HHS Unveils Proposed HIPAA Changes

The move is just one of many regulatory tweaks being made amid the looming presidential transition.

In a landmark move made amid a flurry of other regulatory revisions affecting the healthcare industry, federal officials announced that they are proposing changes to the Health Insurance Portability and Accountability Act’s (HIPAA’s) Privacy Rule.

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced the proposed changes to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry,” the Department said in a press release. The Notice of Proposed Rulemaking (NPRM) is one part of HHS’s Regulatory Sprint to Coordinated Care initiative, which officials said seeks to promote value-based healthcare by scrutinizing federal regulations that hold back providers from making improvements for patients.

The proposed changes include “strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA-covered healthcare providers and health plans, while continuing to protect individuals’ health information privacy interests,” HHS said.

“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of common-sense care coordination and value-based arrangements for far too long,” HHS Secretary Alex Azar said in a statement. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”

OCR is now encouraging comments from stakeholders, including patients and their families, HIPAA-covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates, consumer advocates, healthcare professional associations, health information management professionals, health information technology vendors, and government entities.

The American Health Information Management Association (AHIMA) was quick to voice an opinion.

“We are pleased to see the long-awaited release of the Office of Civil Rights’ (OCR) proposed modification to the HIPAA Privacy Rule that aims to empower patients and enhance care coordination,” AHIMA Chief Executive Officer Wylecia Wiggs Harris said in a statement. “In particular, we are pleased the rule proposes strengthening the individual right of access under HIPAA. We are also pleased it seeks to clarify how an individual’s right to direct their protected health information (PHI) to a third party should be treated. In certain instances, this has led to delays in individuals being able to access their medical record.”

“We also look forward to reviewing OCR’s proposal to clarify the scope of covered entities’ ability to disclose PHI to social service agencies or community-based support programs,” Harris added. “As social determinants of health (SDoH) increasingly become a priority for many providers, the sharing of information across clinical and non-clinical settings may include PHI. This makes it critically important to prioritize the privacy, security, and confidentiality of this sensitive information.”

Public comments on the NPRM will be due 60 days after publication in the Federal Register. The NPRM can be downloaded in its entirety from HHS’s website at https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf – PDF.*

* People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at 800-368-1019, toll-free at 800-537-7697, or by emailing OCRMail@hhs.gov.

The announcement came on the heels of a Centers for Medicare & Medicaid Services (CMS) announcement that they were making the most significant changes to the Physician Self-Referral Law, better known as the “Stark Law,” since its passage in 1990 (HIPAA was signed into law in 1996).

The Stark Law prohibits physicians from making referrals to any entities for certain healthcare services if the physicians have any form of a financial relationship with such entities. But after first outlining concerns last year, federal officials said the industry’s ultimate move toward value over volume meant the law burdened providers with unnecessarily added administrative costs while inhibiting progress in the transition.

CMS noted that the provisions of the Stark Law constituted one of the top concerns voiced by providers when the agency held listening sessions in 2017 as part of its “Patients over Paperwork” initiative.