The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently published a request for information (RFI) regarding the modification of Health Insurance Portability and Accountability Act (HIPAA) Privacy Rules to improve patient coordination of care. The OCR is requesting information from the public on ways to change the Privacy Rules to decrease regulatory burdens or obstacles for providers and promote the coordination of care and value-based health care. The OCR is seeking input on ways to achieve these goals without compromising the privacy and security of protected health information (PHI). The OCR would like the public to provide information on the specific components of the Privacy Rules that generate burden and prevent coordination of care on behalf of patients.
Comments responding to the RFI must be submitted to OCR by or on February 12, 2019. The RFI contains a list of specific questions for each of the four care coordination issues that the OCR outlined. The RFI also requested input on four specific aspects of the Privacy Rule, which include:
1. Promoting information sharing for treatment, care coordination, and case management.
This request would amend the Privacy Rule to “encourage, incentivize, or require” covered entities to disclose PHI to other covered entities to promote information sharing for treatment, care coordination, and case management. The OCR specifically sought information on whether to implement a time requirement for the disclosure of health records to another health care provider in the RFI. The Privacy Rule currently requires covered entities to provide individuals with access to their PHI within 30 days. However, no such requirement exists for disclosing PHI to other covered entities for purposes of coordination of care. The OCR seeks information both generally and in response to specific questions regarding the scope of time delay issues providers face when seeking health records from other providers. The OCR is additionally seeking information on whether providing a deadline for disclosures related to treatment and coordination of care would be helpful or detrimental to providers and patients.
The OCR is also seeking information on whether the Privacy Rule’s minimum necessary requirement should no longer apply to disclosures of PHI to non-provider covered entities when the PHI is disclosed for care coordination/case management purposes in connection with treatment and/or other health care operations. Health care providers are not subject to the minimum necessary requirement if a use or disclosure is made for treatment purposes, including care coordination and case management. However, if a covered entity discloses PHI to another covered entity that is not a health care provider (i.e., a health plan or clearinghouse), the disclosure is still subject to the minimum necessary standard. Similarly, disclosures related to care coordination and/or case management for non-treatment purposes (i.e., population-based case management and care coordination activities) are also subject to the minimum necessary standard, regardless of who is making the disclosure and who is receiving the disclosure.
Finally, the OCR is seeking information on whether it should amend the Privacy Rule for when providers can disclose PHI to non-covered entity social service providers for patient care coordination or case management. This issue is typically seen with homeless patients or patients with chronic conditions who receive both medical care and some sort of social service.
2. Promoting Parental and Caregiver Involvement and Addressing the Opioid Crisis and Serious Mental Illness.
The OCR’s RFI is attempting to find solutions that encourage providers and other covered entities to share treatment information. Potential solutions would specifically share information on opioid use treatment or serious mental illness with parents, loved ones, and caregivers of adults when an individual is facing a health emergency. The HIPAA Privacy Rule allows covered entities to disclose PHI to caregivers in emergency circumstances or when an individual is incapacitated. To do so, the disclosure must not be contrary to past preferences that the individual expressed and that the covered health care provider determines, according to the provider’s professional judgment that disclosure is in the individual’s best interest. However, anecdotal evidence suggests that some covered entities do not want to disclose PHI in such circumstances out of fear of violating HIPAA. This disconnect between what is allowed and what providers believe is allowed has become particularly relevant because of the opioid crisis in America.
In an effort to decrease care coordination issues related to this knowledge gap, the OCR is considering a separate rulemaking. This solution would seek to encourage covered entities to share PHI with family members, caregivers, or others in a position to avert health and safety threats, particularly threats facing those with substance abuse disorder or serious mental health illness. The OCR is also considering amending the Privacy Rule in a way that would allow parental involvement in the treatment of their children who may be suffering from a substance abuse disorder or serious mental illness. The OCR is requesting information to address questions and issues regarding these specific changes. The OCR is also requesting information on how the Privacy Rule can be amended in general to better address serious mental illness and substance abuse disorders.
3. Accounting of Disclosures.
The RFI is seeking to implement the Health Information Technology for Economic and Clinical Health (HITECH) Act accounting requirement. The requirement amends the HIPAA accounting requirement to also include uses and disclosures of treatment, payment, and health care operations (TPO) from electronic health records (EHR). The included uses and disclosures would provide helpful information to individuals in a way that is not overly burdensome for covered entities and discouraging to the adoption of interoperable EHRs. The accounting provisions of the Privacy Rule require covered entities to provide an individual with an accounting of certain disclosures made by that covered entity and its business associates in the prior six years, if the individual requests. The Privacy Rule currently does not require a covered entity or business associate to include disclosures made for TPO purposes to be included in the accounting. However, section 13405(c) of the HITECH Act directs HHS to amend the Privacy Rule to require covered entities to include TPO disclosures in accountings that individuals requested if those disclosures were made using EHRs and were made in the past three years.
In 2010 and 2011, the OCR released an RFI and a Notice of Proposed Rule Making (NPRM) attempting to implement the new accounting requirements. After receiving public feedback, the OCR did not take further steps to implement a final rule. The OCR feedback stated that many covered entities could not distinguish between internal access to EHRs for TPO purposes and disclosure of EHRs for TPO purposes. Therefore, it would be overly burdensome for the OCR to require covered entities to provide an accurate accounting of TPO disclosures to requesters.
The OCR intends to withdraw the 2011 NPRM and requests information to help it implement the HITECH Act accounting rule requirement. The OCR is specifically seeking information on how the rule change can be implemented to provide individuals with a meaningful accounting while avoiding overly burdensome requirements and obstacles or disincentives to adopting interoperable EHRs.
4. Notice of Privacy Practices.
Finally, the OCR is seeking to eliminate or amend the requirement that covered health care providers make a good faith effort to obtain an individual’s written acknowledgment of the Notice of Privacy Practices (NPP). The Privacy Rule requires covered providers and health plans to develop a NPP to distribute to all patients and/or plan holders. The Privacy Rule also requires that covered providers who have a direct treatment relationship with an individual make a good faith effort to obtain written acknowledgment of the NPP. If providers are unable to obtain written acknowledgement, the provider must document the reason for not obtaining the written acknowledgment. A covered provider must retain either the written acknowledgment or the documentation for six years.
The OCR is seeking information on whether the signature and record keeping requirements should be eliminated from the NPP portion of the Privacy Rule. The RFI is asking whether eliminating the requirement or modifying it in some other way could reduce burdens on physicians. The OCR hopes such burden reductions would allow physicians to spend more time providing treatment without compromising transparency surrounding a provider’s privacy practices.
The RFI is available at: