On December 14, 2018, the Office for Civil Rights (OCR) published a Request for Information (RFI) that seeks public input on how the agency might modify the HIPAA Privacy, Security and Breach Notification Rules to improve care coordination and reduce regulatory burdens.

OCR is accepting comments on all aspects of the HIPAA Rules but requests information on five specific areas:

(1) Information sharing for care coordination and case management;

(2) Parental/caregiver involvement in care in connection with the opioid crisis;

(3) Parental/caregiver involvement in care in connection with severe mental illness;

(4) Accountings of disclosures; and

(5) Notice of Privacy Practices.

Overall, the agency put forth over 50 specific questions to the public for input on these topics.

OCR’s commentary and questions in the RFI reveal some notable insights. For example, OCR’s questions related to information sharing for care coordination suggest that it is considering modifications to the Privacy Rule that would require covered entities to make protected health information (PHI) available to other covered entities within a specified time frame. Currently, the Privacy Rule requires only that covered entities make PHI available to individuals in a set amount of time. OCR also seems to be considering providing additional exceptions to the minimum necessary requirements and additional disclosure permissions under the Privacy Rule, such as to community-based support programs that are not otherwise considered health care providers under the Privacy Rule.

In its commentary on sharing information in connection with the opioid crisis and serious mental illness, OCR indicates it may issue new rulemaking to encourage the sharing of PHI with parents and caregivers for the promotion of the health and safety of individuals struggling with substance abuse (in particular, opioid use) and serious mental illness.

Very notably, with respect to accountings of disclosures, OCR announces its intention to withdraw the 2011 notice of proposed rulemaking that had called for covered entities to make “access reports” available to individuals upon request. Such access reports would have required covered entities to provide individuals with a full listing of who had accessed the individual’s PHI in an electronic record. OCR acknowledges that such an access report would be overly burdensome to covered entities and does not provide meaningful information to individuals. However, OCR does note its obligation under the HITECH Act to modify the Privacy Rule to require that accountings of disclosures include disclosures for treatment, payment and health care operations made through an electronic record. The agency therefore asks for input on how it could accomplish this directive.

Finally, OCR’s commentary and questions related to the Notice of Privacy Practices reveal the agency may be considering removing the requirement for covered entities to make a good faith effort to obtain written acknowledgement of an individual’s receipt of a health care provider’s Notice.