One reader questioned whether reporting CQMs using the Physician Quality Reporting System and reporting patient level data in the Quality Reporting Data Architecture (QRDA) format would require sending protected health information to CMS in violation of the HIPAA Privacy Rule.
The QRDA format does require some identifying information.
However, Paula Stannard, a health care attorney at Alston & Bird in Washington, D.C., and a former HHS deputy general counsel and acting general counsel, doesn’t believe such reporting of CQMs that include PHI would be a violation of the Privacy Rule. She indicates it is likely that such reporting would fall under the Privacy Rule’s permission in 45 CFR § 164.512(d) for disclosures of PHI to health oversight agencies.
Here are some facts Stannard highlights in support of this conclusion:
- The Privacy Rule permits a covered entity to disclose PHI to a “health oversight agency” for “oversight activities authorized by law.” 45 CFR § 164.512(d)(1).
- “Oversight activities” include audits, investigations, inspections, disciplinary action, court or administrative proceedings and other activities needed to oversee entities participating in regulated programs for which health information is necessary to verify compliance with program standards. 45 CFR § 164.512(d)(1) &(d)(1)(iii). The requirement of submitting CQMs to CMS as part of the demonstration of meaningful use in the Medicare meaningful use incentive program would fit the definition of “oversight activities authorized by law.”
- CMS, which administers the Medicare meaningful use incentive program, is clearly a health oversight agency. The Privacy Rule defines a health oversight agency to include entities “authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.” 45 CFR § 164.501.
Stannard notes that the HHS Office of the National Coordinator for Health IT (ONC) issued an FAQ in December 2013 stating that ONC Authorized Certification Bodies (ONC-ACBs) are health oversight agencies and, thus, that covered health care providers are permitted under the Privacy Rule to allow ONC-ACBs to conduct “in the field” surveillance on an EHR technology previously certified by the ONC-ACB where PHI may be accessible to the ONC-ACB during the surveillance. See #45 Question [12-13-045-1].
So, providers have some grounds to believe they are not violating HIPAA regulations by complying with meaningful use requirements for reporting.
