OCR Seeks Feedback for Modifying HIPAA Rules to Promote Efficiency and Reduce Burdens Placed Upon Covered Entities
Last week, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), issued a Request for Information (RFI) seeking public input on modification of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act (HIPAA) to further promote coordinated, value-based healthcare.
Announcing that the OCR is “looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” the RFI seeks broad input on the HIPAA Rules with emphasis on specific areas of the HIPAA Privacy Rule, including:
- Encouraging information-sharing for treatment and care coordination;
- Facilitating parental involvement in care;
- Addressing the opioid crisis and serious mental illness;
- Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act; and
- Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices.
HHS developed the HIPAA Rules to protect individuals’ health information privacy and security interests while also permitting necessary information sharing. In recent years, requests have been made to revisit the HIPAA Rules to the extent they limited or discouraged information sharing that facilitated coordinated care and value-based health care. In HHS’s press release, Deputy Secretary Hargan noted in particular struggles in the opioid crisis, stating “[i]n addressing the opioid crisis, we’ve heard stories about how the Privacy Rule can get in the way of patients and families getting the help they need. We’ve also heard how the Rule may impede other forms of care coordination that can drive value. I look forward to hearing from the public on potential improvements to HIPAA, while maintaining the important safeguards for patients’ health information.”
The RFI requests information on any provisions of the HIPAA Rules that may impede the provision of healthcare without meaningfully protecting the privacy and security of protected health information (PHI) or patients’ ability to exercise their rights with respect to their PHI.
Public comments on the RFI are due to the OCR by February 11, 2019.
If you have questions or would like further information, or are interested in submitting comments to the OCR, please contact Joshua Mooney (firstname.lastname@example.org; 215.864.6345) of the Cyber Law and Data Protection Group or Rosemary Schnall (email@example.com; 215.864.6869) of the Healthcare Group.