National Association of ACOs
601 13th Street, NW, Suite 900 South
Washington, DC 20005 | 202-640-1985
April 9, 2021
Department of Health and Human Services
Office for Civil Rights (OCR)
200 Independence Ave SW
Washington, DC 20201
RE: Transparency in Disclosure of PHI (HHS–OCR–0945–AA00)
Dear Ms. Nguyen:
The National Association of Accountable Care Organizations (NAACOs) honors the opportunity to comment on the proposed rule of modifying the HIPAA Privacy Rule to support and remove barriers to Coordinated Care and Individual Engagement. On behalf of various partners and alliances working across the political aisle, we appreciate the efforts undertaken to improve patients’ accessibility to their medical information and safeguard privacy rules. This initiative’s pursuit would ensure that accountability is preserved across the transmission process of protected health information (PHI). Thus, patients can continue to experience quality of care. At the same time, federal agencies remain at the helm of policymaking to optimize compliance with the proposed rule. Collectively, covered entities such as hospitals, health insurance companies, medical providers, and constituents alike would be affected based on the present trends unfolding without this policy under consideration. Therefore, NAACOs support implementing the proposed rules under the condition that more clarification is placed forth to protect constituents while abating unreasonable institutional demands and incentives. In essence, the policy should not insulate affected parties from the consequences of their actions. Still, the amended changes augment the possibility of overregulation even if it may not be perceptible to those impacted by the proposed changes.
The Costs of Changing Privacy Rules to Medicare Beneficiaries 1
Medicare patients seek reduced medical costs and quality of care in the Medicare program. Though the proposed rule’s modifications advocate for privacy standards to be re-evaluated to advance organizational strategies across healthcare systems, the transition to value-based care is deemed unfeasible if accountability is nonexistent in care coordination and case management. As such, the accountable care model lands in a standstill to enhance the role of population health. Ensuring that covered entities receive more than the minimum information of patients’ PHI for individual care coordination and case management represents a violation of patients’ right to manage their health (§164.510, 2021). Health care operations should instead rely on information shared for the past ten years to assess fellow patients’ health status. Accordingly, patients who do not provide informed consent for disclosing PHI run the risk of being crippled by uncertainties that may impact externalities such as out-pocket costs and career prospects if prospective employers request the information.
Care Coordination and Case Management: Administrative Burdens 1
The department recognizes that undue regulatory burdens are placed on millions of Americans. NAACOs remain committed to ensuring patients across ACOs understand their privacy rights and their responsibility to report errors in their medical records to the appropriate government bodies. In particular, we support the Department of Health and Human Service’s decision to remove barriers caused by administrative burdens and not strengthen bureaucratic systems that do not create value for providers and patients alike. The dissolution of administrative costs and bureaucratic automatons would empower patients to manage decisions related to their health and provide the assurance needed on available benefits.
Patients and health entities must work in tandem by incorporating patients’ challenges to ensure these administrative blockages are removed and improve target populations’ health outcomes for a value-based care system. As such, NAACOs propose that the department perform routine monitoring on the impact of disclosure on coordination for Medicare and Medicaid beneficiaries. The collected information from patients serves as fodder for feedback loopholes to develop practical solutions for the proposed rule’s implementation phase. Simultaneously, the political robustness of constituents’ recommendations is assessed during each stage of the implementation for service provision.
Summary of Proposals to Modify the Individual Right to Access 1
The department seeks comment on allowing patients to authorize the sharing of PHI among covered entities. As NAACOs previously commented, by enabling patients to choose the entities to access their medical information, it becomes unclear the intervention of ACOs on behalf of patients when there is a breach of confidentiality in transmitting the medical information maintained by the Discloser or covered health plans.2 By adding this verbiage in the proposed rule, the recommended course of action is sufficiently likely to produce the required positive outcomes to justify the proposed rule’s general costs and risks (§ 164.525, 2021). The absence of the proposed verbiage hinders the transparency purported in disclosing such confidential information among consumers, health care providers, and health plans. In all fairness, the absence of clear ramifications in case of a breach of information does not equip us as an organization to answer patients’ countermoves to the policy. Similarly, the proposed rules do not address the ethical costs of implementing these changes to the privacy rule. NAACOs encourage the department to mandate that medical providers do not disclose PHI to third parties unless they receive prior authorization from patients.
Adding Definitions for Electronic Health Record or EHR and Personal Health Application 1
The rationale for using Personal Health Applications is only justifiable if specific criteria and standards in HIPAA are enacted to inspect these platforms’ appropriateness. Equally important, guidance should be provided on whether the user-friendly features in personal health applications will follow a standardized format or differ across health insurance coverage for constituents. At the center of these topical areas, patients’ safety must be leveraged to foment equitable policies.
As such, the rule does not outline retrospectively how these health applications will be vetted for security and quality assurance for the sole use of health information transmission. The lack of information on the types of information shared across these platforms may make it confusing for patients and covered entities to comply with (§ 164.514, 2021).
Notwithstanding, this is especially true with federal agencies gauging the assimilation of the privacy rule changes into standard operating procedures for regulatory review. Undoubtedly, constituents and covered entities’ interests differ with their competing ideas on managing compliance costs if they lobby for this regulation and the administration of the interoperable processes to support the proposed rule. NAACOs suggest that a notice of access be sent to patients on these virtual platforms during the transmission of information between health plans, health care providers, and patients.
Clarifying the Scope of Covered Entities’ Abilities to Disclose PHI to Certain Third Parties for Individual-Level Care Coordination and Case Management That Constitutes Treatment or Health Care Operations 1
Based on the disclosure clause, approximately 329 million individuals will be affected by the change of policies. The apprehension of NAACOs to support this legislation is in tandem with the public’s fear that providers may not necessarily know when to disclose PHI for the continuum of care. Suppose covered entities such as pharmacies or health care facilities are permitted to disclose information without prior approval. In that case, this may result in the violation of the HIPAA rules. Currently, a list of recipients has not been drafted concerning receiving PHI except for health plans and health care providers (§164.506, 2021). The benefits of this proposed rulemaking are numerous in preventing harm to patients. Nevertheless, the implications from policy to practice across health care organizations and federal agencies remain for speculation in the future.
We appreciate the opportunity to comment on the departments’ “HIPAA Privacy Rule to support and remove barriers to Coordinated Care and Individual Engagement” proposed rule. NAACOs advocate relentlessly to protect millions of Americans’ health so that their access to health care is not compromised regardless of their ability to pay. Should you have additional questions, I look forward to providing further insight to the department on this initiative by contacting me at (246) 567- 2365 or email@example.com.
- The United States, The Department of Health and Human Resources. (2021). Proposed modifications to the HIPAA privacy rule to support, and remove barriers to, coordinated care and individual engagement. 86 Fed. Reg. 6446-6538.
- Revcycle Intelligence. (2021). Preparing physician practices for direct contracting, risk models. Retrieved from https://revcycleintelligence.com/news/preparing-physician-practicesfor-direct-contracting-risk-models)