Last month, the U.S. Department of Health and Human Services’ Office of Civil Rights (HHS OCR) published the first in a series of guidance materials which are meant to further clarify individuals' core right under HIPAA to access and obtain a copy of their health information. The new guidance, in the form of a Frequently Asked Questions (FAQs), addresses the scope of information covered by HIPAA's access right, the very limited exceptions to this right, the form and format in which information should be provided to individuals, the requirement to provide access to individuals in a timely manner, and the intersection of HIPAA's right of access with the requirements for patient access under the HITECH Act's Electronic Health Record (EHR) Incentive Program.
Among other things, the new guidance explains that, under the Privacy Rule, a health care provider cannot require patients to pick up their records in person if they ask for the records to be sent by mail or email. A provider cannot require an individual to use a web portal for requesting access, as not all individuals will have ready access to the Internet, or to mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and thus, the individual’s access. A health care provider cannot deny a request for access to health information because a patient has failed to pay medical bills. And although a doctor or a hospital may charge a fee to cover the cost of copying, it cannot charge for the cost of searching for data and retrieving it.
The new guidance is available on HHS OCR's website at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals and health insurance plans. The Privacy Rule is especially important in the era of EHR, which are supposed to empower consumers to easily transfer health information from provider to provider. HHS characterizes this as a right “critical to enabling individuals to take ownership of their health and well-being.” HHS OCR’s press release argues that, with “more targeted treatments discovered through the new precision medicine model of patient-powered research, it is more important than ever for individuals to have ready access to their health information.” HHS OCR’s stated reason for rolling out a series of explanatory information products concerning the Privacy Rule is its perception that providers have raised unjustified roadblocks to individuals’ access of their own health information.
The Privacy Rule has been an area of heightened enforcement activity for HHS OCR over the last few years. OCR has the power to levy penalties against providers who violate HIPAA, but it doesn’t often do so. And individuals do not have a private right to sue covered entities for violations of HIPAA.
So why should health care providers worry about complying with the Privacy Rule in particular, and HIPPA more broadly? Because individuals have found ways to circumvent the federal statute’s preclusion of private rights of action by filing actions in state courts under state law. HIPAA does not preempt state-law causes of action for the wrongful disclosure of health care information. If an individual were to be harmed by the wrongful withholding of health care information, there’s no obvious reason why a state cause of action wouldn’t lie against the responsible provider.
State courts have allowed plaintiffs to use HIPAA as a standard for measuring the duty to maintain confidentiality in negligence, privacy, and professional liability cases. Due to the broadness of state tort laws pertaining to negligence and the substantial damages awarded by some state courts in lawsuits arising out of conduct that violated HIPAA, covered providers need to make sure that their HIPAA compliance programs are well-designed and working as planned.
Last year, in a rare moment of bipartisanship (especially where health care policy is concerned) Congress enacted Medicare Access & CHIP Reauthorization Act of 2015 (MACRA). MACRA was a response to the growing consensus that double-digit annual growth rates for Medicare outlays under the traditional, fee-for-service delivery model of providing health care in the U.S. simply isn’t sustainable, and that the government should be buying quality care and efficient outcomes, not just volume, when it pays for medical services. The changes MACRA wrought include:
Based on the MIPS composite performance score, providers will receive positive, negative, or no adjustments in Medicare payments they are owed. Positive and negative adjustments will be up to a maximum of 4 percent in 2019, and will grow over time to a maximum of 9 percent in 2022 and beyond.
HHS has already set an aggressive goal for tying Medicare payments to quality and value, even before MIPS takes effect. By the end of 2016, it expects that 85% of Medicare fee-for-service payments will be tied to quality or value, and that 90% of fee-for-service payments will be tied to quality or value by the end of 2018.
Whether HHS’s alternative payment schemes will actually result in quality and value is hotly disputed – perhaps most hotly in the last month by Robert A. Berenson, M.D., of the Urban Institute in Washington, D.C. One of the nation’s most respected health care policy experts, Dr. Berenson served on the Medicare Payment Advisory Commission, headed the Medicare payment policy and private health plan contracting in the Centers for Medicare & Medicaid Services (CMS), and served as an assistant director of the White House Domestic Policy Staff under President Carter. In a JAMA Forum editorial published in January, Dr. Berenson predicted MIPS would fail to improve the quality of US healthcare because of its obsession with what he characterized as a “few, random, and often unreliable measures” of physician performance, at the expense of paying proper attention to such essential qualitative factors as rates of misdiagnosis.
In an interview in the most recent issue of Medical Economics, Dr. Berenson told the publication that only about 50 percent of physicians in private practice currently submit data under PQRS because of the administrative burden and because they don't think the measures are good ones. However, under the current regime, non-cooperating practices only stand to lose only 2 percent of revenue if they don’t participate. Under MIPS, the stakes are higher: Eventually, practices will stand to lose up to lose 9 percent. Dr. Berenson pointed out that in focusing on data production regarding quality, resource use, clinical practice improvement activities and meaningful use of electronic health records systems, MIPS will strain the financial resources of small practices, perhaps to the breaking point. Small physician practices don't have the IT systems they need to collect and report this data, Dr. Berenson argues. They would need to spend the money to hire a consultant to produce the data from their medical records or use a registry option the government is offering, which will also entail expense. Dr. Berenson believes many small practices will decide they can't afford to do that, and simply dissolve.
Forecasts of doom for small practices are premature: Much will hinge on the outcome of CMS’s rulemaking for MIPS. Final rulemaking is scheduled for release this year. Among other things, CMS will define a threshold for low-volume providers who are exempt from MIPS, based on some combination of minimum Medicare patients, service volume, and/or billings. Depending on how the low-volume threshold is defined, it could provide considerable breathing space for small providers, whose air supply might otherwise be cut off by a value-based payment system that demands extensive, expensive data gathering.
Who knows? The low-volume threshold could even make small and solo practice more desirable, by creating a safe haven from the onerous reporting requirements faced by larger groups and institutional providers.