HHS seeks input to modify HIPAA rules, expert says proceed carefully

The U.S. Department of Health and Human Services is seeking the public’s input on how Health Insurance Portability and Accountability Act (HIPAA) rules should be modified to promote better patient care.

HIPAA rules were developed to protect patient information and enable information sharing when necessary. But in recent years, the Office for Civil Rights (OCR) has fielded calls to revisit the rules, claiming they limit the very information sharing that’s needed for coordinated care and impede standing up a payment model that rewards providing quality care to patients, also known as value-based care.

The Department of Health and Human Services (HHS) is now asking what HIPAA rules make accomplishing those goals challenging.

“In addressing the opioid crisis, we’ve heard stories about how the privacy rule can get in the way of patients and families getting the help they need,” Eric Hargan, HHS deputy secretary, said in a press release. “We’ve also heard how the rule may impede other forms of care coordination that can drive value.”

While changes have occurred within the healthcare field that could warrant some changes in regulation, HIPAA tends to be “everybody’s favorite bogeyman,” said David Harlow, a Boston lawyer who specializes in healthcare law and regulations.

“The danger in rewriting the regulations anytime something changes in the technical environment in the real world is it’s going to be different by the time the regulations are finalized, so you’re perpetually playing catch up,” he said.

Harlow said HIPAA isn’t always to blame for data-sharing issues, which instead can stem from an organization’s misunderstanding of HIPAA rules. For example, nothing in HIPAA prohibits information sharing between providers or between providers and payers, which Harlow said could indicate that healthcare providers or payers that engage in value-based payment arrangements can’t get data from their partners.

To be involved in care coordination and case management, partners, which include providers and payers, have to negotiate agreements that include data sharing, according to Harlow.

“I’m scratching my head why is this an issue,” he said.

However, Harlow believes some HIPAA rules should be modified such as shortening the length of time for an insurance company or provider to deliver a patient’s protected health information (PHI) once requested, as well as adjustments to rules regarding parental involvement in children’s care.

Harlow said some regulations have not kept up with the times that may need revisiting, but there are also rules written flexibly enough that don’t need tinkering with. He said it’s up to OCR to figure out which is which.

Seeking public input for modifying HIPAA rules is part of the Regulatory Spring to Coordinated Care initiative, which is led by HHS’ Hargan. He said in a press release that the initiative’s goal is to take a closer look at how regulations such as HIPAA can be fine-tuned to incentivize care coordination while protecting patients.

While HHS is seeking broad input on HIPAA rules, the department is also seeking comments on specific areas of the HIPAA privacy rule, such as facilitating parental involvement in patient care, accounting for patient protected health information disclosures as required by the HITECH Act, and information sharing for care coordination.

Public comments on HIPAA rule modifications are due by Feb. 11, 2019. You can submit public comments here.