--CONSULTATION REPORT-- Ethics Advisory Group. HIPAA and the Ethics of Health Information Privacy. September 25, 2003

Transcription

1 --CONSULTATION REPORT-- Ethics Advisory Group HIPAA and the Ethics of Health Information Privacy September 25, 2003 Customer for the Ethics Advisory Group The customer for the September 25 meeting was Jack Burke, Vice President for Corporate Compliance Programs and HPHC Privacy Officer, along with Dee Chouinard, Project Manager for the HIPAA Privacy Project Implementation, Natalie Cunningham, Director of the HIPAA Program Office, Earl Manz, Senior Associate General Counsel, Ken Patterson, HPHC Security Officer and Maggie Singleton. Background In 1996 Congress recognized the need for national standards for health information privacy with the enactment of the Health Insurance Portability and Accountability Act (HIPAA). In response to increasing public demand for safeguarding of the privacy of medical information, the Department of Health and Human Services (DHHS) issued its final Privacy Rule in December Most covered entities had until April 14, 2003, to comply. Major Highlights of the HIPAA Privacy Rule Covered Entities. Covered entities are the entities that must comply with HIPAA's Privacy Rule. These include health plans like HPHC, employer sponsored Group Health Plans, health care clearinghouses (billing and coding services), and health care institutions, medical offices and providers that conduct HIPAA electronic transactions. Protected Health Information. HIPAA protects health information that relates to a) an individual s past, present, or future physical or mental health conditions, b) health care provided to the individual or c) past, present, or future payment for the provision of health care to the individual that can d) reasonably be associated with a specific person. HIPAA s Privacy Rule covers all protected health information (PHI) used or disclosed by a covered entity in any form, whether electronically, on paper, or verbally. Boundaries on the use and disclosure of Protected Health Information. With few exceptions, such as appropriate law enforcement needs and regulatory requirements, a member's Protected Health Information may only be used or disclosed for a) treatment, b) payment or c) health care operations. Any use or disclosure that falls outside of these domains requires a written member authorization. In general, the use and disclosure of PHI is limited to the minimum necessary for the task at hand. HIPAA requires covered entities to establish systems to verify the identity and authority of the persons to whom PHI is disclosed. It is important to note that although the HIPAA Privacy Rule sets standards for the use and disclosure of PHI, it does not obligate a covered entity to make disclosures.

2 Individual rights to control their Protected Health Information. Under the Privacy Rule, individuals have significant new rights with regard to how their health information is used. Covered entities are required to give members (or patients) a clear written explanation ( Notice of Privacy Practices ) about how they may use and disclose individual health information. HIPAA gives individuals the right to request access to and amendments of their PHI, to request restrictions on the use and disclosure of their PHI, to request that they receive communications in a confidential manner, and to request an accounting of all non-authorized disclosures not made for treatment, payment or health care operation purposes. (HPHC s Notice of Privacy Practice can be accessed via ) Covered entities and the safeguarding of Protected Health Information. HIPAA's Privacy Rule establishes the privacy standards that covered entities must meet, but it gives covered entities the flexibility to design their own policies and procedures to meet those standards. The requirements are flexible and scalable to account for the nature of each entity's business, and its size and resources. Covered entities are required to: Designate a privacy officer Adopt written privacy policies and procedures Evaluate physical security measures in place to safeguard PHI Contract only with Business Associates who agree to appropriate safeguards of any Protected Health Information that might be shared with them. Train employees on privacy policies and procedures Comply with any state confidentiality regulations that are more stringent than HIPAA requirements. (HIPAA sets a floor, not a ceiling. ) Special rules for Self-Insured Group Health Plans. For the most part Self-Insured Group Health Plans must implement all of the privacy safeguards that Health Plans are required to implement. Fully Insured employer plans can rely on many of the privacy safeguards implemented by the Health Plan (or Insurer) that they contract with to provide health benefit coverage to their employees. Along with this reliance, special rules exist limiting the amount of information (enrollment data and summary information for the purpose of rate shopping only) that can be disclosed to Fully-Insured Group Health Plans. HIPAA does, however, allow Fully-Insured Group Health Plans to have access to detailed member PHI if they certify that they have met all of the HIPAA Privacy Rule requirements. HPHC history. HPHC has relied on confidentiality policies throughout its history beginning with its inception as a provider of medical care. The key fact of HPHC history as discussed below in the section on questions is that historically many of HPHC s privacy practices have been stricter than those mandated by the HIPAA Privacy Rule. (For those who want more detail, HPHC s confidentiality policies and procedures are revised periodically and posted on HPHC's Intranet site) Questions for the Ethics Advisory Group 2

3 The HIPAA Privacy Rule provides a common floor by mandating standards and definitions that all covered entities are required to follow. The Privacy Core Team sees these standards as excellent guardrails within which to implement solid business practices that protect the privacy of individuals interacting with HPHC and its business partners. HIPAA s Privacy Rule, however, clearly states that these standards are a floor, not a ceiling. More stringent state privacy policies may preempt the rules. Likewise, covered entities may wish to create their own more stringent policies. Historically, HPHC s strongly held position has been that information about members should be shared on a minimum necessary basis even when the entity to which the data is being disclosed has the authority to receive more detail. Whenever possible HPHC has shared only summarized, de-identified data. In a number of cases, HPHC has refused to disclose requests for data without member authorization when in its view doing so would represent an inappropriate disclosure. Additionally, HPHC has been particularly careful with the disclosure of information in categories protected by state mandates such as mental health, HIV status, abortion, genetic testing and sexually transmitted diseases, going so far as to automate the removal of this data from materials that it shares with others unless members give authorization. Shared standards such as those embodied in the HIPAA Privacy Rule simplify the complex US health care system. While development of the Privacy Rule was bureaucratic, slow and cumbersome, the process involved enormous stakeholder participation and the standards reflect a national consensus. HIPAA standards make transactions between covered entities easier and more predictable, and reliable, predictable experiences for our constituents is part of HPHC s Value Proposition. At the same time, HPHC aspires to being the most trusted and respected name in health care. Arguably, its distinctively stringent historical confidentiality practices contribute to enhancing trust. There is a potential conflict, however, between the values of simplification, which points to following HIPAA standards, and enhancing trust, which might point to following HPHC s historically distinctive privacy rules. The Ethics Advisory Group was asked to suggest a framework of values HPHC could use in its decision-making when faced with requests for disclosures of PHI that are permitted (but not obligated) under the HIPAA Privacy Rule but have been historically prohibited under HPHC privacy policy. The following disguised scenarios exemplify situations in which a framework of values would be useful for the Privacy Core Team. 1) Acme Corporation is seeking an exclusive relationship with one of its two current regional health insurance plans. In order to decide on network adequacy, Acme is trying to determine the level of duplication between the two networks and has requested that each plan identify the primary care physician (PCP) for each of its 3

4 enrollees. When HPHC, in accord with its historical privacy policies, proposes giving summary information (a listing of PCPs and the number of Acme Corporation s members each is caring for), Acme declines, saying that it is particularly interested in the PCP choices of a certain subset of their employee population. Acme reports that HPHC s competitor has already agreed to provide the detailed data as requested. The reason for HPHC s historical practice is its belief that identification of a member s PCP could indirectly suggest a condition for which the member was being treated. If Dr. Jones is renowned for skill at HIV treatment and Mr. Smith is listed as one of his patients, this might reasonably be seen as a violation of privacy. 2) Orange Company, a Self-Insured Group Health Plan that contracts with several regional health plans, has certified full compliance with HIPAA regulations. Orange has recently purchased the services of a Data Warehousing vendor that will consolidate its claims data from all its health plans and provide both cost and preventive treatment analyses of this data. The vendor claims that for the analysis to be effective it needs all claims data including data for services related to protected conditions, including mental health, abortion and HIV status. Historically, HPHC would not release information about protected conditions without member authorization. As a HIPAA compliant covered entity, however, Orange and its HIPAA compliant data warehousing business associate contend that under HIPAA regulations they are entitled to this information. 3) HPHC s pharmacy database makes it possible to identify all medications an HPHC member has filled under HPHC insurance. Since patients especially the elderly and those with multiple health conditions often receive prescriptions from many different physicians, there is significant potential for harmful interactions among medications. Improved technology would make it possible for providers to have immediate access to a patient's prescription history via a secure Internet connection. A tool of this kind would help providers manage high-risk patients and highlight contraindications, particularly when prescribing in emergent situations. The HIPAA Privacy Rule allows for sharing of Personal Health Information like medication history with other covered entities involved in the care of the member for purposes of treatment. Enhanced safety of prescribing is clearly an important value. But patients may not want all providers to know about all their medications, and patient preference is also an important value. A full medication list might disclose the existence of a medical condition the patient prefers to keep confidential. And, beyond the issue of medication, patients may not want one provider to know that they are seeing another provider. 4

5 Relevant precedents At its July 30, 1997 meeting, the Ethics Advisory Group considered Confidentiality and Fair Information Practices. The case centered on a request for claims data from the consultant for a large, fully insured account. The data requested would include a unique identifier for each HPHC member/account employee. The EAG was asked to consider how ought HPHC treat the employer s legitimate interest in health information in relation to the member s right to privacy? Larry Gostin, director of the Georgetown and Johns Hopkins University Center for Law and the Public s Health and an expert on health information privacy, was a guest at the meeting. The EAG identified a challenging ethical tension. The employer was seen as having legitimate interests in obtaining information to support decisions about [several important areas, including quality of care, plan design, cost control, audit and fraud and more]. At the same time, members/employees were seen as entitled to a high level of confidentiality. The EAG felt that members might have particular concerns about confidential information going to their employers. The EAG recommended that a task force on confidentiality that HPHC had formed should seek to work proactively with employers to establish principles that will enable both parties to achieve their goals. If we can build common understandings, we can avoid future situations where we face the possibility of turning away requests in ways that are damaging to good business relations. EAG DISCUSSION/RECOMMENDATIONS The three case vignettes presented above in the Questions for the Ethics Advisory Group section anchored the EAG s discussion in the real world/real time issues HPHC Privacy Officer Jack Burke and the Privacy Core Team regularly face. Therefore, although the discussion ranged widely, I have organized the minutes around the three cases, followed by a summary statement of central themes. Case # 1 ( Acme Corporation ). In this case the hypothetical Acme Corporation wanted a list of the primary care physician for each of its employees (by name). It plans to use this list in deciding about the adequacy of the network offered by the insurers it is considering for a sole source (exclusive) contract. Acme explained that it wanted to know not only how many employees were in each primary care physician s practice, but also which physicians had been chosen by influential employees. An insurer whose network did not include an influential employee s PCP would be a difficult to contract with because of the potential negative impact on the employee. While the EAG recognized the practical issues Acme was trying to address in making its decision about which vendor to contract with, the group was decidedly uncomfortable with the idea of releasing the name of each employee s PCP. If the PCP was known for working with AIDS patients, Acme might draw conclusions about an employee s HIV status. If the PCP was an oncologist who also did primary care, Acme might infer that the 5

6 employee had cancer, which could lead to that employee not being given a leadership role out of fear about the individual s health status. And, apart from these considerations, the EAG was uncomfortable about HPHC participating in a process that treated its members/acme s employees in a discriminatory manner the influential employee s PCP relationship would be protected, whereas a lower status employee, who might suffer more from disruption of the PCP tie, would not be given the same consideration. Several EAG members suggested that in cases like this HPHC through its Privacy Officer should interact with Acme in an educative, option-building manner. Acme is a customer, and HPHC needs to understand the purposes that lie behind its request in detail. Perhaps Acme could address its concerns without violating its employees reasonable expectations about privacy. The EAG encouraged dialogue about options and clear statement of HPHC s values with regard to the privacy issues. In discussing the Acme case the group anticipated that in all likelihood exploratory, option-building, educative dialogue would lead to a mutually acceptable outcome, in which Acme would feel that it could address its own internal management concerns in ways that did not violate privacy values. But suppose this outcome were not achievable? One EAG member commented that HPHC s values might require it to say giving the names of each employee s primary care physician would violate something we hold sacred and decline to do it, even if that meant losing Acme s business. Case # 2 (Orange Company). In this case the hypothetical Orange Company, a self insured employer, wants HPHC to release health information including information about protected conditions to its data warehouse vendor, who will perform analyses relevant to cost modeling and preventive interventions. EAG members felt that the values considerations relevant to the Orange Company turned on the presumed facts of the case. The employers who were present indicated that it could reasonably be expected that Orange would maintain an arms length relationship with the data warehouse vendor. Insofar as the information going to the data warehouse would be disguised such that while an individual s conditions and care episodes could be tracked, individuals would themselves not be identifiable, the EAG felt that giving the requested information to the data warehouse was consistent with HPHC s values re privacy. The EAG made a clear distinction between the Acme case and the Orange case. In Acme, sensitive private information would go to the employer in undisguised form. In Orange, sensitive private information would go a) in disguised form b) to a data warehouse with c) a presumed arms length relationship to the employer. Case # 3 (Pharmacy information). This case reflects the potential for deriving real time pharmacy data from the HPHC pharmacy database. Except when patients come to appointments with all of their medications in a paper bag, physicians are dependent on their patients memories in assessing what agents their patients may be taking. The attendant uncertainties and inaccuracies create significant clinical risks. 6

7 The EAG was impressed with the safety and quality promoting potential of making more accurate information about the prescriptions their patients had actually filled available in real time to treating physicians. One EAG member commented, if HPHC is more than a claims processing shop, this is just the kind of information it should provide to the physicians who care for its members. Purchasers commented that using the database to promote quality and safety is exactly the kind of value added activity they look to HPHC to provide. The important values served by improved real time pharmacy information were readily apparent to all. In the context of clearly recognized benefits, HPHC staff asked the EAG to advise about ethical risks. What were the EAG s perspectives on the unhappiness some members might feel about what they perceived to be privacy violations in making their prescription history so readily available. The central observations included the following: The risk of backlash is real. One participant imagined that a member might conclude the only reason HPHC revealed this information about me is to control its costs it s all about money! Others expressed the view that privacy rights could be given too much weight. One participant commented, if we let privacy trump potential clinical benefits, quality improvement and research we will be making a big mistake. Another added that the member who complained that it s all about money could be told that attention to cost control is an ethical responsibility for the health plan, not something to be ashamed of. The discussion pointed to the importance of weighing competing values. How great a risk of violating a member s sense of privacy would the pharmacy program create? How substantial would the benefits be? The EAG did not suggest a specific metric for this process of weighing the competing values, but its consistent view was that as important as privacy is, it is one value among many, not an automatic trump card. The EAG suggested that different program configurations could improve the ratio of potential ethical benefit to potential ethical risk. There was broad support for the idea that drug information should ideally be available to emergency rooms, and that information about potentially dangerous drug interactions should be made available. There was general comfort with drug information being accessible to the member s primary care physician. One participant suggested that if patients don t want their primary care physicians to know what medicines they are taking there is something very wrong with the doctor patient relationship! The group emphasized, however, the vital importance of security measures and audit trails. HIPAA compliance is a necessary but not always sufficient condition for confidence that privacy interests will be protected in accord with HPHC s privacy values. Information such as the full range of prescriptions should only be available to treating clinicians with a reasonable need to know. Members should be told what kinds of information sharing will occur and what kinds of security measures HPHC is applying. Throughout the discussion the EAG recurrently cited transparency as a central value and emphasized the importance of education about its privacy practices. Thus in circumstances like those envisioned in the pharmacy information case, members should 7

8 be told about HPHC s procedures and the values that underlie the actions that HPHC takes. With regard to its interactions with purchasers and vendors like the data warehouse in the Orange case, the EAG supported the kind of dialogue that already occurs between HPHC s Privacy Office and those who request personal health information. Insofar as is consistent with HPHC s strong historical commitment to protecting member privacy, the HIPAA Privacy Rule should be used as the standard. But in specific situations like the Acme case, the EAG felt that if educational, option-building dialogue does not lead to mutually acceptable options, setting a higher standard than the HIPAA Privacy Rule would be an acceptable course of action. Summary 1. With regard to the question of whether HPHC should be open to setting the bar for protecting information at a level higher than that set by the HIPAA Privacy Rule, the EAG endorsed this as a possibility. HIPAA sets excellent standards. Deviating from HIPAA creates the risk of confusing HPHC s constituents and creating additional work for all involved parties, but the EAG accepted the possibility that in specific circumstances (such as the Acme case ), raising the bar might be necessary to protect privacy values. 2. As important as individual privacy is, it is not the only value to be considered in HPHC s information management practices. The EAG encouraged HPHC to identify the specific values at stake in situations like those in the three cases presented today and to weigh the relative importance of those values. There is no simple metric for the weighing process. It is important to track precedents, as these create a body of something like case law, which can increase consistency and predictability. 3. The EAG strongly endorsed educative conversations between HPHC and its key constituents. In cases like Acme and Orange the key constituents are purchasers and their business partners (such as the data warehouse in the Orange case). In the pharmacy information case the key constituents are network providers and members. The value weighing process that the EAG envisioned is ideally done in dialogue among the concerned parties. 4. The EAG thanked Jack Burke and the Privacy Core Team for bringing these important and complex issues to the EAG for discussion. Jim Sabin 8