OCR Considering HIPAA Privacy Rule, Enforcement ChangesBut Agency Will Seek Public Input First
Federal regulators are considering potential changes to HIPAA privacy rule and enforcement regulations, but aim to first engage the healthcare sector and public for input, says the nation's top HIPAA enforcer, Roger Severino.
See Also: HIPAA Audits: A Revised Game Plan
Three key HIPAA policy initiatives are being examined by officials at the Department of Health and Human Services' Office for Civil Rights, and the HIPAA enforcement agency is planning to seek the public's input through notices of proposed rulemaking and a request for information before making possible changes, said OCR director Severino during a March 27 presentation at a HIPAA summit in Arlington, Virginia.
Specifically, OCR is considering issuing:
- A request for information on how the agency might distribute to victims a percentage of the funds it collects from HIPAA settlements and civil monetary penalties;
- A notice of proposed rulemaking for potentially changing or dropping the current HIPAA privacy rule requirement that patients sign - and healthcare organizations keep - forms acknowledging the individuals received the entities' notices of privacy practices;
- A notice of proposed rulemaking involving "good faith" disclosures of patient information, clarifying that healthcare providers in certain circumstance are permitted - without patient authorization - to share information, such as with a patient's family when a patient is incapacitated.
Severino did not specify a timeline for when OCR plans to issue its notices for proposed rulemaking and request for information.
Sharing Funds with Breach Victims
Under the HITECH Act, money collected by OCR through HIPAA breach settlements and civil monetary penalties can be used by the agency to supplement its enforcement activities.
However, the law also allows OCR to distribute an unspecified percentage of those collections to the victims of HIPAA breaches and violations "for damages or the equivalent of damages," he says.
"A lot of breaches do end up causing significant stress, trauma and anxiety to people."
—Roger Severino, director of OCR
So far, the agency hasn't done that. However, it is working on the matter, with plans to issue a request for information from the public, Severino says.
"OCR is interested in hearing from industry advocates and patients about what would be the proper approach for ... creating a system though regulation in providing compensation to those hurt by breaches and HIPAA violations," he says.
"A lot of breaches do end up causing significant stress, trauma and anxiety to people," he says.
Examples of such situations include an enforcement case OCR settled last year with a New York hospital that impermissibly disclosed the HIV status of a patient to the individual's employer, he notes. (See Big Settlement in Privacy Case Involving 2 Patients' HIV Data).
"There are cases that are very heart-wrenching .... where we see ... a way to quantify the harm that people have suffered through breaches," he says. "We see this in private practice a lot when you have class action settlements, [and] you get identity theft protection for a certain amount of time or other damages," he says.
But not everyone thinks it's a great idea for OCR to potentially distribute a portion of HIPAA settlement and penalty collections to affected individuals.
"Settlement amounts and fines were designed to be a way for the OCR to fund itself to continue to conduct audit and investigate breaches," says Susan Lucci, privacy officer and senior consultant at consultancy Just Associates.
"The amount of money that might be available for distribution to individuals might be so low in cases of large breaches, that it could be perceived as grossly inadequate, and individuals might even be insulted by a small dollar award," especially if the victim suffered identity theft, she notes.
For example, in a 2016 OCR enforcement case with Minnesota-based North Memorial Health Care involving a HIPAA breach affecting 10,000 individuals, the agency collected a $1.55 million settlement.
In that case, "even if OCR didn't keep any of the settlement amount, that [potential distribution] would only be $155 per individual impacted," Lucci notes. "This is a complex process and a slippery slope that might not have the intended outcomes," she says.
Changes to Privacy Practice Notice Requirements
OCR is also considering how to streamline some of the regulatory burden that HIPAA puts on healthcare providers, Severino notes.
In that spirit, OCR will be issuing a notice of proposed rulemaking on changing the current HIPAA privacy rule regulation that requires a covered entity to obtain from each patient a signed acknowledgment that the individual has received the healthcare provider's notice of privacy practices, Severino says.
"When you go to the doctor, you get a big stack of forms ... especially when you're going to a practice for the first time. Very few people know what in the world they're signing," he notes.
"Patients just want to see the doctor ... and most will sign whatever is put in front of them, not reading closely what it is," he says.
"We've heard from folks that this is causing a lot of confusion. People are uncertain if signing the acknowledgement of privacy practices is some type of contract or a waiver of privacy rights, or [something] required to be signed in order to be treated," he notes.
"What is the net benefit of having to sign and collect this form? We're going to be looking at these questions."
So, in an upcoming notice of proposed rulemaking, OCR will be examining "the question of necessity for having medical providers actually get their patients sign the acknowledgement and retain the signed form as opposed to other alternatives," he says.
Other possible options to requiring a patient sign an acknowledgement - and having the entity keep it - include the healthcare provider posting the notice of privacy practices "in a very prominent place and leaving it at that," or getting verbal acknowledge from the patients that they've seen the notice, he says.
"We're in a deregulatory environment generally as an administration, so this is one opportunity to see if we can address a question of [regulatory] burden [but] also keeping in the mind the value of informing folks of their rights to have their health information privacy protected."
Some experts say OCR's proposed plans to streamline processes around the notice of privacy practices make sense.
"I think it's a good idea to change the requirement because the collecting and retention of these forms has been an administrative burden since the beginning," says Joe Gillespie, a former healthcare privacy officer who is currently a security and privacy consultant at tw-Security.
"I agree that patients do not always understand what they were signing. And from personal experience, I know that some healthcare staff members were not sufficiently trained to explain the acknowledgement form or to correctly answer questions about it."
'Good Faith' Disclosures
OCR is also planning to issue a proposal aimed at clarifying circumstances when healthcare providers can disclose information to a patient's family and friends - especially in cases involving opioid drug abuse, Severino says.
"You've all heard about the opioid crisis - the president has declared it a national public health emergency," Severino says. "We've heard stories about mothers who have lost their children and had not known that their children had suffered repeated overdoses. Far too often we see examples where medical providers err so far on the side of caution [with disclosures], that the patient doesn't necessarily get the best treatment," he says.
Medical providers are currently allowed to make disclosures - without a patient's authorization - to law enforcement and a patient's family and friends if there is an imminent threat to the health or safety of the patient or others, he notes.
However, OCR wants to make clear in formal regulations that healthcare providers are also permitted to make disclosures "in good faith" to a patient's family and friends in circumstances where the patient is incapacitated, he says.
"We're looking at a notice of proposed rulemaking to create parity ... So that healthcare providers will have confidence that they will be given the benefit of the doubt if they act in good faith using their reasonable medical judgment" in making disclosures," Severino says. As an enforcement agency, "we won't go after them because the rule will give that presumption of good faith."
Consultant Gillespie says that the decisions healthcare providers make about disclosures during crisis situations with patients are indeed often very difficult.
"In my experience, this has been one of the more challenging areas for physicians and other providers 'on the front lines' because they're dealing with potentially life and death issues," he says.
"They understand the patient's privacy is important to maintain but they know the family may play an vital role in helping with patient treatment and recovery," he says.
However, if OCR issues modification to the disclosure regulations, Gillespie suggests it's also important that the agency provide a related guidance document "with appropriate examples."