Comments on RFI: “Modifying HIPAA Rules” 


Docket No. HHS-OCR-0945-AAOO

February 11, 2019

Thank you for the opportunity to provide comments on the “Request for Information on Modifying HIPAA Rules to Improve Coordinated Care,” Docket No. HHS-OCR-0945-AAOO.

The Association of American Physicians & Surgeons (“AAPS”) is a non-profit membership organization of physicians and surgeons who are mostly in small, independent practices.  Founded in 1943 (and celebrating our 75th year), AAPS defends and promotes the practice of private, ethical medicine.  AAPS has members in virtually every specialty and State.

We speak out frequently about issues concerning patients and medical practice and have been a longstanding critic of the HIPAA Privacy and Security Rules. In 2001 AAPS sued HHS over the agency’s implementation of these rules, and our suit helped solidify protections for “non-covered entities,” and their patients, from harmful aspects of the regulations.

HIPAA Privacy and Security Rules have imposed costly bureaucracy on the practice of medicine that detracts from patient-centered care, without meaningfully protecting patient privacy. 

In fact, these rules overall have been destructive of patient control over their personal medical history and records.

Unfortunately, the policies HHS-OCR indicates it is considering in the RFI, rather than moving in a more patient and physician friendly direction, would do further harm.

HHS-OCR states its interest in facilitating “the transformation to value-based health care” and “coordinated care.”  In practice such objectives are often being implemented in ways contrary to the best interests of patients.

“Value-based” frequently means saving resources for the system, and isn’t measured in terms of value to patients. Affordable Care Act penalties tied to hospital readmission are just one recent example. The policy reduced readmission rates but resulted in more patient deaths.  “Coordinated Care” often brings in third parties to the physician-patient relationship who have no business interfering in medical care decisions.

Accordingly, from a high-level perspective, we object to the stated goal of the RFI because it conflicts with our mission of putting patients first.

More specifically, AAPS comments on the following items raised in the RFI:

Section a. “Promoting Information Sharing”:

  • HHS-OCR asks if HIPAA rules should be modified to further “incentivize, encourage, or require” disclosure of Protected Health Information (PHI) to essentially any entity involved in “care coordination” or “health care operations” without express patient consent.  “Care coordination” and “health care operations” are broadly defined, meaning that such changes would further exacerbate harm to patient privacy, and we would object to any such expansion of non-consented disclosure. (Preamble to section a)
  • HHS-OCR asks if HIPAA rules should be modified to “require covered entities to disclose Protected Health Information (PHI) to other covered entities” without express consent of the patient. Currently, the only required disclosures are to the individual patient or to HHS itself.  PHI should only be disclosable with the patient’s consent except in very limited circumstances.  We object to the current HIPAA policy requiring disclosure to HHS-OCR without patient consent. Further, we object to any new requirements mandating that patient data be handed over without consent of the patient. (Question 7)
  • HHS-OCR asks whether the ability to disclose PHI without express patient consent to “multi-agency teams” or “social service agencies” should be expanded. No, the patient should need to consent to such disclosures. (Question 19)
  • HHS-OCR raises the possibility of imposing paperwork requirements on physicians who are currently non-covered entities.  It also asks whether “the risks associated with disclosing PHI, to health care providers not subject to HIPAA … outweigh the benefit of sharing PHI.” Here, HHS has it upside down. Since HIPAA widely permits the disclosure of PHI without patient consent, it is riskier, from a medical privacy perspective, to have the data in the hands of a HIPAA-covered entity than one that is not covered by HIPAA.  In the same light, it would not be productive to impose additional requirements on non-covered entities that serve no protective purpose and that would facilitate data sharing without patient consent. Patient data should not be shared without the patient’s consent whether the physician is covered by HIPAA or not. However, data should be released, with patient consent, to persons or entities approved by the patient. (Questions 9 and 10)
  • The RFI also asks whether “population-based case management,” “review of service for appropriateness,” “utilization review” activities, or “formulary development” should be exempt from the limited protections on patient privacy that do exist in HIPAA.  It would be improper to give a virtual army of administrators even more access to patient information than they already have.  (Question 17)
  • HHS-OCR asks if patients should have the ability to “opt out” of certain disclosures. An opt-out provision would be better than no control, but ideally patient data should not be disclosed without consent, i.e. an “opt in” would be required to share patient data. (Question 15)

Section b. “Promoting Parental and Caregiver Involvement”:

  • While HIPAA grants unconsented access to PHI, access is simultaneously improperly blocked in circumstances where it should be allowed. HHS-OCR gives a nod to this problem by asking, “Are there circumstances in which parents have been unable to gain access to their minor child’s health information… because of HIPAA?”  Parents should not be blocked from knowing about care provided to their minor children. (Question 24)

Section c. “Accounting of Disclosures”:

  • HHS-OCR discusses moving forward with the delayed implementation of a HITECH provision requiring that patients have the ability to request a report listing to whom disclosures of PHI from EHRs for “treatment, payment, or health care operations” (TPO) were made. It would be far more meaningful for patients to be able to restrict disclosure than to see, after the fact, a list of those to whom their data was disclosed. This HITECH measure has something in common with many other HIPAA requirements: they add bureaucratic burdens without actually protecting patient privacy. (Question 42)

Section d. “Notices of Privacy Practices”:

  • Section d. raises another example of a regulation that increases costs but does little for patients: the requirement that practices “make a good faith effort” to obtain a patient’s signature on a Notice of Privacy Practices (NPP).  HHS-OCR asks about the implications of removing this requirement.  To the extent that eliminating this mandate would cut red tape, we favor it, especially since the NPP is not generally protective of patient privacy. In fact, patients are reportedly often asked to sign it on a digital signature pad where the text is not readily visible. In addition, staff at medical facilities sometimes incorrectly conclude that a signature on the NPP is a condition of treatment and refuse treatment without a signed form. Given the overall confusion and lack of protection offered by the NPP, we agree it is time for related requirements to end. (Questions 45 and 47)

Section e. “Additional Ways to Remove Regulatory Obstacles”:

  • In Section e. HHS asks for other suggestions “to remove regulatory obstacles … while preserving the privacy and security of PHI.” 
  • One suggestion is to expand the HITECH provision allowing patients to request restrictions when paying out of pocket for care. In previous rulemaking HHS stated that Medicare patients are able to make use of this provision notwithstanding other regulations that impede their ability to pay for care outside of Medicare. HHS should also grant this same flexibility to Medicaid patients and enrollees in other health plans that may limit their ability to self-pay. Patients should have a clear right to privacy of care they are paying for.
  • Another suggestion we would ask HHS-OCR to consider is increasing the ability of physicians and other medical professionals to become HIPAA non-covered entities. As we previously stated, HIPAA non-covered entities and their patients have a greater ability to protect patient data than HIPAA covered entities.  Unfortunately, physicians claiming non-covered status are increasingly under the impression that they become trapped in HIPAA covered entity status simply because they are helping their patients file prior authorization requests or because they receive payment electronically from an insurer. We would particularly welcome the opportunity to discuss with HHS-OCR the bureaucratic burdens non-covered entities encounter and to cooperate on solutions. (Question 54)

Thank you for this opportunity to comment. In conclusion, HIPAA regulations are inherently at odds with the principles of patient-centered medicine and patient privacy. We are concerned that the RFI signals that further harm to medical privacy rights is forthcoming and ask HHS-OCR not to proceed in a manner that moves in the wrong direction.  It is time to re-empower patients with policies that protect them and not empower third parties at their expense.


Jane M. Orient, M.D.
Executive Director
