Over the course of 2021 and 2022, we saw a slew of both finalized and proposed regulatory changes coming out of both the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator (ONC) in support of interoperability. While we’ve been actively following the trajectory of those regulations, and more notably their subsequent proposals that were released in December 2022 and April 2023, respectively, as Privacy Officer of 1upHealth, it’s the proposed modification to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that I’m most curious about.

At some point during the second half of the 2023 calendar year, it’s expected that the Department of Health and Human Services (HHS) is going to finalize the “Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,” a proposed rule issued in January 2021. The final rulemaking was originally slated for March 2023, which has quickly come and gone, so it seems that the Final Rule could be published any day now. In addition to being another strong move towards promoting interoperability, this would also be the most substantial change to HIPAA since 2013. 

While the list of proposed changes is quite robust, the core changes can essentially be categorized into three categories: 

• Expansion of the individual’s right to access Protected Health Information (PHI)
• Expansion of a Covered Entity’s right to use and disclose PHI for individual-level case management and care coordination
• Reduction in the restrictions and barriers on a disclosure for treating providers

The following is a summary of the key changes by category (1).

Expansion of the individuals’ right to access to Protected Health Information (PHI), including:

• Inclusion of definitions for electronic health record (EHR) and personal health application to provide clarity as to proposed modifications to not only the individual’s right of access, but to the modified right of the individual to direct a covered healthcare provider to transmit an electronic copy of PHI in an EHR to a designated third-party 
• An expansion to the individuals’ right to inspect and obtain to include broader inspection rights such as the ability to take notes, videos, photographs, and/or use any other personal resources to view and/or capture images of their PHI
• A reduction in the Covered Entity’s required response time to a request for access from thirty (30) calendars days, to extend for another thirty (30) calendar days, to “as soon as practicable,” but no later than fifteen (15) calendar days, with one available option to extend for another fifteen (15) calendar days
• Additional clarity with respect to the form and format of a response to a request for PHI by clarifying the definition of “readily producible” and the express inclusion of standards-based Application Program Interfaces (APIs), to the extent the Covered Entity and/or their respective Business Associates (such as EHRs) maintain such APIs or are required to maintain such APIs under applicable State and/or Federal laws, within such definition
• The addition of a requirement for a Covered Entity to inform individuals that when a summary of PHI is provided, in lieu of full access that the individual is entitled to either obtain a full copy of the PHI, or alternatively direct a full copy of the PHI in an EHR to a third party, except to the extent a summary is offered because the request for a copy is being denied in accordance with applicable law 
• A reduction in the identity verification burden on individuals requesting access rights by expressly prohibiting Covered Entities from imposing unreasonable identity verification measures (i.e., any activity that requires unnecessary effort or expense) on an individual   
• An additional right for an individual to require covered healthcare providers to send electronic copies of PHI in an EHR to a third party, as part of the individual’s right of access, thus supporting the individual’s right to request the sharing of PHI among covered healthcare providers and health plans. The request must be “clear, conspicuous, and specific,” but can be provided orally or in writing. In addition, if directly instructed by an individual, who is either a prospective or existing patient and/or a current member, respectively, via a valid request to obtain an electronic copy of PHI maintained in an EHR, the receiving healthcare provider or health plan would be required to submit the request on the individual’s behalf, and the disclosing healthcare provider must respond accordingly as if the request came from the individual. This provides a secondary method, other than the standard treatment, payment, or operations (TPO) exception, in which a covered entity may obtain an electronic copy of PHI from another covered entity.
• An amendment to the permissible fee structure for responding to requests for the delivery of direct records to a third party, and defining situations where electronic PHI (ePHI) should be provided at no cost, as well as the addition of a requirement for Covered Entities to post estimated fee schedules on their websites for access requests, to provide specific estimations when requested, and provide itemized bills for completed requests

Expansion in a Covered Entity’s right to use and disclose PHI for individual-level case management and care coordination, including:

• A grammatical amendment to the definition of Health Care Operations, to clarify that case management and care coordination are not conditioned on population-level activities and also includes individual-level activities by health plans and covered healthcare providers 
• The creation of a defined exception to the “minimum necessary” standard for any use or disclosure by a health plan or a covered healthcare provider in furtherance of individual-level care coordination and case management activities, regardless of whether such activities constitute treatment or healthcare operations 
• An addition to the implementation specifications for treatment, payment, and healthcare operations that expressly permit a Covered Entity to disclose PHI to social services agencies, home and community-based services (HCBS) providers, and other third-parties that provide health-related services to specific individuals in furtherance of individual-level care coordination and case management activities, regardless of whether such activities constitute treatment or healthcare operations

Reduction in the restrictions and barriers to disclosure for treating providers, including:

• A reduction of the standard for the uses and disclosures of PHI from “professional judgment” to “good faith belief that the use or disclosure is in the best interest of the individual,” with the presumption that the Covered Entity’s act was in good faith for the following circumstances: 
  • Disclosure of PHI to a family member who is not a personal representative for an unemancipated minor
  • Disclosure of the name, location, and general condition of an incapacitated individual in the facility’s directory
  • Disclosure of PHI to persons involved in care (or payment of care) for an individual when there is no knowledge of an objection from the individual for such disclosure
  • Disclosure of PHI to persons involved in care (or payment of care) for an individual when such disclosure is in the best interests of the individual
  • Verification of the identity of a person requesting PHI and the authority of such person to have access to such PHI
• A reduction of the standard for uses and/or disclosures of PHI to avert a threat to the health and safety of a person (including the individual to whom the PHI pertains) from  “serious and imminent” to “serious and reasonably foreseeable,” with the presumption that the threat was reasonably foreseeable and that the healthcare provider was acting in good faith   
• The elimination of the requirement for a direct treating provider to either obtain an individual’s written acknowledgement of its notice of privacy practices (NPPs) or document their good faith efforts and the reason for not obtaining that written acknowledgement. In lieu of a signed written acknowledgement, HHS proposes to amend the content requirements for all NPPs (not just those of direct treating providers) to ensure individuals understand their rights by requiring NPPs to include how an individual can access their health information, how to file HIPAA complaints, and their right to both receive a copy of the NPP and discuss its contents with a designated person (and how and where to contact such person) 

Proposed regulations focus on improving and increasing an individual’s access to health information 

While HHS, ONC, and CMS are all discrete agencies with their own separate agendas and goals, there are some key areas of overlap between each agency’s proposed regulations. Focusing primarily on the foregoing HHS proposal; ONC’s Cures Act, and the proposed updates released in April 2023; and CMS’ Interoperability and Patient Access regulations, with its proposed updates in December 2022, there is one large looming theme – improving and increasing an individual’s access to health information. 

All three of the aforementioned regulations are operating under the core assumption that providing individuals with broader access to their health information will ultimately empower them to make more informed and educated healthcare decisions. Another similarity between all three regulations is the implicit understanding that an individual’s right to access their own health information also applies to those entities that make up the individual’s care team. 

We see this sentiment reflected in the proposed HHS amendments to not only the individual’s right of access, but in the expansion of the definition of healthcare operations and the proposed exception to the minimum necessary standard for care coordination and case management. We see this similarly outlined in CMS’ proposed Payer-to-Payer on FHIR Exchange and Provider Access APIs, respectively, as well as in ONC’s information blocking provisions that attempt to restrict direct and indirect access to electronic health information, especially in the context of treatment, payment, and healthcare operations activities.  

Differences in data format remain across proposed regulations

As discussed in my previous blog post, the regulatory gap between the proposed CMS and ONC regulations and HIPAA’s current patient privacy requirements, has been perhaps one of the biggest (if not the biggest) barriers to true interoperability. And while these proposed changes could go a long way in bridging that gap, there is still one rather large roadblock that has yet to be fully addressed. While all three of the proposed regulations identify the value of data exchange, the format in which that data is made available remains the biggest differentiator across the three proposed regulations. 

All three of the regulations discuss and identify the value of both standard-based APIs and FHIR, but only CMS has gone so far as to actually mandate both. As part of its Certified Health IT Program, ONC does require organizations seeking certification to support certain FHIR APIs for interoperability. However, in its most recent regulatory update, ONC’s focus with respect to promoting interoperability has shifted quite prominently to incentivizing organizations to participate in its Trusted Exchange Framework and Cooperation Agreement (TEFCA). 

Lack of aligned mandate around a prescriptive technical methodology or data format for interoperability will stymie progress   

While ONC has stated that it fully intends to have FHIR-based APIs as a fundamental part of the future architecture, today, data exchange via TEFCA is facilitated by a brokered IHE exchange with CCDA 2.1 documents. Similarly, while HHS has provided more clarity around the form, format, and manner in which information needs to be made available under an individual’s right of access, and has further clarified that standards-based APIs, especially those mandated by state or federal law, would clearly fit within the definition of “reasonably producible,” it too has not mandated a prescriptive technical methodology or data format for interoperability.   

When I think about the lack of standardization in data exchange, I cannot help but be reminded of the biblical parable of the Tower of Babel. The basic premise is that centuries after the great flood that essentially wiped out the population, the human race all spoke the same language. In an act of rebellion, they decide to build a city and a tower with its “top to the heavens.” It’s at that point that God comes down to see what the people have done and realizes that in speaking a common language, the people are unified and as a result they will be able to accomplish any feat. He punishes them for their defiance and forces them all speak different languages, essentially deterring them from ever completing the city or the tower. 

While the story of the Tower of Babel is an etiology designed to explain why people across the world speak different languages and was ultimately intended to teach a different lesson than the one I am actually leveraging here, I think the analogy still tracks. While there is clear alignment in terms of the desired end goal (i.e. interoperability), the lack of consistency in the form and format is ultimately going to keep us from building our tower. 

It’s for this very reason that I strongly believe that in order to truly make an impact on the healthcare industry, organizations are going to have to take a FHIR-first approach when it comes to interoperability.  I think this quote from Genesis 11:6 says it best “… they have all one language, and this is only the beginning of what they will do; nothing that they propose to do will now be impossible for them.”