Do HIPAA Rules Establish Obstacles That Stop Data Sharing?

The HHS has drafted a Request for Information (RFI) to determine how HIPAA Rules are hampering the sharing of patient information and making it difficult for healthcare providers to coordinate patient treatment.

HHS is seeking feedback from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or restricting coordinated care and case management among hospitals, physicians, patients, and payors.

The RFI forms part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare groups from sharing patient information while maintaining the protections for patient and data privacy.

The comments submitted in response to the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare sector transition to coordinated, value-based health care.

The RFI was sent to the Office of Management and Budget for review on November 13, 2018. It is, at present, unclear when the RFI will be issued.

Certain aspects of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has been vocal about some of these issues and has urged the HHS to take steps to address them.

While there are certainly aspects of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some instances healthcare groups are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

The feedback HHS is looking for will be used to assess what aspects of HIPAA are causing issues, whether there is a chance to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further information to be issued on HIPAA Rules.

HIPAA does allow healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without permission from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some instances, how best to share PHI, and when it is permissible to distribute PHI to entities other than healthcare providers. Simplification of HIPAA Rules could help in relation to this, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and treatment co-ordination.

While the HHS is keen to establish an environment where patients’ health information can be shared more freely, the HHS has made it clear that there will not be any amendments made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

Along with a general request for information, the HHS will specifically be seeking details on:

  • The procedures for accounting for all disclosures of a patient’s protected health information
  • Patients’ acknowledgment of receipt of a provider’s notice of privacy practices
  • Establishment of a safe harbor for good faith disclosures of PHI for purposes of care coordination or treatment management
  • Instances of sharing protected health information without a patient’s authorization for treatment, payment, and health care operations
  • The minimum necessary standard/requirement.

While the RFI is likely to be published, there are no guarantees that any of the comments submitted will lead to changes to HIPAA Rules.
