January 30, 2019 Advocacy Alert
The Department of Health and Human Services recently released a request for information (RFI) about how privacy regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) rules affect care coordination efforts among community-based organizations (CBOs) and service providers.
The Administration is seeking public feedback about whether value-based health care efforts could be enhanced if privacy protection rules were clarified regarding the sharing of health data with CBO partners.
This provides a great opportunity for AAAs to raise the data challenges you’ve faced in your integrated care work because of HIPAA barriers. n4a plans to submit comments in response to this request and will share our letter with our members once finalized. However, we also strongly encourage you and other Aging Network stakeholders you work with to share your experiences with HHS (and n4a, as it will help inform our comments) Read on for background info, talking points and even a sample letter to make it easy to take action!
Comments are due by February 12 and can be submitted online via regulations.gov. The complete RFI notice is also available online.
Background on the HHS Request for Information
According to the RFI, the HHS Office of Civil Rights is seeking input on whether HIPAA provisions—enacted into law more than 20 years ago with the goal of providing data privacy and security safeguards for patient medical information—impede efforts to enhance care integration, coordination and value-based care transformation without meaningfully contributing to individual privacy and security protection. HIPAA requires that medical providers, or “covered entities” as they are referred to here, refrain from disclosing protected health information (PHI) to non-covered entities and maintain safeguards to guarantee the privacy and security of PHI.
HHS is assessing opportunities to “remove regulatory obstacles and decrease regulatory burdens in order to facilitate efficient care coordination and/or case management and to promote the transformation to value-based health care, while preserving the privacy and security of PHI.”
The RFI is not a draft rulemaking or a proposed policy change. Rather, it is an important first step in that direction, informing possible regulatory changes that may be suggested by the Administration in the future. n4a will continue to monitor this process and alert the Aging Network of additional opportunities to weigh in on this discussion.
Input from the Aging Network
As health systems seek to transform service delivery models, n4a has heard numerous accounts of HIPAA regulations preventing or impeding efficient integration and care coordination efforts among health care providers and community-based organizations. We encourage AAAs and other stakeholders to weigh in to share your experiences and solutions to these challenges with HHS and n4a.
While the RFI includes a number of questions, we believe the following are the most relevant to the Aging Network (pages 64305-64306, questions 18-20 in the RFI):
- Should OCR modify the Privacy Rule to clarify the scope of covered entities’ ability to disclose PHI to social services agencies and community-based support programs where necessary to facilitate treatment and coordination of care with the provision of other services to the individual?
- If so, what limitations should apply to such disclosures?
- In order to make such disclosures to social service agencies (or other organizations providing such social services), should covered entities be required to enter into agreements with such entities that contain provisions similar to the provisions in business associate agreements?
- Would increased public outreach and education on existing provisions of the HIPAA Privacy Rule that permit coordination and/or case management, without regulatory change, be sufficient? If so, what for should outreach and education take and to what audience(s) should it be directed?
n4a plans to submit comments on this RFI but we want to ensure that our comments are informed by experiences from the Network, so please send your input to us! We want to hear from you about if and how HIPAA rules have potentially impeded coordinated care efforts in your community, and what solutions you have sought—or think HHS should seek!
How You Can Weigh In
- Draft a letter from your agency sharing your experiences and recommendations regarding the HIPAA Privacy Rules. Use this template letter, but make sure to share your agency’s own information and experiences. All contact information to submit your comments is included, but you will need to fill in specifics.
- Please tell n4a about your experiences. Our comments will be informed by our members, so please share your input with us—even if you choose not to also send comments to HHS. Are there scalable solutions you think we should pursue? n4a has heard anecdotally from members that HIPAA Privacy Rules have impeded integrated care efforts in some communities and we want to know more about these situations, as well as any solutions your agency has implemented. Send your thoughts to firstname.lastname@example.org.
Thank you for your input on this important issue!