On December 14, 2018 the Department of Health and Human Services, Office for Civil Rights (“OCR”) formally issued a Request For Information (“RFI”) seeking public input on “ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based healthcare, while preserving the privacy and security of PHI.” OCR is seeking comments for a series of 54 different specific questions (many with additional subparts) corresponding to the following five major topic areas: (1) the promotion of information sharing for treatment and care coordination; (2) the promotion of parental and caregiver involvement in addressing the opioid crisis and serious mental illness; (3) additional ways to remove regulatory obstacles and burdens to facilitate care coordination and promote value-based health care; (4) an effective means to implement the accounting of disclosures requirement of the HITECH Act; and (5) Notice of Privacy Practices operational practices.

While some of the questions ask for factual information (such as the typical time it takes a covered entity to transfer PHI to another covered entity), many of the questions raise larger policy issues. For example, the RFI includes a series of questions on whether it would make sense to have health care clearinghouses play a much more direct role in providing information to individuals, whether health care clearinghouses should be treated only as covered entities, and if so, could other covered entities impose contractual obligations on the health care clearinghouses to protect PHI without the use of a business associate agreement. Similarly, the RFI includes multiple questions on whether the OCR could amend the Privacy Rule to allow for better coordination for patients suffering from a substance abuse disorder or serious mental illness, and how such changes might interact with current state privacy laws and 42 CFR Part 2 that would otherwise prohibit the sharing of such information.

From an operational perspective, the RFI requests comments on how to effectively implement the HITECH Act requirement to provide an accounting of all disclosures made through an electronic health record and whether requiring providers to make a good faith effort to obtain written acknowledgement from a patient that they have received a Notice of Privacy Practices places an unnecessary burden on providers, and perhaps inadvertently confuses patients.

OCR is requesting comments to the elucidated questions on or before February 12, 2019.