During a Congressional briefing Wednesday in Washington, DC, AHIMA and other health IT stakeholders advocated for the modernization of HIPAA regulations by expanding the law’s record access provisions to non-covered entities and better defining HIPAA’s “designated record set” (DRS).
AHIMA and the American Medical Informatics Association (AMIA) participated in the Capitol Hill briefing titled “Unlocking Patient Data—Pulling the Linchpin of Data Exchange and Patient Empowerment.” The briefing included a panel of health information management and health informatics experts discussing how federal policies are impacting patients’ ability to access and leverage their health data. HIPAA was specifically discussed as needing revisions.
As AHIMA CEO Wylecia Wiggs Harris, PhD, CAE, noted in a statement released prior to the briefing, “AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape. The language in HIPAA complicates these efforts in an electronic world.”
A key topic of discussion during the briefing was AHIMA and AMIA’s proposal for policymakers to modernize HIPAA by either establishing a new term, “health data set,” which includes all clinical, biomedical, and claims data maintained by a covered entity or business associate, or by revising the existing HIPAA “designated record set” definition and require certified health IT to provide the amended DRS to patients electronically in a way that enables them to use and reuse their data.
According to a joint press release from AHIMA and AMIA, a new definition for “health data set” would support individuals’ right of access under HIPAA and guide the future development of the Office of the National Coordinator for Health IT’s Electronic Health Record Certification Program so individuals could view, download, or transmit to a third party this information electronically and access the information via application programming interface. Alternatively, a revision of the current DRS definition would provide greater clarity and predictability for providers and patients.
AMIA and AHIMA suggested other measures they hoped Congress would consider to modernize HIPAA:
- Extend the HIPAA individual right of access to Non-Covered Entities (NCEs). NCEs such as mHealth and health social media applications manage individual health data but are not required by law to make it accessible. The goal of this law extension would be creating a uniform health data access policy, regardless of covered entity, business associate, or other commercial status.
- Encourage note sharing with patients in real-time. Promote efforts such as OpenNotes through Medicare and Medicaid payment programs, such as the Merit-based Incentive Payment System.
- Clarify existing regulatory guidance on third-party access to patient data. Especially related to third-party legal requests that seek information without appropriate patient-direction and beyond what is part of the DRS.
The briefing included a panel discussion with Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, vice president of compliance and HIM policy at MRO; Janelle Burns, JD, CHPS, a HIPAA attorney; Erin Mackay, MPH, associate director health information technology programs at the National Partnership for Women and Families; Thomas Payne, MD, FACMI, medical information director of technology services at UW Medicine; and Trent Rosenbloom, MD, MPH, FACMI, assistant professor of biomedical informatics at Vanderbilt University.
Beyond HIPAA, panelists discussed the success of efforts to share clinical notes with patients during visits, including the successful OpenNotes initiative, and recommended that federal officials look for ways to encourage more providers to share notes with patients through federal policies, such as Medicare and Medicaid payment programs.
Additionally, AMIA and AHIMA recommended federal regulators clarify existing regulatory guidance related to third-party legal requests, such as those by attorneys that seek information without appropriate patient-direction.
“HIM professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI (protected health information),” Harris noted in a prepared statement. “We recognize there are necessary circumstances in which a patient has the right and need to direct their health information to an attorney. However, AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications.”
Click here for more on the briefing and additional resources.