- Written by Pat King
- Category: HIPAA
- Published: 21 February 2016
Population health is all the rage in health care these days. The industry consensus is that it will not be possible to contain health care costs, and improve quality, without the ability to capture data from health care providers' records and analyze it to determine whether providers are adhering to clinical practice guidelines or meeting benchmarks, and to track patients across the continuum of care. However, individually identifiable patient information cannot be disclosed to a central repository without assuring that this disclosure is permitted under HIPAA.
HIPAA permits the use and disclosure of protected health information (PHI) without express patient authorization for the purposes of treatment, payment and health care operations. The HIPAA Privacy Rule defines "health care operations" as including quality assessment and improvement, including outcomes evaluation and development of clinical guidelines; population-based activities related to improving health or reducing health care costs; and care coordination. Sounds like what the data repository will be used for. However, that's not the end of the inquiry. The Privacy Rule permits one provider to disclose PHI to a second provider (or other HIPAA-covered entity, like a health plan) only if both have a relationship with the patient, or both are part of an Organized Health Care Arrangement (OHCA).
OK, so what's an OHCA? The HIPAA Privacy Rule defines this as either:
- a clinically integrated care setting in which individuals typically receive health care from more than one health care provider; or
- an organized system of health care in which the participating HIPAA-covered entities hold themselves out to the public as participating in a joint arrangement, and participate in joint activities such as utilization review, quality assessment and improvement, or payment if the participants share financial risk.
I don't know if the authors of the HIPAA Privacy Rule had this in mind, but the concept of "clinical integration" has a long history under the antitrust laws. Why antitrust? Because networks of health care providers may include parties who are economic competitors (e.g., independent physicians or physician groups who compete, and hospitals or hospital systems which compete with each other for managed care contracts). Collaboration among competitors can lead to price fixing. So, these horizontal arrangements are generally illegal unless the participants are either financially integrated (e.g., they are all at risk, like members of an IPA contracting with an HMO) or clinically integrated. If participating physicians are actively engaged in collaborative clinical activities, such as developing clinical practice guidelines and physician performance measures, conducting peer review, and implementing quality improvement initiatives, then the benefits of the arrangement for improving quality and efficiency will outweigh threats to competition.
So, population health activities using a repository drawn from individual patient records can be permitted under HIPAA if the participating health care providers are part of a clinically integrated health care arrangement. For more on this, read the whitepaper recently published by the Office for Civil Rights and the Office of the National Coordinator for Health Information Technology.
People responsible for information privacy and security know that one of the most formidable risk factors, that cannot be fully mitigated no matter what you do, is the human factor. We fallible humans, in spite of all warnings to the contrary, fall for phishing schemes, click on harmless-sounding links that actually connect to malicious sites, and otherwise endanger data security. Probably hundreds of hospital employees have been fired for browsing through electronic health records looking for celebrity tidbits, and yet people still do it.
I’m writing this on Valentine’s Day, so it is with sorrow that I mention that the human factor can cause the most havoc when the human involved is a disaffected spouse or jilted lover. In a recent case with a background more typical of a Housewives episode than of the case files of the Office for Civil Rights, the estranged husband of a manager at a DME company blew the whistle on sloppy record-keeping procedures at the firm. When his wife left him, she left behind patient records along with the other detritus of the failed marriage. Recognizing the problems inherent in a person with no connection to patient treatment possessing this information, the public-spirited ex-spouse complained to OCR. On investigation, OCR agreed that the DME company had not maintained reasonable safeguards for the protected health information in its custody. This conclusion was based in part on statements made by the ex-wife (who by then was also an ex-employee).
OCR sought a penalty of $239,800, and the company appealed. The Administrative Law Judge upheld the penalty, finding that the company had failed to maintain written policies on the protection of patient information, and that a member of its workforce had disclosed PHI to an unauthorized person.
While the DME company might not have prevented the marital break-up, they certainly would have been in a better position to deal with the fallout if they had written policies detailing how employees should secure PHI. In particular, this company had no policies to monitor documents removed from the office and ensure their safe return, which “meant that PHI could be missing for indefinite periods without the company’s knowledge.”