Government Considering Modifications to HIPAA Privacy and Security Rules

HHS Requests Feedback 

The Health Insurance Portability and Accountability Act (HIPAA) includes the HIPAA Privacy and Security Rules (the “Rules”) addressing the privacy and security of Protected Health Information (PHI).  In a nutshell, Protected Health Information (PHI) is:

• Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
• Identifiable to a specific individual;
• Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity (as those terms are defined under the Rules); and 
• Maintained or transmitted in any form.

We earlier addressed the Rules and their impact on employer-provided health plans and third parties providing services to those plans as a two-part series in our October and November 2018 newsletters.  

The U.S. Department of Health and Human Services (HHS) released a Request for Information (RFI) through its Office for Civil Rights (OCR) in December 2018, for the purposes of soliciting feedback to help the OCR identify provisions in the Rules that unnecessarily affect the delivery of value-based health care or the coordination of patient care without meaningfully contributing to the protection of an individual’s PHI.  The ultimate goal is to enable the use of more innovative care and payment models that have developed since the Rules were initially implemented intended to improve cost, effectiveness, and health outcomes.   

1. Promote the sharing of Information to health care providers – The current Rules provide individuals the right to access their own PHI, which must generally be made available by a Covered Entity within 30 days of a request.  The Rules contain no explicit requirement for a Covered Entity to disclose records requested by a health care provider.  The OCR believes this is causing issues with care coordination and case management initiatives.  The OCR also notes instances of health care providers refusing to share PHI with each other in the [often mistaken] belief it may be a violation of HIPAA’s Rules.   
   
   In addition, other parties are often involved in necessary activities not involving direct patient treatment that require PHI to function, such as population health management vendors, claims management, and utilization review.  The OCR believes these activities are being
   
   
2. Sharing PHI with family members – The OCR is concerned that providers are reluctant to share PHI with family members and caregivers in emergency situations out of an abundance of caution even though a patient in an emergency situation may not be able to effectively communicate with the provider, and the Rules generally permit PHI to be shared with an immediate family member or designated caregiver.  This has come to light most dramatically in situations involving opioid overdoses and patients suffering from mental health issues.  
    
3. Revising the required accounting of disclosures from an Electronic Health Record – As currently written, the Rules require disclosures of PHI for treatment, payment, and health care operations to be included in a requested accounting of disclosures for PHI maintained in an Electronic Health Record.  The OCR notes that is has proven challenging to Electronic Health Record vendors to identify the difference between PHI that has been “accessed” (i.e. obtained by a user) versus PHI that has been “disclosed” (i.e. proactively shared with a user).  The OCR requests information about whether all such uses and disclosures from an Electronic Health Record should be included in a requested accounting of disclosures.  
   
   
4. Relief for providers with notices of privacy practices – The OCR requests feedback on whether the requirement for health care providers to make a good faith effort to obtain written confirmation that a patient received a notice of privacy practices should be modified or eliminated.