HHS Weighs Changes to Health Data Privacy Regulations
Privacy and Security Experts Offer Insights on What Changes Make Sense
The Department of Health and Human Services is considering making changes to federal privacy regulations governing health data - including the HIPAA Privacy Rule and the 42 CFR Part 2 law, which pertains to substance abuse and mental health information.
While regulatory experts are already debating whether changes to HIPAA are, indeed, needed, many say changes to the 42 CFR Part 2 are long overdue.
In a July 26 speech to the conservative think tank the Heritage Foundation, HHS Secretary Alex Azar explained how the Trump administration is looking to reform the American healthcare system, including reducing the regulatory burden on the healthcare sector.
"That is why HHS is beginning a comprehensive review of regulations that impede the ability of doctors, hospitals and payers to coordinate in delivering better care at a lower cost," he said.
In the coming months, HHS will be releasing requests for information, seeking comments regarding potential changes in HIPAA and also 42 CFR Part 2, a federal privacy law that governs confidentiality for individuals seeking treatment for substance use disorders from federally assisted programs.
"Following those requests for information, we will be taking regulatory action to reform these rules," Azar said. Current interpretations of those two privacy laws, he said, "are not just impeding value-based arrangements in healthcare. They can also get in the way of communities and families working together to combat our country's crisis of opioid addiction, another top priority for President Trump."
Call from Congress
Congress is also awaiting word from HHS about its work to address "Compassionate Communications on HIPAA" provisions that are authorized under the 21st Century Cures Act, which was signed into law in 2016.
In a July 26 letter, six members of Congress asked HHS for an update regarding the status of the department implementing the 21st Century Cures provision that calls for HHS to develop "model programs and training" for healthcare providers to clarify when patient information can be shared.
"HIPAA regulations allow health professionals to share information with a patient's loved ones in emergency or dangerous situations," the letter notes. "However, widespread misunderstandings persist and create obstacles to family support that is crucial to the proper care and treatment of persons experiencing a crisis. To enhance the quality of behavioral health and medical/surgical services, we believe it is essential that model programs and training materials be developed for health care professionals regarding permitted uses and disclosures of protected health information through HIPAA."
As of Aug. 1, the legislators who had sent the letter had not yet received a response from HHS, a Congressional source tells Information Security Media Group.
HHS did not immediately respond to an ISMG request for comment about the Congressional letter or for additional information regarding the agency's plans for potential changes to HIPAA and 42 CFR Part 2.
HIPAA Changes: Pros and Cons
Some regulatory experts argue that no changes to the HIPAA Privacy Rule are needed, while others say that changes could prove helpful.
"I generally think that the HIPAA rules are fine to provide information in many contexts where we hear of difficulties; healthcare professionals have reasonable discretion to act in the best interests of the patients," says privacy attorney Kirk Nahra of the law firm Wiley Rein.
"More education and guidance would help - or at a minimum wouldn't hurt. Also, many providers and others are either confused or simply being cautious," he says, arguing that the HIPAA rules are flexible enough to accommodate information sharing. "I don't know that 'mandating' disclosure would be a good idea," he adds.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says he's pleased that HHS is potentially looking to revise - and "hopefully lessen" - HIPAA requirements surrounding acknowledgment of receipt of the notice of privacy practices.
"Patients rarely understand what they are being asked to sign, and the requirements can be challenging in online care delivery," he notes. "I would like to see [HHS'] Office for Civil Rights pull back on the documentation requirements under the regulations.
"For most laws, it is sufficient to just comply with the law. But under HIPAA, you are required to create extensive policies and procedures regarding your compliance. ... The result is that covered entities and business associates that seek to comply are drowning in HIPAA policies and procedures."
Changes to the even more restrictive 42 CFR Part 2 regulations could prove to be more helpful than major changes to HIPAA, Nahra contends.
"I do think that additional changes and clarification to Part 2 would be useful. That is a statute that has largely outlived its usefulness - it was passed when there were no national privacy laws at all - and it now creates complications and challenges for desirable information sharing," he says.
That law generally requires a federally assisted substance use program to have a patient's consent before releasing information to others, according to the Substance Abuse and Mental Health Services Administration, the unit of HHS that administers 42 CFR Part 2.
For Better or Worse?
Greene notes SAMHSA in 2017 made some changes to the regulations that potentially made it even more difficult to comply.
The changes "required consents to name specific individuals [at healthcare provider organizations], rather than entities - unless the disclosure is to a treating provider or a third-party payer. With [healthcare] staff turnover, this is extremely impractical," he says.
"It also is unclear whether the named individual can further disclose to others within the same organization. I would like to see HHS remove the requirement to designate an individual and instead permit designation of an entity or - better yet - a class of entities. This will still preserve patient privacy while giving both the patient and the Part 2 program needed flexibility."
The biggest changes to the Part 2 rule must be done through changes to its statute, Greene argues. "Congress is considering changes to the statute that would permit disclosure of substance use disorder information for treatment, payment and healthcare operations, consistent with HIPAA. I hope such much-needed legislation passes, so that healthcare providers can better integrate substance use disorder information into treatment and care coordination."
Need for Harmony
Some experts say potential changes could bring 42 CFR Part 2 regulations closer to what's already expected under HIPAA.
"I believe that Secretary Azar's remarks were referring to concerns with the confidentiality protections provided for substance abuse treatment information and that he discussed them as being part of the broader protections provided by the HIPAA Privacy Rule," notes privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek.
"I believe the HIPAA Privacy Rule provides an appropriate balance providing patients with rights to control how and when their protected health information is disclosed for purposes outside of treatment while allowing healthcare providers flexibility to use and disclose PHI in order to treat that patient or coordinate the continuation of that care with family members and partners."
Nonetheless, any substantial potential changes to HIPAA would require HHS to go through a rulemaking process, Holtzman notes.
"The administrative simplification provisions of the HIPAA statute anticipated that the regulations to implement standards might need to change from time to time," he notes. "Congress delegated to HHS the authority to develop and administer a set of interlocking regulations establishing standards and protections for health information systems that became the present day HIPAA Privacy and Security Rules. However, the Administrative Procedures Act requires HHS to go through a lengthy rule-making process in order to change or do away with the HIPAA privacy or security standards."
Filling the Gaps
Privacy attorney Stephen Wu of Silicon Valley Law Group says he would like to see HHS address what he portrays as holes in HIPAA as a result of technology advances.
A good starting point, Holtzman suggests, would be to use the National Institute of Standards and Technology's Cybersecurity Framework as the baseline standard for developing a security program and selecting controls to safeguard electronic PHI.