OCR Asks for Your Feedback: The Request for Information on Reducing Regulatory Burdens to Improve Care Coordination
On December 14, 2018, OCR issued a Request for Information (“RFI”) asking how HIPAA can be revised to better promote care coordination and value-based care while preserving privacy and security protections. The RFI is relatively short, and easily digestible. It categorizes its requests into four topic areas, asking more specific questions under each of those categories. The RFI has 54 numbered questions, many of which include sub-questions.
The summary below provides a high-level overview. The requests that are highlighted have been shortened and consolidated with similar requests.
1. Promoting information sharing for treatment and care coordination. OCR is interested in information about how to better encourage, incentivize, or require covered entities to disclose PHI to other covered entities. The requests include, among others:
- The length of time it takes to respond to individuals’ requests for access, and the feasibility and burdens of responding in a more rapid manner, especially for ePHI.
- The difficulty in obtaining records from other providers for treatment purposes, and whether treatment, payment, and health care operations disclosures should be mandatory. If deemed mandatory, OCR asks whether there should be exceptions, limitations, or “opt out” options for such disclosures, and whether it should implement a timeliness requirement.
- Whether there should be exceptions to the minimum necessary rule for care coordination purposes, such as case management, claims management, utilization review, etc.
- Whether a covered entity should be permitted to disclose PHI to social service agencies for community support and care coordination purposes.
2. Promoting parental and caregiver involvement and addressing the opioid crisis and serious mental illness. OCR would like input on how it could modify HIPAA to encourage providers and other covered entities to share treatment information with parents, loved ones, and caregivers of those facing health emergencies, especially those dealing with the opioid crisis. The requests include, among others:
- What changes can be made to help address the opioid epidemic or to treat patients with serious mental illnesses, and if such changes would discourage individuals from seeking needed health care.
- Issues faced by parents/guardians of minor patients who are treated for substance use disorder, and whether there should be changes permitting an individual to more easily access their adult child’s or spouse’s PHI.
3. Accounting of disclosures. The HITECH Act required providers to provide an accounting of disclosures of treatment, payment, and health care operations (“TPO”) made from an electronic health record. In 2011, OCR issued a Notice for Proposed Rulemaking where it proposed modifications to the Privacy Rule in order to implement the HITECH TPO accounting requirement. A final rule was never published, and OCR notes that it withdraws the NPRM in favor of soliciting new feedback on this requirement. OCR now asks for information about how to implement this requirement in a manner that both provides individuals with useful information and minimizes the burden on providers. The requests include, among others:
- The frequency, and purpose, of accounting requests and how long it takes to respond to such requests.
- If a covered entity’s system captures and maintains TPO-related accounting, how many TPO disclosures are made per year.
- Whether EHR systems are able to distinguish between uses and disclosures, as the terms are defined by HIPAA, and what information is maintained about access, what data collection is automated versus inputted manually.
- The time and expense of adding a TPO accounting function to new or existing EHRs.
- Alternatives to a system-generated accounting of TPO disclosures.
4. Notice of Privacy Practices. OCR is considering eliminating or modifying the requirement for providers to make a good faith effort to have individuals sign an acknowledgement of the receipt of the Notice of Privacy Practices. The requests include, among others:
- An estimate of the costs providers incur in obtaining the written acknowledgement and for a percentage of individuals that do not sign the acknowledgement.
- How the Notice fits within the provider’s intake process and other paperwork.
- The purpose for which acknowledgment forms are used by providers.
- The benefits and drawbacks of removing the acknowledgment requirement.
- Whether covered entities use a model Notice, and if the use of a model Notice should deem a covered entity compliant with Notice requirements.
The RFI’s final question is open-ended, inviting additional recommendations to revise the HIPAA rules to reduce regulatory burdens and promote coordinated care.
We encourage those interested in these topics to read and respond to the RFI. We also encourage those who experience pain points with HIPAA compliance to use the RFI as an opportunity to provide feedback to OCR on how HIPAA can be modified to ease these burdens.
Individuals or organizations who are interested in submitting information in response to the RFI should follow the instructions under the heading “Addresses.” Comments are due on or before February 12, 2019.