Health Law (HL)

Pending Amendments to HIPAA Privacy, HIPAA Security, and the HITECH Act

By Lorianne Sainsbury-Wong posted Fri February 08, 2019 10:54 PM


It is time to rework certain HIPAA provisions, which Covered Entities (CEs) -- and their Business Associates (BAs) -- must implement according to data privacy and security policies and procedures. While many CEs, BAs, and other stakeholders continue to advocate for HIPAA Privacy Rule guidance on the frequency and scope of workforce trainings or the necessity of written consents for photograph usage in treatment and clinical trainings, such longstanding issues will remain unsettled and subject to interpretation. However, other significant and more timely HIPAA/HITECH provisions are now under review and will be upgraded through the amendment process under the Office for Civil Rights (OCR) Request for Information (RFI).

These HIPAA 'modernizations' will likely enhance the delivery and accessibility of treatment records, align technological advancements with the federal laws, and facilitate the necessary shift from volume-based to value-based health care.

The OCR seeks CE, BA, and other informed feedback on certain HIPAA/HITECH modifications to avoid patient care disruptions and regulatory obstacles that CEs and BAs may encounter as the system progresses to a value-based platform and keeps pace with high-tech advancements. See Department of Health and Human Services, Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, Vol. 83 Federal Register No. 240, December 14, 2018, 64302-64310.

Below is a breakdown of key questions and topics that OCR is examining to allow for a more streamlined systemic transition:

  • What HIPAA regulatory obstacles or “burdens” do you know of -- or could reasonably anticipate -- that impede the delivery of efficient patient care coordination, treatment, or case management?  (See OCR question, #54).
  • What modifications to the HIPAA Privacy Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act would remedy the following?
    • Increase PHI disclosure by CEs for treatment and clinically-related purposes among other providers, social service agencies, or other community based support groups; (See OCR questions, #1-21)
    • Increase PHI disclosure by CEs to families/caregivers of adult patients who experience a health emergency and are impacted by the opioid crisis or by “serious mental illness”; (See OCR questions, #22-26 and issues related to parental/guardian access to minor mental health and/or substance use records)
    • Expand a CE's data in response to a patient request for an accounting of disclosures under the HITECH Act to include disclosures made for treatment, payment, and health care operations (TPO) in electronic health records (EHRs); (See OCR questions, #27-42); and
    • Eliminate a CE's need to make good faith efforts to obtain an individual's confirmatory, written receipt of the provider’s Notice of Privacy Practices. (See OCR questions, #43-53).

Although OCR seems to be particularly interested in provider feedback, your comments -- as a lawyer, CE, BA, or other stakeholder -- will meaningfully contribute to this much-needed HIPAA/HITECH overhaul. Comments are due February 12, 2019.

Lorianne M. Sainsbury-Wong, Esq., CPCO  
Civil Litigation Section Council Member (2016 – present) 
Health Law Section Member, Chair (2014-2016) and Co-Chair (2013)