Proposed changes to federal health privacy rules intended to encourage information sharing with social services agencies could pose unacceptable privacy risks, provider groups and privacy advocates say.
The goal of the changes to the HIPAA privacy rule (RIN 0945–AA00) is to encourage health-care providers and social services agencies to work together to address social challenges that affect health outcomes, such as housing, nutrition, transportation, and neighborhood safety.
Expanded sharing of information with the social services sector will allow health challenges to be addressed at the source rather than in the doctor’s office, and could help reduce overall health-care spending, supporters say.
The Covid-19 pandemic, with its disproportionately large impact on underserved and marginalized communities, has drawn new attention to how health outcomes are shaped by these social determinants of health.
But critics say information sharing beyond the reach of HIPAA’s privacy protections shouldn’t be accelerated until guardrails are put in place to protect patients and clients from unwanted data exposure and misuse.
“We are very concerned about the sharing of information with entities that aren’t covered by HIPAA,” said
The Department of Health and Human Services published the proposed rule, which also includes provisions addressing patients’ right of access to their own health information, in December. The public comment period closed May 6.
HIPAA Privacy Rule
The HIPAA Privacy Rule establishes standards to protect medical records and personal health information. It applies to health plans, health-care clearinghouses, and most health-care providers.
The rule requires safeguards to protect the privacy of personal health information, and sets limits on the uses and disclosures of health information without patient permission. Violations can bring significant fines and onerous oversight requirements.
The upshot is a widespread “safety-first” mentality among health-care providers that has discouraged information sharing with the social services sector out of fear of enforcement action, attorneys say.
This is despite the fact that sharing information with social services agencies to help with care coordination is already allowed under HIPAA—at least in theory, said Phoebe Ramsey, senior regulatory analyst with the Association of American Medical Colleges.
“The Office for Civil Rights in HHS issued guidance a few years ago that said that disclosures of personal health information to social services agencies without patient authorization were permitted, but they’ve found that most providers aren’t using the guidance or aren’t aware of it,” Ramsey said.
“So they saw this rulemaking as a vehicle for improving on care coordination and case management for addressing these social factors that impact health, by making it part of the rule rather than being tucked away in guidance.”
The push to increase information sharing with social services agencies reflects a growing awareness that housing, nutrition, transportation, and other social needs can have a significant impact on health outcomes, said Deven McGraw, a co-founder of Ciitizen Corp., which helps patients collect and share their health information.
“The goal is ‘whole-person care,’ care that’s not limited to clinical health-care needs but extends to these other needs,” said McGraw, who also is a veteran of the HHS Office for Civil Rights and of the Office of the National Coordinator for Health Information Technology. Social services providers need access to health-care information in order to provide that level of care, she said.
But encouraging this kind of data sharing could put patients at risk, privacy advocates say. That’s because social services agencies aren’t subject to HIPAA’s privacy and security requirements.
“HIPAA allows the exchange of health-care information between health-care providers without the patient’s permission in order to allow them to coordinate the patient’s care, but the provider receiving the information needs to have their own HIPAA compliance program,” said
“And I can’t see any reason why the social services sector shouldn’t be subject to the same high standard as the health-care providers.”
In the absence of federal privacy standards, the sector is likely to set its own standards, she said. That is “worrisome because the social services sector is a limited resources sector that doesn’t have a lot of money flowing through it to deal with protecting health information,” she said.
Information Blocking Rules
Health-care providers have responded to the lack of privacy protection in the social services sector by refusing to share information, or by insisting on negotiating contracts with social services providers that effectively bind them to HIPAA’s privacy standards.
They’ve been able to do this because HIPAA gives health-care providers permission to share information, but doesn’t require them to do so, said McGraw.
Recently finalized federal rules intended to remove obstacles to data sharing within the health-care sector could interact with the proposed privacy rule change to flip that script and make the sharing of information with the social services sector mandatory, or close to it, she said.
The new “information blocking” rules create a presumption in favor of data sharing by health-care providers, health information exchanges, and developers of health information technology.
The information blocking rules became final in May 2020, and began to take effect April 5, 2021.
“The new HIPAA rule makes it clear that the health-care provider has permission to disclose health information to the social services sector,” McGraw said. “But with the information blocking rules, if a social services provider is having trouble getting information from reluctant providers, they potentially have a complaint they can file with the Office of the National Coordinator for Health IT.”
The information blocking rules and the proposed HIPAA privacy rule change could end up working together as a “one-two punch” in favor of information sharing, she said.
“The HIPAA rules create a legally permitted pathway for information sharing,” she said. “And the information blocking rules create, not exactly a must-share mandate, but additional ammunition to help this information get out the door.”
Health-care providers don’t have responsibility—or authority—under HIPAA to monitor how entities with whom they share information, including social services agencies, use and protect that information, said Kirk Nahra, co-chair of the cybersecurity and privacy practice at WilmerHale.
“The result of sharing with social services agencies is that information will be released and will no longer be controlled by HIPAA,” Nahra said.
The benefits of data sharing for social needs are real, but so are the risks, he said.
One possible fix would be to include social services providers among the entities that need to be contractually bound to abide by HIPAA rules, through a “business associates agreement,” he said. But that could raise significant compliance challenges for small providers, he said.
Another option would be to allow patients to opt out of information sharing with social services providers, McGraw said.
“There are other provisions of the HIPAA privacy rule allowing patients to opt out of some disclosures,” she said. “This provision could be housed within that bucket.”
The AAMC would like to see limits on the scope of data disclosures, and tighter definitions of what kind of social services providers can receive health information, Ramsey said.
Disclosures also could be limited to matters included in the patient’s plan of care, Savickis said.
“This is sensitive information we’re talking about here,” Datta said. “Much of it is the kind that receives heavy protection under the law. And to think that you would promote the sharing of this information without some sort of minimum HIPAA standards in place—that’s something that needs to be addressed.”