September 22, 2020

Volume X, Number 266

September 22, 2020

Subscribe to Latest Legal News and Analysis

September 21, 2020

Subscribe to Latest Legal News and Analysis

Changes Ahead for HIPAA?

As we discussed last week, the Department of Health and Human Services (HHS) recently published its semi-annual regulatory agenda.  In addition to the proposed rules on fraud and abuse, drug pricing, digital health, and devices, the agenda includes topics that could bring significant changes to HIPAA regulations and other health care privacy rules.

On the enforcement side, HHS plans to issue a request for information on a proposal to share a percentage of money paid by health care organizations through civil monetary penalties or monetary settlements resulting from data breaches with the affected individuals.  The request was supposed to be issued in November but has been pushed to January.  There is currently no clear methodology for determining when an individual is harmed by a data breach and how much money any one individual would deserve for the resulting harm.  This determination would be particularly difficult for large data breaches involving hundreds, if not thousands, of unspecified victims whose information may have been left vulnerable but not actually exploited.

HHS’s list also includes a request for information on whether HIPAA regulations are stalling progress toward increased care coordination and value-based payment systems, both of which require sharing of patient information.  As providers are encouraged to work together more to improve patient outcomes and decrease costs, the flow of information between them can be restricted due to HIPAA concerns. 

Finally, the list includes another topic often seen as another impediment to coordination of care: 42 CFR Part 2.  HHS plans to release a notice of proposed rulemaking in March 2019.  This move comes after Congress failed to pass a bill aligning 42 CFR Part 2 with HIPAA.  The legislation would have permitted providers to share information about patients subject to 42 CFR Part 2 for the purpose of treatment, payment, and operations such patients, similar to HIPAA.  The change would have promoted patient treatment and outcomes, which is particularly important in light of the current opioid epidemic, but Congress decided not to add it to the final opioid package passed in September.

We will be closely monitoring these proposals. Stay tuned.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume VIII, Number 303


About this Author

Sarah Beth S. Kuyers, Mintz Levin, nonprofit affiliation lawyer, health care systems attorney

Sarah Beth’s practice involves a variety of regulatory, transactional, and enforcement defense matters for clinical laboratories, hospitals, pharmacies, insurers, and other health care clients.

Sarah Beth routinely advises clients on a wide variety of federal and state health care regulatory issues, including anti-kickback and self-referral laws, licensure and scope of practice rules, telemedicine, certificate of need applications, food and drug law, and HIPAA compliance. She also handles licensure and regulatory filings for clinical laboratories and other health care providers....