On December 14, 2018, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published in the Federal Register a request for information (RFI) titled “Modifying HIPAA Rules to Improve Coordinated Care.” The RFI seeks public input on a broad range of potential reforms to Health Insurance Portability and Accountability Act (HIPAA) regulations with a focus on enhancing care coordination. Though only a preliminary step on the path to potential regulatory reform, the RFI’s scope is significant, as is the opportunity it affords stakeholders interested in sharing early input as HHS considers reforms to key health information privacy requirements.
The RFI is the latest installment in HHS’s “Regulatory Sprint to Coordinated Care,” a department-wide regulatory reform initiative that aims to identify and remove regulatory barriers to value-based care. It broadly seeks to examine potential modifications to the HIPAA rules that would “facilitate efficient care coordination and/or case management and  promote the transformation to value-based healthcare, while preserving the privacy and security” of individuals’ protected health information (PHI).
Through a series of 54 detailed questions, OCR seeks specific feedback on a range of issues, including:
- amending the privacy rule to encourage or require covered entities to disclose PHI to other covered entities for purposes of treatment and care coordination and/or case management;
- encouraging covered entities to share treatment information with parents, loved ones, and caregivers of adults experiencing health emergencies, particularly individuals affected by the opioid crisis;
- implementing the Health Information Technology for Economic and Clinical Health Act (HITECH Act) requirement that an accounting of disclosures include disclosures for treatment, payment and healthcare operations from an electronic health record in a manner that provides helpful information to individuals but minimizes regulatory burdens for covered entities; and
- eliminating or modifying the requirement that providers seek to obtain individuals’ written acknowledgement of receipt of the provider’s Notice of Privacy Practices while ensuring transparency and individuals’ awareness of their rights.
OCR also announces in the RFI that it intends to withdraw its May 2011 proposed rule to implement the HITECH Act requirement that an accounting of disclosures include disclosures for treatment, payment or healthcare operations purposes through an electronic health record during the three years before the request and grant individuals a right to receive an access report. OCR did not finalize the proposal after the comment period for the proposed rule closed and now concludes that the proposal “would create undue burden for covered entities without providing meaningful information to individuals.”
The RFI devotes significant attention to the sharing of PHI for treatment and care coordination and/or case management. On this topic, OCR requests additional information on a number of related issues, including:
- whether covered entities (all or a subset of them) should be required to disclose PHI to other covered entities or non-covered healthcare providers for treatment purposes and for payment and/or healthcare operations purposes generally (or only for specific payment or healthcare operations purposes);
- whether disclosures of PHI to non-provider covered entities for care coordination and/or case management as part of treatment and/or healthcare operations should be excepted from the minimum necessary standard and, if so, to what extent;
- whether any new requirement that covered healthcare providers (or all covered entities) share PHI when requested by another healthcare provider (or covered entity) require the requesting provider/entity to obtain explicit affirmative authorization from the patient prior to initiating the request or, alternatively, allowing the request to be based on the provider’s/entity’s professional judgment as to the best interest of the patient, the good faith of the provider/entity or some other standard;
- whether revisions to the privacy rule should address the timeliness with which a covered entity shall disclose records when requested by another healthcare provider or covered entity for purposes of coordinating or managing care; and
- whether the privacy rule should be modified or clarified to encourage covered entities to share PHI with non-covered entities (e.g., social service agencies and community-based support programs) when needed to coordinate and provide healthcare services and support.
This is an important opportunity for stakeholders to shape reform of the HIPAA rules to better reflect technological innovation and improvements in care coordination that have occurred since the HIPAA rules were first promulgated. Stakeholders should consider strategic policy recommendations that will support the government’s goals of accelerating care coordination in the U.S. healthcare system. Comments are due by February 12, 2019.