#NewHIPAA Proposed Privacy Rule Thread starting. These are my notes, there'll be a blog post summarizing these later. 1/??? And I'm not even going to try to count these or tag all with #NewHIPAA, I'll just keep them in this thread.

357 pages, PDF here: hhs.gov/sites/default/…
Basically this is needed because healthcare providers say "I can't do that b/c HIPAA", and patients say "yes you can", and lawyers say "but ...", and trees, we need to save some trees.

A lot of the input on this rule came from a request for information in 2018.
The big points are: Give me my damn data, and let me take notes, and do it faster, and you can get it in the form and format that you ask for, w/o having to bring umpteen forms of id, clarifying when you can be charged, changing the fee structure, making fees more transparent ...
providing better supports for care coordination activities from covered entities, for treatment or operations, better integrating with social services, lowering the bar to release of information when there's a reasonable belief in potential harm, ...
Saving trees and ink on notice of privacy practices (I can't tell you how many times I've been asked to sign for receipt of these having never been given them), enabling services for blind or deaf or otherwise communication disabled patients to use a third party service to help.
Effective within 60 days after publication of a final rule, with compliance in 180 days (six months)
What is care coordination and case management? It's critical for value based care, but what exactly is it? HHS wants you to tell them.
OIG defines it: “deliberate organization of patient care activities & sharing of info... between 2 or more value-based enterprise participants & patients, tailored to improving health outcomes of the target patient population, in order to achieve safer & more effective care ...”
They give quite a few other definitions too.

& now we're at the bottom of page 19 and can skip a bunch of stuff unless you really need to understand why HHS/CMS can make these rules. In short, HIPAA, HITECH, & 21st Century Cures legislation says CMS can. On to page 34
While OCR has beaten everyone over the head with a stick, communicated in every way imaginable about their intent, some people just don't get it unless they write new regulations. That's basically what page 38 says.
Oh what a tangled web we weave ... as CMS proposes to define EHR and PHR based on HITECH. I'm surely expecting a reference to a reference in ONC's regulatory future...
Ciox vs. Azar plays prominently in the next few pages. If you want to learn more: google.com/search?q=Ciox+…
Embodied in this proposed rule is the limited right recognized under that action for a patient to direct the exchange of PHI _contained in an EHR_ from one party to a third party according to the patient's direction.
Patients need this clarification to be spelled out in the Federal Register in order to get covered entities to act on it.

It seems the lawyerly default is "If it isn't explicitly granted, it must be forbidden," and so CMS has to spell it out.
The definition of EHR will wend its way through 42 USC 17921, 45 CFR 164.501, 45 CFR 160.103.

Along the way, the undefined term "Clinician" will also receive an entry in the healthcare regulatory dictionary.
I used to work with electronic dictionaries, I wonder if anyone makes one that includes all the definitions in US law and regulation with cross references and indices...

Anyway, back to work (or play if you have a weird brain like mine).
Once you get through definitions, we're now on page 49, about 15% of the way through.

Here's an interesting topic, I wonder what Judy will think about patients taking video of a physician's traversal through their EHR record, or capturing screen shots & then sharing them on FB.
It's apparently going to become another one of those rights that CMS has to spell out that patients can use video, still images, and other resources when examining their record.
But no, you cannot connect your thumb drive to the system (which is actually fine by me, I don't want my thumb drive to get infected by ransomware).
As for how you can make the request, providers can still require it be written, but it's going to get easier:

unreasonable measures ... include requiring notarization..., accepting requests only on paper form, only in person at the facility, or only through the online portal.
And faster: 15 days is long enough, as proven in at least 5 states already. And ... "To limit compliance complexity, the Department proposes to uniformly apply this timeliness requirement, regardless of the form or format of the PHI (e.g., paper or electronic)"
And API driven b/c if a provider has an API enabled EHR, then ePHI is considered to be readily producible in an electronic form and format by the entity.

"We didn't enable that feature" is NOT an excuse (and never was, but now it's written down).
And if another regulatory authority at the state or federal level requires production by an entity in a particular form and format (say, somebody like @ONC_HealthIT), then yeah, that's readily producible too.
And oh, remember how that third party direction needed to be written... NOT any more. Oral or electronic requests are allowed.

And directed to a third party enables patients to use their right of access to have one HCP get data from another
Here's a good one for HIEs to respond to at the top of page 77 (a fifth of the way through): ...To clarify that the Privacy Rule permits covered entities to use HIEs to “broadcast” queries on behalf of an individual to determine [who] have PHI about the individual & get copies!
On fees: As a result, the Ciox v. Azar court found that the Department had improperly imposed the fee limitations in the access right to direct a copy of PHI to a third party without notice and comment rulemaking.

So guess what, here's notice & comment rulemaking below at p79
Here's the accompanying chart:
This sounds about right to me ... "The Department believes that access through an internet-based method likely occurs without involvement of covered entity workforce members, and thus believes that the covered entity likely incurs no allowable labor costs or expenses."
On fee transparency:

"the Department proposes to add a new subsection 525 to 45 CFR 164 to require covered entities to provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual’s valid authorization."
The next couple of pages go on to say: Print it on your web site, make it available to patients, stick to it, and oh, by the way, if you are smart, you'll make sure it is consistent with federal and state law and regulation too...
A 40 question essay test starts on page 93 with questions letter a through nn asking respondents for specific responses to the CMS proposed regs. You will be graded on practicality, brevity, and clarity. You have 60 days from official publication in the FR. It's open book. Go.
And now we are at the top of page 102, only 245 pages to go.
There's a lot more about how to identify individuals and authorize requests.

Therefore, a covered entity ... that [uses APIs like #FHIR] but denies ... individual access, to a designated personal health application, or other application ... [may be screwing up big time.]
Hey @AMugge, don't you wish you could say "screwing up big time" in regulatory text...
Take home quiz starts on page 107, answer questions a through f. Homework due in about 2 months. Submit your answers to regulations.gov under Docket ID number HHS-OCR0945-AA00. All test answers will become public and attributable to you.
Next up: The Department proposes to clarify the definition of health care operations in 45 CFR 164.501 to encompass all care coordination and case management by health plans, whether individual-level or population-based
I'm guessing this is going to start with definitions like usual, ... and I'm right. In fact, that's about the extent of this section.
Healthcare operations = population-based activities [for] improving health or reducing ... health care costs; protocol development; case management & care coordination; contacting of ... providers & patients w/ info about ... alternatives; & related [non-treatment] functions
Minimum Necessary: Another HIPAA bugaboo. Is it about to bite the big one? Let's see.

[CMS] proposes to add an express exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered ... provider for care coordination & case management.
Yes and no. The exception would apply only to those care coordination and case management activities that are at the individual level.
I'm of two minds about this:
Personally, I'd like my insurance company to stay out of my health care business as much as possible, ... but ... they are a [necessary] evil for NOW. So, give them the tools to do their work for people who can benefit.
Eight questions starting on page 120 due in about 9 weeks on minimum necessary.
45 CFR 164.506(c)(6) would expressly permit covered entities to disclose PHI to social services agencies, community based organizations, HCBS providers, & other similar 3rd parties that provide health-related services to ... individuals for individual-level care coord/case mgmt
This basically boils down to: We want to write this down so you actually get it, even though we think this is already permitted, but ... well, some of you are denser than others ...

Did I say that in my out loud voice?
There are some solid research questions for you to ponder (a-h) starting at page 130 and ending on 132.
This next one hits home hard: CMS wants to replace “serious and imminent threat” with a “serious and reasonably foreseeable threat”.

God yes, please yes, hell YES!
Nearly 30 odd years ago, my father wound up in a hospital while my mother was off on a cruise with her mother in Alaska. He had had a TIA, and was eventually after some time discharged in great emotional distress (one provider described him as suicidal). ...
To make a long story short, he later attempted suicide, an event which brought me home to PA for a month from where I was living in Florida, and resulted (in combination with other events) in subsequent long term disability.
Some of that could have been prevented if some Dr. had actually said something to my mother about his mental state at the time. Now, this was before HIPAA, so that wasn't the excuse given, BUT, this is exactly the kind of thing that could be prevented by that wording change.
Back to the rules... CMS notes that 42 CFR part 2 changes are not in the scope of THIS rule ... BUT there will be more later to address needed changes there.
Department proposes to amend 5 provisions of the Privacy Rule to replace “exercise of professional judgment” with “good faith belief” as the standard pursuant to which covered entities would be permitted to make certain uses and disclosures in the best interests of individuals.
adopting a “serious & reasonably foreseeable threat” standard could further enable a healthcare provider to timely notify a family member that an individual is at risk of suicide, even if the provider cannot predict that a suicide attempt is likely to occur “imminently.”
Dang, they read my mind. As I said, been there, done that.

Questions on this topic start on p158, due in 4 fortnights plus or minus
Next up: Saving trees. That Notice of Privacy Practices that they make you sign for but don't even give you sometimes? CMS wants to eliminate the signature form, and make some changes to add a certain kind of boilerplate to make some things more understandable.
Yup. I'm in favor of this. Post your NPP prominently, make it easy to find, but stop telling me I have to sign this form, and I'll stop telling you how recently I read HIPAA and you didn't.
Another dive down a related rabbit hole: I switched my pharmacy from Walgreens to CVS a few years back b/c of NPP signature snafu. The signature was on a card swipe machine, and first I refused to sign, and they said they had to have it, and I said, then give me the NPP...
They couldn't find it. But finally they did, after 15 minutes of searching. On the back of the prescription information safety pages, they wouldn't give me until I signed. And you couldn't pay for the meds w/o signing.
Environmental cost for those forms alone can be estimated at around 2 cents per page x 330 million people x 4 times a year x 1.32 billion times 2 cents = $26.4M in paper & ink + time @ 10 seconds / signature * 1.32 billion * $15/hr (a reasonable wage) * 2 parties = $55M = $80+M
See google.com/search?q=how+m… for reams in a tree (about 20), which means about 1.32 million trees a year saved by this one.
I think I'll submit these estimates as comments on cost savings... someone (maybe @AMugge) will get to laugh and that will break up a very interesting day plowing through all the comments for someone.
In any case, that would be an answer to question F on page 166. Feel free to copy my answer. It's not cheating on this test.
Next up: TRS services

The Department proposes to expressly permit covered entities (and their business associates, acting on the covered entities’ behalf) to disclose PHI to TRS communications assistants to conduct covered functions
Another aside: This image from the back of my walking gallery jacket flickr.com/photos/4512874… tells a similar story which is provided in more detail here reginaholliday.blogspot.com/2011/06/phoeni…
So yes, make it easy for patients to get communications, and not just those who need TRS, but also translation services. Yeah, I know that comment won't result in a change THIS round, sadly, there's just not enough wiggle room in how they worded the rule, but maybe next time.
Wait, what? My comment won't impact the rule? Right. There's rules about rule-making. My comment is too far off topic, and cannot result in a response (this time). If CMS had asked about other communications challenges, I could have weighed in and maybe gotten a change.
So why make a comment, if I know it won't impact the rule? Because I'm not just speaking to the rule, but to the regulator, and my feedback may give them something to think about for the next rule.
Next up, expanding armed forces to mean uniformed services... I'm wondering where this came from, & how COVID-19 impacts on the uniformed public health service might have influenced this text. This is CMS saying, hey, um we forgot our own here, & who else? NOAA. Let's fix it.
So now we are at page 174, and frankly, also done at least for the night.
But let me explain. This is a proposed rule. Read and respond to what they are thinking first, and THEN fix the actual regulation text. That was like page 10-174, except we get to skip the why we can write this stuff that I always do.
We also get to skip the cost / benefit analysis, p 274 - 336.

The rest starting from p 337 is the actual TEXT of the proposed rule. Now that you've absorbed the what were they thinking, it's time to see what they wrote. I'm going to sleep on that before moving to the next part.
@ThreadReaderapp can you unroll this and wrap it up in a bow for me?
