United States: Deadline Approaching To Submit Comments On Potential Updates To HIPAA In Response To Agency Request For Information

There are less than two weeks left to submit comments regarding potential updates to the privacy, security and breach notification regulations adopted under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (together, HIPAA). On December 14, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a broad request for information (RFI) to help the agency identify and address undue obstacles to the sharing of protected health information (PHI) among health care providers, payers, patients and caregivers. Comments are due February 12, 2019.  

In the RFI, OCR requests comment on potential changes to the HIPAA regulations intended to facilitate efficient care coordination and promote value-based health care, while preserving the privacy and security of PHI. OCR solicits feedback on 54 specific, often multipart, questions related to whether and how it should amend or supplement the HIPAA regulatory framework to, for example:

• Require covered entities to provide copies of PHI maintained in an electronic record more rapidly than records maintained in other media when responding to an individual's request for access.
• Encourage HIPAA covered entities to disclose PHI to other covered entities for purposes of care coordination, such as by requiring timely transfer of PHI under certain circumstances or narrowing the application of the minimum necessary standard.
• Clarify that, under HIPAA, covered entities are permitted to share PHI with non-covered entities, such as social services agencies and community-based support programs, to coordinate care and provide related health care services.
• Subject health care clearinghouses to the individual access requirements, such that they would need to provide individuals with access to PHI in a designated record set upon request.
• Treat health care clearinghouses exclusively as covered entities—and not as business associates—for HIPAA compliance purposes.
• Encourage covered entities to share PHI with family members and caregivers when necessary to promote the health and recovery of a patient suffering from an opioid or other substance use disorder or serious mental illness.
• Allow family members of an adult patient—such as his or her parents, spouse or adult children—greater access to the patient's PHI under certain circumstances.
• Require disclosures for treatment, payment and health care operations made through an electronic health record (EHR) to be included in an accounting of disclosures.
• Eliminate or modify requirements relating to patient acknowledgment of receipt of Notices of Privacy Practices.

Health industry participants should consider taking the opportunity to respond to relevant aspects of this broad RFI and provide OCR with information regarding contemplated updates to HIPAA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.