Cybersecurity and Data Privacy: New State Guidance Released on Health Care Privacy and Data Sharing

May 31, 2017

On May 11, 2017, the New York State Department of Health ("DOH") issued a new guidance statement ("Guidance Statement") about privacy protections and permissible data sharing under the Health Insurance Portability and Accountability Act ("HIPAA") and other applicable federal and state laws. While addressed explicitly to the extensive data sharing underway in New York State to implement the Delivery System Redesign Incentive Payment Program ("DSRIP"), the Guidance Statement has implications for data sharing outside DSRIP as providers across the State seek to meet incentives for value-based payment established by private payers and Medicare.

In general, the Guidance Statement provides a less restrictive interpretation of federal and state law than draft guidance issued by DOH in January 2017. However, the Guidance Statement is both more restrictive and more permissive of data exchange than applicable federal and state laws and regulations in some instances. Notably, at the outset, the Guidance Statement acknowledges that it is for information purposes, and is not intended as legal advice. As health care providers and plans develop policies and agreements to structure data sharing, it will be important to recognize that the Guidance Statement does not override applicable federal and state law or regulation.

Applying HIPAA. The Guidance Statement notes that health care providers and plans can disclose protected health information ("PHI") without a written authorization by the patient or legally authorized representative for the purpose of "treatment, payment, or operations." As defined by HIPAA, "health care operations" encompasses many of the activities carried out for DSRIP and emerging new care delivery models, including care management and coordination, quality assessment and improvement, and population health activities to reduce cost and improve care delivery. Providers participating in DSRIP can therefore share PHI with the lead entity of a Performing Provider System ("PPS Lead") to carry out DSRIP projects and to receive payment for their participation, consistent with the minimum necessary rule of HIPAA. Notably, the Guidance Statement provides that agreements between participating providers and PPS Leads should specify the disclosures of health information required by participating providers to receive DSRIP payments.

Substance Use Disorder Treatment Information—Part 2. Information that identifies an individual as a recipient of treatment for a substance use disorder by a health care provider that receives federal funding to provide the services and holds itself out to the public as providing such services ("SUD Provider") is governed by federal statute and regulations ("Part 2"). In general, Part 2 requirements are far more restrictive of disclosure than HIPAA, both for initial disclosure of the information and for re-disclosure. Although amended earlier this year to facilitate data exchange, the Part 2 regulations remain highly prescriptive, with limited exceptions for data sharing in the absence of a written authorization. The Guidance Statement advises that, in general, an SUD Provider must obtain consent to disclose information about substance abuse treatment to other providers or to a PPS Lead, in the absence of an emergency. An SUD Provider may also disclose the information without consent to an organization that provides services to the SUD Provider if the parties have entered into an agreement for services, designating the data recipient as a "Qualified Service Organization" ("QSO") and committing the data recipient to comply with Part 2 restrictions on data sharing. For example, an SUD Provider in a PPS could designate the PPS Lead as a QSO, if the PPS Lead is providing services such as data analytics. Re-disclosure of the information by health care providers, a PPS Lead, a health plan, or any other recipient of Part 2 data or information is subject to the same limitations as initial disclosure.

HIV Information. Article 27-F of the New York State Public Health Law provides specific protections for HIV-related information ("HIV Information"). As recognized in the Guidance Statement, Article 27-F permits providers to share HIV Information with third party payers or their agents without consent. PPS Leads are encompassed as payers for purposes of DSRIP payment, allowing providers to share HIV Information without consent for payment for project milestones and population-based metrics. The Guidance Statement also advises that health care providers may share HIV Information without consent with a contractor if the parties have entered into a Business Associate Agreement that complies with HIPAA. However, it is not clear if DOH intends this broad interpretation, which is not consistent with the restrictions on disclosure set forth in Article 27-F, to apply outside the context of Medicaid. Medicaid patients consent to data sharing for purposes of treatment, payment and operations at the time they enroll in Medicaid.

Exchanging Mental Health Information. New York State law also imposes special restrictions on data generated or held by facilities licensed or operated by the Office of Mental Health ("OMH"). The Guidance Statement notes that while consent is generally required, such mental health providers can share mental health information for purposes of payment and care coordination with other organizations licensed by OMH and DOH, including health homes, managed care organizations, and PPS Leads. Providers and PPS Leads that receive the protected mental health information may not re-disclose the information without meeting the requirements for initial disclosure.

Complying with Department of Education Professional Practice Standards. The New York State Education Law Section 6530(23) defines professional misconduct to include the disclosure of patient information without consent, unless the disclosure is permitted or authorized by law. In its draft guidance statement, DOH set forth a remarkably restrictive interpretation of Section 6530(23), stating that it requires licensed health care providers to seek consent in all instances to share medical information, without recognizing any exceptions. Since HIPAA defers to state laws that are more protective of the privacy of medical information, this interpretation effectively overrode the exception to consent for "treatment, payment and operations" under HIPAA as well as numerous exceptions under other federal and state laws that allow disclosure of health information without consent in a medical emergency or for public health or other purposes.

In the Guidance Statement, DOH sent a mixed signal on how it interprets Section 6530(23). A section labeled "Expanded Guidance" states that health care providers must seek consent to disclose clinical data to third parties "who are not contractors under the basic ethical rule of provider-patient confidentiality" codified in Section 6530(23). While less restrictive than the draft guidance statement, this interpretation is still not broad enough to encompass other exceptions to consent authorized by state and federal law and essential to medical practice, such as the provision of information in a medical emergency or as needed for treatment, even if health care providers do not have a contractual relationship with one another. In a later section of the Guidance Statement referred to as "References," DOH returned to the opinion it offered in the draft guidance that Education Law Section 6530(23) "requires some form of consent to reveal personally identifiable information," although DOH concluded by stating that, "At a minimum, the patient must have knowledge that the patient’s chosen health care provider is making the disclosure." DOH did not provide further guidance about how providers should fulfill that obligation.

For further information about the Guidance Statement and applicable federal and state privacy laws, contact Tracy E. Miller, Deputy Chair, Health Care Practice and Co-Chair, Cybersecurity and Data Privacy Practice.