The U.S. Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently issued a Request for Information (“RFI”) to assist in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations that could be revised to promote the goals of improved care coordination and reimbursement focused on valued-based care. Specifically, HHS is seeking input on how to remove regulatory obstacles facing care coordination while still protecting the privacy and security of patient health information. The RFI seeks input on modifications to HIPAA regulations that may help meet the following goals:
Care Coordination: HHS seeks to promote information sharing for treatment and care coordination by encouraging the disclosure of protected health information (“PHI”) between covered entities and non-covered entities (e.g., social service agencies and community-based support programs). The following are examples of the issues HHS is seeking comments on:
Whether deadlines should be imposed on providers that have been requested to disclose PHI to another provider, such as when a patient switches to a new medical provider and that new medical provider requests the patient’s records.
Whether the minimum necessary standard should be removed when PHI is disclosed to non-provider covered entities for care coordination and/or case management.
Whether a new disclosure exception should be implemented allowing covered entities to disclose PHI to social service agencies or community based support programs.
Whether healthcare clearinghouses should be subject to the individual access requirements thereby allowing individuals to request and access PHI in a designated record set from the clearinghouse.
Should individuals be allowed to restrict disclosures of PHI that would otherwise be allowed? For example, should an individual be allowed to opt-out of their PHI being utilized for health care operations?
Emergency Treatment Information: HHS wants to encourage the sharing of emergency treatment information with family/caregivers of adults and children with a particular focus on opioid addiction and mental health. The following are examples of the issues on which HHS is seeking comments:
How can OCR amend the HIPAA Rules to address serious mental illness?
Are covered entities aware of instances where HIPAA restricted parents from gaining access to a child’s health information that involved a substance use disorder or mental illness?
Should changes be made to allow parents of adult children or spouses greater access to treatment information?
Accounting of Disclosures: Accounting for disclosures of PHI for treatment, payment, and health care operations from an electronic health record (“EHR”) that would minimize disincentives to adoption and use of EHRs. The following are examples of the issues HHS is seeking comments on:
How many requests do covered entities receive annually from patients for an accounting of disclosures and how much time does it take to respond to such requests?
HHS seeks comments on multiple questions aimed at EHR vendors, such as do current EHR systems automatically generate an accounting of disclosures.
Notice of Privacy Practices: HHS proposed to either eliminate or modify the requirement that certain health care providers make a good faith effort to obtain written acknowledgment of a patient’s receipt of the provider’s Notice of Privacy Practices (“NPP”). The following are examples of the issues HHS is seeking comments on:
What is the economic burden in having to obtain an acknowledgment of the NPP?
Do covered entities bundle the NPP with other patient “intake” forms?
Are there modifications to the content of the NPP that would lessen the compliance burden for covered entities?
Do covered entities use OCR’s model NPP?
Responses to the RFI issued by the HHS Office of Civil Rights are due no later than February 11, 2019. The specific questions posed in the RFI can be accessed here. HHS specifically asks that when answering questions, the answers include information about relevant state laws or other laws that may be inconsistent with HIPAA.