On December 12, 2018, the Department of Health and Human Services (HHS) announced a request for information (RFI) on how the current HIPAA Privacy and Security Rules may burden or complicate the increasing shift and trend toward value-based health care. The RFI comments include a call for information on how the Rules could be modified to promote value-based health care, while preserving and protecting the privacy and security of protected health information under HIPAA. The RFI seeks information such as:
- Encouraging information-sharing for treatment and care coordination;
- Facilitating parental involvement in care;
- Addressing the opioid crisis and serious mental illness;
- Accounting for disclosures of PHI for treatment, payment, and health care operations (TPO) as required by HITECH; and
- Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices.
“This RFI is another crucial step in our Regulatory Sprint to Coordinated Care, which is taking a close look at how regulations like HIPAA can be fine-tuned to incentivize care coordination and improve patient care, while ensuring that we fulfill HIPAA’s promise to protect privacy and security,” said Deputy Secretary Hargan. “In addressing the opioid crisis, we’ve heard stories about how the Privacy Rule can get in the way of patients and families getting the help they need. We’ve also heard how the Rule may impede other forms of care coordination that can drive value. I look forward to hearing from the public on potential improvements to HIPAA, while maintaining the important safeguards for patients’ health information.” HHS has designated February 11, 2019 as the deadline for responses to the RFI.
This RFI is in line with other recent requests for information issued by HHS under an initiative currently being called the "Regulatory Sprint to Coordinated Care." In the summer of this year, HHS issued a request for information seeking comment on the anti-kickback statute and the beneficiary inducement prohibition to the civil monetary penalty law as potential barriers to coordinated and value-based care. These RFIs demonstrate that HHS is serious about aligning its regulatory framework with the ongoing shift to value-based systems.
Ironically, but not surprisingly, the current trend in health information is to move forward with more liberal data-sharing. However, the enforcement activity related to HIPAA under the Office of Civil Rights (OCR) is not likely to loosen up. Notably, OCR Director, Roger Severino, is on record in saying that the agency is looking for “big, juicy, egregious cases for enforcement.” Since 2003, OCR has settled or imposed a civil money penalty in 55 cases resulting in a total dollar amount of over $78 million. Significantly, between January 2017 and December 2018, OCR has reported collecting over $45 million. In other words, over 50% of the money collected by OCR since 2003 was collected in the last two years of the program. These enforcement details, released annually by HHS, clearly support the view that enforcement actions will continue in strength into the future.
It is always a best practice to regularly review your HIPAA policies and procedures and conduct regular risk assessments to determine your organization’s level of compliance with HIPAA and HITECH.