The Office for Civil Rights (“OCR”) issued a request for information (“RFI”) to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act (“HIPAA”) privacy and security regulations (the “HIPAA Rules”) that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information (“PHI”).

OCR is interested in receiving recommendations for modifying the HIPAA Rules and/or OCR guidance that could further the following goals:

  • Promoting Information Sharing for Treatment and Care Coordination

Noting that the Privacy Rule permits, but does not require, covered entities to use and disclose PHI for treatment, payment and health care operations (“TPO”), and that the Privacy Rule does not establish a deadline for disclosing PHI for TPO purposes, OCR seeks comments on whether these limitations of the Privacy Rule are problematic to the sharing of PHI for treatment and care coordination, and on whether there are potential revisions to the Privacy Rule to support and promote care coordination and/or case management. OCR also seeks input on whether disclosures of PHI to non-provider covered entities for care coordination and/or case management as part of TPO should be excepted from the minimum necessary standard at 45 C.F.R. § 164.502(b)(1), and if so, to what extent.

Another area for requested comment relates to whether OCR should modify the Privacy Rule to encourage covered entities to share PHI with non-covered entities when needed to coordinate care and provide related health care services and support for individuals who are homeless or suffering from chronic conditions, and receive care from a variety of sources including covered entities, social service agencies, and community-based support programs. This request asks whether a regulatory change to expressly permit covered entities to disclose PHI to social service agencies or community-based support programs should be adopted and, if so, the requirements or conditions upon which the regulatory permission should be based.

  • Promoting Parental and Caregiver Involvement and Addressing the Opioid Crisis and Serious Mental Illness

OCR is considering a separate rulemaking that would seek to encourage covered entities to share PHI with family members, caregivers, and others in a position to avert threats of harm to health and safety, when necessary to promote the health and recovery of those with substance use disorder, including opioid use disorder, and/or serious mental illness.

The RFI does not address the impact of the federal regulations on the Confidentiality of Substance Use Disorder Patient Records at 42 C.F.R. Part 2, or state laws on achieving this goal.

  • Accounting of Disclosures

The Health Information Technology for Economic and Clinical Health Act or the “HITECH Act”, Pub. Law 111-5, directed OCR to modify the Privacy Rule to require that an accounting of disclosures include disclosures made for TPO purposes through an electronic health record during the three years before the request. OCR issued a Notice of Proposed Rulemaking in 2011 to implement the HITECH Act requirement. Among the proposed changes was to create a new right to an access report that would have shown who had accessed the information in an individual’s electronic designated record set. In response to public criticism of the proposed rule, OCR announced in the RFI that it will not finalize the 2011 proposed rule, and seeks recommendations on how OCR could implement the HITECH Act requirement and ensure that individuals can obtain a meaningful accounting of disclosures without erecting obstacles or disincentives to the adoption and use of interoperable electronic healthcare records.

  • Notice of Privacy Practices

The RFI seeks input of how the notice of privacy practices requirements at 45 C.F.R. § 164.520 might be modified to reduce covered entity burden without compromising transparency regarding providers’ privacy practices or an individual’s awareness of his or her rights.

  • Additional Ways To Remove Regulatory Obstacles and Reduce Regulatory Burdens To Facilitate Care Coordination and Promote Value-Base Health Care Transformation

Finally, OCR solicits recommendations for amending the HIPAA Rules in other areas to further reduce burden and promote coordinated care.

Comments are due February 12, 2019.