January/February 2020
HIPAA Challenges: SDoH Raise Interesting Privacy Questions
By Hants Williams, PhD, RN
For The Record
Vol. 32 No. 1 P. 28
Industry discussions related to social determinants of health (SDoH) have moved to center stage as health care stakeholders recognize the impact these nonclinical factors have on clinical outcomes and costs. SDoH are providing new insights into environmental influences that can hinder or promote a patient’s ability to follow through with care plans and make healthful lifestyle choices.
The opportunity is not lost on the industry. Both government and private payers have launched initiatives aimed at addressing social barriers to health. For example, Project Link was initiated by America’s Health Insurance Plans earlier this year to advance the use of SDoH in payer care management strategies. In addition, Medicare and Medicaid are both expanding coverage to address SDoH.
As movements to prioritize SDoH advance rapidly, one critical area that the industry has not adequately addressed is how this information fits into the realm of patient privacy. This leaves the interpretation of whether SDoH are defined as protected health information (PHI) up to individual stakeholders, which are already challenged with working with social service agencies and other community groups to help patients access the services they need.
It’s one reason why groups such as the National Alliance to Impact the Social Determinants of Health have requested guidance and clarification from the Office for Civil Rights (OCR). Following a recent request from OCR for comments on how HIPAA could better promote value-based care and the specific question of whether HIPAA should be modified to clarify the scope of disclosing PHI to community-based support programs, the organization noted: “While our recommendation is not to make fundamental changes to the HIPAA Rules, we do encourage OCR to provide clarity on what is currently allowed under the law with respect to sharing information with noncovered entities. Specifically, we would suggest OCR release clarifying guidance and/or facilitate greater education on what specifically the law allows.
“Providing greater education to stakeholders regarding the provisions of the HIPAA Rules will help covered entities, social service agencies, and community support programs avoid any misinterpretation or misapplication of the law and allow all stakeholders and individuals to utilize, and benefit from, the broad applicability permitted under the law.”
How Do SDoH Factor Into the PHI Equation?
Many organizations are taking steps to expand the use of SDoH data, whether it is partnering with pharmacies to offer health screenings or working with local food pantries to provide nutritious and reliable meals. For example, Humana set a goal to make the communities it serves 20% healthier by 2020 in part by addressing food insecurity—a primary barrier to health across many of its member regions. The organization partnered with Feeding South Florida and Continucare medical centers to help launch a food insecurity and referral pilot program that is open to all patients regardless of insurance coverage.
The reality is that SDoH cover a broad range of information—everything from socioeconomic status, education, and employment to cognitive ability and access to reliable transportation and medical care. On the macro level, consider industry stakeholders’ use of zip codes to understand how SDoH can impact health. In Chicago, babies born on one part of the Transit Authority’s Green Line face a 16-year difference in life expectancy compared with those born in other zip codes on nearby parts of the line. On an individual member level, a health plan may identify a patient with diabetes living in a low-income area without access to reliable transportation and intervene to improve the situation.
While this sort of analysis can help inform strategies for improving population health, the question is: What happens when SDoH information is paired with individual health data?
When HIPAA was originally enacted, the industry was not working within the electronic framework of EHRs and cloud-based technologies that enable rapid transmission of data across networks. Revisions to the rule in recent years have addressed the need for protecting PHI across electronic lines, but it has not evolved to clearly define how emerging forms of nontraditional data used in care delivery can be shared with other vendors and community resources. As such, the vast scope of SDoH is not adequately covered by the 18 identifiers that compose HIPAA’s definition of PHI.
Consider, for example, a region that has been identified as a “food desert” or a community with low high school pass rates. Once these identifiers are attached to a person’s health record, are they protected? Equally important is the question of how payers and providers collaborate with social service agencies to improve patient health while safeguarding PHI.
Need for Oversight
Fundamentally, defining the scope and boundaries of how SDoH factor into the PHI equation will require federal intervention. Oversight of how nonclinical and nontraditional data are protected is not something that health plans and providers are likely to take up on their own in terms of self-regulation. It will necessitate that the industry come together with input from all stakeholders—including the HIT vendor community—to determine the best way forward to both protect and help patients.
As industry discussions evolve, one important first step will be to garner an understanding of what SDoH are truly relevant to care management and better decision making. The buzz around social determinants is still new, but as more evidence emerges in terms of how stakeholders are extracting significant value from SDoH initiatives, the industry will be better positioned to narrow and define the factors that truly move the needle on outcomes.
HIT vendors—especially those operating in the care management and population health space—are wise to start discussions of their own in terms of capturing SDoH and potentially addressing the data as PHI going forward. Most solutions are built around capturing structured diagnostic and procedure codes such as ICD-10 and CPT, but that paints only a sliver—20%—of the patient story as it relates to overall health.
New Z codes introduced through ICD-10 are a step in the right direction. These codes identify several SDoH factors related to potential health hazards in socioeconomic and psychosocial circumstances. Yet, they are limited in what they address, and the reimbursement criteria remains unclear, making it difficult to implement them.
The ability to pair that information with an understanding of a person’s environment, financial status, or access to care will become increasingly important as the industry continues its shift to whole-person, patient-centered care. For example, VirtualHealth currently partners with Aunt Bertha, an SDoH referral platform, to support SDoH functionality in its HELIOS care management platform. This collaboration enables care managers to find publicly available resources for members. The idea is to proactively lay the groundwork to ensure members’ SDoH information is protected even though HIPAA has not laid out processes and regulation for bringing those data into an EHR and subsequently sharing them with other health care entities.
In addition, clinicians will increasingly be asked to consider SDoH as part of care planning. Because physicians, nurses, and allied health professionals have not traditionally been trained to work with this information, education will become critical. These professionals’ expertise revolves around human physiology and pharmacology, not how to help someone manage his or her finances. They will need to understand how to engage with this information as part of patient encounters and when dealing with it in EHRs.
The health care industry is wise to invest resources into learning more about SDoH and how they can significantly improve costs and outcomes. However, in tandem with these efforts, stakeholders must also consider how emerging forms of nonclinical data will be protected and covered under HIPAA, as well as the far-reaching impact these decisions will have on processes and systems.
— Hants Williams, PhD, RN, is director of clinical operations at VirtualHealth.