January 9, 2019

Healthcare organizations and medical practices that have been working for years to comply with the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) undoubtedly have valuable thoughts and insights regarding how the rules could be tweaked and improved to reflect changes in the delivery of care since they went into effect.  According to many in healthcare, the Request for Information (RFI) issued in December giving hospitals, clinicians and other stakeholders the opportunity to comment on HIPAA revisions has not come too soon.

“Much has changed in healthcare since HIPAA was first enacted,” said Lauren Riplinger, JD, senior director of federal relations at the American Health Information Management Association (AHIMA), in a statement.  “The RFI is a welcome sign that the need to revise and modernize HIPAA is on OCR’s [the Health and Human Services Office of Civil Rights’] radar.”

The RFI comes in response to concerns within the healthcare community that some aspects of the HIPAA rules “may limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care,” HHS noted in a statement.  The RFI requests information on any provisions of the HIPAA Rules that may hinder these goals without meaningfully interfering with protected health information (PHI) privacy and security and/or patients’ ability to exercise their rights with respect to their PHI.

The request followed a Congressional briefing in December in which health IT stakeholders and others discussed the impact of current federal policies, notably HIPAA, on patients’ ability to access and use their health data.  Specifically, in the briefing, organizations called for modernization of HIPAA regulations in order to expand the law’s record access provisions to non-covered entities and improve the definition of HIPAA’s “designated record set” (DRS).

AHIMA and the American Medical Informatics Association also proposed that OCR either create a new term, “health data set,” encompassing all clinical, biomedical and claims data maintained by a covered entity or business associate, or revise the existing HIPAA definition of “designated record set” to require certified health information technology to provide the information to patients in a way that enables them to use and reuse their data.

One ongoing area of concern regarding the HIPAA rules is information-sharing related to the opioid crisis and serious mental illness.  OCR issued new guidance on opioid overdoses and updated guidance related to mental health in 2017.  Still, more work is needed, said HHS Deputy Secretary Eric Hargan. “In addressing the opioid crisis, we’ve heard stories about how the Privacy Rule can get in the way of patients and families getting the help they need,” he said.  “We’ve also heard how the Rule may impede other forms of care coordination that can drive value.”

In addition to the opioid crisis and mental health issues, OCR has requested comments regarding the following specific areas:

• Encouraging information-sharing for treatment and care coordination
• Facilitating parental involvement in care
• Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
• Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

Comments on the RFI must be submitted by February 11, 2019.  The RFI may be downloaded from the Federal Register at: https://www.federalregister.gov/public-inspection/