In This Issue:
“Healthcare-Related” Calls: Ambiguity at the Intersection of HIPAA and TCPA
Privacy Concerns Related to Inclusion of Social and Behavioral Determinants of Health in EHRs
You’re Invited to a New Manatt Webinar, “HIPAA and the Learning Health System: Balancing the Risks and Benefits of the Digital Healthcare Revolution.”
HHS Seeks Public Comment on Draft Guidance for “Standard of Care” Research
Did You Miss Manatt’s Recent Webinar, “Reinventing Long-Term and Post-Acute Care”?
Answers to 4 Key Questions Around Long-Term and Post-Acute Care
“Healthcare-Related” Calls: Ambiguity at the Intersection of HIPAA and TCPA
Authors: Marc Roth, Partner, Advertising, Marketing and Media, Manatt, Phelps & Phillips, LLP | Helen Pfister, Partner, Healthcare Industry, Manatt, Phelps & Phillips, LLP | Anne O. Karl, Associate, Healthcare Industry, Manatt, Phelps & Phillips, LLP
Editor’s Note: The Federal Communications Commission (FCC) has established exemptions from certain requirements of the Telephone Consumer Protection Act (TCPA) for healthcare messages regulated under the Health Insurance Portability and Accountability Act (HIPAA).1 Although the exemption appears to give healthcare providers broad latitude in calling or texting patients, there is ambiguity around the scope of the exemptions. The TCPA exemption applies to “healthcare” messages regulated under HIPAA—but HIPAA does not expressly define “healthcare” messages. In a recent article published in Bloomberg BNA’s Privacy and Security Law Report, summarized below, attorneys in Manatt’s Privacy and Healthcare divisions address these issues and attempt to provide some guidance in navigating these uncharted waters. Click here to download a free PDF of the full article.
The TCPA and the “Healthcare” Message Exemption
The TCPA prohibits calls and text messages (collectively referred to as “calls”)2 from being transmitted to a consumer’s mobile device using an autodialer, as well as prerecorded messages from being placed on landlines, without the recipient’s prior consent. The FCC rules implementing the TCPA (TCPA Rules)3 differ based on whether the call contains a commercial or noncommercial message:4
If a call contains a noncommercial message, the TCPA Rules require the consumer’s “express consent,” which generally may be obtained when the consumer provides his or her mobile phone number to the caller.5
If a call contains a commercial message, the TCPA Rules require that the recipient provide his or her “express written consent.”6 This higher standard must be met to transmit advertisements and telemarketing messages to consumers’ mobile devices and place prerecorded calls to consumers’ landlines.7
If a message is intended to be noncommercial but contains any commercial messaging, it is considered a “dual-purpose call,” triggering the more stringent express written consent standard.8
The “Healthcare” Message Exemption Defined
In the FCC’s 2013 Rule Change (the new rules that established the stricter “written consent” standard, which went into effect October 16, 2013), the FCC created an exemption for calls that contain a commercial healthcare message made by, or on behalf of, a covered entity or its business associate as defined in the HIPAA Privacy Rules.9 Therefore, the TCPA Rules exempt from the express written consent requirement commercial calls made to mobile devices and prerecorded messages placed on landlines that contain a “healthcare” message under HIPAA.
When creating the exemption, the FCC adopted the reasoning that the Federal Trade Commission (FTC) had set out when it modified the Telemarketing Sales Rule (TSR) in 2008.10 The FCC concurred with the FTC’s thinking in exempting healthcare-related messages from the TSR11—specifically noting the six reasons the FTC listed for the exemption:
The delivery of healthcare-related prerecorded calls subject to HIPAA is extensively regulated by the federal government;
Subjecting healthcare-related calls to the TSR could create inconsistencies with HIPAA and other federal statutes governing healthcare programs, frustrating congressional intent;
The number of healthcare providers that call a patient is limited, in “sharp contrast to the virtually limitless number of businesses” that could make calls to consumers;
There is no incentive for providers that make healthcare-related prerecorded calls to attempt to increase sales “through an ever-increasing volume or frequency of calls;”
The “reasonable consumer” would likely not view prerecorded healthcare calls as coercive or abusive; and
Healthcare-related calls have not been the focus of the type of privacy abuses that the TSR was intended to remedy.12
Interestingly, the FCC did not exempt noncommercial calls conveying health-related messages made to consumers’ mobile devices and noncommercial prerecorded messages to landlines. These calls still require the caller to obtain express consent. As noted above, under the TCPA Rules, the caller obtains an individual’s express consent when that individual provides his or her phone number with the reasonable expectation that the number will be used for its intended purpose.13
In summary, entities sending “healthcare” messages regulated under HIPAA do not need to obtain express written consent prior to calling a consumer’s mobile line through an autodialer or transmitting prerecorded messages to a landline. They still, however, must obtain “express consent.”
HIPAA Regulation of Health Information
HIPAA14 regulates how health insurers and providers (collectively referred to as covered entities), as well as their vendors (referred to as business associates), use or disclose healthcare information.15 It does not expressly define “healthcare” messages, creating ambiguity around the TCPA’s exemption.
HIPAA does not apply to all healthcare information. Instead, it applies primarily to “protected health information” (PHI), which is defined as individually identifiable information that:
1. Is created or received by a healthcare provider . . . and
2. Relates to the past, present or future physical or mental health or condition of that individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual.16
HIPAA Privacy Rule Governs How Covered Entities May Use or Disclose PHI
Under the HIPAA Privacy Rule, covered entities and business associates may not use or disclose PHI unless:
The HIPAA Privacy Rule expressly permits or requires a specific use or disclosure, or
The individual whose information would be disclosed (or his or her representative) authorizes the use or disclosure in writing.17
The HIPAA Privacy Rule permits covered entities and business associates to use or disclose PHI without a patient’s authorization for, among other things, treatment, payment or healthcare operations.18 Before a covered entity or business associate can use PHI for marketing purposes, however, the HIPAA Privacy Rule requires that individuals provide written authorization.19
Covered entities or their business associates using or disclosing PHI when contacting a patient must first assess the purpose of the contact. If the contact is driven by a marketing purpose, the HIPAA Privacy Rule requires written authorization. In contrast, if the contact is driven by a purpose that the HIPAA Privacy Rule permits—such as information about the patient’s ongoing treatment or a health-related product or service that the covered entity provides—written authorization is not needed.
HIPAA Security Rule Regulates the Mechanisms Covered Entities Use to Share PHI
Under the HIPAA Security Rule, messages covered entities or their business associates send that contain PHI must be sent securely.20 Entities are required to assess whether it is “reasonable and appropriate” to deploy encryption. If it is not, they must document why encryption would not be “reasonable and appropriate” and implement an equivalent alternative measure where doing so is reasonable and appropriate.21
Although covered entities and their business associates must comply with the HIPAA Security Rule in their electronic communications with patients, regulators have clarified that patients have the right to receive healthcare communications in the format that works best for them—even if their preferred method is insecure. For example, the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, recently clarified that covered entities can send an individual unencrypted email, as long as they have provided a “light warning” that the email will not be secure—and the patient still prefers to receive the unencrypted email.22
Putting HIPAA and the TCPA Together
As discussed, the TCPA exempts “healthcare messages” from covered entities and their business associates from the requirement to obtain an individual’s express written consent before making certain types of phone calls. HIPAA, however, only addresses the use and disclosure of PHI. Further, it does not expressly define “healthcare” messages. This disconnect in terminology between the TCPA and HIPAA presents compliance challenges for providers. Until courts or the FTC clarify some of the ambiguity, covered entities and their business associates should consider the following questions before making automated calls to patients’ mobile devices or prerecorded calls to their landlines:
Is it PHI? If the information being transmitted concerns or contains PHI, the covered entity must ensure the communication complies with HIPAA.
If it is PHI, is it marketing? If the call does constitute marketing under the HIPAA Privacy Rule, the covered entity must obtain the patient’s prior written authorization.
If it is PHI but not marketing, is the call for “commercial” purposes? As discussed, the “healthcare” message exemption applies only to “commercial” automated calls. Noncommercial automated calls delivering “healthcare messages” still require the patient’s express consent. Although the patient’s providing a phone number may constitute express consent under the TCPA, recent court cases have raised questions about whether the patient must specifically agree to receive certain types of calls.
If it is not PHI, is it a “healthcare” message? Without a definition of “healthcare” message under HIPAA, there is no clear line for covered entities between “healthcare” messages and other types of messages. Therefore, covered entities must assess each call on a case-by-case basis.
1 Pub. L. No. 104-191 (1996).
2 A text message is considered a telephone call under the TCPA. In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CC Docket No. 92-90, Report and Order, 7 FCC Rcd. 8752, 8774, ¶ 43 (1992) (concluding that text messages should be subject to the TCPA); Satterfield v. Simon and Schuster Inc., 569 F.3d 946 (9th Cir. 2009) (8 PVLR 959, 6/29/09).
3 47 C.F.R. §§ 64.1200 et seq.
4 For purposes of this article, “commercial” shall mean “advertisements” and “telemarketing,” as those terms are defined in the TCPA Rules, 47 C.F.R. §§ 64.1200(f)(1), 64.1200(f)(12) (2012).
5 The TCPA and the TCPA Rules do not define “express consent,” but the FCC and most courts have held that the provision of a mobile number by a consumer to the calling/texting party satisfies this requirement. In re Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991, CC Docket No. 92-90, Report and Order, 23 FCC Rcd. 559, 564 (2008) (the 2008 FCC Ruling); Mais v. Gulf Coast Collection Bureau, Inc., No. 13-14008, 2014 BL 274379 (11th Cir. Sept. 29, 2014) (13 PVLR 1731, 10/6/14). However, some courts have qualified this approach by considering the manner and context by which a consumer provides her number, and the consumer’s understanding and expectation of how her number will be used. See Kolinek v. Walgreen Co., No. 1:13-cv-04806, 2014 BL 232925 (N.D. Ill. Aug. 11, 2014) (12 PVLR 1067, 6/17/13).
6 2013 Rule Change, §§ 32-34 (2012) (11 PVLR 924, 6/11/12); 47 C.F.R. §§ 64.1200(a)(2), 64.1200(f)(8) (2012).
7 47 C.F.R. § 64.1200(8). In re Rules and Regulations Implementing the TCPA, 27 FCC Rcd. 1830, 1838, ¶¶ 20-26 (Feb. 15, 2012). Although the FCC promulgated these rules in 2012, they did not become effective until 2013 (11 PVLR 1581, 10/29/12).
8 See Chesbro v. Best Buy Stores, LP, 697 F.3d 1230 (9th Cir. 2012) (citing FCC discussion on “dual-purpose” calls in 2003 Report and Order, at 14097-98, ¶¶ 140-142). The U.S. Court of Appeals for the Ninth Circuit upheld a district court finding that prerecorded “courtesy” messages made by Best Buy to its Best Buy Reward Zone members regarding unused program certificates were not solely “informational,” but, rather, dual-purpose telemarketing calls, as they encouraged consumers to make a purchase (11 PVLR 1557, 10/22/12).
9 45 C.F.R. § 160.103; 47 C.F.R. § 64.1200(a)(2) and § 64.1200(a)(3)(v) (2012).
10 See 16 C.F.R. § 310; see also 73 Fed. Reg. 51,164 (Aug. 20, 2008).
11 77 Fed. Reg. 34,233, 34,240 (June 11, 2012).
13 See supra note 6.
14 45 C.F.R. § 160.164.
15 45 C.F.R. §§ 164.502(e), 164.504(e), 164.532(d) and (e).
16 45 C.F.R. § 160.103.
17 45 C.F.R. § 164.502(a).
18 45 C.F.R. § 164.506(c).
19 45 C.F.R. §§ 164.501, 164.508(a)(3).
20 See HIPAA Security Rule for additional details on what constitutes a secure message.
21 45 C.F.R. § 164.306(d)(3).
22 78 Fed. Reg. 5566, 5634 (2013).
Privacy Concerns Related to Inclusion of Social and Behavioral Determinants of Health in EHRs
Author: Deven McGraw, Partner, Healthcare Industry, Manatt, Phelps & Phillips, LLP
Editor’s Note: The Institute of Medicine Committee on Recommended Social and Behavioral Domains and Measures for Electronic Health Records released its final report last week, identifying “domains and measures” that capture the social determinants of health to inform the development of recommendations for Stage 3 meaningful use of electronic health records (EHRs).1
In a new paper for the Institute of Medicine (IOM), summarized below, Deven McGraw of Manatt Health addresses privacy concerns related to including social and behavioral determinants of health (SBDH) in EHRs.2 The paper discusses the purpose of assuring appropriate privacy protections for this information, summarizes relevant federal privacy and security laws, and reviews the technical capability of certified EHR technology (CEHRT) to reinforce privacy protections for SBDH. In addition, it provides recommendations to ensure public trust in the collection, use and disclosure of SBDH information. Click to access and read the full paper.
Why Privacy Matters
A 2013 survey of consumer attitudes toward health information technology and exchange found a high level of public support for electronic health records. Half of respondents, however, thought EHRs would worsen privacy and security.3 The consequences for failing to address privacy and security concerns could be significant. One out of eight patients does not seek treatment for a sensitive medical condition or withholds critical information from healthcare providers because of concerns about confidentiality.4
The SBDH information identified by the Committee may be highly sensitive. For example, patients may worry that information about alcohol use, if shared outside of the treatment setting, may be used to affect their employment status or impact their ability to obtain a loan. They also may be concerned that they will be treated differently because professional and hospital staff see information about food or housing insecurity, socioeconomic characteristics or exposure to violence.
If the conditions for the receipt of meaningful use incentive payments either require or encourage the collection of this information, professionals and hospitals participating in the meaningful use program will need to comply with applicable privacy and security laws. Ideally, they will adopt organizational or institutional good data stewardship practices to earn (and keep) patient trust in the collection, use and disclosure of SBDH information.
The HIPAA Privacy and Security Rules
Eligible professionals, eligible hospitals and critical access hospitals5 that meet the “covered entity” definition under HIPAA6 are required to comply with the HIPAA Privacy and Security Rules. The Privacy Rule governs the use and disclosure of identifiable health information in either paper or electronic format (known as protected health information or PHI) by covered entities. The Security Rule establishes the security safeguards to be adopted to protect electronic identifiable health information (known as ePHI). The definition of PHI includes SBDH data.
Collection of SBDH Information
HIPAA’s Privacy Rule does not require providers to get the patient’s oral or written authorization before collecting PHI. The HIPAA Privacy Rule’s “minimum necessary” provisions, however, do set some parameters with respect to “requests” for PHI.7
When information is being requested from another covered entity, the “minimum necessary” provisions require the request to be limited to that which is “reasonably necessary to accomplish the purpose for which the request is made.”8 For recurring PHI requests, providers must implement policies and procedures that limit the PHI requested to that which is reasonably necessary to fulfill the purpose of the request.9 For other requests, providers are required to develop criteria that will enable requests to be limited to what is reasonably necessary to accomplish the purpose and review individual requests in accordance with those criteria.10
With respect to the collection of SBDH data by eligible professionals and hospitals as part of the meaningful use program, these rules mean that providers must develop policies and protocols for routine receipt of data to ensure that the information collected is what is reasonably necessary to fulfill the purpose (or purposes) for which it is collected. For episodic collection, providers must still develop criteria that ensure the collection meets the “reasonably necessary” standard.
Uses and Disclosures for Treatment, Operations and Payment
The Privacy Rule treats SBDH information the same as other information gathered by a professional and stored in the records (with the exception of psychotherapy notes). Professionals and hospitals may use and disclose this information, along with other information gathered from the patient, to treat the patient and for treatment-related administrative tasks (known as healthcare operations), without needing prior oral consent or written authorization from the patient.11
Professionals and hospitals also may disclose this information, without prior consent or authorization, to obtain payment for care. All uses and disclosures of PHI (except disclosures for treatment purposes) are subject to the Privacy Rule’s aforementioned “minimum necessary” standard. This standard requires a covered entity to identify the persons or classes of persons who need access to PHI to carry out their duties, and the category or categories of PHI to which access is needed—and then make reasonable efforts to limit PHI access according to those decisions.12 The HIPAA Privacy Rule also allows professionals and hospitals to rely on information requests from other covered entities, such as payers, for what constitutes the “minimum necessary” standard.13
In addition, the Privacy Rule’s minimum necessary provisions prohibit disclosing an entire medical record, except when justified as reasonably necessary to accomplish the purpose of the use, disclosure or request.14 These provisions arguably require professionals and hospitals to have a way to prevent access to or disclosure of certain types of data in the EHR, including SBDH, if that data is not needed to accomplish a given purpose.
Disclosures to Public Health Authorities
The Privacy Rule permits the disclosure of PHI to public health authorities “authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.”15 Consequently, a professional or hospital may disclose SBDH data to a public health authority, as long as that public health authority has legal authorization to collect that data. Such a disclosure does not require the prior consent or authorization of the individual.
Disclosures to Nonpublic Health Authorities
Eligible professionals and hospitals may have a need (or a legal requirement) to disclose SBDH data to nonpublic health authorities. The Privacy Rule does permit disclosures of PHI by eligible professionals and hospitals where they are required by law.16 The Privacy Rule also permits professionals and hospitals to disclose PHI:
To public health or other authorities “authorized by law to receive reports of child abuse or neglect.”
To report abuse, neglect or domestic violence to an entity authorized by law to receive such reports.
To certain entities/individuals for workplace safety matters.
To avert a serious and imminent threat to health or safety.17
In addition, HIPAA permits PHI to be disclosed for law enforcement purposes—but there are limits to the amount of information that can be disclosed when the disclosure is not being conducted pursuant to a subpoena or other court order.18 The information that may be disclosed is restricted to name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death (if applicable), and a description of distinguishing facial characteristics.19
Uses and Disclosures Requiring Authorization
A use or disclosure of PHI—including SBDH information—that is not expressly permitted by the Privacy Rule requires the prior authorization of the patient. To be valid, an authorization required by HIPAA must be in writing and include:
A description of the information to be used or disclosed,
The name of the person or class of persons authorized to make the requested disclosure,
The name of the person or class of persons to whom the information is to be disclosed,
A description of each purpose of the disclosure,
An expiration date or event, and
The signature of the individual or their legal personal representative.20
Uses and disclosures of identifiable SBDH data for research purposes require prior patient authorization—but there are exceptions.21 For example, uses of this information in preparation for research (for example, to identify potential subjects for a research study) do not require prior patient authorization, as long as the information is not removed from the covered entity.22 In addition, a privacy board or institutional review board (IRB) may waive the requirement for authorization if it determines and documents that the use or disclosure of PHI involves only a minimal risk to privacy.
The Privacy Rule has historically required authorizations for research uses and disclosures of PHI to be study-specific. Recently, however, OCR issued guidance allowing patients to more generally authorize future research using their PHI, as long as subjects would reasonably expect their information to be used for the described research.23
The HIPAA Security Rule
SBDH data collected by eligible professionals and hospitals is subject to the same security rules under HIPAA as other types of ePHI. CEHRT includes functionalities that can assist them with compliance. For example, CEHRT is required to include capabilities for identity proofing and authentication of system users, access controls, automatic log-off, encryption of data at rest and in motion, and protections for data integrity.24
Eligible professionals or hospitals cannot depend on their CEHRT to fulfill all of their Security Rule responsibilities. They are required, both by the Security Rule and meaningful use requirements, to conduct a security risk assessment and address any security deficiencies.25 They also must comply with all Security Rule requirements and consider all “addressable” implementation specifications.
De-Identified Data and Limited Data Sets
The HIPAA Privacy Rule provisions defining de-identified and limited data sets, and regulating the use of the latter, do not include unique considerations for SBDH information. Information that is “de-identified” is not subject to HIPAA. The Privacy Rule provides two methodologies for de-identifying health information:
1. The safe harbor, which requires the removal of 18 categories of identifiers26 and no actual knowledge that the data can be re-identified.
2. The expert or statistician method, which requires that a person with appropriate statistical experience determines and documents that the risk of re-identification is very small.27
Under both methodologies, the standard is not zero risk of re-identification. Consequently, some very low risk is likely to exist even in a properly de-identified HIPAA data set.
The HIPAA Privacy Rule also allows covered entity professionals and hospitals to use a “limited data set” for healthcare operations, public health and research.28 A limited data set can be achieved by removing 16 categories of identifiers—essentially the safe harbor list for de-identification—but dates and some geographic information can be retained.29 Covered entities may not use or disclose limited data sets without a data use agreement that establishes the permitted purposes for which the data set may be used or disclosed and prohibits the re-identification of individual patients.30
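A field-level filter that produces both a safe-harbor de-identified record and a limited data set from the same source record, added here as an example and not taken from the paper or from Manatt. It assumes a constructed record layout and sample values; the identifier categories follow 45 C.F.R. § 164.514(b)(2) and (e)(2), and the restricted three-digit ZIP prefixes are the ones OCR’s guidance lists from the 2000 Census.

```python
"""Added example (not part of the Manatt article): safe-harbor de-identification
versus a HIPAA limited data set, applied to a constructed patient record.
Identifier categories follow 45 C.F.R. 164.514(b)(2) (safe harbor, 18 categories)
and 164.514(e)(2) (limited data set, 16 direct identifiers)."""
import copy
import re

# Direct identifiers that both methods remove outright (names, contact details,
# record/account/license numbers, device and network identifiers, biometrics, photos).
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account_no",
    "license_no", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
}
# Geography smaller than a state; safe harbor drops it, a limited data set keeps city.
SMALL_GEOGRAPHY = {"street", "city"}
# Dates directly related to the individual; safe harbor keeps only the year.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes whose combined population is <= 20,000 per the 2000
# Census as listed in OCR guidance; safe harbor requires these to become 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor_zip(zip_code):
    """Keep only the first three digits, or 000 for a low-population prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def year_only(date_str):
    """Reduce an ISO date (YYYY-MM-DD) to its year; anything unparseable is dropped."""
    m = re.match(r"^(\d{4})-\d{2}-\d{2}$", date_str or "")
    return m.group(1) if m else None


def safe_harbor(record):
    """Safe-harbor method: strip the identifier categories, generalise the rest."""
    age = record.get("age")
    over_89 = age is not None and age > 89  # all ages over 89 are aggregated
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SMALL_GEOGRAPHY:
            continue
        if key == "dob":
            # A birth year alone reveals an age over 89, so it is dropped too.
            out[key] = None if over_89 else year_only(value)
        elif key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "zip":
            out[key] = safe_harbor_zip(value)
        elif key == "age":
            out[key] = "90+" if over_89 else value
        else:
            out[key] = value  # clinical and SBDH content is retained
    return out


def limited_data_set(record):
    """Limited data set: direct identifiers removed, but dates, city/state/ZIP and
    age retained; may only be shared under a data use agreement."""
    out = copy.deepcopy(record)
    for key in DIRECT_IDENTIFIERS | {"street"}:  # postal address except city/state/ZIP
        out.pop(key, None)
    return out


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-000123", "ssn": "000-00-0000",
    "email": "jane@example.invalid", "street": "1 Example Way", "city": "Exampleville",
    "state": "NY", "zip": "10203", "dob": "1922-03-14", "age": 92,
    "admit_date": "2014-10-02", "diagnosis": "hypertension",
    "housing_insecure": True, "alcohol_use": "moderate",
}

if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE_RECORD))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
```

Note that the SBDH fields survive both transformations: de-identification removes who the record is about, not the sensitive content, which is why the paper treats the residual re-identification risk as non-zero.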
Other Laws Protecting the Privacy and Security of Health Information
Information that is collected by a federally funded or federally assisted substance abuse treatment provider, and that identifies or has the potential to identify the patient as someone receiving (or who has received) substance abuse treatment, is also governed by federal law (42 C.F.R. Part 2, known as Part 2). These rules allow information to be used by the actual Part 2 provider for treatment purposes. Disclosure of this information, however, even for treatment purposes, requires the express authorization of the patient.31
State laws also may provide additional protections for certain types of SBDH information. HIPAA does not preempt any state laws that provide greater privacy protections for patients.32 Eligible professionals and hospitals will need to consider whether there are additional laws in their states governing how they collect, use and disclose SBDH information.
Nonlegal Considerations—Good Privacy Stewardship and the Limits of Technology
Even though HIPAA and other applicable laws may treat SBDH data the same as other health information, eligible professionals and hospitals may seek to handle it with greater care, given its sensitivity. HIPAA provides some parameters for how healthcare providers can collect, use and disclose SBDH data. Once the information is disclosed, however—even lawfully—the recipient may not be subject to HIPAA or other confidentiality standards.
Ultimately, the goal of protecting the privacy and confidentiality of SBDH information is to earn the trust of patients. Eligible professionals and hospitals should consider the mantra of the federal Health IT Policy Committee: patients should not be surprised to learn what happens to their health data. At a minimum, this suggests that providers should be transparent to patients about the collection, use and disclosure of their health information—particularly of SBDH data.
HIPAA requires covered entities to provide patients with a Notice of Privacy Practices33—but this notice is not required to share the details of what covered entities actually do with health information. Instead, it explains what HIPAA permits and what types of uses and disclosures require authorization.34
Often transparency goals can be met through an informed consent process. As noted above, HIPAA does not require the consent or authorization of the patient to share SBDH data for treatment purposes, or for public health or other legally required purposes. It does, however, expressly permit covered entities to obtain consent as a matter of practice.35
Where HIPAA does not require prior written authorization, entities may use other ways to inform and/or gather consent from the patient. For example, a provider may document that a patient has orally agreed to share SBDH information or may adopt a policy of informing patients about the policies and practices around using and disclosing SBDH data, allowing patients to opt out.36
Under the HIPAA Security Rule, covered entities are required to implement procedures to control and validate a person’s access to SBDH data based on his or her role or function.37 The Rule leaves discretion to covered entities, however, about how to implement this.
Laws providing special protections to certain types of data or certain types of uses or disclosures—and the desire to afford such protections, even in the absence of legal requirements—have led to calls for a technical capability within CEHRT to segment or sequester sensitive information. That would allow patients to withhold sensitive data while sharing other information. The certification requirements for CEHRT, however, do not require segmentation capabilities.
The Health IT Policy Committee, through its Privacy and Security Tiger Team, is considering the viability of technical capabilities to segment substance abuse treatment data covered under Part 2.38 But whether CEHRT will include this functionality in the future is unknown.
Eligible professionals and hospitals participating in the meaningful use program may, under HIPAA, collect, use and share SBDH data for treatment purposes, and disclose this data to public health officials acting within the scope of their authority, without the need to obtain patient consent. Express patient authorization likely is required to share SBDH data with social services agencies or for purposes such as research (unless the authorization requirement is waived by a Privacy Board or IRB).
Professionals and hospitals will need to ensure compliance with baseline federal (and potentially state) health privacy laws. Building patient trust, however, around the collection, use and disclosure of this information is critical. Earning that trust may require adopting additional measures, such as transparency, consent and access controls.
1 Committee on the Recommended Social and Behavioral Domains and Measures for Electronic Health Records, Phase 2, Institute of Medicine (November 2014).
2 At the time the paper was drafted and submitted to the IOM, Deven McGraw was finishing up her tenure as the Director of the Health Privacy Project at the Center for Democracy & Technology. Deven joined Manatt Health on April 21, 2014. This paper evaluated the initial social and economic determinants of health domains and measures identified in the IOM Committee’s Phase 1 report (issued March 2014).
3 Ancker, JS et al., Consumer experience with and attitudes toward health information technology: a nationwide survey, J Am Med Inform Assoc 2013; 20:152-156.
4 Israel T Agaku, Akinyele O Adisa, Olalekan A Ayo-Yusuf, Gregory N Connolly, Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. J Am Med Inform Assoc amiajnl-2013-002079. Published Online First: 23 August 2013.
5 The use of the term “eligible hospital” is intended to refer to both eligible hospitals and critical access hospitals, as those terms are defined in the meaningful use regulations.
6 45 C.F.R. § 160.103.
7 45 C.F.R. § 164.514(d)(1).
8 45 C.F.R. § 164.514(d)(4)(i).
9 45 C.F.R. § 164.514(d)(4)(ii).
10 45 C.F.R. § 164.514(d)(4)(iii).
11 45 C.F.R. § 164.502(a)(1)(ii). Treatment is “the provision, coordination or management of health care and related services by one or more health care providers,” including coordinating or managing healthcare with a third party. 45 C.F.R. § 164.501.
12 45 C.F.R. § 164.514(d)(2).
13 45 C.F.R. § 164.514(d)(3)(iii)(B).
14 45 C.F.R. § 164.514(d)(5).
15 45 C.F.R. § 164.512(b).
16 45 C.F.R. § 164.512(a).
17 45 C.F.R. § 164.512(b), (c), & (j).
18 45 C.F.R. § 164.512(f).
19 45 C.F.R. § 164.512(f)(2)(i).
20 45 C.F.R. § 164.508(c)(1).
21 Research is a “systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” 45 C.F.R. § 164.502.
22 45 C.F.R. § 164.512(i)(1)(ii).
23 78 Fed. Reg. 5566, 5612-13 (January 25, 2013).
24 45 C.F.R. § 170.302, sections (o)-(v).
25 See http://www.hitechanswers.net/meaningful-use-core-objective-security-risk-analysis/.
26 45 C.F.R. § 164.514(b)(2).
27 45 C.F.R. § 164.514(b)(1).
28 45 C.F.R. § 164.514(e)(3).
29 See 45 C.F.R. § 164.514(e)(2).
30 45 C.F.R. § 164.514(e)(4).
31 42 C.F.R. Part 2, Sections 2.13, 2.32.
32 45 C.F.R. § 160.203.
33 45 C.F.R. § 164.520(a).
34 45 C.F.R. § 164.520(b).
35 45 C.F.R. § 164.506(b).
36 The HIPAA Privacy Rule does provide patients with a right to request that information not be used or disclosed; however, the Rule does not require providers to agree to this request. 45 C.F.R. § 164.522(a).
37 45 C.F.R. § 164.310(a)(2)(iii).
You’re Invited to a New Manatt Webinar, “HIPAA and the Learning Health System: Balancing the Risks and Benefits of the Digital Healthcare Revolution.” Click to Register Free and Earn CLE.
Hear a Panel of Leading Providers Reveal How to Manage the Obstacles and Maximize the Opportunities in Leveraging Digital Health Data to Advance Learning.
The United States is undergoing a digital healthcare revolution. The percentage of physicians using an advanced electronic health record (EHR) system almost tripled in the last five years. Hospital use skyrocketed from about 9% in 2008 to more than 80% in 2013. We already are seeing the benefits, with 88% of providers reporting that EHRs produce clinical benefits and 75% reporting quality improvements.
But there is a hurdle to realizing big data’s full value. While the Health Insurance Portability and Accountability Act (HIPAA) allows EHR data to be used easily for internal quality improvements, applications that support building a “learning health system” trigger more stringent regulation. HIPAA actually presents a barrier to leveraging EHRs and other digital data to fuel medical learning and treatment advances.
How should HIPAA evolve to fit the digital healthcare environment? How can we upgrade our regulatory framework to support a true learning health system? How can we use digital data to glean better, faster insights for improving patient care? Learn the answers at a new, free Manatt webinar, “HIPAA and the Learning Health System: Balancing the Risks and Benefits of the Digital Healthcare Revolution.” (NOTE: This program is approved for 1.0 CLE credit in NY and CA.)
Deven McGraw—Partner, Healthcare Industry, at Manatt, Phelps & Phillips, LLP, and the chair of the Privacy and Security Workgroup of the federal Health Information Technology (HIT) Policy Committee—will lead a panel of senior leaders from key providers in sharing:
The potential health information privacy harms—and why health information is unique.
The current federal regulation of health information risks—and why today’s framework for reusing health data is not sufficiently risk-based.
The explanation of the HIPAA paradox—and the limits it places on creating a learning health system.
The characteristics of a reimagined framework—and how regulatory change can be achieved.
The route to establishing analytic practices that lower risks while driving learning.
Don’t miss this chance to discover how to resolve the HIPAA paradox—and create a system that both protects privacy and advances learning. Even if you can’t make our original airing on December 10, register now, and we’ll send you a link to view the program on demand.
Deven McGraw, Partner, Healthcare Industry, Manatt, Phelps & Phillips, LLP
Rachel Nosowsky, Deputy General Counsel, University of California, plus other senior leaders from major providers.
HHS Seeks Public Comment on Draft Guidance for “Standard of Care” Research
Author: Deven McGraw, Partner, Healthcare Industry, Manatt, Phelps & Phillips, LLP
In recognition that the evidence base is too thin for much of the medical care delivered in the United States, the Affordable Care Act (ACA) included a big boost in funding—an additional $1.1 billion—to support comparative effectiveness research. Comparative effectiveness research enables comparisons of treatments and prevention strategies to determine which work best for which populations and under what circumstances. It is frequently governed by federal regulations issued by the Department of Health and Human Services (HHS) Office of Human Research Protections (OHRP), found at 45 C.F.R. Part 46 (otherwise known as the Common Rule).
The Common Rule governs human subjects research that is conducted or funded by HHS or takes place in entities that have agreed to be bound by these rules for all human subjects research, regardless of funding source. Human subjects research includes research utilizing a patient’s identifiable health information.
The Challenge of Assessing Research Risk
OHRP recently released draft guidance for research evaluating “standards of care.” Standard of care research evaluates treatments or procedures that are already recognized and used in practice, but where there is insufficient evidence regarding which work better for a given condition and/or a specific population. (Click to read the guidance.)
The Common Rule generally requires a review by an Institutional Review Board (IRB) for human subjects research. The IRB evaluation must consider the risks and benefits that would result from the research, as distinct from the risks and benefits patients would experience if they were not participating in the study. When the patient’s consent is required, that consent must be informed. The information the patient receives must include a description of any “reasonably foreseeable risks.”
When there is more than one standard of care for treating the patient—and a lack of evidence about which treatment offers the greatest effectiveness or lowest risk—it is often difficult for researchers and IRBs to compare the risks associated with studying those treatments versus the ordinary risks a patient seeking treatment would face. Without clear evidence on comparative efficacy and risk, patients often receive the treatment that their particular provider is accustomed to delivering or that may be covered by their health benefit plan. Under what circumstances does studying the competing standards of care create greater risks than a patient would face in an ordinary treatment circumstance?
How the OHRP Draft Guidance Addresses Risk in Standard of Care Studies
The draft guidance attempts to provide more information about how OHRP believes IRBs and researchers should assess research risk in standard of care studies. It focuses on studies involving randomization—i.e., research in which patients are randomly assigned to receive one treatment or the other. The guidance states that:
“OHRP generally considers the risks of a specific standard of care being evaluated to be risks of research if (1) a standard of care that at least some of the individual subjects will be assigned to receive will be different from the standard of care that they would have received if they were not participating in the study, and (2) there might be different risks associated with those standards of care.” (Emphasis added.)
The guidance goes on to state:
“When a research study assigns the specific version of the accepted standards of care to be used, it is almost certain that at least some of the subjects will receive a different standard of care than they would have received if not participating in the research.”
The guidance seems to presume that randomization itself (at least at the individual patient level) always introduces risk, even in circumstances where there is no evidence that one standard of care is better, or less risky, than another. The guidance further states that “[i]t is equally important to recognize that the risks of the research do not include the risks that are created by the medical condition for which the person is being treated, or the risks associated with any available standard of care treatment that they would receive for that condition outside of the research.” Consequently, studies that compare outcomes for individuals where the patients were not assigned to a particular treatment (for example, analysis of outcomes data or observational research) do not introduce additional research risks.
Of note, the guidance does not specifically mention “cluster” randomization, where instead of the randomization occurring at the individual patient level, an entire setting (e.g., hospital or physician practice) is randomized to a particular treatment or prevention approach.
The guidance also offers assistance on determining which risks of research are “reasonably foreseeable” and therefore need to be disclosed to patients as part of the informed consent process. If evaluating a particular risk is a purpose of the research, that risk is “reasonably foreseeable” and needs to be disclosed.
HHS is seeking comments on the draft guidance, which must be submitted in writing by December 23, 2014. Click to read the HHS notice. For additional commentary on the regulations governing comparative effectiveness research, click to read a summary of “Ethics, Regulation and Comparative Effectiveness Research” recently published in The Journal of the American Medical Association.
If you are interested in discussing the draft guidance in more detail and potentially filing comments, please contact Deven McGraw at email@example.com or 202-585-6552.
Did You Miss Manatt’s Recent Webinar, “Reinventing Long-Term and Post-Acute Care”?
Click here to view the program free, on demand. Click here for a free PDF of the presentation.
Were you unable to attend Manatt Health’s new webinar, “Reinventing Long-Term and Post-Acute Care”? Now you have a second chance to benefit from this valuable guide to navigating the exploding growth and transformational trends remapping the long-term and post-acute care (LTC and PAC) landscape. Just click here to view the program free, on demand. To download a free PDF of the presentation for your continued reference, click here.
As you’ll learn during the program, the Congressional Budget Office projects that 20% of the U.S. population will be 65 or older by 2050, compared to just 12% in 2000 and 8% in 1950. One study estimates that more than two-thirds of 65-year-olds will need assistance to deal with impaired functioning at some point, sharply increasing the need for long-term care assistance. Adding to the soaring demand for long-term care is the growth in younger patients with chronic and disabling conditions.
The webinar supports you in crafting new strategies to thrive in an LTC and PAC environment undergoing massive expansion fueled by an aging population—and seismic shifts driven by reform. The information it shares reveals:
The ways LTC and PAC providers are redefining themselves to adapt to emerging reforms, evolving Integrated Delivery Systems (IDS) and the sea change in the healthcare system.
The demographic, structural, regulatory, political and technological forces that will be the strongest change drivers for LTC and PAC—from their current status to their projected effects.
The powerful trends redesigning LTC and PAC providers’ relationships with consumers, as well as their business models with health plan and Accountable Care Organization (ACO) partners.
The approaches states and health systems are implementing to meet the “challenge of the vulnerable,” as the population ages and the need for caregiving skyrockets.
The decisions and actions LTC and PAC providers must take to navigate the new market.
The program offers important guidance for ensuring LTC and PAC providers can anticipate and prepare for a dramatically different road ahead. But every organization has unique needs that require focused solutions. If you would like our LTC and PAC experts to speak with you and your team about your specific issues and challenges, please contact them at:
Carol Raphael, 212-790-4571, firstname.lastname@example.org
Stephanie Anthony, 212-790-4505, email@example.com
Tony Fiori, 212-790-4582, firstname.lastname@example.org
Answers to 4 Key Questions Around Long-Term and Post-Acute Care
Authors: Carol Raphael, Senior Advisor, Manatt Health Solutions | Stephanie Anthony, Director, Manatt Health Solutions | Tony Fiori, Managing Director, Manatt Health Solutions
Editor’s Note: One of the most compelling segments of our recent webinar, “Reinventing Long-Term and Post-Acute Care,” was our dynamic question and answer session with our audience. So many viewers submitted questions that we ran out of time to address them all. Below, Manatt’s presenters provide their responses to four questions of critical importance in today’s ballooning long-term care (LTC) and post-acute care (PAC) market. If you haven’t yet viewed the session and want to hear all of the questions covered during the program, along with the answers, just click here to view the program free, on demand. To download a free PDF of the presentation for your continued reference, click here.
You mentioned the growing importance of correct post-acute placement. What advances do you see in this key process?
There are five key advances that will promote appropriate placement of patients in post-acute care settings:
Medicare site-neutral payment policies across all post-acute care providers (starting with long-term acute care hospitals in 2016) will minimize or eliminate the significant variations in Medicare payments for the same service(s) in different post-acute care settings for patients with the same clinical profile, thereby discouraging unnecessary placement of patients in high-cost settings.
The expansion of bundled payment arrangements across acute and post-acute sites of care will incentivize providers to place patients in the lowest-cost setting that is most appropriate for their clinical and functional needs.
Medicare’s development of a standardized clinical/functional assessment tool for use across all post-acute care settings will help providers identify the optimal post-acute care setting for each patient.
Large health systems are beginning to integrate with post-acute care in several important ways. Looking to increase throughput, ease transitions across care settings and prevent readmissions, hospitals and health systems are developing their own screening criteria, embedding algorithms in electronic medical records (EMRs). In addition, they are empowering social workers and clinicians to (1) identify patients for referrals to post-acute care settings or consults and (2) develop the most effective treatment, transition and patient follow-up plans. Health systems also are creating systems of care that seek to manage patient care across the acute and post-acute care continuum through owned PAC assets or aligned/affiliated partnerships with other PAC providers.
Increased reporting requirements on quality of care and patient outcomes will enable payers, as they develop their provider networks, to identify and steer patients toward high-quality, low-cost providers.
The achievement of goals will be dependent on e-health connectivity. Please address the importance of health information exchange, the establishment of the complete electronic health record (EHR) and how sharing healthcare data will enable the achievement of identified goals.
We couldn’t agree more that e-health connectivity is crucial to achieving goals around patient care. Effectively coordinating and managing episodes of care for patients with chronic and comorbid conditions is fundamentally dependent on communication among patients, families and providers. The sharing of patient health information across the care continuum (acute, post-acute, primary care, behavioral health and specialty providers) is key to optimizing outcomes. Patients’ electronic health (or medical) records (EHRs or EMRs) must include detailed and comprehensive information, particularly with respect to discharge summaries and instructions, as well as prescription medications and medication management protocols.
While LTC and PAC providers generally are behind the curve in adopting EMR systems and capabilities—and thinking about interoperability of systems with other providers—this is starting to change. As payers move toward value-based purchasing arrangements with providers, large health systems (e.g., Partners and Advocate Health Care) increasingly are looking to integrate with post-acute care provider systems and processes. At the same time, more post-acute care providers (e.g., Kindred and Amedisys) are enhancing their EMR capacity. These efforts will help ensure smooth care transitions for their patients, as well as improve patient care and outcomes.
Can you please comment on the need to educate the current workforce about the new model of care—including integration, collaboration and value?
Certainly, there is a serious workforce shortage and high staff turnover in the LTC and PAC industry. Exacerbating the issue is the critical need to train providers and care managers in care coordination and care management models for patients with chronic and comorbid conditions. These new models are emerging across payers and providers—and it’s crucial that LTC and PAC staff understand and implement them to support effective care and optimal outcomes.
Both “traditional” providers and care managers (such as physicians, nurses and social workers) and nontraditional providers (such as community health workers and patient navigators) must be trained in:
Care management goals and objectives,
Effective interventions for the specific populations being served, and
The use of information technology (IT) systems and analytic tools for managing and monitoring patient care.
The training should require certification to ensure a shared knowledge base and uniform set of standards. We are starting to hear calls throughout the industry for improved training. For example, the National Association of Professional Geriatric Care Managers recommends that geriatric care managers be certified as care managers through one of three nationally recognized bodies: The Commission for Case Management Certification, The National Academy of Certified Care Managers or the National Association of Social Workers.
Do you foresee a time when inpatient rehabilitation facilities (IRFs) and/or long-term acute care hospitals (LTACHs) may cease to exist as stand-alone entities, given the move to site-neutral/bundled payments?
The move toward site-neutral/bundled payments will continue to increase reliance on home healthcare and skilled nursing facilities, most notably for short-term rehab and skilled services. This will put increased pressure on IRFs and LTACHs, threatening their longer-term financial viability.