One Month Left to Submit Comments on HIPAA Request for Information

January 10, 2019 Alerts and Newsletters

Last month, the Office for Civil Rights ("OCR") within the U.S. Department of Health and Human Services ("HHS") published a Request for Information ("RFI") looking for recommendations and public input regarding the Health Insurance Portability and Accountability Act ("HIPAA") Privacy, Security and Breach Notification Rules (the "HIPAA Rules"). In particular, OCR is interested in how the HIPAA Privacy Rule might be modified to better encourage coordinated care as the country's health care system shifts from volume-based to patient-centered, value-based care.

The HIPAA Rules were developed to safeguard the privacy and security of individually identifiable health information and to provide certain rights with respect to that information. As health care delivery has evolved with innovation in technology, OCR has heard calls from HIPAA-covered providers, payers, and others in the health care and health care technology industries to eliminate regulatory obstacles and lessen regulatory burdens so as to not hinder information-sharing, an integral part of providing high-value, coordinated care.

The RFI seeks information about how current HIPAA provisions may be impeding information-sharing goals, and requests input on potential modifications to the HIPAA Rules. Although such modifications could ease burdens on all HIPAA-covered entities, the focus of much of the RFI is on HIPAA-covered health care providers. Along with requesting input on the HIPAA Rules more generally, the RFI seeks specific feedback on the HIPAA Privacy Rule through over 50 detailed questions, including in the following areas:

  1. Encouraging or requiring sharing of protected health information ("PHI") for treatment, care coordination and/or case management between HIPAA-covered entities and also with certain non-covered entities such as social service agencies, including potentially expanding exceptions to the minimum necessary standard for certain permitted disclosures of PHI (e.g., care coordination, utilization reviews, formulary management);
  2. Facilitating parental and caregiver involvement in care to address challenges in treatment for opioid addiction and serious mental illness;
  3. Implementing the Health Information Technology for Economic and Clinical Health ("HITECH") Act[1] requirement that an accounting of disclosures of PHI include disclosures for treatment, payment, and health care operations purposes if made through an electronic health record (the "HITECH Act Requirement")[2]; and
  4. Changing current recordkeeping requirements related to acknowledgment and receipt of Notices of Privacy Practices ("NPP") and other requirements related to content and provision of the NPP in order to reduce burden on HIPAA-covered entities while preserving transparency.

The RFI presents a key opportunity to inform future modifications to the HIPAA Rules and to also provide strategic policy recommendations. Covered entity and other stakeholder organizations still have time to submit comments on the RFI, as comments are due on or before February 12, 2019. Comments can be submitted here. Verrill Dana has been analyzing the RFI and will continue to review developments in this area. For assistance with questions regarding the RFI or with preparing responses, please reach out to your regular Verrill Dana attorney.

[1] Pub. L. No. 111-5, 123 Stat. 226 (2009).

[2] 42 U.S.C. § 17935(c). Notably, the HIPAA Privacy Rule has always excluded disclosures made for treatment, payment and health care operations from the accounting requirement, see 45 C.F.R. § 164.528(a)(1)(i), and to date, OCR has not finalized a May 2011 proposed rule designed to implement the HITECH Act Requirement which would have created a new individual right to receive a PHI "access report." See76 Fed. Reg. 31426 (May 31, 2011). Through this RFI, OCR announced that it intends to withdraw that proposed rule and it is interested in other alternatives for implementing the HITECH Act Requirement in a manner that affords individuals meaningful information about how their PHI is being disclosed without creating disincentives to use electronic health records.

Firm Highlights


“If I've told you once, I've told you eight times…” HHS OIG Issues Another Audit Report on Hospitals’ Failure to Report Credits for Explanted Cardiac Devices and Lays the Groundwork Collection of Overpayments


The Regulatory Sprint is Over - What’s at the Finish Line Under the New Stark and AKS Final Rules?

The U.S. Department of Health and Human Services (HHS) completed its “Regulatory Sprint” by finalizing changes to regulations pertaining to two federal fraud and abuse laws. On December 2, 2020, the Centers for Medicare...


340B Providers Get Partial Relief from New Dispute Resolution Regulation

1. 340B ADR Process Established At long last, more than ten years after Congress directed it to do so, HHS has finalized an alternative dispute resolution (“ADR”) process for both providers and pharmaceutical manufacturers...


News Flash: HHS Issues Statement Removing Premarket Review Requirements for Laboratory Developed Tests (“LDTs”), Including COVID-19 LDTs

What happened? On August 19, 2020, the U.S. Department of Health and Human Services (“HHS”) issued a single paragraph statement rescinding U.S. Food and Drug Administration (“FDA”) guidance documents concerning premarket review of Laboratory...


Massachusetts Health Care Bill Makes Several Significant Changes

While you were celebrating the New Year, Governor Baker signed Chapter 260 of the Acts of 2020, an “Act promoting a resilient health care system that puts patients first,” the result of the Legislature’s...


Hospital Price Transparency Rule: Full Steam Ahead

Neither COVID-19 nor continued legal challenges appear likely to derail the Centers for Medicare & Medicaid Services ( CMS) Hospital Price Transparency Rule from going into effect on January 1, 2021. Hospitals therefore should...


Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition.

Health care attorney Paul Shaw co-authored Fraud and Abuse Investigations Handbook for the Health Care Industry, Second Edition with Robert Griffith, published by the American Health Law Association (AHLA). Paul and Robert provide legal...


Verrill Welcomes Jeffrey A. Smagula, Experienced Health Care and Life Sciences Attorney, Former Health Plan Compliance Executive

(May 12, 2021) – Verrill is pleased to welcome Jeffrey A. Smagula to the firm’s Boston office as Counsel in its nationally recognized Health Care & Life Sciences Group. Jeff Smagula brings to Verrill...


HHS Confirms Providers’ Right to 340B Discount Pricing for Contract Pharmacies

As a holiday gift to providers, the U.S. Department of Health and Human Services (HHS) General Counsel recently issued a strongly worded Advisory Opinion indicating that federal law requires drug manufacturers to deliver covered...

Contact Verrill at (855) 307 0700