Stuck on Stupid: The FINAL 2021 Privacy & Purported Experts

In February 2022 our webinar had over 250 of your colleagues participate. It was 1.5 hours long and not a single attendee complained that they did not get value from it. Quite the contrary. You can find a link to the webinar at the bottom of this article.

We discussed the enterprise implications of the proposed Privacy Rule (“Rule”) and how the healthcare industry, writ large, had little knowledge of the unintended consequences that the massively disruptive expansion of a patient’s right to access and inspect PHI may cause (giving OCR the benefit of the doubt that they are unintended). All of these are contained in §164.524. There are changes to other parts of the Rule, namely: §164.502; §164.506; §164.510; §164.512; §164.514; §164.520; §164.524 (monstrous); and §164.525 (new). Apart from §164.524, the other sections contain relatively minor changes that are Provider (read Covered Entity) friendly.

Our webinar focused on the three most insidious and disruptive rights found in §164.524. These are the ones that are most likely to lead to civil monetary penalties (“CMPs”) and OCR Audits if mismanaged by front office point of care (“POC”) staff.

  1. The right to inspect at the time of appointment (“TOA”) and the point of care (“POC”), which enables patients to enter your facility “to view, create videos, take photographs and use other resources.”
  2. The right to enter your facility to inspect at a “convenient time and place” (“CP&T”) (e.g., OCR uses the example of a medical records facility) to perform the same actions described above.
  3. The reduced time to provide patients access to their PHI. This right otherwise works like the old Rule, except that the response period is cut in half, from thirty (30) to fifteen (15) days, with the extension remaining intact.

There are other expansive rights contained within this section, but they are mostly business-to-business transactions and only indirectly touch the patient (e.g., a patient may now direct a consumer company like Fitbit to request all electronically stored PHI from a provider, and the provider is mandated to disclose it).

After the passage of the HITECH Act over a decade ago, and the final Omnibus Rule (circa 2013), all the attention turned to the HIPAA Security Rule, and rightfully so, because of the implications of the Breach Notification Rule that was promulgated and revised at approximately the same time. So once again the HIPAA Privacy Rule, like similar privacy rules (GDPR, CCPA, 42 CFR Part 2, etc.), resumed its status as one of a growing number of “red-headed stepchildren” of privacy legislation. It should be self-evident that until recently, despite all the fanfare, U.S. courts and government agencies have been timid in their enforcement of these rules, and the tide is only slowly changing.

However, this time, in part because OCR appears to have a high degree of interest in underpinning the Health Plans’ initiative to transform the U.S. healthcare system from one of sickness to wellness (more than likely it was COVID that made the Plans finally begin to see the light), it has proposed, but has not yet promulgated, a 2021 Privacy Rule that is massively disruptive, with the focus being on patients’ expanded rights to access and inspect PHI. OCR expressly states in its NPRM that it believes that better-educated patients will lead to better health outcomes, and this again supports the Plans’ massive investments in care coordinators, care managers, and what we call a MEGA EHR (i.e., one that can collect PHI via an HL7 API which can receive medical data from all of the patient’s providers). Care coordinators and managers cannot be effective in their jobs if they only have partial PHI for a patient.

The proposed changes to the Rule are qualitatively different from those imposed on the HIPAA Security Rule because of Breach Notification concerns (i.e., after the Omnibus Rule, circa 2013). The Security Rule, as non-trivial as it is, is essentially information technology (“IT”) 101. There were Workforce members within your staff, and tens of thousands of qualified individuals working for managed services providers, technology consulting companies, and independent contractors, who had the requisite skillset to help; not to mention all the outsourced technical talent that U.S. companies now have access to.

The changes to the Privacy Rule are not technology centric. Certainly, enabling technology can contribute to the solution, but compared to the healthcare process and legal issues implicated by the mandated changes in the Rule, enabling technology’s role pales by comparison. For example, when developing our Enterprise MVPs™ in preparation for the new Rule’s promulgation, we spent hundreds of hours making process/legal recommendations that met the NPRM’s Balancing Act Standard. We paraphrase the standard as a continuum along which process/legal decisions must be made within the legal space that spans “what is reasonable and appropriate to the patient and not overly disruptive to a provider’s practice/operations.”

First, you are not going to find anything named the Balancing Act Standard within the 2021 Privacy Rule NPRM. Neither are you going to find it paraphrased the way we have done in the preceding paragraph. We inferred this standard by scouring the NPRM for what little guidance OCR had to offer. We did the same thing for the other legal standards that we identified within the Rule: (1) the EHR Is Readily Available Standard; (2) the Impeding a Patient’s Expanded Rights Is “Willful Neglect” Standard; (3) the Right to Inspect at TOA Cannot Be Denied Standard; (4) the Scope of Patient PHI Requested Cannot Be Controverted Standard; and finally (5) the Physical Space Must Be Configured to Prevent Breaches of PHI During Patient Review Standard. These are all covered exhaustively in our Enterprise MVPs™.

Any organization required to comply with the Rule is going to require the advice of counsel to assist them with this effort. 3LP’s CEO is a licensed attorney who has litigated intellectual property and other issues in federal courts across the U.S., focused on “all things Internet.” However, from a transactional perspective, and as CEO of 3LP, he focuses on Privacy & Security and helps practitioners comply at the most compelling price point possible. The legal recommendations contained in 3LP’s Enterprise MVPs™ emanated from having spent the last decade educating thousands of stakeholders on privacy, security, breach, and ransomware issues through free webinars and newsletters, and from making significant contributions to the lexicon of agile compliance such as the Compliance Equation® and the Compliance Manifesto®.

A quick anecdote about attorneys in Silicon Valley. The VCs and the entrepreneurs only bring the attorneys into the room once the deal is done and the financials have been worked out. They are brought into the room to review the term sheets, dot the i’s and cross the t’s. Why? Because attorneys are often viewed as deal-killers. Law schools teach us to be risk-averse and to attempt to eliminate or mitigate all possible risks; the real world teaches us other lessons. Be that as it may, those law school habits linger. You can’t eliminate all risks, because that would be a deal killer. You can’t even mitigate all possible risks. Capitalism, after all, is based on risk-taking.

A quick anecdote on doctors turned healthcare executives (most healthcare executives come from the physician ranks, as far as I can tell). We once had a Chief Medical Officer (“CMO”), who was also the Chief Compliance Officer, at a major hospital in the Tampa Bay area. He told us that he would rather go to prison or practice in Mexico than comply with HIPAA. This was in a room filled with his direct reports, who numbered about 10. Further, this was just after the HITECH Act had become law in 2009. Now, this wasn’t some “grumpy old doc” on his way out the door. The CMO was approximately in his mid-forties and appeared by all accounts to be a rising star, given his command of the room. Now, over a decade later, perhaps his attitude has changed, but this happened not that long ago, and the healthcare pecking order where physicians rule the roost has not changed all that much.

What does this have to do with the new Rule? Counsel, if they do not have a fundamental understanding of the healthcare industry, and especially of what goes on at the POC, may be inclined to favor the patient more than the provider under the Balancing Act Standard, causing too much disruption to a provider’s operations. The process we went through, iterating through hundreds of use cases, was in part due to the fact that the legal and business decisions are so intertwined that a change in one affects the other, and vice versa.

Getting the Balancing Act Standard and the remaining standards identified above right proved to be a monumental task. The decisions are captured in our Enterprise MVPs™ and reflected in our SwimLane diagrams, a depiction of one of which follows:

Each lane/box combination has explanatory prose captured in our Enterprise MVPs™, along with the legal/process recommendations contained therein.

Of course, the opposite problem, an executive overriding counsel, could just as likely occur. From our perspective, this is the single largest POC business model change that has occurred in the healthcare industry since the end of WWII. You may have a “Type A” healthcare executive who believes he or she knows the industry, and the law, better than counsel, and who therefore makes enterprise process recommendations that increase the likelihood of liability instead of reducing it.

Given decisions of this magnitude, it is likely to take months just to gather the right team and appropriately frame the problem, and that is when the push and pull will start. Finally, because 3LP believes that this is the first significant business model challenge the healthcare industry has undergone since the end of WWII, there are few healthcare executives with expertise in leading this kind of enterprise-wide change. The real enemy here is time. After the new Rule is promulgated, it will become effective 60 days hence. After it becomes effective, covered entities will have 180 days to comply. That’s a very short period in which to define the requirements for an enterprise-wide project and to execute, especially where many of the requirements have legal implications.

Over the last decade we have grown our subscriber base significantly, and thousands have purchased individual products. We attribute most of that to our ability to rapidly innovate, using a combination of legal, healthcare, and technology expertise, in ways our competitors can’t. We also attribute it to our willingness to be brutally honest and transparent with our audience (e.g., in our webinars, newsletters, and other communications) in ways others won’t or can’t, thereby acquiring a degree of authenticity that we believe is unmatched by competitors both large and small.

The silence from our competitors on the massively disruptive nature of the proposed Rule is deafening. From a review of their websites, they have absolutely nothing to say on the topic that we could find. Frankly, we don’t find that surprising. They are still stuck on stupid with the HIPAA Security Rule, which is not passé, considering the importance of protecting PHI and other critical infrastructure, but is not where the greater part of the liability is going to lie going forward.

They consist mostly of professional services organizations posing as product companies. We have attempted, as a pure product play, to put the professional services in the box. However, because of the disruption almost certain to be caused by the new Rule, we have developed a three-week (elapsed time; fewer than that in billable hours) engagement to help some of our customers get Jump Started with this new initiative.

Finally, as is self-evident from this article, we are not constrained by any social mores mandating that it is verboten to shamelessly plug one’s offerings while at the same time communicating value add to the market. For some odd reason, although the healthcare and legal industries both engage in more marketing and sales effort than most, their practitioners often take offense when a vendor does it openly, because the former are “professions” and not businesses. To say that this sort of attitude is hypocritical would be an understatement.

This is especially true now that HHS/OCR is placing patients at the center of the healthcare universe from a consumer perspective. Transforming the healthcare industry into a consumer industry (e.g., transparent pricing) is the real challenge, however laudable it is, and however much we agree with the Plans’ attempt to transform the industry from sickness to wellness. Consumers, as perverse as this may sound, have historically been left out of the healthcare industry’s “business considerations” (i.e., as opposed to “patient care,” which is clearly its mission). Why? Because patients did not, and still do not, pay the bills. There are only two payers: (1) the Plans; and (2) government (federal, state, and local).