February 12, 2019
Roger Severino, JD
Director, Office for Civil Rights
Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
RE: Request for Information on Modifying HIPAA Rules To Improve Coordinated Care
Dear Director Severino:
The Medical Group Management Association (MGMA) is pleased to submit the following comments in response to the request for information entitled, “Request for Information on Modifying HIPAA Rules To Improve Coordinated Care,” published on Dec. 14, 2018. We believe modification of the current HIPAA requirements has the potential to significantly improve the ability of physician practices to facilitate efficient care coordination and promote the transformation to value-based healthcare. At the same time, we caution the Office for Civil Rights (OCR) not to proceed with initiatives that create additional administrative burden on practices with little or no benefit to the patient.
MGMA is the premier association for professionals who lead medical practices. Since 1926, through data, people, insights, and advocacy, MGMA empowers medical group practices to innovate and create meaningful change in healthcare. With a membership of more than 45,000 medical practice administrators, executives, and leaders, MGMA represents more than 12,500 organizations of all sizes, types, structures and specialties that deliver almost half of the healthcare in the United States.
An increasing number of physician practices are acquiring certified health IT and leveraging technology to improve care coordination for their patients and to participate in value-based care arrangements. The deployment of effective federal policies that assist practices in those endeavors is critical if practices are to take full advantage of their EHRs and patients are to reap the benefits of streamlined sharing of clinical data. The HIPAA Privacy and Security Rules laid out a framework to ensure that protected health information (PHI) would be kept confidential and secure. These rules, however, were finalized (HIPAA Privacy 2003, HIPAA Security 2005) prior to the widespread use of EHRs in physician practices and prior to the advancement of value-based care arrangements. Certain provisions of these rules now can act as impediments to the efficient communication of PHI.
MGMA supports the efforts of OCR to identify and modify those provisions which serve as roadblocks to PHI movement. In this RFI, OCR lays out a number of critical issues with the HIPAA Privacy rule and asks a series of questions. We appreciate the opportunity to provide input on these critical issues and urge the agency to fully engage impacted stakeholders, including physician practices, patient advocates, EHR software vendors, and other critical stakeholders, in a formal outreach process prior to release of the next iteration of the regulation. The goal of this outreach should be to ensure that any future regulation appropriately balances the need to adequately protect PHI and provide patients access to the information they need while not overly burdening physician practices and their business associates.
Summary of Key Recommendations
MGMA supports OCR’s efforts to modify the HIPAA Privacy and Security Rules to allow practices to receive and transmit patient data more efficiently in support of patient care delivery. MGMA highlights the following high-level recommendations to ensure that OCR ultimately meets the needs of practices and the patients they serve:
- First do no harm. Any modifications to the HIPAA Rules should not impose additional administrative burdens on physician practices. In fact, modifications should reduce barriers to care coordination, case management, and value-based care.
- Do not move forward with accounting of disclosures for treatment, payment, and healthcare operations (TPO). Accounting for TPO disclosures would be excessively burdensome and unnecessary. MGMA surveys show that very few patients are asking for these reports, and current EHR technology cannot produce these reports.
- Do not require paper records and oral communications in an accounting of disclosures report. While reporting on electronic TPO disclosures itself would be extremely challenging, reporting on disclosures made on paper and by practice clinical and administrative staff orally would be next to impossible.
- Maintain the current response times for practices to respond to patient requests for a copy of their PHI. Currently, practices have up to 30 days to provide the patient their PHI (with the potential of a one-time 30-day extension). As there is tremendous variation in practice technology, medical record formats, and location of medical records, this maximum time is necessary.
- Remove the requirement for practices to obtain or make a “good faith effort” to obtain written acknowledgement of the Notice of Privacy Practices (NPP). Obtaining the written acknowledgement of the NPP or making a good faith effort to obtain it is an unnecessary burden on practices and of little value to the patient. Less burdensome options for sharing the NPP with patients should be allowed.
- Do not move forward with a mandate requiring a covered provider to disclose PHI to business associates or another covered entity. Clinicians should be permitted to use their professional judgement and determine when it is necessary and appropriate to disclose a patient’s health information.
- In the case of ransomware attacks, educate clinicians, don’t penalize them. OCR should not “blame the victim” by considering a ransomware attack an automatic data breach. Rather, the agency should seek to leverage the collective intelligence from these attacks to educate physician practices on how to prevent them from happening and what steps to take should they experience a cyberattack.
- Enhance education for both patients and physician practices. A better understanding of the regulations will assist both communities in better understanding their rights and obligations.