Recently, the Department of Health and Human Services (HHS) announced a request for information on how the current Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules may impede the transformation to coordinated, value-based health care. HHS welcomed comments on “how the rules could be revised to promote these goals, while preserving and protecting the privacy and security of such information and individuals’ rights with respect to it.” Responses to the RFI are due February 11, 2019.
HIPAA
The HIPAA Privacy and Security Rules protect individuals’ medical records and other individually identifiable health information, known as “protected health information,” or “PHI”. The Privacy and Security Rules limit the circumstances under which covered entities may use and disclose PHI and require covered entities to implement safeguards to protect the privacy and security of PHI. The Privacy Rule also gives individuals rights with respect to their PHI.
RFI
“This RFI is another crucial step in our Regulatory Sprint to Coordinated Care, which is taking a close look at how regulations like HIPAA can be fine-tuned to incentivize care coordination and improve patient care, while ensuring that we fulfill HIPAA’s promise to protect privacy and security,” said Deputy Secretary Hargan. “In addressing the opioid crisis, we’ve heard stories about how the Privacy Rule can get in the way of patients and families getting the help they need. We’ve also heard how the Rule may impede other forms of care coordination that can drive value. I look forward to hearing from the public on potential improvements to HIPAA, while maintaining the important safeguards for patients’ health information.”
The RFI has a specific focus on the HIPAA Privacy Rule, including:
- Encouraging information-sharing for treatment and care coordination;
- Facilitating parental involvement in care;
- Addressing the opioid crisis and serious mental illness;
- Accounting for disclosures of PHI for treatment, payment, and health care operations (TPO) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 (HITECH Act); and
- Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices.