OCR Requests Information on Revising HIPAA Rules

Published On: February 5, 2019

For the first time in eight years, covered entities (including health centers) have an opportunity to provide input on modifying HIPAA and should seize this opportunity to include their point of view in the process.

In what could be the first step to revising HIPAA, the Office for Civil Rights (OCR) has requested comments on whether to change the HIPAA Rules and, if so, how they should change. In the Request for Information (RFI), OCR seeks both broad input on the HIPAA Rules and input on specific provisions of the HIPAA Privacy Rule.

While the RFI includes over fifty questions, health centers should consider responding to those requests for information related to:

  • Information-sharing for treatment and care coordination: OCR includes questions about clarifying the scope of permitted disclosures of protected health information (PHI) to social services agencies and community-based support programs to facilitate treatment and coordination of care and to multi-disciplinary/multi-agency teams tasked with ensuring patients can access available health and social services.

For health centers, social service agencies and community-based support programs are key partners in coordinating patient care. OCR is contemplating the extent to which covered entities should be permitted to disclose PHI to such agencies and programs, the limitations that should apply to such disclosures and whether the covered entity and the agency/program should enter into a business associate (or similar) agreement.

Health centers regularly participate in multi-disciplinary/multi-agency teams to combat the opioid epidemic, ensure appropriate use of the emergency room and coordinate care. Health centers should share their experiences and insight working with these teams, including recommendations for including law enforcement and whether the teams should enter into a business associate (or similar) agreement.

  • Accounting of disclosures of PHI: The RFI includes fifteen questions on the accounting of disclosures requirement, including the HITECH Act requirement to include disclosures for treatment, payment, and operations purposes through an electronic health record. OCR requests information about the frequency of requests for an accounting of disclosures, the resources needed to respond, the typical timeframe for responding, and the reasons patients request an accounting of disclosures.

It is important that OCR hear directly from covered entities about the real costs associated with responding to such requests. As many health centers know, responding to these requests is resource-intensive and often involves the care team, medical records department, business associates, and legal counsel. It is also important that OCR hear from health centers that have experience with patients requesting an accounting of disclosures not for their own benefit, but to harass the covered entity.

  • Notice of Privacy Practices (NPP): OCR includes several questions on the NPP, from challenges related to obtaining the patient’s written acknowledgment of receipt, to the frequency of updates, to the use of OCR’s model NPP. This is an opportunity for covered entities to let OCR know what is working and not working when it comes to the NPP requirements.

Changing the HIPAA Rules requires a formal rule-making process and OCR makes clear that the RFI is solely for information and planning purposes. Comments to the RFI must be submitted on or before February 12, 2019.

For more information, please visit: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html.

Feldesman Tucker Leifer Fidell LLP’s Privacy and Confidentiality Team will watch developments closely and will continue to post relevant updates. If you have any questions about this or other HIPAA or patient privacy and confidentiality issues, please contact Dianne Pledgie (dpledgie@ftlf.com).