HHS Hopes to Tackle Long-Stalled Regulatory Tasks
A Look at What's on Agency's Privacy, Security Agenda
The Department of Health and Human Services’ privacy and security regulatory priorities for the rest of this year include tackling some long-stalled projects.
Some of the items listed on HHS’ regulatory agenda for the second half of 2020 have appeared on its to-do list for years. That includes carrying out a 2009 HITECH Act requirement calling for HHS’ Office for Civil Rights to implement a HIPAA rule for the “accounting of disclosures” of electronic health information.
Revisiting Delayed Rule
HHS’ Office for Civil Rights first issued a notice of proposed rulemaking for an accounting of disclosures rule in 2011, but that was met with mostly negative feedback. That’s mainly because the proposal contained an "access report" provision that would have required healthcare organizations to provide patients, upon request, with a complete list of everyone who has electronically viewed their information. That proposal has been sitting on a government shelf for the last nine years (see OCR Plans Do-Over for Accounting of Disclosures Proposal).
HHS OCR now apparently plans to begin working on a new notice of proposed rulemaking for an accounting of disclosures rule this year, with a goal of releasing it in April 2021, according to the latest agenda update.
What Else on To-Do List?
Another holdover item dating back to at least 2011 that will be addressed this year is a proposed rule to establish a method for the distribution of HIPAA civil money penalties and monetary settlements to those harmed by HIPAA privacy and security violations.
Meanwhile, HHS’ Office of the National Coordinator for Health IT and HHS’ Office of Inspector General both have regulatory items on their agendas pertaining to the slow rollout of provisions contained in the 21st Century Cures Act, which was signed into law in 2015.
For instance, HHS ONC is slated to take “final action” on health IT interoperability, information blocking and health IT certification program provisions of the Cures Act.
Back in March, ONC and HHS’ Centers for Medicare and Medicaid Services unveiled “final” versions of the health IT interoperability and information blocking rules. But after the pressures put on the healthcare sector by the COVID-19 pandemic, HHS in April announced a delay in implementing those final rules (see HHS Delays Enforcement of New Info Sharing Rules).
Watchdog Items
The regulatory agenda notes that the HHS Office of the Inspector General is slated to take action on its proposed rulemaking issued in April pertaining to enforcement of the information blocking provisions of HHS' final rules from ONC and CMS.
The proposed enforcement regulations, which include civil monetary penalties, are intended to encourage information sharing among healthcare providers as well as to ensure patients have access to their health data, OIG has said.
OCR also has on its agenda plans to issue a notice of proposed rulemaking pertaining to possible HIPAA Privacy Rule changes “to support, and remove barriers to coordinated care and individual engagement.”
Back in December 2018, OCR issued a request for information seeking comments from healthcare stakeholders on potential changes to the HIPAA rules to reduce the "regulatory burden," including ways to improve secure health data sharing for patient care coordination (see HHS Seeks Feedback on Potential HIPAA Changes).
Another coordination-of-care related agenda item comes from HHS’s Substance Abuse and Mental Health Services. SAMHSA is planning to issue a final rule in September pertaining to changes to the Confidentiality of Alcohol and Drug Abuse Patient Records, 42 Code of Federal Regulations - also known as 42 CFR part 2.
The changes aim to remove regulatory barriers that prevent certain healthcare providers from sharing substance abuse information about patients with their other healthcare professionals.
So what’s the potential impact of these regulatory moves?
“In terms of potential significance, the potential changes on coordinated care could be important and of meaningful impact – but it isn’t at all clear what [HHS agencies] are going to propose” in the next round of rulemaking, notes privacy attorney Kirk Nahra of the law firm WilmerHale.
“Remember, the time between a notice of proposed rulemaking and a final rule can be several years,” he adds.
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine is betting that the two most likely regulatory moves to gain traction this year are the proposed HIPAA Privacy Rule changes and the SAMHSA final rule on coordinating care.
“Removing obstacles to care coordination has been a priority for the administration for a while now, and there has been time - if not resources - for OCR and SAMHSA to develop the next stages of their rulemaking,” he says.
Time for Action?
With an impending presidential election in November, is there any extra incentive for current HHS leadership to finally push through some of these long-lingering regulatory changes?
“Administrations inherit these rules and do feel pressure to move them forward,” says Greene, a former senior adviser at OCR during the Obama administration.
“The challenge is that with HITECH Act provisions about distributing penalties to individuals or amending the accounting of disclosures requirements, there are not necessarily good solutions available,” he says.