OCR Issues Request for Information on Potential Updates to HIPAA Rules to Improve Data Sharing

The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a request for information (RFI) seeking comments from the public on potential modifications to Health Insurance Portability and Accountability Act (HIPAA) Rules to promote coordinated, value-based healthcare.

OCR is seeking suggestions about changes to aspects of the HIPAA Privacy and Security Rules that are impeding the transformation to value-based healthcare and provisions of HIPAA Rules that are discouraging coordinated care between individuals and their healthcare providers.

HIPAA was first enacted 22 years ago at a time when few healthcare providers were using digital health records. While there have been updates to HIPAA over the years, many industry stakeholders believe further updates are necessary now that the majority of healthcare organizations have transitioned to digital health records.

Recently, the American Medical Informatics Association (AMIA) and American Health Information Management Association (AHIMA) explained to Congress that changes to HIPAA are required to improve patients’ access to their health data and to make it easier for that information to be shared with other healthcare providers and research organizations. Currently, aspects of the HIPAA Privacy Rule are discouraging providers from sharing data, and patients still have difficulty accessing their health information in a format that allows them to easily use and reuse their data.

OCR is encouraging the public to submit comments to help it identify problem areas and remove regulatory obstacles that are hampering the transformation to value-based healthcare, as well as aspects of HIPAA Rules that place an unnecessary burden on covered entities and their business associates and impede their ability to conduct care coordination and case management. However, changes can only be made to HIPAA Rules if they do not jeopardize the privacy and security of protected health information.

Specifically, OCR is seeking feedback on the following aspects of HIPAA Rules:

  • Changes to the HIPAA Privacy Rule to promote information sharing for treatment, care coordination, and/or case management which encourages, incentivizes, or requires HIPAA-covered entities to disclose PHI to other covered entities.
  • Changes to the HIPAA Privacy Rule to encourage healthcare providers and other covered entities to share treatment information with patients, their loved ones, and caregivers of adults in health emergencies, especially related to opioid misuse.
  • Implementing the HITECH Act requirement to include, in an accounting of disclosures, disclosures for treatment, payment, and health care operations (TPO) from an electronic health record (EHR) in a manner that provides helpful information to individuals, while minimizing regulatory burdens and disincentives to the adoption and use of interoperable EHRs.
  • Changes to the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices.

Comments are also being sought from healthcare providers, business associates, and other covered entities along with answers to 54 questions detailed in the RFI.

The RFI will be published on December 14, 2018, and comments will be accepted for 60 days after the publication date. The RFI can be downloaded from this link.

Author: HIPAA Journal