HIPAA update inches closer to reality

HHS said it is looking to remove regulatory barriers to health information sharing and the plan just took a first step.
By Diana Manos
09:06 AM

Federal regulatory efforts to upgrade HIPAA have taken a step toward reform. The Department of Health and Human Services’ Office of Civil Rights (OCR) passed the HIPAA request for information (RFI) on to the Office of Management and Budget, appearing on the OMB docket for review on Nov. 13, 2018.


This is just one step in many for HIPAA reform’s long march from its origin in the days of paper medical records to the accommodation of the electronic data-sharing needed to coordinate care under today’s value-based payment models. 

Yale researchers last month, for instance, said that even despite HIPAA's intent, hospitals wind up being roadblocks to patients trying to access data in EHRs, and calls to overhaul the law for the digital age have grown louder recently. 

“The HHS Deputy Secretary recently launched an initiative called the Regulatory Sprint to Coordinated Care. The goal of the Regulatory Sprint is to remove regulatory barriers that impede coordinated, value-based health care. This RFI is being produced to support the Regulatory Sprint,” according to the OMB docket.

The docket does not say when the RFI will be approved by OMB and released to the public, but it does explain that the RFI will solicit public views on how HIPAA poses barriers to or discourages coordinated care. It will also seek comments on:

  • Methods of accounting of all disclosures of a patient's protected health information;
  • Patients' acknowledgment of receipt of a providers' notice of privacy practices;
  • The creation of a safe harbor for good faith disclosures of personal health information for purposes of care coordination or case management;
  • Disclosures of protected health information without a patient's authorization for treatment, payment, and health care operations; and
  • The minimum necessary standard or requirement.


Though the federal government is looking to loosen the regulatory constraints that make sharing-data difficult, the enforcement aspect related to HIPAA security is not likely to loosen up.

OCR Director Roger Severino has repeatedly said the agency is looking for “big, juicy, egregious cases for enforcement.”

Already, from January 2017 to October 2018, OCR has reported collecting $45 million in HIPAA enforcement actions.

Healthcare providers are keen on sharing data to improve population health, despite the perceived HIPAA impediments. The trend is to move forward with more liberal data-sharing. A report from de Beaumont Foundation and Johns Hopkins Bloomberg School of Public Health, titled "Using Electronic Health Data for Community Health," said senior public health officials have shown interest in using electronic health data “to both guide action and geographic 'hot spotting' of both communicable and chronic diseases not included in statutory reporting requirements."


“The agency is importantly taking a fresh look at the practicality for providers versus benefit to patients,” according to the law firm Wyrick Robbins. “However, the message was also clear on the security side: the Security Rule will not be changed; covered entities and business associates need to implement scalable controls appropriate to risks within their organizations; and OCR enforcement initiatives are not slowing down.”

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.