Modernizing HIPAA to Pave the Way for Value-Based Care

HHS has taken the first step in the process to make changes to the HIPAA privacy and security regulations.  The HHS Office for Civil Rights (OCR) seeks comment on modifying the Health Insurance Portability and Accountability Act (HIPAA) regulations as part of HHS’ “Regulatory Sprint to Coordinated Care” initiative. OCR issued a request for information (RFI) this week that asks for public input on how HIPAA can be modified to remove obstacles to value-based care and care coordination while preserving patients’ privacy.

Responses must be submitted on or before February 12, 2019.

The RFI reflects HHS’ interest in modernizing HIPAA regulations to account for the evolving landscape of health care, and the evolution of electronic health records and digital health innovations, since the last major regulatory update in 2013. Since then, there have been a number of significant innovations in technology and reimbursement strategies that are fundamentally changing the delivery of health care. We anticipate that responses received from the RFI are likely to inform future rulemaking.

OCR asks that stakeholders provide feedback on how it may revise the HIPAA Privacy Rule to better incentivize care coordination and support the goals of value-based care and asks for public input on specific provisions. OCR also requests information and perspectives about covered entities’ and business associates’ technical capabilities, individuals’ interests, and methods to achieve these goals. Stated goals are:

• Promoting information-sharing for treatment and care coordination;
• Encouraging covered entities to share treatment information to allow patient family involvement in care, with a particular focus on the opioid crisis and serious mental illness;
• Implementing provisions of the HITECH Act to include accounting for disclosures of protected health information (PHI) for treatment, payment, and health care operations from an EHR, without disincentivizing the adoption and utilization of interoperable EHRs; and
• Modifying or eliminating the current requirement for providers to make a good faith effort to obtain an acknowledgement of receipt of the Notice of Privacy Practices.

The RFI expands on each of these areas and many of the solicitations contain common themes. With an overarching focus on modifications that would improve the regulation while protecting patient privacy, the RFI’s 54 questions ask stakeholders to consider the advantages and disadvantages of each suggestion and include policy proposals, examples, and costs for many of the changes. The questions include improvements to the regulation in the following areas:

• Access and Disclosures: OCR seeks input on improving processes to provide individuals with access to their PHI and imposing prescribed timelines for providers and other covered entities to disclose records through electronic access. These timelines may apply to instances where the individual has requested access to his or her records or when providers and other covered entities request PHI to coordinate patient care. Several questions focus on individual privacy measures that would allow patients to “opt out” or place restrictions on certain types of required disclosures, such as for health care operations.
• Sharing Information with Caregivers: OCR seeks information on how to improve information access processes for parents, personal representatives, and caregivers for patients with substance abuse issues (with a particular focus on opioid dependency) or serious mental illness. OCR asks that stakeholders provide feedback on whether existing permissions are adequate to allow caregivers access to information about minor and adult family members (including parents and spouses) when seeking treatment for these issues, as well as expanding access to parents, caregivers and spouses more broadly.
• Minimum Necessary: OCR requests comments on whether it should expand the exceptions to the minimum necessary rule to promote care coordination and/or case management.
• Sharing Information with Non-Covered Entities: OCR requests input on how to improve information access for social service agencies or community-based support programs in order to facilitate care coordination and comprehensive support, particularly for individuals experiencing homelessness, chronic conditions, or serious mental illness.
• Role and Responsibility of Clearinghouses: OCR seeks input on changes to rules related to health care clearinghouses, including individual access requirements and reclassification that would treat clearinghouses only as covered entities. OCR notes that this may change current processes that require clearinghouses to enter into business associate agreements with other covered entities to perform activities on their behalf.
• Utility of the Notice of Privacy Practices (NPP) Acknowledgement Process: OCR invites the public to provide comments on whether the signature and recordkeeping requirements for NPPs should be eliminated and alternate approaches to promoting patient awareness of their rights under HIPAA. OCR seeks to decrease regulatory burdens on providers and specifically requests anecdotal evidence of current provider processes for collecting patient signatures and the economic burdens of the current requirement.
• Accounting of Disclosures: OCR seeks input on modifying HIPAA’s accounting of disclosure provisions to incorporate HITECH Act requirements. Under the HITECH Act, individuals may request an accounting of disclosures of PHI for treatment, payment, and health care operations purposes (TPO) from an EHR. OCR seeks to implement that requirement to allow individuals to obtain a meaningful accounting of disclosures without impeding the adoption and use of interoperable EHRs.

Public feedback on the RFI may be submitted until February 12, 2019 via https://www.regulations.gov, hand-delivery, or mail. Stakeholders should analyze the potential impact of the RFI’s solicitations and take the opportunity to submit comments for OCR consideration. Crowell & Moring has significant experience with HIPAA regulations and can advise you on understanding the implications of these potential changes and considering responses to OCR.  For further assistance, please contact Jodi Daniel.