One Month Left to Submit Comments on HIPAA Request for Information

January 10, 2019 Alerts and Newsletters

Last month, the Office for Civil Rights ("OCR") within the U.S. Department of Health and Human Services ("HHS") published a Request for Information ("RFI") looking for recommendations and public input regarding the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security and Breach Notification Rules (the "HIPAA Rules"). In particular, OCR is interested in how the HIPAA Privacy Rule might be modified to better encourage coordinated care as the country's health care system shifts from volume-based to patient-centered, value-based care.

The HIPAA Rules were developed to safeguard the privacy and security of individually identifiable health information and to provide certain rights with respect to that information. As health care delivery has evolved with innovation in technology, OCR has heard calls from HIPAA-covered providers, payers, and others in the health care and health care technology industries to eliminate regulatory obstacles and lessen regulatory burdens so as to not hinder information-sharing, an integral part of providing high-value, coordinated care.

The RFI seeks information about how current HIPAA provisions may be impeding information-sharing goals, and requests input on potential modifications to the HIPAA Rules. Although such modifications could ease burdens on all HIPAA-covered entities, the focus of much of the RFI is on HIPAA-covered health care providers. Along with requesting input on the HIPAA Rules more generally, the RFI seeks specific feedback on the HIPAA Privacy Rule through over 50 detailed questions, including in the following areas:

  1. Encouraging or requiring sharing of protected health information ("PHI") for treatment, care coordination and/or case management between HIPAA-covered entities and also with certain non-covered entities such as social service agencies, including potentially expanding exceptions to the minimum necessary standard for certain permitted disclosures of PHI (e.g., care coordination, utilization reviews, formulary management);
  2. Facilitating parental and caregiver involvement in care to address challenges in treatment for opioid addiction and serious mental illness;
  3. Implementing the Health Information Technology for Economic and Clinical Health ("HITECH") Act[1] requirement that an accounting of disclosures of PHI include disclosures for treatment, payment, and health care operations purposes if made through an electronic health record (the "HITECH Act Requirement")[2]; and
  4. Changing current recordkeeping requirements related to acknowledgment and receipt of Notices of Privacy Practices ("NPP") and other requirements related to content and provision of the NPP in order to reduce burden on HIPAA-covered entities while preserving transparency.

The RFI presents a key opportunity to inform future modifications to the HIPAA Rules and to also provide strategic policy recommendations. Covered entity and other stakeholder organizations still have time to submit comments on the RFI, as comments are due on or before February 12, 2019. Comments can be submitted here. Verrill Dana has been analyzing the RFI and will continue to review developments in this area. For assistance with questions regarding the RFI or with preparing responses, please reach out to your regular Verrill Dana attorney.

[1] Pub. L. No. 111-5, 123 Stat. 226 (2009).

[2] 42 U.S.C. § 17935(c). Notably, the HIPAA Privacy Rule has always excluded disclosures made for treatment, payment and health care operations from the accounting requirement, see 45 C.F.R. § 164.528(a)(1)(i), and to date, OCR has not finalized a May 2011 proposed rule designed to implement the HITECH Act Requirement which would have created a new individual right to receive a PHI "access report." See76 Fed. Reg. 31426 (May 31, 2011). Through this RFI, OCR announced that it intends to withdraw that proposed rule and it is interested in other alternatives for implementing the HITECH Act Requirement in a manner that affords individuals meaningful information about how their PHI is being disclosed without creating disincentives to use electronic health records.

Firm Highlights


The Boston Globe on Federal Prosecutor Joining Verrill


65 Verrill Attorneys Recognized by Best Lawyers® 2022, Including Eight Named Lawyers of the Year

(August 31, 2021) – 65 Verrill attorneys were recognized as "Best Lawyers" by Best Lawyers® 2022 , including 8 attorneys named “Lawyer of the Year,” a distinguished recognition for only a single lawyer in...


Verrill's Strategic Growth in Key Areas Shared in Mainebiz

On Monday, November 15th Verrill was listed as a Maine law firm who is innovating ways to hire talent in the Mainebiz article "Remote Work Changes Hiring Strategies for Some Maine Law Firms." The...


High-Profile Former U.S. Department of Justice Prosecutor, David Lazarus, Joins Verrill’s Health Care and Life Sciences Practice

(November 29, 2021) – Verrill is pleased to welcome David Lazarus to the firm’s Boston office as a Partner in its nationally recognized Health Care & Life Sciences Group. Lazarus is a former Department...


Massachusetts Health Care Bill Makes Several Significant Changes

While you were celebrating the New Year, Governor Baker signed Chapter 260 of the Acts of 2020, an “Act promoting a resilient health care system that puts patients first,” the result of the Legislature’s...


340B Providers Get Partial Relief from New Dispute Resolution Regulation

1. 340B ADR Process Established At long last, more than ten years after Congress directed it to do so, HHS has finalized an alternative dispute resolution (“ADR”) process for both providers and pharmaceutical manufacturers...


HHS Confirms Providers’ Right to 340B Discount Pricing for Contract Pharmacies

As a holiday gift to providers, the U.S. Department of Health and Human Services (HHS) General Counsel recently issued a strongly worded Advisory Opinion indicating that federal law requires drug manufacturers to deliver covered...


Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition.

Health care attorney Paul Shaw co-authored Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition with Robert Griffith, published by the American Health Law Association (AHLA). Paul and Robert provide legal...


The Regulatory Sprint is Over - What’s at the Finish Line Under the New Stark and AKS Final Rules?

The U.S. Department of Health and Human Services (HHS) completed its “Regulatory Sprint” by finalizing changes to regulations pertaining to two federal fraud and abuse laws. On December 2, 2020, the Centers for Medicare...

Contact Verrill at (855) 307 0700