Three Changes Potentially Coming to HIPAA
The Department of Health and Human Services (HHS) recently published its semi-annual regulatory agenda. In addition to proposed rules on fraud and abuse, drug pricing, digital health, and devices, the agenda included topics that could bring significant changes to HIPAA regulations and other health care privacy rules. The National Law Review outlined three changes potentially affecting HIPAA:
1) The U.S. Department of Health and Human Services (HHS) plans to release a proposal requesting that a percentage of money paid by health care organizations through civil monetary penalties or settlements resulting from data breaches be paid to affected individuals. There is currently no clear methodology for determining when an individual is harmed by a data breach and how much money any one individual would deserve for the resulting harm.
2) HHS’s list also includes a request for information on whether HIPAA regulations are stalling progress toward increased care coordination and value-based payment systems, both of which require sharing of patient information. As providers are encouraged to work together more to improve patient outcomes and decrease costs, the flow of information between them can be restricted due to HIPAA concerns.
3) Finally, the list includes another topic seen as an impediment to coordination of care: 42 CFR Part 2. Congress failed to pass a bill aligning 42 CFR Part 2 with HIPAA. The legislation would have permitted providers to share information about patients for the purpose of treatment, payment, and operations, and would have promoted patient treatment and outcomes. This is particularly important in light of the current opioid epidemic. But Congress decided not to add it to the final opioid package passed in September.
HIPAAcraticRx will be monitoring these proposals and will report again as they progress.