Proposal for HIPAA Modifications Coming by Year's EndInterview: HHS OCR's Timothy Noonan on Potential HIPAA Changes, Other Agency Initiatives
The Department of Health and Human Services’ Office for Civil Rights plans to issue a notice of proposed rulemaking before the end of the year to modify the HIPAA rules, says Timothy Noonan, the agency’s deputy director for health information privacy.
Back in December 2018, OCR issued a request for public input on potential changes to HIPAA to improve the coordination of care, he notes in an in-depth video interview with Information Security Media Group (see HHS Seeks Feedback on Potential HIPAA Changes).
Many of the questions OCR posed in its RFI revolved around the perceived obstacles in sharing patient information among healthcare providers, as well as the burdens often put on patients and their families to have that information exchanged, he notes.
Also complicating those issues are the challenges involved in sharing mental health and opioid addiction information, including balancing better care coordination with patient privacy concerns.
“We got really great feedback - 1,300 comments and close to 4,000 pages of response,” Noonan says. “And we read every comment and try to balance the interests of everyone [regarding] the privacy and security of the health information vs. the desire to have flexibility to share it where the circumstances are warranted.”
Addressing the timing of the release of a proposal, he says, “We’re near the end of the review and clearance process and anticipate to issue a notice of proposed rulemaking on the HIPAA Privacy Rule later this year. And again, the public will have the opportunity to comment on it and we'll consider if any of the proposed modifications should be made permanent.”
Telehealth Regs Update
In the meantime, because the use of telehealth has grown substantially during the COVID-19 pandemic, OCR is also assessing whether there are potential benefits in making permanent any aspect of the telehealth notice of enforcement discretion that was issued in March “and if so, how that best might be accomplished,” Noonan says. “Would that require modification to the [HIPAA] rules through rulemaking? Is this something we could do through guidance?”
To help guide those decisions, OCR will also consider feedback that the agency gets through its enforcement program and the emails and other input it receives from healthcare organizations, medical professionals and the public about their experiences with telehealth, he says.
In the interview, Noonan also discusses:
- Health data breach trends;
- The status of OCR’s HIPAA enforcement program activities;
- HIPAA compliance advice for covered entities and business associates;
- Other OCR plans for the months ahead.
Noonan is deputy director for health information privacy at HHS OCR. Previously, he served in OCR headquarters as the acting associate deputy director for operations and the acting director for centralized case management operations. Prior to joining OCR in 2013, Noonan was a supervisory general attorney for the U.S. Department of Education, Office for Civil Rights, and a shareholder in a Michigan law firm.