On December 14, 2018, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) published a Request for Information (RFI) about ways to modify the HIPAA Privacy and Security Rules to promote the transition of the health care industry to a value-based Medicare payment model and improve care coordination for patients. See “Request for Information on Modifying HIPAA Rules to Improve Coordinated Care,” 83 FR 64302 Page:64302-64310. OCR will accept responses to the RFI until February 12, 2019.
OCR seeks information about four broad topics, but also welcomes information about other aspects of the HIPAA Privacy and Security Rules that may have proven burdensome or ineffective for HIPAA Covered Entities (e.g. health care providers that transmit data electronically in connection with a HIPAA standard financial or administrative transaction, health plans, and health care clearinghouses). The specific topics are:
- Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, or require covered entities to disclose PHI to other covered entities. OCR is interested in industry experience with the individual’s right of access, the minimum necessary rule, the role of health care clearinghouses and other business associates in information sharing, and whether information sharing should extend to social services agencies assisting patients in addressing the social determinants of health.
- Encouraging covered entities, particularly providers, to share treatment information with parents of minor children and with parents, loved ones and caregivers of adults facing health emergencies, particularly opioid use disorder and serious mental illness.
- Implementing the HITECH Act requirement to account for disclosures for treatment, payment, and health care operations from an electronic health record. OCR is particularly interested in the capacity of EHRs to produce this information, what information would be useful to patients, and what the role of business associates should be in generating these accountings. OCR seeks to avoid the burdens upon the industry contained in its 2010 Notice of Proposed Rulemaking on this subject, which it now officially withdraws.
- Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices (NPP). OCR additionally seeks information about the content and utility of the NPP, including its model NPP.
One area that HIPAA Covered Entities may wish to raise with OCR is pre-emption of state law. As currently structured, HIPAA establishes a minimum floor of privacy protection, but states can enforce stricter standards. It is often difficult to determine whether a state privacy law or HIPAA controls. This is a particular problem with mental health, HIV/AIDs, and genetic information which often receives heightened protection via state laws. OCR could significantly decrease the burden on Covered Entities by clarifying pre-emption in a more robust way than is presently available in its regulations or secondary guidance.
Whatever your concerns about the HIPAA Privacy or Security Rule, do not miss your chance to make them known to OCR. They appear ready to entertain all suggestions to reduce burden while still protecting individual privacy and security.