Sunday, February 8, 2009

Lawmakers Gone Wild: HIPAA, The Stimulus Bill and the Prospect of Making Things Worse for Disease Management and Medical Home Care Management

You’d think the current stimulus bill before Congress would be generally welcomed by the disease management community. There is money to expand the States’ Medicaid programs, help the newly unemployed pay for COBRA-related health insurance and fund the perpetual employment needs of electronic health record consultants everywhere.

Leave it to Congress, however, to let other unrelated interests - that have absolutely nothing to do with the stimulus or anyone's economic hardship - intrude. For a good example, look to what the Disease Management Care Blog found after noticing this little blurb in the Feb. 4 KaiserNetwork Daily reports:

Sen. Amy Klobuchar (D-Minn.) might propose an amendment that would exempt "quality initiatives," such as disease management and care coordination, from a provision that would require the HHS secretary to issue new health care operations rules. Health care providers have raised concerns that the rules would limit their ability to share information.

‘Huh?’ said the DMCB. ‘New health operations rules?’ So, your intrepid DMCB went to this web site that has all 431 pages of the Senate Bill that was before the Senate and searched for the provision. This slightly reworded quote is for your reading pleasure:

Section 13405(d): Not later than 18 months after the date of enactment, the Secretary of HHS shall promulgate regulations to eliminate from the definition of health care operations those activities that can reasonably and efficiently be conducted through the use of information that is deidentified or that should require a valid authorization for use or disclosure. The secretary may choose to narrow or clarify activities that the Secretary chooses to retain in the definition of health care operations.

Confused? So is the DMCB after reading this several times, but think of ‘health care operations’ as a safe harbor that allows the sharing of detailed patient data between collaborating health insurers, disease management companies, physicians, hospitals and medical homes. The DMCB thinks the language above significantly ‘tilts’ the threshold toward making it harder for patient information sharing in the name of population health activities, favoring the use of ‘deidentified data’ (for example, no birth or service dates or geographic location other than State) or requiring the patient’s personal active permission each and every time the data moves from one entity to another.

A recent New York Times editorial says increased safeguards are needed to better assure the privacy of medical records. While there have been some examples of egregious breaches of electronic health records, the DMCB, however, is unaware of any resulting from quality improvement activities, predictive modeling, disease management business practices or medical home-based care. Disease management’s colleagues over in the research community have weighed in on the matter, stating HIPAA already adds uncertainty, cost and delay. Tilting things will make it far worse.

While readers may think they should be assured that the legislation leaves it up to the yet-to-be named/confirmed Secretary to be 'reasonable,' the DMCB suspects he or she will instead promulgate wide-ranging, confusing, complex, over-lawyered, healthcare-unfriendly, litigation-prone, unrealistic, burdensome and silly regulations that make it all but inefficient or even unreasonably impossible for disease management organizations or patient-centered medical homes to assess the health care needs of their populations. Want to know if you should expand your operations into some adjoining counties? Thinking about promoting flu shots but don’t have prevalence data for those over age 65 years? Want to conduct an outreach campaign based on predictive modeling? Well, based on these and other scenarios, thinks the DMCB, you better have two things if this bill passes unchanged: 1) a phalanx of lawyers who are prepared to do more than just tell you what you can’t do, and 2) lots of cash or insurance on hand to deal with a greater likelihood of legal actions or suits.

Egads. The DMCB understands Senator Klobuchar has submitted the amendment. Let’s hope it survives the sausage making.


Anonymous said...

Name one entity that has been sued because of a HIPAA violation.

Jaan Sidorov said...

Good point. I think what's being said by anonymous is that the threat of being sued is being overstated by the DMCB. Either that, or given the high number of data mishaps, the lack of any suits speaks to the relative lack of a credible threat.

But, in its defense, the DMCB has been in many meetings where the THREAT of legal action was enough to make the Administrators go way overboard in protecting data in the conduct of day to day operations. There WAS a phalanx of lawyers peering at everything and there WAS a likelihood of a suit.