The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA). Specifically, this entity is charged with ensuring that HIPAA-covered entities adhere to the HIPAA Privacy, Security and Breach Notification Rules.
On Jan. 30, 2017, Pres. Trump issued an order referred to as the “Executive Order for Reducing Regulation and Controlling Regulatory Costs.” This became known as the “2-for-1 Executive Order.” This order required all federal agencies to cut two existing regulations for every proposed new regulation.
Many health care compliance professionals have been interested to learn how HHS OCR would respond to this challenge. There was significant curiosity about how this mandate would change the way HHS OCR was able to protect patient rights and whether they would be able to continue to develop regulations to protect the confidentiality, integrity and availability of patient records during a period of when ransomware scares and identity theft challenges are more and more prevalent.
It appears the industry has received their answer. At the HIPAA Summit, OCR Director Roger Severino announced, “The HHS Office for Civil Rights is planning to make some changes to the HIPAA Privacy Rule and enforcement regulations but will ask first for input from the health care sector and the public before making possible modifications.”
The proposed rule or Notice of Proposed Rule Making (NPRM) is the official document that announces and explains the agency’s plan to address a problem or accomplish a goal. All proposed rules must be published in the Federal Register to notify the public and to give them an opportunity to submit comments. The proposed rule and the public comments received on it form the basis for the final rule.[1]
HHS OCR has not officially posted the notice of proposed rulemaking for 2018, however, compliance professionals have been given a heads up on what to expect this year. HHS OCR is planning to submit notice of proposed rulemaking (NPRM) in at least the following three areas:
Good Faith of Health Care Providers. This would allow health care providers to share information with an incapacitated patient’s family members without patient authorization so long as the health care provider believes in “good faith” that making the disclosure is in the best interest of the patient.
Request for Information on Distribution of a Percentage of Civil Monetary Penalties or Monetary Settlements to Harmed Individuals. Historically, money collected from HIPAA fines and settlements have not been shared with the individual whose information was compromised. HHS OCR will be seeking comments on what the public thinks will be the best way to allow “victims” of HIPAA violations to be able to share in the money the agency receives as a result of enforcement actions.
Changing Requirements to Obtain Acknowledgment of Receipt of Notice of Privacy Practices. HIPAA-covered entities are currently required to have patients sign an acknowledgment form, which confirms they have been provided with a copy of the entity’s Notice of Privacy Practices. Entities are required to keep copies of those acknowledgment forms for a period of six years. However, patients also have the right to refuse to sign the acknowledgment form, and providers cannot refuse service based on a patient’s refusal to sign the acknowledgment. Potentially, this requirement may be stricken from the regulations or altered to alleviate the administrative burden associated with the current requirement.
In addition to proposed rulemaking, HHS OCR intends to provide long-awaited guidance to the health care industry specifically on encryption, social media and texting.
[1] “A Guide to the Rulemaking Process,” Office of the Federal Register.
Article contributed by Samarria Dunson, J.D., CHC, CHPC, attorney/principal of Dunson Group, LLC, a health care compliance consulting and law firm in Montgomery, Alabama. Find more of Ms. Dunson’s contributions on her partnership page.