HHS seeks public input on HIPAA Privacy Rule

HHS Office for Civil Rights (OCR) has issued a request for information (RFI) seeking input from the public on how the HIPAA Privacy Rule could be modified to meet HHS’s goal of promoting coordinated, value-based care.

According to the announcement, OCR has gotten feedback in recent years calling on it to revisit aspects of HIPAA that may limit or discourage information sharing without compromising the privacy and security of protected health information (PHI) and/or patient rights with respect to their PHI.

The RFI requests broad input on HIPAA, but also seeks comments on specific areas of the HIPAA Privacy Rule, including:

• Accounting for disclosures of PHI (from an electronic health record) for treatment, payment, and health care operations as required by the HITECH Act
• Addressing the opioid crisis and serious mental illness
• Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices (NPP)
• Encouraging information-sharing for treatment and care coordination
• Facilitating parental involvement in care

Currently, HIPAA’s Privacy Rule permits the use and disclosure of the minimum necessary PHI needed for treatment, payment, and healthcare operations (see 45 CFR 164.501). Covered entities (CE) such as medical providers can share PHI with other CEs and their business associates in the course of normal healthcare operations— for example, to treat patients, receive payment for services, conduct audits, or perform quality assessment activities. In certain circumstances information can be shared with parents or other caregivers without the patient’s permission, such as in emergency situations, when a patient is unconscious or incapacitated, or when it is in the patient’s best interest as determined by his or her healthcare provider (see 45 CFR 164.510(b), 45 CFR 164.512(j)). The RFI states that even though such disclosures are permitted, anecdotally some CEs have expressed reluctance to share PHI for fear of violating HIPAA.

OCR requests input on whether the provisions of the Privacy Rule should be modified or clarified in cases such as encouraging CEs to share PHI with non-covered entities or social services and community-based support programs, and whether CEs should be required to enter into agreements with such entities that contain provisions similar to those found in business associate agreements.

OCR also requests input on the current rule for obtaining patient acknowledgement of the NPP, which describe individuals’ privacy rights and how their PHI may be used and disclosed by the CE. The current rule requires those CEs involved with direct treatment of an individual to make a good faith effort to obtain that individual’s written acknowledgement of the NPP (see 67 FR 53182). The RFI seeks input on whether this requirement puts an economic burden on CEs.

In the RFI, OCR provided a list of 54 specific questions on which it requests feedback and asked for information about relevant state or other laws containing standards that are different from or inconsistent with HIPAA.

Public comments on the RFI are due by February 11, 2019. The RFI can be downloaded at: www.federalregister.gov/public-inspection/.