One Month Left to Submit Comments on HIPAA Request for Information

January 10, 2019 Alerts and Newsletters

Last month, the Office for Civil Rights ("OCR") within the U.S. Department of Health and Human Services ("HHS") published a Request for Information ("RFI") looking for recommendations and public input regarding the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security and Breach Notification Rules (the "HIPAA Rules"). In particular, OCR is interested in how the HIPAA Privacy Rule might be modified to better encourage coordinated care as the country's health care system shifts from volume-based to patient-centered, value-based care.

The HIPAA Rules were developed to safeguard the privacy and security of individually identifiable health information and to provide certain rights with respect to that information. As health care delivery has evolved with innovation in technology, OCR has heard calls from HIPAA-covered providers, payers, and others in the health care and health care technology industries to eliminate regulatory obstacles and lessen regulatory burdens so as to not hinder information-sharing, an integral part of providing high-value, coordinated care.

The RFI seeks information about how current HIPAA provisions may be impeding information-sharing goals, and requests input on potential modifications to the HIPAA Rules. Although such modifications could ease burdens on all HIPAA-covered entities, the focus of much of the RFI is on HIPAA-covered health care providers. Along with requesting input on the HIPAA Rules more generally, the RFI seeks specific feedback on the HIPAA Privacy Rule through over 50 detailed questions, including in the following areas:

  1. Encouraging or requiring sharing of protected health information ("PHI") for treatment, care coordination and/or case management between HIPAA-covered entities and also with certain non-covered entities such as social service agencies, including potentially expanding exceptions to the minimum necessary standard for certain permitted disclosures of PHI (e.g., care coordination, utilization reviews, formulary management);
  2. Facilitating parental and caregiver involvement in care to address challenges in treatment for opioid addiction and serious mental illness;
  3. Implementing the Health Information Technology for Economic and Clinical Health ("HITECH") Act[1] requirement that an accounting of disclosures of PHI include disclosures for treatment, payment, and health care operations purposes if made through an electronic health record (the "HITECH Act Requirement")[2]; and
  4. Changing current recordkeeping requirements related to acknowledgment and receipt of Notices of Privacy Practices ("NPP") and other requirements related to content and provision of the NPP in order to reduce burden on HIPAA-covered entities while preserving transparency.

The RFI presents a key opportunity to inform future modifications to the HIPAA Rules and to also provide strategic policy recommendations. Covered entity and other stakeholder organizations still have time to submit comments on the RFI, as comments are due on or before February 12, 2019. Comments can be submitted here. Verrill Dana has been analyzing the RFI and will continue to review developments in this area. For assistance with questions regarding the RFI or with preparing responses, please reach out to your regular Verrill Dana attorney.

[1] Pub. L. No. 111-5, 123 Stat. 226 (2009).

[2] 42 U.S.C. § 17935(c). Notably, the HIPAA Privacy Rule has always excluded disclosures made for treatment, payment and health care operations from the accounting requirement, see 45 C.F.R. § 164.528(a)(1)(i), and to date, OCR has not finalized a May 2011 proposed rule designed to implement the HITECH Act Requirement which would have created a new individual right to receive a PHI "access report." See76 Fed. Reg. 31426 (May 31, 2011). Through this RFI, OCR announced that it intends to withdraw that proposed rule and it is interested in other alternatives for implementing the HITECH Act Requirement in a manner that affords individuals meaningful information about how their PHI is being disclosed without creating disincentives to use electronic health records.

Firm Highlights


Michael K. Fee to Lead Verrill’s Nationally-Recognized Health Care and Life Sciences Practice Amidst Recent Changes

(August 31, 2020) – Verrill is pleased to announce Michael K. Fee as the new leader of Verrill’s nationally-recognized Health Care & Life Sciences Group. The Group has a long history of representing a...


EU-U.S. Privacy Shield Invalidated: Does Your Company Have a Plan B?

On Thursday, July 16, 2020, the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield (“Privacy Shield”) in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18...


Nearly 80 Verrill Attorneys Recognized by Best Lawyers® 2021, Including a Dozen Named Lawyers of the Year

(August 24, 2020) – Nearly 80 Verrill attorneys were recognized as "Best Lawyers" by Best Lawyers® 2021 , including 12 attorneys named “Lawyer of the Year,” a distinguished recognition for only a single lawyer...


European Union GDPR—Institution

Counseled a preeminent health system and academic medical center on its compliance with the European Union General Data Protection Regulation (GDPR) in relation to its clinical and research activities, including its international research studies...


Conflicts of Interest

Reviewed medical center's systems, policies and procedures for identifying, assessing, and managing investigator and institutional conflicts of interest.


Common Rule

Guided multiple clients through the implementation of the revised HHS regulations (the "Common Rule"), including reviewing and revising policies and procedures, and assisting with institutional approaches to implementation.


News Flash: HHS Issues Statement Removing Premarket Review Requirements for Laboratory Developed Tests (“LDTs”), Including COVID-19 LDTs

What happened? On August 19, 2020, the U.S. Department of Health and Human Services (“HHS”) issued a single paragraph statement rescinding U.S. Food and Drug Administration (“FDA”) guidance documents concerning premarket review of Laboratory...


Multi-Site Global Research

Developed and negotiated site and coordinating center agreements in connection with a multi-site, international, National Institutes of Health (NIH)-funded study, and advised on regulatory issues related to the conduct of the study and subsequent...


Hospital Price Transparency Rule: Full Steam Ahead

Neither COVID-19 nor continued legal challenges appear likely to derail the Centers for Medicare & Medicaid Services ( CMS) Hospital Price Transparency Rule from going into effect on January 1, 2021. Hospitals therefore should...


“If I've told you once, I've told you eight times…” HHS OIG Issues Another Audit Report on Hospitals’ Failure to Report Credits for Explanted Cardiac Devices and Lays the Groundwork Collection of Overpayments

Contact Verrill at (855) 307 0700