Population health is all the rage in health care these days.  The industry consensus is that it will not be possible to contain health care costs, and improve quality, without the ability to capture data from health care providers' records and analyze it to determine whether providers are adhering to clinical practice guidelines or meeting benchmarks, and to track patients across the continuum of care.  However, individually identifiable patient information cannot be disclosed to a central repository without assuring that this disclosure is permitted under HIPAA.

HIPAA permits the use and disclosure of protected health information (PHI) without express patient authorization for the purposes of treatment, payment and health care operations.  The HIPAA Privacy Rule defines "health care operations" as including quality assessment and improvement, including outcomes evaluation and development of clinical guidelines; population-based activities related to improving health or reducing health care costs; and care coordination.  Sounds like what the data repository will be used for.  However, that's not the end of the inquiry.  The Privacy Rule permits one provider to disclose PHI to a second provider (or other HIPAA-covered entity, like a health plan) only if both have a relationship with the patient, or both are part of an Organized Health Care Arrangement (OHCA).

OK, so what's an OHCA?  The HIPAA Privacy Rule defines this as either:

  • a clinically integrated care setting in which individuals typically receive health care from more than one health care provider; or
  • an organized system of health care in which the participating HIPAA-covered entities hold themselves out to the public as participating in a joint arrangement, and participate in joint activities such as utilization review, quality assessment and improvement, or payment if the participants share financial risk.

I don't know if the authors of the HIPAA Privacy Rule had this in mind, but the concept of "clinical integration" has a long history under the antitrust laws.  Why antitrust?  Because networks of health care providers may include parties who are economic competitors (e.g., independent physicians or physician groups who compete, and hospitals or hospital systems which compete with each other for managed care contracts).  Collaboration among competitors can lead to price fixing.  So, these horizontal arrangements are generally illegal unless the participants are either financially integrated (e.g., they are all at risk, like members of an IPA contracting with an HMO) or clinically integrated.  If participating physicians are actively engaged in collaborative clinical activities, such as developing clinical practice guidelines and physician performance measures, conducting peer review, and implementing quality improvement initiatives, then the benefits of the arrangement for improving quality and efficiency will outweigh threats to competition.

So, population health activities using a repository drawn from individual patient records can be permitted under HIPAA if the participating health care providers are part of a clinically integrated health care arrangement.  For more on this, read the whitepaper recently published by the Office for Civil Rights and the Office of the National Coordinator for Health Information Technology.