As part of the Trump administration’s push to simplify regulations, changes to the Health Insurance Portability and Accountability Act (HIPAA) rules are in the works. In 2019, the Department of Health and Human Services (HHS) is expected to propose HIPAA privacy rules that would ease information sharing and to revoke other rules that had called for health plans to obtain and use unique identifying numbers.
Proposed HIPAA Privacy Rules
The HHS Office for Civil Rights (OCR) last December issued a request for information, asking for input on changing HIPAA’s privacy and security rules to promote value-based and coordinated healthcare, while preserving the privacy and security of individuals’ protected health information (PHI). The request specifically seeks comments on several aspects of the HIPAA privacy rules, including how to:
- Promote information sharing for treatment and care coordination and/or case management by amending the privacy rule to encourage, incentivize or require covered entities to disclose PHI to other covered entities
- Encourage covered entities to share treatment information with parents, loved ones and caregivers of adults facing health emergencies, with a focus on the opioid crisis and serious mental illnesses
- Implement the HITECH Act’s requirement to include electronic health records when supplying an accounting of PHI disclosures, in a way that makes the information helpful to individuals while minimizing regulatory burdens and disincentives to use electronic health records
- Eliminate the requirement for providers to make a good-faith effort to obtain written acknowledgement of their privacy practices from their patients
Regulators are likely to propose revised rules later this year.
Health Plan Identifier (HPID) Rules Soon Gone
Late last year, HHS proposed revoking the burdensome final rule that called for most health plans to obtain unique identification numbers, known as HPIDs, to use in HIPAA-covered transactions. Related proposed rules, which would have required covered health plans to certify compliance with electronic transaction standards that would use the HPID under HIPAA, were withdrawn in 2017.
Shortly before the HPID rule took effect, HHS issued a nonenforcement policy that spares covered entities that don’t comply from any penalties. That policy remains in place until HHS issues a final rule revoking the HPID requirement. Regulators are likely to release that rule later this year.
Employers and other stakeholders may want to file comments to let the OCR know how the HIPAA privacy rule may have impeded different types of innovative, value-based case-management and care-coordination programs. For example, some employers may have experienced difficulties obtaining or sharing claims data and other information when working with the various vendors that help manage health plans. Once the proposed HIPAA privacy rule is issued, employers should review the rule’s potential impact on their health plans and programs, consider commenting on the proposal, and prepare to make any changes that the new rule — once finalized — might require.
While HHS never enforced the HPID requirement, employers will welcome formal revocation of that rule. Nevertheless, employers may still want to review how their vendors conduct e-transactions and keep tabs on any future efforts to regulate health plans in this area.
- HIPAA Administrative Simplification Information Bulletin (CMS, Dec. 20, 2018)
- Proposed Rule Rescinding the Standard Unique Health Plan Identifier and Other Entity Identifier (Federal Register, Dec. 19, 2018)
- Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (HHS OCR, Dec. 14, 2018)
- Withdrawal of Proposed Health Plan Certification of Compliance (Federal Register, Oct. 4, 2017)
- Unique Identifiers — Overview and Enforcement Discretion (CMS, July 26, 2017)
- Final Rule Adopting a Standard for Unique Health Plan Identifiers (Federal Register, Sept. 5, 2012)