HHS Plans Request for Information to Discover Issues Hampering Patient Information Sharing and Care Coordination

The HHS has prepared a Request for Information (RFI) to find out how HIPAA Rules are obstructing the sharing of patient information and hampering the coordination of patient care.

HHS is seeking public comments on any elements of HIPAA Rules that are discouraging or restricting coordination of patient care and case management among hospitals, doctors, payors and patients.

The RFI is one component of a new initiative named Regulatory Sprint to Coordinated Care. The aim is to eliminate obstacles that are stopping healthcare organizations from sharing patient data, while ensuring privacy and security protections remain in place. The HHS will use the feedback obtained through the RFI as a guide when considering possible improvements to HIPAA Rules to help the healthcare industry switch to coordinated, value-based health care. The RFI was submitted to the Office of Management and Budget for evaluation on November 13, 2018 and it is expected to be authorized this fall.

The comments HHS receives will be used to:

  • Evaluate the areas of HIPAA that are causing issues
  • Determine whether certain restrictions need to be removed to aid information sharing
  • Identify areas of misunderstanding of HIPAA Rules that should be tackled with further guidance.

HIPAA already allows healthcare providers to disclose patients’ PHI to another healthcare provider for treatment purposes or healthcare operations without patient authorization. However, due to the complexity of HIPAA, some healthcare organizations err on the side of caution and choose not to share health data out of fear of a HIPAA fine.

Simplifying HIPAA Rules and creating a safe harbor for good faith PHI disclosures cold certainly improve patient case management and care coordination. The HHS is willing to establish an environment where patients’ health data may be shared more freely, but there won’t be any changes to the HIPAA Security Rule. Healthcare providers, health insurers, and business associates of HIPAA-covered will still be required to implement appropriate safeguards to manage risks to PHI.

Besides the general request for information (RFI), the HHS is also seeking comments on:

  • The methods of accounting for PHI disclosures
  • Patients’ acknowledgment of receipt of a healthcare providers’ notice of privacy practices
  • Creating a safe harbor for good faith PHI disclosures for patient care coordination or case management
  • Disclosures of PHI without a patient’s consent for treatment, health care operations and payment
  • The minimum necessary standard