The Department of Health and Human Services (HHS) has drafted a Request for Information (RFI) to assess HIPAA Rules may be hindering patient information sharing. The move is in repose to complaints that healthcare providers are unable to efficiently coordinate patient care due to restrictive rules regarding the sharing of potentially confidential information.
The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.
HHS is seeking opinions from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.
The RFI is part of the “Regulatory Sprint to Coordinated Care” initiative. The initiative hops to identify and remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected.
The HHS will use the information received to influence future decisions on HIPAA updates. The comments will also shape which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.
One particularly vocal critic of HIPAA is the American Hospital Association. The organisation has previously issued statements about some of these issues that its members face with HIPAA and has urged the HHS to take action.
It is widely acknowledged that some areas of HIPAA should be updated to improve the sharing of patient health information. It is recognised that in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.
Currently, HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment and healthcare operations. Furthermore, there is no clear guidance on the best practices for sharing PHI, and when it is permissible to share PHI with entities other than healthcare providers.
Many critics state that the update is urgently needed, as HIPAA was originally written in a time in which most of the records were on paper, and the legislation did not date well with updates in technology. Dealign with electronic patient records is very different from dealing with paper records, and each have unique security risks. Clear guidance on the sharing of electronic records is expected in the next HIPAA update.
While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear is that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.
In addition to a general request for information, the HHS will specifically be seeking information on:
- The methods of accounting of all disclosures of a patient’s protected health information
- Patients’ acknowledgment of receipt of a providers’ notice of privacy practices
- Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
- Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
- The minimum necessary standard/requirement.
While the HHS has opened itself up to comments and opinions from different healthcare organisations, it has not yet guaranteed that any change will come to affect following the RFI.