April 2015

What a Patient Wants
By Julie Knudson
For The Record
Vol. 27 No. 4 P. 18

The best disclosure management strategies involve helping patients navigate difficult access questions.

Patients have a right to receive an accounting of disclosures of their protected health information. However, it's a limited right. In fact, large swaths of routine disclosures are not reportable to patients. These generally fall into three categories: treatments, payments, and operational disclosures.

There is a notable irony in those categories, says Katherine Downing, MA, RHIA, CHPS, PMP, director of HIM practice excellence at AHIMA. "It's almost counterintuitive to what you think a patient is actually asking for," she says while noting that's what makes the accounting of disclosure requirements one of the more difficult aspects of HIPAA management.

Treatment refers to clinicians and others in the continuum of care discussing a patient's condition, prognosis, and course of treatment. Some of that same information is shared with insurance carriers to facilitate payment. "It's a disclosure because it's going from the covered entity, the hospital, to the insurance company (also a covered entity), but it's under the umbrella of payment to get your bill paid, so again, it's not tracked as a disclosure," Downing says.

Health care operations are "things that the hospital or covered entity need to do in order to maintain certification, quality reviews, and risk management," Downing explains. Some of these functions are obvious while others are subtler. "There are a lot of things under the health care operations umbrella that are not included in the accounting of disclosures," Downing says. For example, if a patient falls, the risk management group likely will have access to that record under the auspices of operational activities.

The problem with the accounting of disclosures, according to Downing, is that most patients making requests actually want to know who accessed their information. "That is not something that's currently required for us to provide patients under HIPAA," she says, adding that the situation is a recipe for patient confusion.

To help guide the development of regulations to carry out the intent of the HITECH Act's accounting for disclosures provision, the Health IT Policy Committee in 2013 held hearings to consider what information should be included in an accounting of disclosure and how best to approach the new provisions requiring that individuals be provided with an access report.

"HIPAA clearly contemplates that individuals have a right to know how their information is being used, disclosed, and accessed," explains Linda Kloss, president of Kloss Strategic Advisors. "It ensures that individuals have the right to receive an accounting of disclosures. Proposed regulations added access reporting as a new obligation for covered entities and businesses."

She says the HIT Policy Committee recommended "a pragmatic roadmap" that called for an initial focus on disclosures outside the covered entity that included only the entity names rather than employee names. It was concluded that the proposed access report requirement was unworkable at this time given the lack of standard tools and processes. It did reinforce the right of individuals to request investigations of potentially inappropriate access. "Importantly, it also recommended that accounting for disclosure reporting be pilot tested before being mandated across the industry," Kloss adds.

Although an individual's right to disclosure and investigation is a fundamental provision of HIPAA, Kloss says the issue is how best to carry it out. "Greater transparency can be expected to advance along with better technology and tools to accomplish it," she says.

Patients whose personal health information is disclosed have a right under HIPAA to know how it's being used and who's seeing it. "Greater openness and transparency, with corresponding accountability requirements will continue to evolve in law and regulation," Kloss says.

Interpretations and Assumptions
As with many health care laws, provider organizations may run into trouble when interpreting disclosure regulations. For example, Downing has received questions about disclosures tied to research activities. "If you've got a disclosure that's made for research and it's not under a patient authorization, that has to go into the accounting of disclosures," she explains. Hospitals may become confused if situations don't fit one of the garden-variety molds, including disclosures made to governmental agencies. "We do have to track disclosures to public health authorities, the FDA, health oversight agencies, and law enforcement," Downing says.

If there's one constant in health care, it's change. Kloss says there are likely many situations that come up in the course of day-to-day business that require hospitals to judge whether a disclosure falls into an existing provision or if it's a new use of data that isn't well covered. "I think we're seeing a growing number of new uses that certainly weren't contemplated in the original HIPAA era, and were not even fully clarified in the update in the HITECH Act," she says.

One example of time marching forward is the lack of accounting requirements when limited data sets are used under a data use agreement. "What does that mean?" Kloss asks. "What's a limited data set? And what's a data use agreement? Who are we agreeing to share data with?" Exchanging data as an extension of treatment, payment, and health care operations may be fairly clear in most instances, but sharing data for the purposes of further analysis and secondary use may fall outside that normal scope.

Other situations uncommon enough that they aren't part of normal operational procedures also may confuse patients and even providers. "A recent one we've seen is subpoenas and how they're handled in each state," says Karen Gallagher Grant, RHIA, CHP, chief operating officer of Medical Record Associates (MRA), a corporate member of the Association of Health Information Outsourcing Services. Not only is this something hospitals may not deal with on a daily basis, it is just one more example of regulations varying from one state to another. "In Massachusetts, if the opposing council was ordering my records, there would be an opportunity for me to understand and know that," Grant says, adding that this is one area where hospitals may not understand where such a disclosure falls.

Proposed Changes Contribute to Confusion
Although the accounting of disclosures regulations have been in place since 2003, Downing says proposed changes may have led to puzzled patients and providers. For example, the current rules say an accounting of all disclosures outside the exceptions must cover six years. "The idea was that, under HITECH, there might be a change where the accounting of disclosures would only be for three years and you would have the ability to get to your access reports," says Downing, who believes those proposed rules led to some confusion. "They've been misunderstood by patients, hospitals, and health care entities, but they were just proposed. We have not seen any final changes related to accounting of disclosures since the original rule in 2003."

In addition, Kloss says, "The draft rules would have required patients the right to an access report indicating who has accessed their individual protected health information in the electronic health record."

Today, there are myriad formats for audit reports and logs, each with little or no standardization. "That that kind of new access reporting could be baked into the existing regulations seems premature," Kloss says. That was also the conclusion of the Health IT Policy Committee.

Fuller accounting disclosures may be on the horizon, making it important for covered entities and business associates to prepare now, Kloss says. "They should be working with vendors to improve access and audit logs so they are more useful and interpretable," she says. "They should also be ensuring they have approaches in place to investigate disclosures when requested to do so."

But how these changes will be implemented still is being debated. "What health care organizations are running into are the real situations that those new regulations were to have addressed," Kloss says.

Baseline disclosure regulations may not have changed in recent years, but the environment that encompasses data sharing certainly has. As HIEs have popped up across the country, new consent language is working its way into the realm. Charlie Saponaro, president and CEO of MRA, says the Massachusetts HIE requires patient consent, which causes patients and hospitals alike to wonder how the exchange fits into traditional information sharing regulations. "Some people are interpreting that law to mean that the provider—because of the treatment, payment, and operations exclusion—can just send the information over the highway and they don't need to get consent," Saponaro says. Even if that turns out to be the case, to address potential misunderstandings he encourages hospitals to err on the side of asking the patient if they want to participate.

Two Perspectives
Given the intricacies of reportable disclosure regulations, it's little surprise there are occasional disconnects between what patients believe to be reportable disclosures and what is actually reportable according to the regulations. One factor that may inadvertently contribute to the turmoil is the Notice of Privacy Practices. "We put forth the patient's right to an accounting of disclosures and we explain it to them in that notice," Downing says. "But a lot of patients are not taking the time to read it or they don't really comprehend it."

Many hospitals rely on the notice to explain when the patient will be informed of a reportable disclosure. Unfortunately, it's likely an ineffective vehicle if it's going unread or if the organization isn't ensuring patients understand what they're reading. "There are certainly patients who are keenly aware of their rights," Kloss says. "They care a lot about them, they understand the distinctions and all the nuances of the law. But I would say most patients don't."

In this era of online patient portals, an increasing number of consumers are becoming more comfortable with having access to their own information. However, they may be questioning who else has access. "I think it's still a point that needs a lot more light shed on it for patients to really understand the scope of the complexity here," Kloss says.

States Matter
Patients may not only be confused about which disclosures are and aren't reportable, Grant says they also may be upset with the regulations themselves. "One problem is that you're dealing with federal laws and you're dealing with state laws," she says.

In the Boston area, like other parts of the country, patients come from outside the region. "We have patients from all over, and they may have heard privacy laws in the state of Ohio, which are very different than in Massachusetts," Grant says. For example, in Massachusetts, all cancer cases are reported. "It isn't necessarily the release of information regarding cancer patients, but we do report things to the state," Grant says. Discrepancies such as these may be confusing or even downright irritating to patients who are trying to not only understand the regulations but also remember where each rule applies.

As health care organizations continue to expand, they're more likely to bump up against administrative issues related to differing disclosure regulations in multiple states. It adds an additional layer of complexity when determining how the hospital handles disclosure reporting. "I think we err on the side of where the provider is located," Grant says. "In our situation, Massachusetts' rules and regulations are more protective of the patients, so we would err on that side to protect the patient."

Not only do providers need to know these regulations, they also must be prepared to explain them to patients who may not even realize state-level rules exist.

The Fulcrum of Education
When it comes to helping patients understand disclosure regulations, hospitals are on the frontlines. Downing recommends organizations create a dedicated form to handle patient requests for an accounting of disclosures. "You have that form when they request that patient right, just like they would request their record or request an amendment," she says.

The form also doubles as an educational tool. "Patients are going to read and understand that education or they're going to come to you as the privacy officer and they are going to say, 'This isn't what I wanted,'" Downing says. The hospital then can work with patients to determine the exact nature of their concerns. For example, a patient may be referencing a specific situation, such as wanting to know if her ex-husband's new wife, who happens to work in the nursing unit, has access to her records. "A lot of it is working with the patient to figure out if instead of getting this big report and handing it to them, you can get down to the real issue of why they're asking for this," Downing says.

Because regulations will always be a step or two behind reality, Kloss says organizations shouldn't build disclosure management guidelines solely around the current regulatory environment. "If an organization has principles and great transparency with patient communication, then they'll be proactive in reaching out and helping patients understand this," she says, suggesting hospitals use patient portals to deliver pertinent information and focus on service-oriented customer interactions to explain data exchange. "It requires working hard on very understandable privacy policies."

Andrew B. Wachler, a managing partner at the Michigan law firm Wachler & Associates, says it may be prudent for hospitals to make compliance with disclosure regulations a higher priority than educating patients on which disclosures are reportable. "You can have all different kinds of patients, some litigious, some not," he explains.

Any number of different issues and data disclosure questions may arise from a typical hospital's diverse patient population. "From a provider perspective and a risk reduction perspective, I think it's less about educating patients about disclosures and more about meeting your own responsibilities," Wachler says.

Nevertheless, Grant says educating patients about disclosure regulations shouldn't wait until they walk in the door. "It's consumer education before the patients even arrive at the hospital," she says. "Maybe it's a little e-alert saying, 'You're coming to the hospital, this is how we handle privacy.'"

It even may be feasible to present consent information upfront, such as via a website that authenticates patients with a unique personal identification number, Grant says.

This type of preadmission education may streamline issues such as how data sharing is affected by self-pay care. Plastic surgery patients, for example, could be handled prior to arrival, making intake significantly more efficient. "It's just a little bit too complicated to have patients walk in the door and try to understand all of it," Grant says of disclosure scenarios such as self-pay. "Patients could make disclosure decisions before they went to the hospital."

Innovative hospitals also may investigate employing a marketinglike approach, similar to that of pharmaceutical companies. "Maybe there's some kind of short video that says, 'Hey, just so you know, we're going to be sharing your information,'" Saponaro explains. "You could give a brief overview of where this information could go or what it will be used for so that people are more aware."

As health care consumers become more accustomed to being educated through Web videos and tutorials, this may be a natural—and easily assimilated—evolution for providers to embrace.

— Julie Knudson is a freelance writer based in Seattle.