioning in the notice of privacy practices,
that there are things in the, in the notice that are required to
be there that I don't think are useful.
You're required to disclose, you're required to include in a
privacy notice, all of the possible, possible ways in which
you might dispose information.
And for 99% of the patients, those things aren't relevant.

(31:31):
But you have to write them in the privacy notice for everyone
because one out of a hundred or one out of a thousand times you
might do it.
That ends up, from my perspective, resulting in a
notice that isn't very useful.
But we've got that.
The, the other point you made about those relay services, I
think that particular example is a pretty limited example, but
it's a, there's a broader question, which is, you, you

(31:54):
know, there, there's an issue now with business associates
where if a business associate gets one piece of protected
health information, they can be a business associate.
And so there are lots of situations where, um, companies
really barely touch the information.
There are some that are called conduits, right?
Like the post office where they've said explicitly you're

(32:17):
not a business associate, but there's a whole bunch of others
where they really barely touch the information.
They may not even know that it's protected health information.
And the rules today have them be a business associate.
And so I've spent all kinds of time over the last 20 years, you
know, negotiating those deals.
And then both, both sides seem unhappy with them.
And I, I could easily see a more sophisticated analysis that

(32:41):
would cut out some of the business associate category, but
that's not what this rule is doing.
They're, they're, they're dealing with a particular very
small picture, not, not unimportant, but a very narrow
tweak that they're dealing with.
And, you know, I, I, I sort of wish that there would be a
broader look at the, the, the HIPAA rules in general.

(33:02):
When the, um, when the HITECH rules were coming out, they said
that they were, they were making changes.
They were making proposals not only to address the HITECH
law, but also to address the first 10 years of the HIPAA
privacy rule.
And then they didn't do anything to address the first 10 years of
their privacy rule.
Um, we've never really had a big full scale reevaluation.

(33:26):
You know, again, I understand why we haven't had it.
It's not like the rules.
I, I love, I love how the rules work.
I think the rules have been generally very effective where
they apply.
Um, but it's said, there hasn't been a lot of overall thought
about how the rules should work.
And, you know, this, this proposal is, is a, is is overall

(33:46):
thought on a couple of narrow topics, but it doesn't do
anything more than that.

Speaker 2 (33:51):
So in essence, we're still continuing the incremental
change approach.

Speaker 3 (33:55):
Well, and, and, and again, I'm not saying that's a bad
approach.
I mean, I, I, the, the, the, the, the, the question that's
coming up, and this is a much bigger topic, I mean, not not
today's topic and, and, but something that people in the
healthcare industry should be thinking about is we we're,
we're, we've been dealing with a relatively stable healthcare
privacy environment for about 20 years.

(34:15):
Cuz the HIPAA rules, you know, once people understood them and
implemented them, have worked pretty well.
And I think they've generally worked pretty well for both
consumers and the healthcare industry.
What we are seeing now is that there are more and more places,
and I alluded to this earlier, there are more and more places
in the broader healthcare ecosystem where health

(34:38):
information is being collected, created, analyzed, disclosed, et
cetera, that aren't subject to the HIPAA rules.
And at the same time, we're also seeing more and more situations
where there are other laws that apply to certain kinds of health
information.
And so I think that equilibrium that we've had for 20 years is

(34:59):
threatened right now because of all the other kinds of
principles that are crossing healthcare information that's
gonna be part of, you know, a national privacy law debate.
That's gonna be a part of what the states are doing as they
look at broad-based privacy laws.
I've been using one example in California, many of you may have
heard about the California Consumer Privacy Act, which is a

(35:20):
broad privacy law in, in California.
If you look at, if you're a California resident, your
healthcare information in California right now can be
subject to at least six different regulatory regimes.
I am personally of the view that that's bad for both consumers
and industry.
You know, the rare privacy lose-lose.

(35:42):
And so I think that those bigger picture topics are bubbling up
as part of a broader debate on national privacy.
But the, the, what we're seeing on HIPAA is, is that that
incremental discussion, because the rules generally work well,
where they apply. The problem is all the places they don't apply
or they don't only apply.

Speaker 2 (36:03):
It's an excellent perspective.
I really appreciate that.
Um, I, I think we've covered a lot of information thus far.
Uh, what would you give as a final summation, um, before we
close out today?

Speaker 3 (36:16):
Well, I think pay attention to these rules.
If you have a particular perspective on any of those
information disclosure changes.
Do you think it's, it's too permissive for industry, you
think there's a patient concern about that, but I think in
general, I want you to pay attention in 2021 to the other
developments that are going on in the privacy space.

(36:39):
Some of which relate to healthcare, some of which, some
of which directly relate to healthcare, some of which
indirectly relate to healthcare.
But I think that that's gonna be a really interesting, broader
discussion as we see, again, states moving forward, perhaps
Congress moving forward, um, changes also happening for those
of you who work internationally, different rules in different

(37:00):
countries.
So we're really seeing a lot of turmoil in privacy generally,
and a lot of that is applying to the healthcare industry, even
though we have this veneer of stability around the HIPAA rule.
So that's, that's just creating, that's creating a lot of my work
these days.
It's creating a lot of issues for my, for my clients, um, and

(37:21):
just a really, and I think it's a really interesting issue to
watch because of all the important elements of, uh, how
data is used in the healthcare system.

Speaker 2 (37:29):
That sounds like a good place to leave it.
Uh, Kirk, thank you so much for taking the time to, uh, talk
through some of these aspects of, of the rules.
This has been, uh, uh, the podcast on proposed
modifications to the HIPAA privacy rule. So long, everyone.