HHS Considering Changes to HIPAA Privacy, Security, & Breach Notification Rules

The Office of Civil Rights of the U.S. Department of Health and Human Services (the “OCR”) recently issued a Request for Information (the “Request”) to identify HIPAA Privacy, Security, & Breach Notification Regulations (“HIPAA Rules”) that hinder conversion of the payment system in the health care space to a value-based system or the coordination of care between Covered Entities and non-Covered Entities and yet do not significantly contribute to the safeguarding of Protected Health Information (“PHI”).  The OCR seeks comment on HIPAA regulatory roadblocks and suggestions for eliminating them in several areas, including the following:

  1. Promotion of Information Sharing for Treatment Care Coordination
    • Length of time it takes for Covered Entities to provide an individual with a copy of their PHI when requested.
    • Burdens a shortened timeframe for responding to PHI access requests would place on Covered Entities.
    • The barriers Covered Entities find when requesting PHI from another Covered Entity for treatment purposes. 
  2. Promotion of Parental and Caregiver Involvement, Addressing the Opioid Crisis, and Serious Mental Illness
    • Changes to HIPAA Rules to help in addressing the opioid epidemic.
    • Modifications to HIPAA Rules that would facilitate mental illness treatment and care coordination.
    • Circumstances in which the Privacy Rule prevents parents from accessing a child’s records, especially during a substance abuse or mental health crisis.
  3. Accounting of Disclosures
    • The number of accounting disclosure requests Covered Entities receive annually.
    • The time (workers hours) it takes to respond to an individual’s request for a disclosure accounting.
    • Appropriateness for Covered Entities to account for their Business Associates disclosures of PHI for treatment, payment, and operations.
  4. Notice of Privacy Practices
    • The burden in economic terms of obtaining written acknowledgement of receipt of a provider’s Notice of Privacy Practices (“NPP”).
    • The percentage of individuals a provider cannot obtain NPP acknowledgements from and the associated barriers.
    • The frequency a NPP acknowledgement is mistaken as a contract, waiver of rights, or a requirement for receiving healthcare services; and the conflicts that arise because of those misunderstandings.
  5. Additional Healthcare Operational Areas
    • HIPAA Rules that place unnecessary burdens on the ability of Covered Entities and/or Business Associates to conduct care coordination and/or case management; as well value based healthcare development.
    • HIPAA Rule modifications that would facilitate efficient care coordination and/or case management in addition to promoting value based healthcare.
    • Covered Entities’ and Business Associates’ technical capabilities, interests, and goals; and how the HIPAA Rules impeded on healthcare their progress.  

Reponses to the OCR’s Request must be submitted to the OCR by February 12, 2019; click here to link directly to the Federal Register. 

If you have any questions on the OCR’s Request for Information and how possible changes to the HIPAA Rules may impact your operations, please contact the DB Health Law Team at rruizayala@dugganbertsch.com or mhall@dugganbertsch.com.