Jared M. Bruce

OCR Issues Request for Information on Potential Changes to HIPAA Rules

January 30, 2019 | Legal Alerts

The Department of Health and Human Services Office for Civil Rights (OCR) has published a Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (RFI). OCR announced the publication of the RFI through a December 12, 2018 press release available here. OCR Director Roger Severino stated that OCR is “looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them.” Severino further stated that OCR is “committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

OCR is seeking public comment on whether and how to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (HIPAA Rules) to remove regulatory obstacles that may prevent covered entities from providing value-based health care or discourage coordinated care, while preserving and protecting the privacy and security of protected health information (PHI) and individuals’ related privacy rights. Through this RFI, OCR is requesting that covered entities and their business associates, as well as other stakeholders, provide information and perspectives on their technical capabilities, interests, and ways to provide more value-based health care to patients.

While the HIPAA Rules permit the use and disclosure of PHI for purposes related to treatment, payment, and health care operations (TPO), OCR has noted that it has recently received requests to revisit any aspects of the HIPAA Rules that may limit, or at least discourage, covered entities from sharing PHI for purposes of coordinated care. In light of these obstacles, and in an effort to promote coordinated, value-based health care, OCR is specifically requesting comments on the following aspects of the HIPAA Rules that it has identified for potential modification:

  • Promoting information sharing for treatment and care coordination;
  • Facilitating parental or caregiver involvement for individuals facing health emergencies, with a particular focus on the opioid crisis;
  • Modifying requirements related to accounting of disclosures to include disclosures of PHI for TPO purposes from an electronic health record, as required by the HITECH Act; and
  • Eliminating or modifying the requirement for certain providers to make a good faith effort to obtain an acknowledgement of receipt of the Notice of Privacy Practices.

Promoting Information Sharing for Treatment and Care Coordination

Currently, the Privacy Rule requires a covered entity to provide an individual with access to his or her PHI within 30 days after receipt of the individual’s request.[1] This requirement applies whether the health records are maintained electronically or on paper. The Privacy Rule does not, however, set a deadline for the disclosure of an individual’s PHI when it is requested by another health care provider or covered entity for purposes of care coordination or case management. OCR notes that the absence of such a requirement appears to cause untimely transfer of records between providers and leads to inefficient coordination of care.

Within the RFI, OCR has requested comments on how long it takes covered entities to provide individuals with copies of their PHI, and whether the length of time varies depending on whether paper or electronic records are maintained. OCR is requesting that covered entities provide feedback on the feasibility of providing the requested PHI within a shorter timeframe (i.e., less than the 30 days currently afforded by the Privacy Rule). Additionally, OCR is seeking comment on whether covered entities should be required to provide electronic PHI records to individuals faster than paper records. OCR has also requested specific examples, along with cost estimates, of the potential burdens that would be placed on covered entities if the timeframe for responding to PHI access requests were shortened. Finally, OCR is soliciting comments on whether covered entities should be required to transfer PHI records to other covered entities within a specified timeframe to promote the goals of more efficient care coordination and/or case management.

OCR is seeking input on the role health care clearinghouses could play in providing access to individuals’ PHI. OCR suggests that health care clearinghouses may maintain PHI from a variety of health care providers and could assist individuals in obtaining their full treatment histories from one source in lieu of separately requesting PHI from each health care provider. However, OCR notes that health care clearinghouses are currently permitted to provide individuals with access to PHI only as permitted by their business associate agreements with covered entities. Accordingly, OCR seeks input on whether health care clearinghouses should be subject to the individual access requirements, which would require the clearinghouses to provide individuals with their designated record set upon request. Furthermore, OCR solicits comments on whether health care clearinghouses should be treated as covered entities in their own right, subject to all of the HIPAA Rules, rather than as business associates that operate under business associate agreements.

OCR is also considering how the 21st Century Cures Act should interact with the HIPAA Rules. As a result, OCR is requesting comments on what considerations it should take into account to ensure that any potential Privacy Rule requirement to disclose PHI is consistent with rulemaking by the Office of the National Coordinator for Health Information Technology to prohibit information blocking as defined by the 21st Century Cures Act.

Within the RFI, OCR has noted that HIPAA covered entities are currently permitted, but not required, to disclose PHI to a health care provider who is not covered by HIPAA (i.e., a health care provider that does not engage in electronic billing or other covered electronic transactions) for the treatment and payment purposes of either entity.[2] OCR seeks comment on whether HIPAA covered entities should be required to disclose PHI to non-covered health care providers for care coordination and case management, and on the administrative processes for establishing such a requirement.

Finally, within this section of the RFI, OCR is soliciting comments on how health care providers should interact with other entities that may provide related non-treatment services or other assistance to individuals beyond health care. OCR seeks comment on whether disclosures related to non-treatment activities, such as population-based case management, care coordination, claims management, utilization review, or formulary development, should be subject to the minimum necessary standard. If disclosures of PHI to non-provider covered entities for care coordination and/or case management as part of TPO purposes should be exempt from the minimum necessary standard, OCR would like to determine the appropriate extent of that exemption.

Moreover, OCR has recognized that some individuals may also receive services from social services agencies or community-based support programs specifically designed to coordinate the full spectrum of care across multiple social determinants of health, including access to housing and other necessities. While the Privacy Rule permits covered entities to share PHI for this coordination of care,[3] OCR notes that some covered entities are reluctant to do so for fear of violating the HIPAA Rules. OCR asks whether an express regulatory permission should be created for HIPAA covered entities to disclose PHI to social services agencies or community-based support programs. Further, OCR requests input on the conditions on which such a regulatory permission should be based, including whether covered entities should be required to enter into agreements for such purposes containing provisions similar to those of business associate agreements.

Promoting Parental and Caregiver Involvement in Addressing the Opioid Crisis and Serious Mental Illness

The Privacy Rule allows health care providers to disclose PHI to caregivers in certain circumstances, including certain emergency circumstances.[4] However, OCR has noted that some covered entities are reluctant to share information with caregivers for fear of violating the HIPAA Rules. As a result, OCR is seeking comment on whether changes to the HIPAA Rules should be made to encourage covered entities, particularly health care providers, to share treatment information with the parents, loved ones, and caregivers of adults facing health emergencies, with a particular focus on the opioid epidemic. Specifically, OCR is requesting suggestions on what changes could be made to the existing HIPAA Rules to help address the opioid epidemic, and what risks are associated with encouraging health care providers to make these disclosures in the interest of patient safety. For example, would individuals suffering from opioid addiction be discouraged from seeking care if providers were encouraged to share information about their addiction with loved ones? This is one of the questions on which OCR seeks input in order to balance the risks and benefits of any potential changes to the HIPAA Rules addressing the opioid epidemic.

OCR is also requesting feedback on whether any changes to the Privacy Rule are necessary to help ensure that parents are able to obtain the treatment information of their minor children, especially where the child is suffering from a substance use disorder (including an opioid use disorder) or a mental health condition. Alternatively, OCR would like to know whether the existing permissions under the Privacy Rule are adequate. If the Privacy Rule does need to be modified to further this goal, OCR is also requesting feedback on the limitations that should apply to parental access in light of the privacy interests of minor children.

OCR has also solicited comments on whether changes should be made to the Privacy Rule to allow parents or spouses greater access to the treatment information of children or spouses who have reached the age of majority. Moreover, OCR seeks comments on whether changes should be made to allow adult children to access the treatment records of their parents in certain circumstances (for example, access to basic information regarding a parent’s condition if the parent is being treated for early onset dementia). The Privacy Rule currently defers to state or other applicable law to determine the authority of a person, such as a parent or spouse, to act as the personal representative of an individual in making decisions related to that individual’s health care.[5] OCR is seeking comments on how to reconcile changes to a personal representative’s authority under the HIPAA Rules with state laws that define the scope of parental or spousal authority for state law purposes.

Accounting for Disclosures of PHI made for Purposes of Treatment, Payment, and Health Care Operations Using an Electronic Health Record System

The Privacy Rule currently requires covered entities to provide, upon request, an individual with an accounting of disclosures of PHI made by the covered entity or its business associates to outside entities in the six years prior to the date on which the accounting is requested, subject to certain exceptions.[6] One such exception covers disclosures made for TPO purposes, so covered entities and business associates currently have no obligation to account for TPO disclosures.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) eliminated this exception for TPO disclosures and directed OCR to modify the Privacy Rule to require covered entities to provide an accounting of disclosures made for TPO purposes, but only for disclosures made through an electronic health record (EHR) system. In response to this mandate, OCR issued a Request for Information soliciting feedback on the administrative burden such a modification would cause. Much of the feedback received asserted that the burden would be great, largely because EHR systems were not capable of distinguishing between internal access to PHI, which the Privacy Rule treats as a “use,” and external access to PHI, which the Privacy Rule treats as a “disclosure.” OCR’s alternative proposal to require covered entities to provide an “access report,” which would show who had accessed the information in an individual’s electronic designated record set for any purpose, also drew opposition because of the technical limitations of EHR systems and their inability to produce such reports.

In light of OCR’s determination that the proposed accounting of disclosures made for TPO purposes would create an undue burden for covered entities and provide little meaningful information to individuals, OCR now seeks public input on the best method of implementing the HITECH Act requirement in a way that would allow individuals to obtain a meaningful accounting of disclosures and facilitate care coordination, while still placing appropriate limitations on disclosures. With this goal in mind, OCR requests that covered entities and business associates provide data on the number of requests for an accounting of disclosures received by covered entities, the format of those requests, and how many requests are made for information not currently required to be included in the accounting (e.g., disclosures for TPO). The RFI also solicits information on the burden imposed on covered entities and business associates when responding to a request for an accounting of disclosures.

The appropriate role of business associates in providing an accounting of disclosures is also of interest to OCR. The RFI requests feedback on whether covered entities should be permitted to refer an individual to a business associate to obtain an accounting of disclosures made for TPO purposes, or whether covered entities should be required to account for disclosures made by their business associates. Additionally, OCR has requested information on the scenarios in which a business associate might make a disclosure of PHI for TPO purposes through an EHR.

Not surprisingly, in light of OCR’s previous determination that implementing the HITECH Act requirement would be unduly burdensome because of the technical limitations of EHR systems, the RFI seeks insight into the current capabilities and uses of EHR systems. In particular, many of the questions seek to ascertain how EHR systems collect the information that would be used in an accounting of disclosures, and the cost of implementing an EHR system or feature that would facilitate the accounting of disclosures for TPO purposes. Finally, OCR requests specific information on how the Privacy Rule could be modified to provide individuals with meaningful access to information about TPO disclosures, and whether there may be alternative methods for achieving this goal, such as requiring a thorough investigation of disclosures of PHI upon receipt of a request for an accounting of TPO disclosures in lieu of providing a standard accounting of such disclosures.

Modifying the Requirement for Certain Providers to Make a Good Faith Effort to Obtain an Acknowledgement of Receipt of the Notice of Privacy Practices

The Privacy Rule requires most covered entities to develop a Notice of Privacy Practices (NPP) that describes how the covered entity may use and disclose individuals’ PHI.[7] The NPP must be made available to any person who asks for it and must be displayed prominently on the covered entity’s website, if it maintains one.[8] Additionally, covered direct treatment providers must provide the NPP to individuals no later than the date of first service delivery and, except in emergency treatment situations, make a good faith effort to obtain the individual’s written acknowledgement of receipt of the NPP.[9] If an acknowledgement cannot be obtained, the provider must document his or her good faith efforts to obtain it and the reason it was not obtained. This documentation must be retained for no less than six years.[10] While these requirements are intended to give individuals an opportunity to review the NPP and discuss any concerns with the provider, OCR has acknowledged the burden the signature and recordkeeping requirements place on providers and their detrimental impact on resources that could otherwise be allocated to care coordination.

Questions in the RFI focus on the content of NPPs and potential modifications to better inform individuals of their HIPAA rights and prevent misunderstandings. Additionally, OCR seeks data on covered entities’ procedures for disseminating NPPs, the economic burden on covered providers of obtaining written acknowledgement and storing NPP-related documentation for the requisite six years, and how frequently covered providers fail to obtain the required acknowledgement from an individual. Finally, OCR seeks information outlining the barriers to obtaining acknowledgement, the benefits or adverse consequences of removing the signature and acknowledgement requirements, and potential alternatives for documenting the provision of NPPs to individuals.

In addition to the specific items listed above, OCR has asked for any additional recommendations on how it could amend the HIPAA Rules to further reduce administrative burdens and promote coordinated care. The complete RFI can be accessed here. Responses to the RFI must be submitted to OCR by February 11, 2019.

If you have any questions regarding the RFI or would like to submit a response to OCR regarding the RFI, please contact your Dinsmore health care attorney.


[1] See 45 C.F.R. § 164.524.

[2] See 45 C.F.R. § 164.506(c)(1)-(3).

[3] This is included in the definition of “treatment” at 45 C.F.R. § 164.501.

[4] See, e.g., 45 C.F.R. § 164.510(b)(3); 45 C.F.R. § 164.512(j).

[5] See 45 C.F.R. § 164.502(g)(3).

[6] 45 C.F.R. § 164.528(a).

[7] 45 C.F.R. § 164.520.

[8] 45 C.F.R. § 164.520(c)(3)(i).

[9] 45 C.F.R. § 164.520(c)(2).

[10] 45 C.F.R. § 164.520(c)(2)(ii) and (e).