Government Considering Modifications to HIPAA Privacy and Security Rules


Director, Research & Education, Health & Benefits
+1 248 822 6216
February 5, 2019

HHS Requests Feedback 

The Health Insurance Portability and Accountability Act (HIPAA) includes the HIPAA Privacy and Security Rules (the “Rules”) addressing the privacy and security of Protected Health Information (PHI). In a nutshell, PHI is:

  • Information about a past, present, or future health condition, treatment for a health condition, or payment for the treatment of a health condition;
  • Identifiable to a specific individual;
  • Created and/or received by a Covered Entity or Business Associate acting on behalf of a Covered Entity (as those terms are defined under the Rules); and 
  • Maintained or transmitted in any form.

We earlier addressed the Rules and their impact on employer-provided health plans and on third parties providing services to those plans in a two-part series in our October and November 2018 newsletters.

The U.S. Department of Health and Human Services (HHS) released a Request for Information (RFI) through its Office for Civil Rights (OCR) in December 2018. Its purpose is to solicit feedback that helps the OCR identify provisions in the Rules that unnecessarily affect the delivery of value-based health care or the coordination of patient care without meaningfully contributing to the protection of an individual’s PHI. The ultimate goal is to enable the use of the more innovative care and payment models that have developed since the Rules were initially implemented, models intended to improve cost, effectiveness, and health outcomes.

This RFI signals that the first meaningful change to the Rules in several years is now on the horizon. The four key areas for which the OCR has provided observations and requested feedback are discussed below. Interested parties have until February 12, 2019 to provide comments.

  1. Promote the sharing of information with health care providers – The current Rules give individuals the right to access their own PHI, which must generally be made available by a Covered Entity within 30 days of a request. The Rules contain no explicit requirement for a Covered Entity to disclose records requested by a health care provider. The OCR believes this is causing issues with care coordination and case management initiatives. The OCR also notes instances of health care providers refusing to share PHI with each other in the [often mistaken] belief that doing so may violate HIPAA’s Rules.

    In addition, other parties are often involved in necessary activities not involving direct patient treatment that require PHI to function, such as population health management vendors, claims management, and utilization review.  The OCR believes these activities are being

  2. Sharing PHI with family members – The OCR is concerned that providers are reluctant to share PHI with family members and caregivers in emergency situations out of an abundance of caution, even though a patient in an emergency situation may not be able to communicate effectively with the provider, and the Rules generally permit PHI to be shared with an immediate family member or designated caregiver. This has come to light most dramatically in situations involving opioid overdoses and patients suffering from mental health issues.

  3. Revising the required accounting of disclosures from an Electronic Health Record – As currently written, the Rules require disclosures of PHI for treatment, payment, and health care operations to be included in a requested accounting of disclosures for PHI maintained in an Electronic Health Record. The OCR notes that it has proven challenging for Electronic Health Record vendors to distinguish PHI that has been “accessed” (i.e., obtained by a user) from PHI that has been “disclosed” (i.e., proactively shared with a user). The OCR requests information about whether all such uses and disclosures from an Electronic Health Record should be included in a requested accounting of disclosures.

  4. Relief for providers with notices of privacy practices – The OCR requests feedback on whether the requirement for health care providers to make a good faith effort to obtain written confirmation that a patient received a notice of privacy practices should be modified or eliminated. 

The information contained herein is for general informational purposes only and does not constitute legal or tax advice regarding any specific situation. Any statements made are based solely on our experience as consultants. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. The information provided in this alert is not intended to be, and shall not be construed to be, either the provision of legal advice or an offer to provide legal services, nor does it necessarily reflect the opinions of the agency, our lawyers or our clients. This is not legal advice. No client-lawyer relationship between you and our lawyers is or may be created by your use of this information. Rather, the content is intended as a general overview of the subject matter covered. This agency is not obligated to provide updates on the information presented herein. Those reading this alert are encouraged to seek direct counsel on legal questions. © 2018 Marsh & McLennan Agency LLC. All Rights Reserved.