One Month Left to Submit Comments on HIPAA Request for Information
Last month, the Office for Civil Rights ("OCR") within the U.S. Department of Health and Human Services ("HHS") published a Request for Information ("RFI") looking for recommendations and public input regarding the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security and Breach Notification Rules (the "HIPAA Rules"). In particular, OCR is interested in how the HIPAA Privacy Rule might be modified to better encourage coordinated care as the country's health care system shifts from volume-based to patient-centered, value-based care.
The HIPAA Rules were developed to safeguard the privacy and security of individually identifiable health information and to provide certain rights with respect to that information. As health care delivery has evolved with innovation in technology, OCR has heard calls from HIPAA-covered providers, payers, and others in the health care and health care technology industries to eliminate regulatory obstacles and lessen regulatory burdens so as to not hinder information-sharing, an integral part of providing high-value, coordinated care.
The RFI seeks information about how current HIPAA provisions may be impeding information-sharing goals, and requests input on potential modifications to the HIPAA Rules. Although such modifications could ease burdens on all HIPAA-covered entities, the focus of much of the RFI is on HIPAA-covered health care providers. Along with requesting input on the HIPAA Rules more generally, the RFI seeks specific feedback on the HIPAA Privacy Rule through over 50 detailed questions, including in the following areas:
- Encouraging or requiring sharing of protected health information ("PHI") for treatment, care coordination and/or case management between HIPAA-covered entities and also with certain non-covered entities such as social service agencies, including potentially expanding exceptions to the minimum necessary standard for certain permitted disclosures of PHI (e.g., care coordination, utilization reviews, formulary management);
- Facilitating parental and caregiver involvement in care to address challenges in treatment for opioid addiction and serious mental illness;
- Implementing the Health Information Technology for Economic and Clinical Health ("HITECH") Act requirement that an accounting of disclosures of PHI include disclosures for treatment, payment, and health care operations purposes if made through an electronic health record (the "HITECH Act Requirement"); and
- Changing current recordkeeping requirements related to acknowledgment and receipt of Notices of Privacy Practices ("NPP") and other requirements related to content and provision of the NPP in order to reduce burden on HIPAA-covered entities while preserving transparency.
The RFI presents a key opportunity to inform future modifications to the HIPAA Rules and to also provide strategic policy recommendations. Covered entity and other stakeholder organizations still have time to submit comments on the RFI, as comments are due on or before February 12, 2019. Comments can be submitted here. Verrill Dana has been analyzing the RFI and will continue to review developments in this area. For assistance with questions regarding the RFI or with preparing responses, please reach out to your regular Verrill Dana attorney.
 Pub. L. No. 111-5, 123 Stat. 226 (2009).
 42 U.S.C. § 17935(c). Notably, the HIPAA Privacy Rule has always excluded disclosures made for treatment, payment and health care operations from the accounting requirement, see 45 C.F.R. § 164.528(a)(1)(i), and to date, OCR has not finalized a May 2011 proposed rule designed to implement the HITECH Act Requirement which would have created a new individual right to receive a PHI "access report." See76 Fed. Reg. 31426 (May 31, 2011). Through this RFI, OCR announced that it intends to withdraw that proposed rule and it is interested in other alternatives for implementing the HITECH Act Requirement in a manner that affords individuals meaningful information about how their PHI is being disclosed without creating disincentives to use electronic health records.