HIPAA Happenings: Should Clearinghouses Be Allowed to Use PHI?
By Douglas Peddicord, PhD
For The Record
Vol. 30 No. 3 P. 28
From the beginning, claims clearinghouses have been something of an odd character in the HIPAA family. In 1996, HIPAA defined a health care clearinghouse as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
While clearinghouses were neither providers of nor payers for health care, they were included in the list of the key players in the health care/health insurance ecosystem—the covered entities (CEs) required to follow HIPAA regulations.
Although the original HIPAA legislation and subsequent regulations lumped them with health care providers and payers, clearinghouses were, of course, fundamentally different from the other two. They did not create, receive, use, disclose, or otherwise maintain or transmit protected health information (PHI) for purposes of treatment or payment. Rather, they were switch points whose purposes were to standardize health data and thereby facilitate not only payment but also the delivery of care.
Mere switch points or not, an enormous amount of claims, eligibility, payment, and other data flowed through health care clearinghouses, and from the beginning some argued that all that data could be used for individual and population health outcome assessment, payment and other economic analyses, and a wide variety of research purposes.
But the PHI received, standardized, and used by the clearinghouses was created or received by another CE. The clearinghouse did not have a treatment or payment relationship with the patients whose PHI they were handling. Rather, they were performing their function—producing "standard data elements"—on behalf of other CEs. Thus, clearinghouses were, for all intents and purposes, not really CEs at all but business associates (BAs). The drafters of HIPAA regulations stipulated in a number of places that "a clearinghouse is prohibited from using or disclosing protected health information other than as permitted in the business associate contract under which it created or received the protected health information."
Since at least 2002, when the HIPAA privacy rule was finalized, the question of whether clearinghouses can independently use the PHI that flows through them has been settled—they cannot.
But the promise of using all those data to improve health care quality and efficiency remains. For clearinghouses, the hope of being able to use PHI springs eternal.
Which brings us to H.R. 4613, the Ensuring Patient Access to Healthcare Records Act, introduced by Rep Cathy McMorris Rodgers (R-WA) on December 11, 2017. (Similar bills were introduced by Rep McMorris Rodgers and Sen Bill Cassidy [R-LA] in 2016.) Aiming to modernize the role of clearinghouses in health care, the legislation would first redefine clearinghouses as CEs, regardless of the fact that they collect/receive PHI not from patients but from providers and payers (other CEs) in order to execute their principal function: "translation of data into and out of standard format."
Starting with the goal of providing "patient access to information related to their care," H.R. 4613 expands the boundaries of what would currently be considered health care operations and would allow CEs, including clearinghouses, to use PHI without individual consent (a HIPAA authorization) to develop "patient engagement tools" that would allow individuals to better understand topics such as potential treatment outcomes and the actual costs of their health care, as well as to be recruited into clinical trials.
In addition to using PHI to produce reports and analyses that could be of value to patients, H.R. 4613 would allow a clearinghouse to aggregate the PHI that flows through it and combine that with PHI flowing through other clearinghouses to produce reports, analyses, and presentations—for example, that would benchmark health plan or health care provider performance—and to sell those products. Clearinghouses would also be permitted to deidentify PHI at their own initiative and develop analytics and other tools with massive deidentified data sets.
Finally, H.R. 4613 would allow clearinghouses to provide to individuals, upon request, a "comprehensive record" of their health information "across health care providers and health plans and longitudinal in scope" unless the clearinghouse determines that providing such a comprehensive record is not technologically feasible.
Pros and Cons
Proponents of the Ensuring Patient Access to Healthcare Records Act argue that the new uses of PHI that would be permitted to clearinghouses and other CEs would provide greater transparency and understanding of health care to patients, and take advantage of the enormous amounts of claims, eligibility, payment, and other data generated by health plans and provider organizations that flow through clearinghouses each day to improve health care quality, delivery, and even cost.
Who would object to that?
Let's start with providers and payers, the HIPAA-covered entities that are the source of the health data the clearinghouses would like to use. These CEs transmit health data to the clearinghouses under business associate agreements (BAAs) that stipulate the clearinghouse will provide a service, namely, processing PHI on behalf of the CE. CEs transmitting data would never envision a clearinghouse making independent use of (and profiting from) the PHI disclosed for the purpose of purchasing a service.
To use an analogy coined during the early days of HIPAA, that would be like saying that because the information that flows through the US Postal Service could be valuable for solving lots of problems, it should be OK for mail carriers to read—and use—the mail.
However, H.R. 4613 overrides that concern by invalidating provisions in existing contracts (BAAs) between CEs and clearinghouses that would prohibit or conflict with the clearinghouse's ability to use PHI in any of the ways the bill would allow.
Besides objecting to allowing clearinghouses to independently use "their" data, CEs are concerned about the prospect of allowing clearinghouses—which do not have a treatment, payment, or any other relationship with patients—to release health records to individuals. CEs are also worried about an increased potential for breaches and other HIPAA privacy or security violations if clearinghouses are allowed broad discretion to use and disclose the PHI that comes to them from providers and health plans that are attuned to their own HIPAA obligations and always on guard against possible downstream risks in the flow of health data.
At this time, it is unclear whether the Ensuring Patient Access to Healthcare Records Act will make any progress during the current Congress. Regardless of how far it advances, its introduction raises several interesting questions, including whether the current system of siloed data—in which each CE can use its own data for health care operations purposes, such as quality improvement, but the data cannot be used across CEs—makes optimal use of mountains of claims, eligibility, payment, and other data generated by the health care system.
Whether health care clearinghouses are the best vehicle for making better use of big data is unclear, but there's little doubt that how to take advantage of health data is an issue top of mind with lawmakers and health care leaders alike.
— Douglas Peddicord, PhD, is president of Washington Health Strategies Group, a boutique health policy and lobbying firm.