On December 12, 2018, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) issued a Request for Information (“RFI”) seeking public comment to identify provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) regulations that may impede the transition to value-based care or that limit the coordination of care. This RFI comes as part of the Regulatory Sprint to Coordinated Care, an HHS initiative to identify regulatory hurdles to care coordination.
The HIPAA Privacy and Security Rules (the “Rules”) were implemented to safeguard protected health information (“PHI”) from improper uses and disclosures. However, OCR is now concerned that certain aspects of these Rules may limit and discourage the information sharing needed to coordinated care and facilitate the transformation to value-based care. With this RFI, OCR hopes to identify such problematic provisions of the Rules and potential modifications that would remove limitations to care coordination, while still effectively protecting PHI. It is important to note, however, and to consider when submitting comments, that the HIPAA regulations are only one element that may pose barriers to information sharing. State laws also regulate uses and disclosures of health information and must be considered in this context as well.
In the RFI, OCR is seeking comments on:
- Amending the Rules to encourage or require covered entities to disclose PHI to other covered entities.
- Encouraging covered entities to share treatment information with loved ones and caregivers of individuals suffering from serious mental illness or substance use disorder to promote the health and recovery of the adult patient. OCR noted a particular focus on potential amendments to the Rules that would allow OCR to better address the opioid crisis.
- Implementing the provisions of the HITECH Act that require, in an accounting of disclosures of PHI, disclosures for treatment, payment and health care operations (“TPO”) from an electronic health record (“EHR”). OCR also desires to ensure that individuals can obtain a meaningful accounting of disclosures that gives them confidence that their PHI is being disclosed appropriately, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
- Removing the requirement for covered providers to make a good faith effort to obtain a patient’s written acknowledgment of receipt of the provider’s Notice of Privacy Practices.
Should providers be required to disclose PHI to other providers?
OCR posed a number of questions to the public in the RFI, nearly half of which dealt with potential modifications to the Rules to encourage or require covered entities to disclose PHI to other covered entities. Such a requirement, OCR explained, would enable more timely transfer of PHI between covered entities and, by doing so, would support and promote care coordination. To further support care coordination, OCR sought comment on potential modifications to the requirement that covered entities disclose or request only the minimum PHI necessary to meet the purpose of the use, disclosure or request. Among others, OCR posed the following questions to commenters:
- Should covered entities be required to disclose PHI when requested by another covered entity, and if so, should the requirement be limited to disclosure for treatment purposes only or for all TPO purposes? Further, when responding to a covered entity’s request for PHI, should covered entities have to comply with a timeliness requirement similar to that imposed when an individual requests access to his or her own PHI?
- Should OCR modify the Rules to expressly permit disclosure of PHI to multi-disciplinary/multi-agency teams that help individuals access available health and social services? Similarly, should OCR clarify the ability of covered entities to disclose PHI to social service agencies and community-based support programs to facilitate treatment and care coordination to the individual? OCR believes that such modifications would allow covered entities to work with social support agencies to better serve individuals. As an example, a covered entity could disclose PHI to a local housing agency to make sure that the agency finds housing for the individual to facilitate that individual’s access to health care providers.
How can the rules be modified to address the opioid crisis and mental health concerns?
In an effort to address the opioid crisis and serious mental illness (“SMI”), OCR requested comments on ways to encourage covered entities to share information with caregivers, loved ones and others in a position to avert threats of harm to health and safety, when necessary to promote the health and recovery of the individual struggling with substance use disorder or SMI. Specifically, OCR sought comment on the following questions:
- Is there concern that encouraging more sharing of PHI in these circumstances may discourage individuals from seeking needed health care services?
- Are there potential modifications to the Rules that would assist parents to obtain the treatment information of their minor children with substance use disorders or SMI, or are existing permissions adequate? Conversely, OCR also asked whether, in certain circumstances, adult children should be able to access the treatment records of their parents, who may be suffering from diseases such as early onset dementia, and if so, what limitations should apply.
How can the rules be modified to implement the HITECH Act’s accounting of disclosures requirement?
In relation to the required accounting of PHI disclosures that a covered entity must provide upon request by an individual, OCR requested comment on potential modifications to the Rules to comply with the HITECH Act requirement that covered entities provide an accounting of disclosures that also includes disclosures made for TPO purposes. OCR presented the following questions for comment:
- How much effort and time is required for covered entities to respond to an individual’s request for an accounting of disclosures, and what would be the effect if covered entities were to provide a full accounting of disclosures for TPO purposes?
- What data elements should be provided in an accounting of TPO disclosures, and how important is it to individuals to know the specific purpose of a disclosure, as opposed to a general purpose such as “for treatment”? If EHR systems do not already collect such information or are not capable of accounting for such TPO disclosures, what would be the burden in time and financial cost to implement such a feature?
Should the requirement to obtain written acknowledgment of receipt of a provider’s Notice of Privacy Practices be lessened or otherwise modified?
OCR also solicited comments to determine if the requirement that providers make a good faith effort to obtain from patients a written acknowledgment of receipt of the provider’s Notice of Privacy Practices (“NPP”) creates an undue burden on providers. As part of this solicitation, OCR posed the following questions:
- What is the burden, in economic terms, for providers to make a good faith effort to obtain an individual’s written acknowledgment of the provider’s NPP and to document this effort?
- Are there modifications to the content and provision of NPP requirements that would lessen the burden of compliance for covered entities while preserving transparency about covered entities’ privacy practices and individuals’ awareness of privacy rights?
OCR is accepting comments to the RFI through February 11, 2019. Comments may be submitted electronically, via hand delivery or by mail. The complete RFI, including details on where to submit comments, can be found here.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.