As part of the Trump administration’s push to simplify regulations, changes to the Health Insurance Portability and Accountability Act (HIPAA) rules are in the works. In 2019, the Department of Health and Human Services (HHS) is expected to propose HIPAA privacy rules that would ease information sharing and to revoke other rules that had called for health plans to obtain and use unique identifying numbers.
Last December, the HHS Office for Civil Rights (OCR) issued a request for information, asking for input on changing HIPAA’s privacy and security rules to promote value-based and coordinated healthcare while preserving the privacy and security of individuals’ protected health information (PHI). The request specifically seeks comments on several aspects of the HIPAA privacy rules, including how to:
Regulators are likely to propose revised rules later this year.
Late last year, HHS proposed revoking the burdensome final rule that called for most health plans to obtain unique identification numbers, known as HPIDs, to use in HIPAA-covered transactions. Related proposed rules, which would have required covered health plans to certify compliance with electronic transaction standards that would use the HPID under HIPAA, were withdrawn in 2017.
Shortly before the HPID rule took effect, HHS issued a nonenforcement policy that spares covered entities that don’t comply from any penalties. That policy remains in place until HHS issues a final rule revoking the HPID requirement. Regulators are likely to release that rule later this year.
Employers and other stakeholders may want to file comments to let the OCR know how the HIPAA privacy rule may have impeded different types of innovative, value-based case-management and care-coordination programs. For example, some employers may have experienced difficulties obtaining or sharing claims data and other information when working with the various vendors that help manage health plans. Once the proposed HIPAA privacy rule is issued, employers should review the rule’s potential impact on their health plans and programs, consider commenting on the proposal, and prepare to make any changes that the new rule — once finalized — might require.
While HHS never enforced the HPID requirement, employers will welcome formal revocation of that rule. Nevertheless, employers may still want to review how their vendors conduct e-transactions and keep tabs on any future efforts to regulate health plans in this area.