|
From the May 2002 Issue Best of the Best: IT Solutions in 2001
|
Removing Bottlenecks How the HIPAA privacy rule may impact care coordination and healthcare quality—and steps HHS can take to protect them.
On March 27, 2002, the Bush administration and Department of Health and Human Services (HHS) released a new proposed HIPAA privacy rule focused on reducing financial burdens to private industry. While the healthcare industry, the press and HHS itself have widely reported the staggering costs that HIPAA privacy compliance could exact, there has been a serious dearth of attention to the privacy rule’s impact on healthcare quality. Without significant modification, the privacy rule may disrupt the critical flow of patient health information for care coordination and care management activities, perhaps the most promising innovation in the pipeline for improving patient health outcomes while also containing costs. Unfortunately, the new privacy rule ignores most of these threats. It carries a 30-day comment period, after which the rule could become final at any time. Impact of Care Coordination The Institute of Medicine (IOM), the arm of the National Academy of Sciences that published the now legendary study, To Err Is Human: Building a Safer Health System, recently published another seminal report. In Crossing the Quality Chasm: A New Health System for the 21st Century (hereafter called the “IOM Report”), the IOM argues that care coordination is not only integral to preventing medical errors, but also to protecting and improving overall healthcare quality, especially for the chronically ill. In both reports, the IOM contends that chronic care coordination is dependent upon the free flow of patient health information to care coordinators, and upon improved technologies to promote it. As the press release to the IOM Report emphasized, “The nation’s healthcare industry has foundered in its ability to provide safe, high-quality care consistently to all Americans. … Reorganization and reform are urgently needed to fix what is now a disjointed and inefficient system.” The IOM Report concluded that, “clinicians, healthcare organizations, and purchasers … should focus on improving care for common, chronic conditions such as heart disease, diabetes, and asthma that are now the leading causes of illness in the United States and consume a substantial portion of health care resources. These ailments typically require care involving a variety of clinicians and healthcare settings, over extended periods of time … who work so independently from one another that they frequently provide care without the benefit of complete information about patients’ conditions, medical histories, or treatment received in other settings. …” Therefore, the nation’s costliest health quality problem correlates directly with the effectiveness of care coordination, which in turn depends upon unhindered access to health information. The IOM Report boldly suggests a restructuring of the healthcare infrastructure so that healthcare is based primarily on:\u Shared knowledge and free flow of information through innovation in healthcare IT (administrative simplification, electronic medical records, Internet and Web-based provider and patient access to health information);
These findings are a clarion call to support and promote care coordination companies and activities, including disease management (DM), predictive modeling, nurse call centers, telemonitoring, e-health, electronic medical records and other healthcare technologies that play a role in coordinating medical information and care on behalf of patients and their doctors. High-quality DM programs, for example, focus directly on the chronic conditions that the IOM Report considers most costly and ripe for new models of intervention. They also improve clinical and financial outcomes in every one of the areas considered most problematic by the IOM Report. The signature value of such companies and programs is their ability to assist healthcare providers and patients to assemble and synchronize health information across the spectrum of settings, modalities and specialties of care, so medical errors do not occur, the services provided comport with “best practices,” and the patient’s progress can be accurately gauged against national treatment guidelines, outcomes expectations and other evidence-based benchmarks. The only way such programs can continue their innovation in coordinating care is if they continue to have access to confidential patient health information. Unintentionally, the HIPAA privacy rule in its current form could wholly preclude such access, in turn obstructing care coordination and, therefore, all other healthcare quality improvement. HIPAA Bottlenecks The HIPAA privacy rule, even after the Bush administration’s recent modifications, may bar “covered entities” (health plans, HMOs, PPOs, ERISA plans, hospitals, physicians and other providers) from disclosing critically important patient-identifiable health information (“protected health information”) to entities that coordinate care for the chronically ill. The regulation poses at least the following threats: First, the regulation does not by its terms clearly permit covered entities to share HIPAA-protected health information for disease management and care coordination purposes unless, of course, cumbersome and expensive patient authorizations are obtained. While the privacy rule allows covered entities to disclose health information without patient authorization to their disease management and e-health “business associates” (or to their health IT vendors) for population management activities under the so-called “health care operations” exception, it no longer expressly permits such disclosures for care management, treatment support and care coordination of individuals pursuant to the “treatment” exception. Thus, ironically, medical information may flow without hindrance for care coordination of populations (e.g., to enable companies to send out mailings describing their services) but may not reach care coordinators to enable them to provide services, such as direct patient care management (e.g., nurse chat programs and patient self-management training). HHS should revise the privacy rule expressly to permit covered entities to use and disclose protected health information for disease management and care coordination purposes focused on individuals, via either the “treatment” exception or a new “disease management” or “treatment support” exception. Second, the privacy rule provides a perverse incentive to disease management and care coordination companies to avoid information collection and treatment support functions for patients, physicians and health plans because they might become labeled “health care providers” under the rule’s unprecedented, expansive definition. HHS should revise the privacy rule expressly to exclude DM, e-health, healthcare technology (and other “treatment-support” entities not required to be licensed as providers under state law) from the definition of “health care provider.” Third, the privacy rule requires business associates of covered entities (including care coordination entities) to return or destroy HIPAA-protected health information after termination of their contracts with “covered entities” and also prevents “covered entities” from sharing information with business associates (without cumbersome and expensive authorizations) for the “business associate’s” own information uses. The unintended consequences of this provision could block the free flow of key health information to providers in perpetuity. The rule fails to recognize that patients may continue to obtain services from the DM company via a different insurer or employer arrangement, and that DM firms will need the data for the purposes of clinical research, outcomes and clinical guideline development. HHS should revise the privacy rule to permit DM, care coordination, e-health, healthcare technology and other “treatment-support” programs to retain HIPAA-protected health information. In meetings with the author, White House and HHS officials have almost entirely agreed with and supported the reforms to these problems suggested above. Unfortunately, they were not able to fix them in the new privacy rule modifications or in previous HIPAA Guidance, citing the removal of HIPAA cost burdens and tackling controversial political issues as more significant and immediate concerns. Resolving these dilemmas is important, but unclogging HIPAA’s care coordination bottleneck is even more important. Failing to address the data flow implications for healthcare quality now can only result in even higher costs and even bigger political problems later. Conclusion The IOM Report argues that coordination of patient information and care management is the single realm of the healthcare industry with the greatest capacity to improve patient care outcomes and access to appropriate care, to reduce medical errors and to contain spiraling costs. The care coordination, e-health, and health technology sectors should move quickly to convince HHS to amend HIPAA to heed the IOM Report’s critical warnings. Unless HHS reforms the HIPAA privacy rule to foster the unfettered sharing of health information for disease management and care coordination purposes, the American healthcare system may lose its most powerful asset in improving chronic care and reducing its costs—just as the baby boomer population, on the brink of large-scale increases in the incidence of chronic disease, threatens to exact the biggest financial and healthcare toll the system has ever experienced. © 2002 Nelson Publishing, Inc |
|
|
HIPAA
Watch
for May 2002
By James M. Jacobson is a Partner in the National Health Law Group of Holland & Knight LLP, practicing in the firm’s Boston and Washington, D.C. offices. Contact him at