HHS Seeks Feedback on Potential HIPAA Changes
Modifications Could Affect Certain Privacy, Security Provisions
Will the Department of Health and Human Services' request for feedback on potential changes to HIPAA eventually result in modifications to the regulation, including certain provisions that touch on privacy and security issues? There's a long road to travel before any changes actually might get made.
HHS says it's seeking public input on potential changes to the HIPAA rules to reduce the "regulatory burden," including ways to improve secure data sharing for patient care coordination.
The request for information by HHS' Office for Civil Rights, published Thursday in the Federal Register, also seeks feedback on dropping the requirement for healthcare organizations to obtain patients' written acknowledgment of receiving notices of privacy practices.
The agency is also seeking input on potential ways to implement - "while minimizing regulatory burdens and disincentives" - the HITECH Act requirement to provide patients with an accounting of disclosures from an electronic health record for treatment, payment and healthcare operations.
"We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them," said OCR Director Roger Severino.
"We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals' health information."
In recent years, OCR says it has heard calls to revisit aspects of the HIPAA rules that may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based healthcare, the HHS statement notes.
"The RFI requests information on any provisions of the HIPAA rules that may present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information and/or patients' ability to exercise their rights with respect to their PHI."
Looking for Feedback
A recent entry on the Office of Management and Budget's regulations agenda website foreshadowed OCR's plans to issue the RFI (see: Do HIPAA Rules Hamper Coordinated Patient Care?).
The RFI notes that OCR is soliciting public comments until Feb. 11, 2019, "that offer recommendations for modifying existing regulations or guidance, or developing new guidance, that could further several goals."
Those goals include:
- Promoting information sharing for treatment and care coordination and/or case management by amending the HIPAA Privacy Rule to encourage, incentivize or require covered entities to disclose PHI to other covered entities;
- Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis;
- Implementing the requirement to include an accounting of disclosures of patient information for treatment, payment and healthcare operations from EHRs "in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs";
- Eliminating or modifying the requirement for covered healthcare providers to make a good faith effort to obtain individuals' written acknowledgment of receipt of providers' notice of privacy practices to reduce the burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual's awareness of their rights.
There are no guarantees that the RFI will, indeed, lead to new or modified regulations.
"This is an RFI, meaning that it is a precursor to a potential proposed rule, which would then lead to a final rule. So we are just starting a long, involved process," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"With that said, they are exploring a number of possibilities of expanding the ability of providers and others to share PHI for 'coordinated care' purposes." This is largely driven by both the changing pricing structure of the healthcare industry - the move to "value pricing" - and the opioid crisis, he notes.
HHS has a sense that the HIPAA rules are impeding data sharing and wants to explore how to expand this sharing, Nahra says. "It's not clear to me how much of this is needed," he contends.
"Providers have lots of ability to share now, for broad treatment purposes and in specific other situations. Educating them and giving them guidance certainly would be useful if there are problems now. However, I am not sure how much you want to open up this sharing, and I certainly would be hesitant to mandate more sharing."
Applying HIPAA More Broadly
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, believes that HHS will get some feedback calling for an expansion of the scope of the HIPAA standards to more organizations that handle health-related personally identifiable information.
The American Medical Informatics Association and the American Health Information Management Association have already called for extending the HIPAA provision on an individual's right to access their health data to include organizations that are not currently considered HIPAA covered entities or business associates - such as companies that offer mobile health apps and health-related social media (see: Does HIPAA Need to be Modernized?).
Accounting of Disclosures
Plans for HHS to revisit how to implement the HITECH Act's accounting of disclosures regulation have been on the shelf for several years.
HHS' previous proposal for an accounting of disclosures was published in May 2011, but feedback from the healthcare sector was mostly negative.
Many of the more than 400 commenters complained that the proposed rule's "access report" provision would prove to be technically unfeasible, complex and expensive to implement, particularly with EHR technology available at that time (see: EHR Access Report Objections Pour In).
The "access report" provision in the original proposal would have required healthcare organizations to provide patients, upon request, with a complete list of everyone who has electronically viewed their information.
"Now, they [regulators] are starting over and looking for a way to implement the HITECH requirements in a manageable way," Nahra says.
"This will be challenging. I hope they will limit this as much as reasonable, since it has been hard to identify clear patient interests, so that this obligation is limited to disclosures from certified EHRs, where the ability to collect this information is supposed to be relatively easy."
Some observers are hopeful that the ongoing HHS efforts could result in the elimination of one regulatory compliance burden.
"I'm excited about the possibility of the elimination of the 'acknowledgment of notice of privacy practices' requirement," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "The elimination of that requirement seemingly alone could save a few rainforests," he says.
The expense far outweighs the benefits, Greene argues. "Most individuals don't know what they're signing," he contends. "They don't know if they are signing away rights - or they don't even receive a copy of the notice they're being asked to acknowledge receiving. I welcome revisiting that requirement."
But how likely is it that HHS' collection of feedback will result in any new or changed regulations?
"They have made a pretty general and open-ended request for further thoughts from the industry on data sharing," Nahra says. "HHS did something similar during HITECH - where they said they would be reviewing the overall rule to improve it based on their experience, but that resulted in very little change at that time.
"I'm not expecting too much now - and that isn't really a problem. The HIPAA rules work pretty well, in general, from my perspective."