Request for Information on Potential Changes to HIPAA Rules to Enhance Patient Data Sharing Issued by OCR


A request for information (RFI) issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) is striving to get feedback from the public regarding prospective changes to the Health Insurance Portability and Accountability Act (HIPAA) Rules to boost coordinated, value-based medical care.

OCR is collecting recommendations regarding adjustments to the HIPAA Privacy and Security Rules that are interfering with the change to value-based healthcare and conditions of HIPAA Rules that are obstructing coordinated care between consumers and their healthcare companies.

HIPAA was introduced 22 years ago when only a few healthcare companies were utilizing electronic health records. Although there have been revisions to HIPAA through the years, a lot of industry stakeholders think that additional updates are required now that most of healthcare organizations have switched to using electronic health records.

Not long ago, the American Health Information Management Association (AHIMA) and American Medical Informatics Association (AMIA) talked to Congress about the required changes to HIPAA in order to enhance the access of patients to their health information and to make it simpler to share that information with other healthcare companies and research institutions. At this time, provisions of the HIPAA Privacy Rule are not encouraging providers to share information and patients still have trouble getting access to their health data in a format that permits them to quickly use and reuse their information.

OCR is inviting the public to send their feedback to help OCR determine the problem areas and eliminate regulatory limitations that are slowing down the development to value-based healthcare and aspects of HIPAA Rules that put a needless burden on covered entities as well as their business associates which hinder their ability to perform care coordination and patient case administration. Nevertheless, changes could just be implemented on HIPAA Rules if they don’t put in danger the privacy and protection of protected health information (PHI).

In particular, OCR want comments on these areas of HIPAA Rules:

  • Adjustments to the HIPAA Privacy Rule to boost sharing of information for treatment, care coordination, and/or case administration which motivates, incentivizes, or necessitates HIPAA-covered entities to share PHI to some other covered entities.
  • Modifications to the HIPAA Privacy Rule to prompt healthcare companies and other covered entities to discuss treatment data with patients, their family members, and caregivers of adults in health emergencies, particularly in connection with improper use of opioid.
  • Working on the HITECH Act requirement to be made up of, an accounting of disclosures, disclosures for treatment plan, payment, and health care operations (TPO) from an electronic health record (EHR) in a way that gives useful data to folks, while reducing regulatory burdens and disincentives to the usage of interoperable EHRs.
  • Modifications to the healthcare providers requirement to make a good faith attempt to get a written acknowledgment of receipt of providers’ Notice of Privacy Practices from individuals.
  • Feedback are likewise being required from healthcare companies, business associates, and other covered entities together with answers to 54 questions specified in the RFI.

The RFI was published on December 14, 2018 and feedback are to be accepted for two months following the publication date. The RFI is available for download here.