HIPAA Regulations and Value-Based Care: What Employers Need to Know

Although Medicare and commercial payers have started to reward providers for delivering high-quality, low-cost care, HIPAA regulations that restrict data-sharing have remained largely unchanged since 2013. This presents a barrier for employers who want to coordinate care and play an active role in the industry’s value-based transformation.

Even if employers and providers can ultimately exchange protected health information (PHI) for treatment, is it ethical to do so without informing employees? And could it lead to discrimination based on medical conditions? These questions haven’t been settled yet, but their answers could have far-reaching implications.

How HIPAA Regulations May Hinder Value-Based Transformation

HIPAA — otherwise known as the Health Insurance Portability and Accountability Act of 1996 — is the complex regulation that establishes privacy and security standards for safeguarding PHI. Although its aim is to protect patients, the unintended consequence is that the regulation makes it difficult to share data between health plans and employers. Under HIPAA, covered entities are permitted to share PHI with other covered entities and business associates without having to obtain individual authorization, but only for treatment, payment or operations. For example, a physician can share PHI with a specialist to refer a patient to them or conduct a consultation. A hospital might also share PHI with a care planning company to develop a comprehensive post-acute care plan.

Employers aren’t generally considered covered entities, which means they don’t have access to PHI unless employees permit it. This restriction makes it more difficult to collect information that enriches effective population health management programs. You may already know that some of your employees have diabetes, for instance, but understanding the finer points of employees’ health in terms of blood sugar levels and weight could help you develop targeted interventions to address diabetes and a whole host of other chronic conditions. Under current HIPAA regulations, these types of disclosures don’t happen often, and most of the time, they don’t happen at all.

Value-based transformation requires collaboration among many entities — employers, community-based organizations, social service agencies — not just health care providers and payers. It must also include employers, community-based organizations and social service agencies. If these entities have to obtain explicit patient authorization for each and every disclosure, this could stall the expansion of value-based initiatives.

Addressing Barriers Through Potential Revisions to HIPAA Regulations

The U.S. Office for Civil Rights (OCR) recently published a request for information (RFI) asking for public input on how it can modify HIPAA to remove obstacles to value-based care while also preserving patient privacy. Among the many changes suggested is encouraging covered entities to share PHI with noncovered entities, when needed, to coordinate care and provide health care services. This change would theoretically allow employers to access employee health information for the purposes of population health management. However, the OCR admits many questions remain:

  • Would covered entities receiving requests from employers need or want to set up new administrative processes to confirm the identity of the requester? And what would it cost covered entities to meet these requests?

  • Do the risks associated with disclosing PHI to noncovered entities outweigh the benefits of sharing the PHI?

  • Should a noncovered entity requesting PHI from a covered entity provide a verbal or written assurance that the request is for an accepted purpose?

  • Should the OCR create exceptions or limitations for noncovered entities requesting PHI from a covered entity?

Comments on the RFI were due in February 2019, and the OCR recently published the more than 1,300 public comments it received. Comments were submitted by payers, physicians and patient advocates, among others. Some individuals also submitted comments anonymously. The industry currently awaits additional information from OCR.

In the meantime, employers can use other data-driven strategies to support value-based care. For example, with employee permission, they can collect any health-related data from fitness trackers and other wearables, and then aggregate it through digital wellness platforms to target personalized wellness interventions. They can also simply ask employees themselves for information with biometric screenings and health risk assessments. It’s critical that employers’ intentions for the data be completely transparent. All of that effort adds up to more effective, more personalized wellness.

Achieving positive health outcomes requires clear strategies. The transition to value-based care isn’t always going to be smooth — but removing any obstacles can go a long way.

COVID-19 Resources: Managing Your Business During a Crisis