From HIPAA Safe Issue 18
Roger Severino, the Office of Civil Rights (OCR) Director, recently briefed three policy proposals being considered:
how OCR might distribute a percentage of the funds it collects from settlements and civil monetary penalties to patients affected by breaches;
changing or dropping the current "notices of privacy practices" (NPP) HIPAA Privacy Rule requirement;
clarifying when "good faith" PHI disclosures are permitted without patient consent.
The HITECH Act opened the door for OCR to supplement enforcement actions with monies collected through settlements and civil monetary penalties. These funds can also be used to compensate breach victims, but some are concerned that the potentially small amount of available dollars per person will worsen a breach event.
The benefit provided by the notices of privacy practices is being questioned. Severino has received feedback that the requirement often causes confusion among patients who read the form, or that patients sign the form without understanding its contents. Patients and physicians want processes that improve patient health, so the NPP may not remain an OCR requirement.
The frequency of opioid abuse is one catalyst for the desire to improve guidance for covered entities (CEs) that are hesitant to share PHI in crisis treatment cases. Families are often unaware when a person has repeated drug overdoses, and many people believe that patient outcomes can be improved when the patient can benefit from an informed support team helping with treatment and recovery. We hope that common and reasonable examples are included to aid physicians' decision making.
The OCR is seeking public and healthcare industry comments before advancing the three policy initiatives. While not directly a HIPAA security issue, these ideas, if enacted, would become significant news to share with all healthcare providers.