Changes Ahead for HIPAA?
As we discussed last week, the Department of Health and Human Services (HHS) recently published its semi-annual regulatory agenda. In addition to the proposed rules on fraud and abuse, drug pricing, digital health, and devices, the agenda includes topics that could bring significant changes to HIPAA regulations and other health care privacy rules.
On the enforcement side, HHS plans to issue a request for information on a proposal to share a percentage of money paid by health care organizations through civil monetary penalties or monetary settlements resulting from data breaches with the affected individuals. The request was supposed to be issued in November but has been pushed to January. There is currently no clear methodology for determining when an individual is harmed by a data breach and how much money any one individual would deserve for the resulting harm. This determination would be particularly difficult for large data breaches involving hundreds, if not thousands, of unspecified victims whose information may have been left vulnerable but not actually exploited.
HHS’s list also includes a request for information on whether HIPAA regulations are stalling progress toward increased care coordination and value-based payment systems, both of which require sharing of patient information. As providers are encouraged to work together more to improve patient outcomes and decrease costs, the flow of information between them can be restricted due to HIPAA concerns.
Finally, the list includes another topic often seen as another impediment to coordination of care: 42 CFR Part 2. HHS plans to release a notice of proposed rulemaking in March 2019. This move comes after Congress failed to pass a bill aligning 42 CFR Part 2 with HIPAA. The legislation would have permitted providers to share information about patients subject to 42 CFR Part 2 for the purpose of treatment, payment, and operations such patients, similar to HIPAA. The change would have promoted patient treatment and outcomes, which is particularly important in light of the current opioid epidemic, but Congress decided not to add it to the final opioid package passed in September.
We will be closely monitoring these proposals. Stay tuned.