CONFIDENTIALITY COALITION ACTIVITY

Data breaches and cyberattacks continue to plague the healthcare industry and, given the value of this information on the black market, will continue to do so for the foreseeable future. Significant steps are underway to improve security, including the implementation of the national cybersecurity threat information-sharing legislation passed in December 2015 and continued updates to the National Institute of Standards and Technology (NIST) cybersecurity framework. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) continues to regulate the protection of individuals’ medical information, as well as their right to gain access to that information under the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Recently, HHS has increased efforts to promote the sharing of information, in order to support broader interoperability and consumer uses, such as patient-powered research networks. OCR is engaged in “phase II” of its audit program to review the policies and procedures adopted and employed by HIPAA-covered entities and their business associates. The Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) continue to take a more active role in regulating health information that is not regulated under the auspices of OCR.

The Confidentiality Coalition works to ensure that policymakers strike the right balance between the protection of confidential health information and the information-sharing needed to provide the very best quality of care. The coalition is active with Congress and the administration on policies related to data exchange, privacy, data security, and cybersecurity. Members believe that regulatory clarity is key to securing health information flow and support efforts to create a uniform national privacy standard, based on the HIPAA privacy rule, rather than the inconsistent and conflicting state laws that currently supersede federal regulation.

2017

  • On May 3, the Health Care Industry Cybersecurity Task Force created by the Cybersecurity Information Sharing Act (CISA) in December 2015 reported back to Congress. Recommendations in the report included revising anti-kickback laws to allow organizations to share cyber resources; phasing out old, insecure technologies; building better cybersecurity into medical devices through FDA; better assuring the authenticity of workers, patients, devices and EHRs; considering small- and medium-sized providers who cannot afford technical resources; establishing and implementing good “cybersecurity hygiene” across healthcare; developing educational resources; and ensuring the protection of large data sets.
    • The Confidentiality Coalition was active in the creation of this task force and continues to provide feedback and input when appropriate. Several HLC and coalition members participate as members of the task force. Statutory authority for the task force has expired now that its recommendations have been made to Congress.
  • On May 25, Confidentiality Coalition members were joined by leaders from the office of the Chief Information Security Officer at HHS. The office is adopting a new, public-facing role to assist health organizations in resisting cyberattacks. It aims to be the single point of contact at HHS for cybersecurity.
  • On April 4, HLC and other organizations wrote House and Senate Appropriations Committee leaders, encouraging them to include language in the FY 2018 Labor-HHS appropriations bill explicitly allowing HHS to provide technical assistance to private-sector initiatives promoting patient safety by correctly matching patients with their health information. Similar language was included in a 2017 draft bill, but was not included in the continuing resolution that funded the government.
    • In early May, House and Senate draft appropriations report language included the request of HLC and other organizations to specifically encourage ONC to provide technical assistance to private sector-led initiatives to develop a coordinated national strategy that will promote patient safety by accurately identifying patients with their health information.
  • On April 27, HLC moderated a panel at the annual Datapalooza conference titled “Getting Privacy and Security Right from the Start(up).” Experts from OCR, the FTC, IMS Health, and HLC spoke about educating entrepreneurs on how to protect health information and share it with consumers, all while ensuring the security of the data.
  • On March 16, Confidentiality Coalition members met to hear a presentation from Columbia University Professor Daniel Barth-Jones, Ph.D., M.P.H., a noted expert on health information deidentification under HIPAA. He educated members regarding the risk of reidentifying already deidentified information and refuted ongoing work by other researchers that undermines the HIPAA standard of deidentification.
  • HLC continues to distribute to HHS Secretary Tom Price and Congress its playbook of policy recommendations for the new presidential administration and Congress, including recommendations for the harmonization of health information protection laws and modernization of consent requirements.
  • In March, the Confidentiality Coalition spoke at the annual HIPAA Summit conference, focusing on research and health information flow.
  • HLC continues to work with a coalition of healthcare stakeholders committed to aligning federal confidentiality regulations for substance abuse (42 CFR Part II) with the Health Insurance Portability and Accountability Act (HIPAA) to allow appropriate access to patient information that is essential for providing comprehensive care. The group advocates with Congress and the administration to apply HIPAA standards to a patient’s entire medical record, including addiction records, to ensure that providers and organizations have all the information necessary for safe, effective, high-quality treatment and care coordination.
    • On February 17, stakeholders wrote in response to the Substance Abuse and Mental Health Services Administration’s (SAMHSA) supplemental notice of proposed rulemaking regarding 42 CFR Part II. Members welcomed the administration’s efforts to modernize Part II, but encouraged SAMHSA to further align addiction information with HIPAA.
    • On February 16, an expert from NORC at the University of Chicago presented to Confidentiality Coalition members on the SAMHSA final rule for 42 CFR Part II.
    • HLC and other stakeholders are working with congressional offices on a legislative solution to align this information with HIPAA standards.
  • On January 26, Deven McGraw, deputy director for health information privacy at OCR and acting chief privacy officer for the National Coordinator for Health Information Technology, joined Confidentiality Coalition members to speak about OCR’s plans for 2017. She solicited ideas and feedback from members on regulatory reforms for health privacy that would align with the new administration’s overall goals of reducing regulatory burden.
  • HLC and the Confidentiality Coalition continue to monitor increasing FTC and FCC involvement in healthcare, particularly around data breaches and regulation of non-HIPAA data.
  • The Confidentiality Coalition is convening stakeholders to discuss action on modernizing the Telephone Consumer Protection Act (TCPA) for health organizations. Members believe that the TCPA should allow greater flexibility and regulatory clarity for healthcare organizations to communicate to consumers important health-related information.
  • HLC discussed health information flow and confidentiality issues at in-district meetings HLC held with incoming and returning members of the 115th Congress. These meetings educate incoming members of the 115th Congress about this issue and have allowed us to continue being a resource for those members.

2016

  • HLC produced a playbook of recommendations for the new presidential administration and Congress, including recommendations for the harmonization of health information protection laws and modernization of consent requirements.
  • In November and December, HLC applauded the passage and signing into law of the 21st Century Cures Act. Throughout 2015 and 2016, HLC worked closely with the Senate Health, Education, Labor, and Pensions (HELP) Committee and House Energy and Commerce Committee on drafting and revising this bipartisan law.
  • HLC contributed to and supported a variety of provisions in the law, including a framework for expediting the interoperability of electronic health records and improvements to health information confidentiality rules that will facilitate the flow of data while protecting patient privacy.
  • On December 9, the National Governors Association (NGA) Center for Best Practices released a state interoperability roadmap, detailing steps states can take to increase information flow among healthcare providers. HLC and the Confidentiality Coalition actively encouraged and supported this effort — which could lead to greater harmonization of state health information laws and regulations.
  • NGA will fund implementation of roadmap recommendations in three states – Illinois, Louisiana, and Michigan.
  • On April 21, HLC participated in a roundtable on the issue of interoperability hosted by NGA, during which HLC advocated for consensus among states to mitigate the challenge of many conflicting and burdensome state privacy laws that undermine the delivery of healthcare. These recommendations are reflected in the final roadmap.
  • HLC’s Confidentiality Coalition provided feedback to the Health Care Industry Cybersecurity Task Force created by the Cybersecurity Information Sharing Act (CISA). The comments addressed top cybersecurity risks and concerns, best practices, gaps and challenges for health information sharing, and needed efforts to prepare the healthcare industry.
    • On November 17, HLC’s Confidentiality Coalition met with the FTC to discuss the agency’s ongoing activity in the healthcare arena. The FTC has been particularly active in monitoring wearable devices and other non-HIPAA health data sources. HLC and the Confidentiality Coalition continue to monitor increasing FTC involvement in
  • The coalition monitors federal cybersecurity activities after having convened major healthcare organizations and playing a key role in the enactment of CISA. HLC has emphasized the importance of avoiding duplicate or conflicting privacy and security rules with efforts already underway in the health sector.
    • In March, the coalition successfully assisted several HLC members with nominations to the task force.
  • On October 4, HLC co-led a letter to House Appropriations Committee leaders thanking them for the inclusion of language enabling HHS to provide technical assistance to private-sector initiatives promoting patient safety by correctly matching patients with their health information. Nearly two dozen healthcare organizations joined, including key trade associations.
  • On September 30, HLC submitted a statement for the record in connection with the House Energy and Commerce Subcommittee on Communications and Technology hearing on “Modernizing the Telephone Consumer Protection Act (TCPA).” The letter recommended that Congress amend TCPA to allow greater flexibility and regulatory clarity for healthcare organizations to communicate with patients.
  • In September, HLC was joined by Office of the National Coordinator for HIT Chief Privacy Officer Lucia Savage to discuss the agency’s recent privacy-related work. Of particular note was the July report, “Examining Oversight of the Privacy and Security of Health Data Collected by Entities Not Regulated by HIPAA.” This report is intended to be a clear and detailed analysis of the regulatory structure for health data not covered by HIPAA. The report does not provide recommendations for legislative or regulatory action, but does identify perceived gaps in the regulation of health information privacy and security.
  • HLC published a compendium of private sector innovation efforts led by HLC members, including initiatives relating to confidentiality and security.
  • HLC discussed confidentiality issues in many of the 81 meetings held with Congressional candidates. These meetings educate incoming members of the 115th Congress about this issue.
  • HLC continues to work with a coalition of healthcare stakeholders committed to aligning federal confidentiality regulations for substance abuse (42 CFR Part 2) with HIPAA to allow appropriate access to patient information that is essential for providing comprehensive care. The group advocates with Congress to allow access to a patient’s entire medical record, including addiction records, to ensure that providers and organizations have all the information necessary for safe, effective, high-quality treatment and care coordination that addresses all of a patient’s health needs.
  • On August 4, HLC’s Confidentiality Coalition was joined by an expert from OCR, who spoke about the agency’s recent ransomware guidance, as well as OCR’s regulatory approach to ransomware attacks. The guidance, published last summer, describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role of HIPAA-covered entities and business associates in preventing and recovering from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.
  • Throughout 2016, HLC worked closely with the Senate Health, Education, Labor, and Pensions (HELP) Committee on revising its bipartisan draft legislation to improve health information technology and medical innovation. The Confidentiality Coalition regularly educates regarding key health privacy issues at conferences, such as the “National HIPAA Summit” and the “Privacy and Security Forum.”
    • HLC has successfully driven changes on health information privacy provisions, including provisions on privacy and deidentification of genetic information, and the accounting of disclosures and data segmentation provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • In July, the Confidentiality Coalition held its annual “HIPAA 101” congressional briefing, joined by experts from Medtronic and IMS Health. Speakers discussed the HIPAA privacy rule, security rule, cybersecurity, and other topics.  The event had record congressional staff turnout and discussed important issues, such as data breaches, ransomware, and the sharing of information across state lines.
  • On May 10, HLC President Mary R. Grealy moderated a panel of ONC executive staff at the annual Health Datapalooza conference. ONC efforts to address a number of HLC and consumer priorities related to privacy and the use of HIT were discussed.
  • On April 21, HLC participated in a roundtable hosted by the National Governors Association, “Getting the Right Information, to the Right Health Care Providers, at the Right Time – How States Can Improve Data Flow.” During this event, HLC advocated for consensus among states to mitigate the challenge of many conflicting and burdensome state privacy laws that undermine the delivery of healthcare. NGA plans to issue a state-level “interoperability roadmap” this summer.
  • In April, the Confidentiality Coalition was joined by leaders from the HHS OCR for a discussion of ongoing OCR activity in health privacy. In addition to HIPAA enforcement, patient access, and the ongoing audit program, OCR also spoke with the coalition about its work on the White House Precision Medicine Initiative Privacy and Trust Framework and ongoing work on the security framework for the initiative.
  • In April, HLC’s Confidentiality Coalition commented on the Substance Abuse and Mental Health Services Administration’s (SAMHSA) Notice of Proposed Rulemaking on the “Confidentiality of Substance Use Disorder Patient Records.” The comments commended SAMHSA for its effort to create an additional patient consent pathway for providers involved in the consenting patient’s care. The comments also expressed concerns that the proposal may remain too restrictive and may still lead to barriers in the integration of substance use disorder treatment records into health information exchanges, accountable care organizations, or clinically integrated networks.
  • On March 22, HLC Executive Committee member Neil de Crescenzo of Change Healthcare testified before two House Oversight and Government Reform subcommittees on “Opportunities and Challenges in Advancing Health Information Technology.” Highlighted were some of the recommendations of HLC’s NDHI report, including challenges with burdensome and conflicting state privacy laws and the need for greater federal leadership on patient matching efforts.
  • In February, HLC publicly launched its NDHI report, VIable Solutions: Six Steps to Transform Healthcare Now. The NDHI initiative convened senior leaders from all healthcare sectors and engaged patient groups to develop the recommendations over a period of several months, following a national summit on innovation and value in 2015. Several of the report recommendations focused on challenges related to health information privacy.  Specifically, the report identified support for patient matching/patient identifiers, harmonizing legal requirements for research, greater government data sharing, and efforts to harmonize overly burdensome and conflicting state privacy laws.
  • In January, the Confidentiality Coalition commented on the Notice of Proposed Rulemaking on Federal Policy for the Protection of Human Subjects. The coalition commended HHS proposals designed to streamline and improve the internal review board process, while expressing concerns that certain consent proposals would lead to confusion and may delay research studies.
