AMIA calls out specific challenges to proposed modifications to HIPAA Privacy and Enforcement Rules

In comments sent to Secretary Kathleen Sebelius at the U.S. Department of Health and Human Services, AMIA (American Medical Informatics Association) called out 10 specific challenges to proposed modifications to HIPAA Privacy and Enforcement Rules. AMIA's comments, sent on behalf of its membership of 4,000 informatics professionals, detail key issues of concern related to the Notice of Proposed Rulemaking (NPRM) on HIPAA modifications, along with suggestions for models of change. The following areas were cited:

Position: AMIA supports the NPRM in extending requirements of the Privacy and Security Rules for Business Associates (BAs) to their subcontractors. AMIA supports the extension of HIPAA rule compliance obligations to specific types of BAs, including health information exchanges (HIEs), Regional Health Information organizations (RHIOs), and personal health record (PHR) vendors as stipulated by HITECH.

AMIA is concerned about operational and financial challenges of extending and executing agreements related to the use and disclosure of protected health information "downstream".

AMIA suggests that HHS consider the development of 'model' BA contract language in the Final Rule.

Position: Currently, communications related to prescribed drugs and biologics qualify as health care operations, which are excepted from the definition of marketing. Health care operations do not require patient authorizations and are eligible for remuneration as associated costs. AMIA supports inclusion of legitimate treatment communications, such as educational support materials distributed by Covered Entities, in the definition of qualified health care operations.

AMIA supports the opportunity for patients to 'opt out' of future fundraising solicitations, but does not see a benefit to offering 'opt out' statements prior to first solicitations.

Position: AMIA opposes a change in the current definition for Limited Data Sets (LDSs) from "not fully identifiable" protected health information (PHI) to "fully identifiable" PHI, which would prohibit the sale of LDSs, and provide little incentive for Covered Entities to create, maintain, use, and make available very large electronic data sets.

AMIA suggests modified language to new - 164.508 (a)(4)(ii)(B), which would make an exception for research purposes, cost restrictions for PHI exchanged in the form of limited data sets. If cost restrictions related to - 164.508 (a)(4)(ii)(B) are included in the Final Rule, AMIA urges the HHS to consider including all costs related to aggregating electronic PHI in general, or LDSs in particular, and not limiting costs to "staff time".

Position: For research projects with both "conditioned" and "unconditioned" authorization requirements, AMIA supports the NPRM proposal for one compound authorization.

Related to the development of HIPAA authorizations that would permit future use and disclosure of PHI for research purposes, if an authorization form describes such future research activities or uses in sufficient detail to allow meaningful informed consent, AMIA suggests inclusion of a mechanism to allow an individual to revoke an "unspecified" authorization at any time.

To facilitate health research, currently viewed as impeded due to the enormous burdens related to HIPAA 'enforcement' placed on Internal Review Boards (IRBs), AMIA believes that HHS should provide strong guidance and clear expectations to IRBs regarding HIPAA, perhaps through the development of FAQs that illuminate IRB policies for reviewing and approving, or justification for not approving health information use for information-based research projects.

Position: AMIA opposes the NPRM stipulation that Covered Entities must permit the individual to restrict disclosure of any part or all health care items and services if the individual chooses to self-pay. AMIA expresses concern that adoption of this stipulation will foster negative policy implications to a legislatively-required restriction, encourage individuals to "buy privacy" by not using insurance, and create operational difficulties in trying to ensure that information systems can segregate and restrict data flow to payers.

AMIA does not believe it is possible to develop a system in which self-pay restrictions will flow to downstream providers accurately and consistently.

Position: AMIA opposes any new addition to privacy notice requirements due to the fact that NPPs are already exceedingly long and complicated, increases in NPPs will not serve a "pro-privacy" purpose to effectively convey information to the vast majority of patients and may decrease the likelihood that patients will read and understand their privacy options.

Position: AMIA supports a time requirement of less than 30 days for a patient to receive access to or copies of their individual electronic PHI. However, AMIA cautions HHS to adopt a timeline of reasonable length so as not to negatively affect or divert healthcare provider resources to address such requests.

Position: AMIA opposes adoption of the currently proposed framework for addressing complaints and assigning penalties for Privacy Rule violations without further discussion and definition by HHS of the terms "reputational harm" and "indications of non-compliance".

Position: AMIA supports limiting application of the Privacy Rule to a period of 50 years after death, viewing this term as appropriate for not causing harm to decedents and allowing for the potential use of data for research purposes.

Position: AMIA supports permission for Covered Entities to disclose a child's immunization records to a school, with oral consent, rather than written authorization from a child's parent or guardian in order to facilitate compliance with state laws requiring proof of immunization prior to enrollment.