Privacy and Security

State of Play:  In December, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) released a request for information (RFI) to solicit views on barriers to coordinated care imposed by the Health Insurance Portability and Accountability Act (HIPAA) rules and on proposed changes to the HIPAA privacy rule regarding uses and disclosures of protected health information in an effort to address the opioid epidemic. Additionally, OCR is considering an RFI on the distribution and disclosure of civil monetary penalties to those harmed by HIPAA violations. In Congress, privacy continues to be a top priority. The Senate Committee on Commerce, Science, and Transportation has held several hearings on consumer privacy and has begun work on a new national privacy framework. The Food and Drug Administration (FDA) has made efforts to strengthen the agency’s medical device cybersecurity program, issuing draft guidance for medical device cybersecurity.

HLC Position:  HLC leads a broad group of organizations, collectively known as the Confidentiality Coalition, to ensure that policymakers strike the right balance between the protection of confidential health information and the information-sharing needed to provide the very best quality of care.  The coalition is active with Congress and the administration on policies related to data exchange, privacy, data security, and cybersecurity.  Members believe that regulatory clarity is key to securing health information flow and support efforts to create a uniform national privacy standard, based on the HIPAA privacy rule, rather than the inconsistent and conflicting state laws that currently supersede federal regulation.

HLC Recent Activity:

  • On December 31, the Confidentiality Coalition wrote the National Institute of Standards and Technology (NIST) responding to an RFI on the NIST Privacy Framework: An Enterprise Risk Management Tool.
  • On November 9, the Confidentiality Coalition wrote to the National Telecommunications and Information Administration (NTIA) responding to a request for comment on Developing the Administration’s Approach to Consumer Privacy.
  • On November 1, the Confidentiality Coalition wrote to the Federal Communications Committee (FCC) urging the FCC to consider modernizing the Telephone Consumer Protection Act (TCPA), seeking alignment between the TCPA and HIPAA on what constitutes a permissible communication based on the type of consent or authorization given.
  • The Confidentiality Coalition remains actively involved in discussions with Congress on aligning federal confidentiality regulations for substance abuse (42 CFR Part 2) with HIPAA to allow appropriate access to patient information that is essential for providing comprehensive care.
  • On October 10, the Confidentiality Coalition wrote the Senate Committee on Commerce, Science, and Transportation supporting its hearing on “Consumer Data Privacy: Examining Lessons From the European Union’s General Data Protection Regulation and the California Consumer Privacy Act.” Technology experts and privacy advocates testified before the committee.
  • In October, the Confidentiality Coalition met with majority and minority staff of the Senate Commerce Committee to discuss its plans to address healthcare-related privacy policies as they relate to the committee’s work on a new national privacy framework.
  • In August, the Confidentiality Coalition recirculated its 2011 HIPAA Accounting of Disclosures survey questions to steering committee members. The survey questions seek to calculate the impact of a broadened requirement to account for all disclosures of protected health information by HIPAA-covered entities (i.e., hospitals, clinics, health plans, and pharmacies).  Certain results of the survey will be shared with the HHS Office for Civil Rights (OCR) as the agency promulgates the revised proposed rule on HIPAA Accounting of Disclosures.
  • In anticipation of a forthcoming OCR request for information (RFI) on HIPAA, the Confidentiality Coalition has been gathering feedback on suggested ways to simplify the HIPAA Notice of Privacy Practices, as well as on whether and how best to address the sharing of monetary rewards with consumers harmed by a HIPAA violation (a requirement of the 2009 HITECH Act).
  • HLC wrote the Senate Health, Education, Labor, and Pensions (HELP) Committee regarding its hearing on “Reducing Healthcare Costs: Decreasing Administrative Spending.” The letter supported modernizing substance abuse confidentiality regulations to increase data flow and access to necessary medical information.
  • In July, the Confidentiality Coalition hosted Leavitt Partners, a cofounder of the CARIN (Creating Access to Real-time Information Now) Alliance, a nonpartisan, multisectoral alliance dedicated to uniting industry leaders to advance consumer access to digital health information. CARIN Alliance focuses heavily on non-HIPAA covered digital outlets generating health data, which have few standards and/or guidelines specifying a governance process for apps.
  • In July, the Confidentiality Coalition met with the staff of HHS’s Office for Civil Rights (OCR), including Tim Noonan, OCR’s acting deputy director for health information privacy, to discuss the coalition’s policy priorities and OCR’s regulatory priorities.
  • HLC updated its “Data Policy Principles” to outline a vision for public and private sector healthcare organizations to share accessible and useable information with stakeholders. The principles address governance and data privacy protections for health information.
  • On September 18, the Confidentiality Coalition cosigned a letter from the Partnership to Amend 42 CFR Part 2 urging Senate and House leaders to include provisions that would align 42 CFR Part 2 with existing HIPAA laws governing patient privacy and access to medical information in the final opioid legislative package.
  • On June 21, the Confidentiality Coalition submitted a statement for the record for the House Energy and Commerce Subcommittee on Communications and Technology hearing on the Telephone Consumer Protection Act (TCPA). The coalition emphasized that the TCPA often serves as an obstacle to improved patient care coordination because the TCPA does not reflect the changes in how health plans, providers, patients, and other stakeholders communicate through text messaging.  The coalition seeks alignment between TCPA and HIPAA on what constitutes a permissible communication based on the type of consent or authorization given.
  • On June 13, HLC cosigned a letter from the Partnership to Amend 42 CFR Part 2 in support of H.R. 6082, the “Overdose Prevention and Patient Safety Act (OPPS),” in advance of the full committee vote. H.R. 6082 would align federal privacy standards for substance use disorder patient records more closely with standards under HIPAA.
  • On June 6, HLC cosigned a letter from the Partnership to Amend 42 CFR Part 2 to Representatives Markwayne Mullin (R-OK) and Earl Blumenauer (D-OR) thanking them for their support for H.R. 5795, the “Overdose Prevention and Patient Safety Act (OPPS),” before the Energy and Commerce subcommittee vote. H.R. 5795 would align federal privacy standards for substance use disorder patient records more closely with standards under HIPAA.