OCR REQUEST FOR INFORMATION ON MODIFYING HIPAA RULES
On December 14, 2018 the Office for Civil Rights (OCR) issued a “Request for Information” (RFI)[1]to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals' protected health information.
First, why the “Office of Civil Rights” request for information? Answer: OCR has delegated authority from the Secretary of Health and Human Services to make decisions regarding the implementation, interpretation, and enforcement of the Privacy Rule.
Second, under this authority, OCR also administers and enforces the Security Rule, which requires covered entities and their business associates to implement certain administrative, physical, and technical safeguards to protect [2]ePHI; and the Breach Notification Rule, which requires covered entities to provide notification to affected individuals, the Secretary of HHS, and, in some cases, the media, following a breach of unsecured PHI, and requires a covered entity's business associate that experiences a breach of unsecured PHI to notify the covered entity of the breach.
Regarding the “Request for Information on Modifying HIPAA Rules To Improve Coordinated Care”, the OCR sought public input on ways to modify the HIPAA Rules to remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based health care, while preserving the privacy and security of PHI. Specifically, OCR sought information on the provisions of the HIPAA Rules that may present obstacles to, or place unnecessary burdens on, the ability of covered entities and business associates to conduct care coordination and/or case management, or that may inhibit the transformation of the health care system to a value-based health care system. Correspondingly, OCR seeks comment on modifications to the HIPAA Rules that would facilitate efficient care coordination and/or case management, and/or promote the transformation to value-based health care. OCR also broadly requests information and perspectives from regulated entities and the public about covered entities' and business associates' technical capabilities, individuals' interests, and ways to achieve these goals. In addition, OCR sought comment on aspects of the Privacy Rule that OCR has identified for potential modification to further these goals, specifically -
1) Promoting information sharing for treatment and care coordination and/or case management by amending the Privacy Rule to encourage, incentivize, Start Printed Page or require covered entities to disclose PHI to other covered entities.
2) Encouraging covered entities, particularly providers, to share treatment information with parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid crisis.
3) Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record (EHR) in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
4) Eliminating or modifying the requirement for covered health care providers to make a good faith effort to obtain individuals' written acknowledgment of receipt of providers' Notice of Privacy Practices, to reduce burden and free up resources for covered entities to devote to coordinated care without compromising transparency or an individual's awareness of his or her rights
*Part One of Two
[1] https://www.federalregister.gov/documents/2018/12/14/2018-27162/request-for-information-on-modifying-hipaa-rules-to-improve-coordinated-care
[2] EPHI: Electronic Protected Health Information/PHI: Protected Health Informat
Proposed Modifications to the HIPAA Privacy Rule, MArch 2021
On March 10, 2021 the Department of Health and Human Services (the Department) extended the comment period for the proposed rule entitled “Notice of Proposed Rulemaking” (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), published in the Federal Register on January 21, 2021 . The comment period for the proposed rule, was extended to May 6, 2021 . The extension allows the Secretary of Health and Human Services to make decisions regarding the implementation, interpretation, and enforcement of the Privacy Rule. Second, under this authority, OCR also administers and enforces the Security Rule, which requires covered entities and their business associates to implement certain administrative, physical, and technical safeguards to protect ePHI; and the Breach Notification Rule, which requires covered entities to provide notification to affected individuals, the Secretary of HHS, and, in some cases, the media, following a breach of unsecured PHI, and requires a covered entity's business associate that experiences a breach of unsecured PHI to notify the covered entity of the breach. Read more here at https://www.linkedin.com/posts/hipaa-analytics_proposed-modifications-to-the-hipaa-privacy-activity-6800854212394700800-fFnO