Time to End ‘Wild West’ of Health Data Usage in HIPAA-Free Zones

October 28, 2018

Congress’ sweeping opioids legislation—a bill that includes several important health IT provisions—has created much debate in recent days and weeks, as stakeholders sit on different sides of the table over a key patient privacy element.

For background, two weeks ago, the U.S. Senate passed The Opioid Crisis Response Act of 2018, whose core purpose is to improve the ability of various health departments and agencies to address the opioid crisis—including the ripple effects of the crisis on children, families, and communities—as well as to help states implement updates to their plans of safe care and improve data sharing between states.

The House passed its version of the legislation in June, and then after a committee was convened to reconcile the differences between the two bills, the House passed the latest version by a vote of 393 to 8. The Senate will now need to pass this consensus legislation—the SUPPORT for Patients and Communities Act—before it can go to the President for his signature.

One of the major points of controversy was whether or not the federal law, 42 CFR Part 2—which keeps mental health records separate from other health records and prevents the sharing of these confidential treatment records without a patient’s explicit consent—would be amended and be aligned with HIPAA [the Health Insurance Portability and Accountability Act]—as many have clamored for. Indeed, while some healthcare stakeholders believed that patient privacy laws should be changed so providers could more easily share information about a patient’s history of substance use, others have maintained that the privacy laws ought to remain intact.

While “the House had approved changes in its original legislation, H.R. 6082 (115), they didn’t make it into the Senate version and were ultimately dropped in negotiations,” according to a recent report in Politico’s Morning eHealth Newsletter. As such, the 42 CFR Part 2 patient privacy law will remain intact.

What’s perhaps most fascinating about this debate is the major players that are on each side of it. According to a recent article in STAT News, “The AMA [American Medical Association] said it believed there was a ‘fundamental misunderstanding’ among groups working to incorporate the proposal into a sprawling opioids bill. Relaxing restrictions on patient privacy, the AMA wrote, could prevent individuals with addiction from seeking medical treatment in the first place.”

The AMA wrote in a letter to lawmakers that the intent of 42 CFR Part 2 is to encourage patients to seek treatment for addiction knowing that their health information will not be shared, thereby easing fears of discrimination and negative legal consequences resulting from their substance use. The AMA’s letter continued, “Aligning Part 2 with HIPAA would effectively remove privacy rights from a particular patient population—the very rights that were created to encourage SUD [substance use disorder] treatment.”

Importantly, the AMA also brought up two other key points in its argument. First, the association noted that amending 42 CFR Part 2 laws would impact more than just opioid addiction. For instance, the AMA wrote, “Alignment [with HIPAA] would remove the privacy rights of all patients who seek treatment at a Part 2 program for any SUD and could discourage patients from seeking treatment not only for opioid dependency, but for other addictions as well.”

The second point the AMA brought up was that patient information is simply not as available as some make it out to be. While those who support aligning Part 2 with HIPAA envision a patient’s SUD records being available to all of the patient’s providers at any given time, the AMA said that given the current state of interoperability, this is not practical. The group wrote, “A clinician cannot go to his or her electronic health record (EHR) and ‘pull’ a patient’s SUD information upon request—in other words, regardless of whether Part 2 has been aligned with HIPAA, a clinician cannot simply search a patient’s name in his or her EHR and obtain all of the patient’s information. This problem exists even now with information covered by HIPAA…”

As Politico also has reported, Sen. Patty Murray (D-Wash.) was very much in the middle of the dispute as well. Its report noted, “Murray, the ranking member of the Senate HELP (Health, Education, Labor & Pensions) Committee, has been withholding her support for including a controversial privacy measure in the sweeping bill to address the opioid crisis despite support by other Democrats including her state’s governor. She has reservations about a change that would make it easier for doctors to see a patient’s substance abuse records.”

Politico spoke to three lobbyists who said that Washington Gov. Jay Inslee had lobbied Sen. Murray to include an overhaul in the final opioids legislation. “An aide to Murray said she was willing to negotiate a solution that resulted in improved care coordination while protecting patients’ privacy,” according to that report.

Meanwhile, other health IT groups, such as the College of Healthcare Information Management Executives (CHIME), the American Hospital Association (AHA), and various major health insurers, feel differently about this significant privacy issue. In a letter from CHIME to Senate and House representatives, obtained by Fierce Healthcare, the group’s President and CEO, Russell Branzell, wrote, “It is essential that healthcare providers have a complete medical history with all relevant information that will help them make clinical decisions. To ensure the highest quality of care, information pertaining to substance use disorder is pertinent.”

The CHIME letter continued, “Unfortunately, under current law, 42 CFR Part 2, SUD treatment and diagnoses are kept confidential from providers which can be extremely problematic when a clinician is attempting to treat someone but is unaware of their prior addiction history. Our members strongly support synchronizing these consent policies, which will reduce the burdens imposed by these two different sets of rules and facilitate consent for the purposes of treatment, payment and healthcare operations pursuant to HIPAA.”

And according to the aforementioned STAT piece, “The groups pushing the measure say that the current restrictions inhibit providers from accessing information critical to providing quality treatment—giving a common example in which a doctor, not knowing a patient has a history of addiction, unknowingly prescribing opioids for pain treatment.”

In the end, the privacy advocates were the side that came out on top, since the proposed amendment to 42 CFR Part 2 never got included in the final version. But digging deeper, the big-picture impact of not including this amendment is also worth exploring.

It was quite interesting to me that the AMA—the largest association of physicians in the U.S.—was leading the charge against the Part 2 amendment. To this point, it’s important to keep in mind how many physicians feel about EHRs—namely that they add to their workdays, thereby causing increased burnout.

Using this logic, if physicians are not keen on EHRs, one could understand why they would be opposed to this type of data sharing without a patient’s explicit consent. And without that physician trust in the technology—which gets extended down to the patient level as well—it’s quite possible that consent would be tough to get. If that were the case, as the AMA believes, patients might be hesitant to seek treatment for SUD in the first place.

As the debate over patient privacy surely will continue, there are many who believe that the 42 CFR Part 2 law is severely outdated. Indeed, the Part 2 regulations restricting how data of patients with substance use disorders is shared were written in 1975 out of concern that the information could be used against individuals, causing them to avoid seeking needed treatment. As such, since the patient is required to consent every time their data is shared or accessed, health information exchanges (HIEs) and others have found it challenging to work around these restrictions. Many HIEs have just avoided the issue during their startup phases.

To this end, the Substance Abuse and Mental Health Services Administration (SAMHSA), part of the U.S. Department of Health and Human Services (HHS), did re-write portions of the Part 2 law in a rule that was finalized earlier this year. But still, those who believe that Part 2 should be aligned with HIPAA do not believe that the rule went far enough at all to solve data sharing issues.

So for now, it’s the patient privacy advocates that continue to hold serve in this ongoing match.

Healthcare Informatics Magazine | Health IT | Information Technology