HIPAA Musings: Random Thoughts on Privacy and Security

With the holidays quickly receding, there was some time for reflection. When given that time (and honestly spurred to some degree by the HIPAA request for information), different issues about HIPAA wandered through my mind. With so many issues to ponder, and taking a page Boston Globe sports columnist Dan Shaughnessy and his picked up pieces columns, here are various musings about HIPAA:

Why is it assumed that HIPAA and the goals of value-based care cannot co-exist with HIPAA as currently in place? The permissible uses and disclosures under treatment, payment and health care operations are quite extensive. In fact, in beginning to work on comments for submission to Office for Civil Rights (OCR) in response to the request for information, population health style concepts are already included in the definition of health care operations. Further, sharing of information among health care providers and payors is clearly permissible. If other parties are brought into the fold, then those parties will likely fit into one of those categories or be a business associate. In all instance,

HIPAA allows utilization of the data.Control and use of data are essential components of most contracts. Almost every analytics, consulting, or similar vendor wants to retain and keep using patient data even once a contract ends. While most such vendors are aware enough to request continued use of only de-identified data, that is not always the case. When a vendor wants to keep identifiable patient data, it suggests that the vendor does not accurately understand HIPAA.

However, retention of de-identifiable data is strongly argued for since it can enable development of new tools or refinement of existing ones. To the vendors, there is an arguable trade-off that the fees charged will be less if data can be kept or some other argument. These arguments counter the often default position of covered entities that de-identification and subsequent use can only occur with explicit permission. As with all things, neither side is right or wrong, but it is an unavoidable debate.

While the debate over ownership or control of healthcare data remains strong (my thoughts are clear in this post), the underlying issue often seems to be one of access.

Specifically, individuals find it overly difficult and complicated to get access to their records with organizations throwing up barriers left and right. Fundamentally, HIPAA is clear on the right of access and it should not be denied. Frankly, a major HIPAA fine or settlement over denial of access is probably only a matter of time because if an organization makes access difficult for one person, it is likely doing the same to many others. If enough complaints pile up, action may occur.

Regardless, why should good relations with a patient be strained over such a simple issue? While it is appreciated that making a copy is not necessarily as easy as pushing one button, it also should not be made into an insurmountable obstacle. If access were easier, then the debate about ownership and control could potentially be moderated into a more productive discussion over ensuring the smooth, seamless, and steady exchange of data.

Why does every natural disaster have to trigger a “waiver” of HIPAA now? It seemed to have started with some of the hurricanes a few years ago, but now every time something happens there is the announcement of a limited waiver. HIPAA allows sharing of limited information without a waiver, including confirming that an individual is being treated and directory style information.

Further, when the limited waiver is dug into, it does not actually do all that much since it only waives compliance with issues that arguably non-“material” in nature anyway. That is not to say that any organization subject to HIPAA can ignore compliance obligations, but the waiver does not put wholesale freedom into place either.

When it comes to keeping family members or other involved parties in the dark, it is not necessitated by HIPAA. HIPAA allows information to be shared with family members, though with acknowledged limitations. It is more likely that state law could be the real culprit for not being able to share information. if that is the case, then be honest that state law is at issue. Don’t pin everything onto HIPAA.

If an organization has deep pockets and there is any sort of violation that occurs, that organization should be feeling pretty nervous nowadays. The fines imposed by OCR in 2018 for HIPAA violations set a troubling trend that organizations with an ability to pay will be targeted. That pattern emerged starting in February and continuing into November when large fines were imposed over conduct that arguably was not as egregious as previous actions that resulted in negligible or no fines. Now, even “small” breaches could be used to investigate and get into the realm of imposing a fine. That cannot be a comfortable position for any entity. However, there is an easy means of addressing or mitigating the issue: focus on compliance now and always. If an organization makes honest, good faith efforts to avoid issues, then there is a strong argument that a fine should not be imposed. At a minimum, do not miss conducting a risk analysis. It is possible that every single HIPAA settlement includes a finding that the organization did not conduct a sufficient risk analysis or one at all. Skipping is probably inexcusable at this point in time.

Lastly, at least for the moment, one of the biggest issues surrounding HIPAA is a continuing lack of understanding of what HIPAA does and how HIPAA operates. It does not matter whether the lack of understanding is deliberate or not, it must change. So many opportunities exist for education and training that there are few excuses to avoid. While the pace of guidance from OCR has slowed if not stopped altogether, there is still a fair amount of information available on the OCR website to give an organization or individual a solid start on comprehending how HIPAA operates. The ability to learn assumes a desire to learn though. Too often there is a feeling of trying to drag individuals or organizations to the proverbial water and then an obstinate decision to avoid taking the next step. That issue cannot be resolved by anyone other than the individual or organization resisting. Culture change is happening, but not quickly enough.

While those are not nearly all of the musings around HIPAA that bounce around in my head, it is a start. Look for further musing over the course of the year, which will be a means of pouring out an almost stream of consciousness rambling, but having a unifying theme of wanting to drive awareness and understanding to a better place.

This article was originally published on Mirick O’Connell’s Health Law Blog.

By Matt Fisher, Esq Twitter: @matt_r_fisher Host of Healthcare de Jure – #HCdeJure