In New Opioids Legislation, Patient Privacy Holds Serve

Rajiv Leventhal, Managing Editor | Healthcare Blogs
The attention has turned to patient privacy as a new opioids package nears the President’s desk

Congress’ sweeping opioids legislation—a bill that includes several important health IT provisions—has created much debate in recent days and weeks, as stakeholders sit on different sides of the table over a key patient privacy element.

For background, two weeks ago, the U.S. Senate passed The Opioid Crisis Response Act of 2018, which has the core purpose to improve the ability of various health departments and agencies to address the opioid crisis—including the ripple effects of the crisis on children, families, and communities—as well as help states implement updates to their plans of safe care, and improve data sharing between states.

The House passed its version of the legislation in June, and then after a committee was convened to reconcile the differences between the two bills, the House passed the latest version by a vote of 393 to 8. The Senate will now need to pass this consensus legislation—the SUPPORT for Patients and Communities Act—before it can go to the President for his signature.

One of the major points of controversy was whether or not the federal law, 42 CFR Part 2—which keeps mental health records separate from other health records and prevents the sharing of these confidential treatment records without a patient's explicit consent—would be amended and be aligned with HIPAA [the Health Insurance Portability and Accountability Act]—as many have clamored for. Indeed, while some healthcare stakeholders believed that patient privacy laws should be changed so providers could more easily share information about a patient’s history of substance use, others have maintained that the privacy laws ought to remain intact.

While “the House had approved changes in its original legislation, H.R. 6082 (115), they didn’t make it into the Senate version and were ultimately dropped in negotiations,” according to a recent report in Politico’s Morning eHealth Newsletter. As such, the 42 CFR Part 2 patient privacy law will remain intact.

What’s perhaps most fascinating about this debate is the major players that are on each side of it. According to a recent article in STAT News, “The AMA [American Medical Association] said it believed there was a ‘fundamental misunderstanding’ among groups working to incorporate the proposal into a sprawling opioids bill. Relaxing restrictions on patient privacy, the AMA wrote, could prevent individuals with addiction from seeking medical treatment in the first place.”

The AMA wrote in a letter to lawmakers that the intent of 42 CFR Part 2 is to encourage patients to seek treatment for addiction knowing that their health information will not be shared, thereby easing fears of discrimination and negative legal consequences resulting from their substance use. The AMA’s letter continued, “Aligning Part 2 with HIPAA would effectively remove privacy rights from a particular patient population—the very rights that were created to encourage SUD [substance use disorder] treatment.”

Importantly, the AMA also brought up two other key points in its argument. First, the association noted that amending 42 CFR Part 2 laws would impact more than just opioid addiction. For instance, the AMA wrote, “Alignment [with HIPAA] would remove the privacy rights of all patients who seek treatment at a Part 2 program for any SUD and could discourage patients from seeking treatment not only for opioid dependency, but for other addictions as well.”

The second point the AMA brought up was that patient information is simply not as available as some make it out to be. While those who support aligning Part 2 with HIPAA envision a patient’s SUD records being available to all of the patient’s providers at any given time, the AMA said that given the current state of interoperability, this is not practical. The group wrote, “A clinician cannot go to his or her electronic health record (EHR) and ‘pull’ a patient’s SUD information upon request—in other words, regardless of whether Part 2 has been aligned with HIPAA, a clinician cannot simply search a patient’s name in his or her EHR and obtain all of the patient’s information. This problem exists even now with information covered by HIPAA…”

As Politico also has reported, Sen. Patty Murray (D-Wash) was very much in the middle of the dispute as well. Its report noted, “Murray, the ranking member of the Senate HELP (Health, Education Labor & Pensions) Committee, has been withholding her support for including a controversial privacy measure in the sweeping bill to address the opioid crisis despite support by other Democrats including her state's governor. She has reservations about a change that would make it easier for doctors to see a patient's substance abuse records.”

Politico spoke to three lobbyists who said that Washington Gov. Jay Inslee had lobbied Sen. Murray to include an overhaul in the final opioids legislation. “An aide to Murray said she was willing to negotiate a solution that resulted in improved care coordination while protecting patients' privacy,” according to that report.

Meanwhile, other health IT groups, such as the College of Healthcare Information Management Executives (CHIME), the American Hospital Association (AHA), and various major health insurers, feel differently about this significant privacy issue. In a letter from CHIME to Senate and House representatives, obtained by Fierce Healthcare, the group’s President and CEO, Russell Branzell, wrote, “It is essential that healthcare providers have a complete medical history with all relevant information that will help them make clinical decisions. To ensure the highest quality of care, information pertaining to substance use disorder is pertinent.”

The CHIME letter continued, “Unfortunately, under current law, 42 CFR Part 2, SUD treatment and diagnoses are kept confidential from providers which can be extremely problematic when a clinician is attempting to treat someone but is unaware of their prior addiction history. Our members strongly support synchronizing these consent policies, which will reduce the burdens imposed by these two different sets of rules and facilitate consent for the purposes of treatment, payment and healthcare operations pursuant to HIPAA.”

And according to the aforementioned STAT piece, “The groups pushing the measure say that the current restrictions inhibit providers from accessing information critical to providing quality treatment—giving a common example in which a doctor, not knowing a patient has a history of addiction, unknowingly prescribing opioids for pain treatment.”

In the end, the privacy advocates were the side who came out on top, since the proposed amendment to 42 CFR Part 2 never got included in the final version. But digging deeper, the big-picture impact of not including this amendment is also worth exploring.  

It was quite interesting to me that the AMA—the largest association of physicians in the U.S.—was leading the charge against the Part 2 amendment. To this point, it’s important to keep in mind how many physicians feel about EHRs—namely that they add to their workdays, thereby causing increased burnout.

Using this logic, if physicians are not keen on EHRs, one could understand why they would be opposed to this type of data sharing without a patient’s explicit consent. And without that physician trust in the technology—which gets extended down to the patient level as well—it’s quite possible that consent would be tough to get. If that were the case, as the AMA believes, patients might be hesitant to seek treatment for SUD in the first place.

As the debate over patient privacy surely will continue, there are many who believe that the 42 CFR Part 2 law is severely outdated. Indeed, the Part 2 regulations restricting how data of patients with substance use disorders is shared were written in 1975 out of concern that the information could be used against individuals, causing them to avoid seeking needed treatment. Because the regulations require the patient to consent every time their data is shared or accessed, health information exchanges (HIEs) and others have found it challenging to work around these restrictions. Many HIEs have just avoided the issue during their startup phases.

To this end, the Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), did re-write portions of the Part 2 law in a rule that was finalized earlier this year. But still, those who believe that Part 2 should be aligned with HIPAA do not believe that the rule went far enough at all to solve data sharing issues.

So for now, it’s the patient privacy advocates that continue to hold serve in this ongoing match.



AMIA Calls for Harmonization of Data Privacy Policies

November 16, 2018

As the lines between consumer and clinical data systems continue to blur, there is a need to harmonize health sector data privacy policy, such as the Health Insurance Portability and Accountability Act (HIPAA), with consumer data policy to develop a new era of privacy policy, according to the American Medical Informatics Association (AMIA).

AMIA provided written comments last week in response to the National Telecommunications and Information Administration’s Request for Comment (RFC) on the Administration’s approach to consumer privacy. NTIA, an agency within the Department of Commerce, was seeking feedback on ways it can advance consumer privacy while also protecting innovation. The RFC sought feedback on how certain organizational privacy goals and outcomes can be achieved. These outcomes include organizational transparency, user control over personal information, reasonable minimization of data collection, organizational security practices, user access and correction, organizational risk management, and organizational accountability.

In its written comments, AMIA encouraged the Trump administration to closely examine both HIPAA and the Common Rule and develop an explicit goal to harmonize “health sector” and “consumer sector” data privacy policies. The informatics group cautioned the Administration against a patchwork of consumer privacy policies that is already the norm in the health sector.

Jeff Smith, vice president, public policy at AMIA, notes that given the health sector’s experience with HIPAA and the Common Rule, there is a unique opportunity to accomplish two aims with this executive and legislative branch conversation—harmonize health sector data privacy policy with consumer data privacy policy and develop a national forum and framework to allow states flexibility to address local needs and norms.

In its written comments, AMIA noted that differences in the interpretation of HIPAA have led to wild variations in application. The group thus urged the administration to balance the need for both prescriptive process-oriented policies and outcome-oriented policies, writing that “[a]n over-emphasis on vague or difficult-to-measure outcomes without guidance on process will result in the failings of HIPAA – wide variation in interpretation and inconsistent implementation.”

AMIA went on to not only reiterate its support for patients always having access to their data, but advocated extending this principle to other sectors of the economy and elevating it to “a prerequisite condition and central organizing principle from which other outcomes derive.”

Further, while AMIA broadly supported the RFC’s high-level goals, it recommended that the administration also focus on “closing regulatory gaps” that endanger data privacy. Citing a 2016 ONC report, AMIA pointed out that there are health-related technologies that exist outside the scope of HIPAA, Federal Trade Commission (FTC) regulation, or state law. Thus, a truly comprehensive approach to consumer privacy should address these gaps, AMIA wrote.

Finally, AMIA encouraged the administration to take several steps to address data governance and ethical use. It recommended that FTC “develop a framework for organizations to use that supports trust, safety, efficacy, and transparency across the proliferation of commercial and nonproprietary information resources,” in addition to an “ethical framework around the collection, use, storage, and disclosure of the personal information consumers may provide to organizations.”

“We applaud the administration for initiating this long overdue conversation. As the lines between consumer and clinical devices continues to blur, the need for harmonized federal policy becomes more pronounced,” Douglas B. Fridsma, M.D., Ph.D, AMIA President and CEO, said in a statement. “Just as we strive to ensure that patients have access to and control over their data, we must strive to deliver the same for consumers. The administration should learn from the health sector and develop improved privacy policies across all sectors of the economy.”




Time to End ‘Wild West’ of Health Data Usage in HIPAA-Free Zones

Beyond consent, bioethicists argue for ethical guidelines governing fair use of data

In a recent conversation, a CMIO described the era of Meaningful Use and ICD-10 to me as the “doldrums of regulatory reform” that “sucked up all the oxygen” in the industry, leaving little room for innovation. So I can see why there would be little appetite for more regulation related to health data, and obviously the current administration prefers market-based solutions to regulatory ones.

Yet the Oct. 22 meeting, “Data Min(d)ing: Privacy and Our Digital Identities,” put on by the U.S. Department of Health & Human Services, made it clear to me that as more health data is gathered (and sold) outside the clinical setting, there is a “Wild West” atmosphere in which pretty much anything goes in terms of what companies not covered by HIPAA can do with our health data.

As an example, an April 2018 CNBC article noted that Facebook “has asked several major U.S. hospitals to share anonymized data about their patients, such as illnesses and prescription information, for a proposed research project. Facebook was intending to match it up with user data it had collected in order to help the hospitals figure out which patients might need special care or treatment.” (That project is currently on hiatus, Facebook said.)

The HHS meeting brought together industry leaders and researchers for some thought-provoking presentations about the many ways genetic, wearable and EHR health data is being used. For instance, James Hazel, Ph.D, J.D., a research fellow at the Center for Biomedical Ethics and Society at the Vanderbilt University Medical Center, presented his research that involved a survey of the privacy policies proffered by U.S. direct-to-consumer genetic testing companies. Hazel noted that there has been huge growth in direct-to-consumer genetic testing, with an estimated 12 million people tested in the United States. Beyond offering consumers the services, these companies doing the testing wish to monetize that data through partnerships with pharmaceutical companies and academic researchers. There is also value to government and law enforcement officials, for instance to solve cold cases.

There is a patchwork of federal and state laws governing disclosure of secondary data usage to consumers, but the industry is largely left to self-regulate, he said. In his survey of 90 companies offering these genetic data services, “10 percent had no policies whatsoever,” he said. About 55 companies had genetic data policies, but there was tremendous variability in policies about collection and use. Less than half had information on the fate of the sample. In terms of secondary use, the majority of policies refer to internal uses of genetic data. However, very few addressed ownership or commercialization. And although almost all made claims to being good stewards of the data, 95 percent did not provide for notification in case of a data breach. The provisions for sharing de-identified data are even less restrictive. Hazel noted that 75 percent share it without additional consent from the consumer.

Hazel’s take-home message: “We saw variability across the industry. Also, we had a group of law students and law professors read the policies and there was widespread disagreement about what they meant,” he said. “Also, nearly every company reserves the right to change the policy at any time, and hardly any company provided for individual notice in event of a change.” He finished his presentation with a question. “What is the path forward? Additional oversight by the Federal Trade Commission? Or allowing industry efforts to take the lead before stepping in?”

In a separate presentation, Efthimios Parasidis, J.D., a professor of Law and Public Health at the Ohio State University, spoke about the need for an ethical framework for health data.

Parasidis began by noting that beyond data security and privacy, consent and notice are inadequate ethical markers. “If one looks at regulations, whether it is HIPAA, the European Union’s GDPR, or California’s recently enacted consumer privacy law, the regulatory trend has been to emphasize consent, deletion rights and data use notifications,” he said. While these are important regulatory levers, missing is a forum for assessing what is fair use of data. “Interestingly, few areas of data collection require ethics review,” he stressed. HIPAA does not speak to when data use is ethical but rather establishes guidelines for maintaining and sharing certain identifiable health information. Even those protections are limited. HIPAA only applies to covered entities, he noted. It does not apply to identifiable health information held by a wide variety of stakeholders, including social media, health and wellness apps, wearables, life insurers, workers’ compensation insurers, retail stores, credit card companies, Internet searches, and dating companies.

“While the volume of identifiable health information held in HIPAA-free zones engulfs that which is protected by HIPAA and may support more accurate predictions about health than a person’s identifiable medical records,” Parasidis said, “the limits of HIPAA’s protections go beyond scope. For data on either side of the HIPAA divide, an evaluation of ethical implications is only required for human subject research that falls under the Common Rule. Much of data analytics falls outside the Common Rule or any external oversight.”

Citing the Facebook example mentioned above, Parasidis noted that tech giants Amazon, Apple, Google, Microsoft and Uber are entering the digital health space. “The large swathes of identifiable information that these entities hold raise a host of ethical questions,” he added, “including widespread re-identification of de-identified health information, health profiling of individuals or groups and discrimination based on health conditions.”

Policies and guidelines can supplement the small subset of data covered under legally mandated ethics review, he explained. For instance, federal agencies sometimes use internal disclosure review boards to examine ethical implications of data disclosure. But it is not clear this type of review is happening in the private sector.

Parasidis described work he has done with Elizabeth Pike, director of Privacy Policy in the Office of the Chief Information Officer at HHS, and Deven McGraw, who served as deputy director of health information privacy at HHS, on a framework for ethical review of how health data is used.

One way to think about more robust ethics review is the use of data ethics review boards, he said. Their structure can be modeled on institutional review boards or disclosure review boards. “This new administrative entity is necessary because much of contemporary data analytics falls outside existing frameworks,” he said. “We argue that these boards should focus on choice, responsiveness, accountability, fairness and transparency — a CRAFT framework. For instance, choice goes beyond consent. Individuals have an ongoing interest in their health data and should be able to specify how it is collected, analyzed and used.”

Reasonable minds can disagree on the relative weight of ethical principles or how they should be enacted into the context of data use deliberations, he said. “We nevertheless believe there remains an urgent need to craft an ethical framework for health data.”





Despite HIPAA Law, Researchers Say Getting Medical Records Still is Burdensome

October 8, 2018
by Rajiv Leventhal, Managing Editor

Although federal law has long promoted patients’ access to their protected health information, a recent study of 83 hospitals has revealed that there was noncompliance with federal regulations for formats of release and state regulations for request processing times.  

The research, published recently in JAMA, also found that there was discordance between information provided on medical records release authorization forms and that obtained directly from medical records departments regarding the medical records request processes.

The Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) gives patients the right of access to their protected health information. Per federal regulation, medical record requests must be fulfilled within 30 days of receipt (with the possibility of a single 30-day extension) in the format requested by the patient if the records are readily producible in that format.

Despite HIPAA and the fact that electronic health records (EHRs) are much more widespread now than in years past, patients may not be able to easily request, receive, and manage their medical records. Under guidance from the U.S. Department of Health and Human Services, hospitals are permitted to impose a reasonable cost-based fee for the release of medical records, but costs still remain high. What’s more, many hospitals add procedural obstacles that can limit patient access, the researchers noted.

To this point, a GAO (Government Accountability Office) report earlier this year also found some troubling trends regarding patient access to medical records. The GAO analyzed four states, finding one instance in which patients paid more than $500 for a single medical record request, and another in which one patient was charged $148 for a PDF version of her medical record.

For this latest study, researchers collected medical records release authorization forms from each hospital and subsequently telephoned each hospital’s medical records department to collect data.

Among the 83 hospitals, 44 (53 percent) provided patients the option on the forms to acquire their entire medical record. For individual categories of “requestable” information on the forms, as few as nine hospitals (11 percent) provided the option of selecting release of physician orders and as many as 73 hospitals (88 percent) provided the option of selecting release of laboratory results. Most hospitals (92 percent) provided the option of an “other” category for requesting information not explicitly listed on the form.

Among the telephone calls made, all the hospitals said they were able to release entire medical records to patients. When asked if any information would be withheld with a request of an entire medical record, two hospitals disclosed that nursing notes would not be released unless they were specifically requested. However, just 25 percent of the hospitals who were called said they were able to release information onto patient portals. All hospitals stated in telephone calls and on the forms that they could release information via mail.

Regarding cost, on the authorization forms, 35 percent of hospitals disclosed exact costs for releasing medical records, 22 percent said they would charge patients without specifying a cost, and 36 percent did not specify anything about fees. For a 200-page record, the cost of release ranged from $0.00 to $281.54, based on the 29 hospitals that disclosed costs.

Among the telephone calls, 82 out of 83 hospitals disclosed costs for paper formats of release. For a 200-page record, the cost of release as communicated in telephone calls ranged from $0.00 to $541.50. And of the 82 hospitals that disclosed costs, 48 hospitals (59 percent) stated costs of release above the federal recommendation of a $6.50 flat fee for electronically maintained records.

Finally, for processing times for medical records release, of the 71 hospitals that provided mean times of release when called, 21 percent reported mean times of less than 7 days; 25 percent in seven to 10 days; 31 percent in 11 to 20 days; 5 percent in 21 to 30 days; and 3 4 percent in more than 30 days. In general, most hospitals were able to release records in electronic format in a shorter time frame than records in paper format.

Of the hospitals that responded with times of release, seven had ranges extending beyond their state’s requirement before applying the single 30-day extension granted by HIPAA.

The researchers concluded, “Requesting medical records remains a complicated and burdensome process for patients despite policy efforts and regulation to make medical records more readily available to patients. Our results revealed inconsistencies in information provided by medical records authorization forms and by medical records departments in select U.S. hospitals, as well as potentially unaffordable costs and processing times that were not compliant with federal regulations. As legislation, including the recent 21st Century Cures Act, and government-wide initiatives like MyHealthEData continue to stipulate improvements in patient access to medical records, attention to the most obvious barriers should be paramount.”
