- The HHS Office for Civil Rights (OCR) has issued a request for information (RFI) on how to improve HIPAA regulations that would foster patient-centered care, care coordination, and patient data access all while protecting patient privacy.
HIPAA regulations were passed in 1996 to create protections for patient health data. Covered entities must now adhere to a certain set of standards that ideally prevent protected health information (PHI) from falling into the hands of unauthorized individuals.
Along with those protections come policies for allowing patients access to their own health data. The HIPAA Privacy Rule mandates that patients are the owners of their own health data, that they may access that data in the form of their choosing in a reasonable amount of time and for a reasonable cost, and that they may authorize other individuals to access that data (such as a family caregiver).
But those intentions did not entirely materialize, some may argue. Patients still have difficulty obtaining their medical records from a healthcare organization, despite modern technology and despite HIPAA protections.
Additionally, relevant providers struggle to access patient data when delivering care. When a new provider is unable to obtain patient data, care may be delayed or inaccurate, posing a threat to patient safety.
HHS and OCR are calling on the healthcare industry to make recommendations about how to improve HIPAA to create better care coordination and value-based care. As a part of the agencies’ Regulatory Sprint to Coordinated Care, HHS and OCR are seeking input about the aspects of HIPAA that limit information sharing.
“This RFI is another crucial step in our Regulatory Sprint to Coordinated Care, which is taking a close look at how regulations like HIPAA can be fine-tuned to incentivize care coordination and improve patient care, while ensuring that we fulfill HIPAA’s promise to protect privacy and security,” said Deputy Secretary Hargan. “In addressing the opioid crisis, we’ve heard stories about how the Privacy Rule can get in the way of patients and families getting the help they need. We’ve also heard how the Rule may impede other forms of care coordination that can drive value. I look forward to hearing from the public on potential improvements to HIPAA, while maintaining the important safeguards for patients’ health information.”
By identifying those challenge areas, HHS and OCR hope plan to consult with the medical industry to set HIPAA on the right path forward toward value-based care.
“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”
The RFI also seeks information on the following:
- Encouraging information-sharing for treatment and care coordination
- Facilitating parental involvement in care
- Addressing the opioid crisis and serious mental illness
- Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
- Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices
RFI submissions are due no later than February 11, 2019.
Other organizations have recently flirted with the idea of a HIPAA overhaul. In early December, representatives from AHIMA and AMIA testified in a health IT briefing on Capitol Hill stating that HIPAA updates could create better patient data access.
“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” AMIA president and CEO Douglas B. Fridsma, MD, PhD, FACP, FACMI, said at a health IT briefing on Capitol Hill. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”
Specifically, the language in HIPAA is confusing for patients, who are often unaware of their rights to their own health information.
“AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape,” said AHIMA CEO Wylecia Wiggs Harris said during the briefing. “The language in HIPAA complicates these efforts in an electronic world.”
As the healthcare industry continues to prioritize patient-centered care, care coordination, and value-based care, they will likely continue their debate about patient data access and how regulations enable or limit that access.