Possible Changes to HIPAA – What’s this RFI All About (A Summary)

Over the past month, I’ve been tweeting and blogging about possible HIPAA changes that may be in store after the OCR (Office for Civil Rights – HIPAA enforcers) published a Request for Information (RFI). With the deadline for comments about a month away (February 12, 2019), I thought I’d distill the information into a bit of a summary – a sort of tl;dr version of my last 5 posts.

I’d encourage anyone interested in their healthcare privacy rights to read over the information here. I’ve suggested questions at the end of each section for you to consider and will follow up in my next post with how you can submit comments on the RFI.

What is this RFI?

This is NOT a chance to comment on everything we don’t like about HIPAA. While we all know there are many places where HIPAA can be improved, this RFI is about 5 specific areas of HIPAA. The OCR has proposed very specific questions in each area for people to answer and those are what they want feedback on (those questions can be found here).

The 5 areas include:

  • Sharing information between doctors
  • Sharing substance use and mental health information with friends and family
  • Accounting of Disclosures
  • Notice of Privacy Practices
  • HIPAA “burdens” that prevent policy goals around Value-Based Care

There’s a lot here and you certainly don’t have to address every part of the RFI. You can pick and choose what is most important to you.

The rules they are interested in are primarily part of the HIPAA Privacy Rule found at 45 CFR 164, Subpart E (for the nerds who would like to catch up on the current language). In each of my previous posts I’ve taken these areas one by one and answered the questions in detail. I’ve given background on why they matter, examples of how they work now, and concerns as to why and how potential changes will harm patients.

To be clear: Changes suggested in each part will hurt patients.

How Does The RFI Work?

The RFI is a request for information – it’s asking for feedback. In other words: they ask specific questions and we give specific answers. Those answers will then be reviewed by the OCR and they will make recommendations for rule changes (i.e. ways they want to change HIPAA officially). Commenting on those proposed rule changes is a separate process.

If this is not going to result in immediate rule changes, and the OCR only wants feedback, why is it important for patients to comment? It is important to comment because your answers will set the basis for which rules they propose, which rules they drop, and how the rules will be written. If we do not comment, the rules they propose to change HIPAA will favor special interests and patients will get hurt.

How This Post Impacts Patients:

I am writing this because YOU have an opportunity to get involved here. You have the opportunity to submit comments in order to protect your rights under HIPAA. Without the patient voice, special interests will submit comments to take away your rights in these 5 areas. Make no mistake, even organizations that you would think might be on our side are happy to let many of these protections go.

Here are some of the protections at stake:

  • Your doctor may be required to release information to other doctors without your consent.
  • Your private and sensitive health information about your mental health and substance use, and even genetic information could be shared with friends or family without your consent.
  • Your right to know who is getting your health information may be limited.
  • Getting a copy of your rights and how to enforce them may be at stake.

These are serious issues. While the government is touting changes as a way to increase coordination of care and decrease burdens, the truth is they could take away your rights.

In this post, I’ll do a brief summary of each of the 5 areas, give you a few background points on the HIPAA provisions that apply, highlight what might be most important to patients, and give example questions you might consider to write your comments. As I said above, I’ll write a follow up post on how to submit comments yourself.

Sharing Information Between Doctors (Part 1 in-depth analysis found here)

In this part, the OCR says it wants to encourage providers to share information in a timely manner to improve coordination of care. This sounds like a good idea because we often want our doctors to be able to talk to each other to ensure we get the best care. However, the questions in this part make it clear that the aim is to allow sharing without your consent and require sharing between doctors, insurers, other healthcare entities, and community services. The questions also ask about whether patients should have a right to restrict access to their information and what information can be shared.

Here’s what you need to know about HIPAA now:

  • Your doctors can already share your information with other doctors for “treatment purposes,” often without your consent. The OCR has very few restrictions on what information can be shared.
  • Your doctors can refuse to share information. This is helpful for those of us who have sensitive information we may not want shared with other doctors.
  • Your doctor can share information with your insurer for payment purposes and health care operations.
  • Your doctor is only supposed to share the “minimum necessary” (or only what they need to share) for your care.
  • Community services can perform care coordination services with proper HIPAA consents.

Possible Changes to HIPAA and Why They Matter:

  • If a doctor is required to share information with other doctors, you will have no say in it and it will not be the minimum necessary.
    • Example situation: A patient sees a psychiatrist but does not want their primary care physician (PCP) to know because they are afraid of stigma. The patient tells the psychiatrist not to share the notes with other doctors and they agree that’s in the patient’s best interest. The PCP finds out the patient saw a psychiatrist and asks for the record from the psychiatrist. The psychiatrist has to provide them and at the next appointment the patient receives biased care based on their stigma.
    • Example situation: A patient had an abortion a long time ago. They don’t want anyone to know but the doctor who performed the procedure. They now are seeing a new doctor and that doctor sends over a request for records. Now the new doctor will have a copy of the records with notes on that abortion.
  • If a doctor is required to share information with other doctors, their timeline may be prioritized over yours.
    • Example situation: Right now, HIPAA says doctors have to give patients records within 30 days (in some states it’s less). Patients often face heavy delays in getting their records, even if those records are kept in electronic form. If doctors are required to share information within a certain time frame, they may take priority over patients. Patients who are already left waiting and are often coordinating their own care, may face even further delays. In other words, a doctor may get the records in 5 days and a patient request may go to the back of the request pile and it’ll take 29 days for a patient to get their records.
  • If a doctor is required to share all your information with insurers, insurers may discriminate against you or deny you care.
    • Example: An insurer is looking at whether to approve a prior authorization for a medication your doctor ordered. The insurer requests information from the doctor that is more information than the insurer needs to know (more than the minimum necessary) to make this determination. The insurer finds a note in the chart that they use to deny your prior authorization.
  • Patients should have increased rights on restricting who has access to their information and doctors should not have a right to override these rights. In fact, doctors should get an explicit authorization to share records.
    • Example: Currently, one of the only ways to restrict sharing is to pay cash, or, in certain situations, to rely on the special protections for mental health, substance use, genetic, and HIV/AIDS information. But even this is limited. The OCR suggests that even if a patient wants to limit information, new rules could make it so other doctors could override this request. New rules may also suggest that doctors could, in their “professional judgment,” ask for records without an explicit authorization.
  • If standards for sharing information with social services agencies, community-based support programs, court programs, or others are relaxed, your health information may get into the wrong hands.
    • Ex: (the OCR admits this could happen) Information about your health is shared with a drug court and puts you at legal risk, including issues with child custody.
    • Ex: Information is shared with a social services program that arranges housing, the landlord finds out about your health issues and denies your application for housing.

Ways you might comment on this section:

  • How would it hurt you if your doctors were required to share information with
    • Other doctors?
    • Your insurer?
    • Community-based support programs or social services?
  • How would you feel if your doctors were required to share more than the minimum necessary for your care?
  • How would it help you if you could restrict access to your information?
  • If you’re getting your own information, how long does it take you to get everything you need/request? What barriers have you faced? How have wait times affected your care?

You can read the specific questions (1-21) for this section here.

Sharing Your Substance Use and Mental Health Information with Friends and Family (Part 2 in-depth analysis found here)

In this part, the OCR says it wants to encourage providers to share your health information on substance use and mental health with friends and family, particularly in emergencies and in response to the “opioid crisis.” They say that this will help caregivers take an active role in recovery. However, this is dangerous. This is the most concerning part of the RFI. Patients need the protection of this very sensitive information to avoid abuse, trauma, and stigma.

Here’s what you need to know about HIPAA now:

Possible Changes to HIPAA and Why They Matter:

  • If family, friends, or other caregivers have access to substance use or mental health information, people may avoid seeking care.
    • Ex: If a person is worried that their mother may get information about their mental health, that person may not go see a therapist or seek help in a crisis.
  • If family, friends, or other caregivers have access to substance use or mental health information, care may be compromised.
    • Ex: If a person with substance use disorder does not have a good relationship with a friend but that friend becomes involved in care, the friend may meddle with care. The friend could tell lies to a provider. The friend could try to direct care in the way the friend feels is best and not what is best for the patient.
  • Abusive family, friends, or other caregivers could become involved in your healthcare.
    • Ex: Many individuals who have mental illness or substance use disorder have experienced abuse in the past. They may not want friends or family to be involved in care. If a patient has a suicide attempt and an abusive family member finds them in the hospital, there is little protection already for a patient because of emergency exceptions. Loosening any standard of privacy for these issues could be dangerous.
  • Minors deserve a high level of protection as they often face many of the same issues adults do – including abuse, stigma, and fear of seeking care. Not all families are supportive of their children.
    • Ex: A 16-year-old (or “mature minor”) trans kid wants to seek mental health care. Their religious family is anti-LGBTQQAI and they don’t want their parents to be involved in their care because the parents may try to stop the care, may abuse the kid, or may even kick the kid out of the home.
  • Sharing genetic information (information on “inheritable diseases”) is risky and does not serve the aims of coordinating care.
    • The OCR suggests that adult children should be able to access their parents’ records to get information on dementia and “inheritable diseases.” There are situations where a parent may not want their child to know this information. Genetic privacy rights should be discussed elsewhere because they are complex.

Ways you might comment on this section:

  • How might involving friends and family hurt your care? Specifically if they have access to
    • Substance use information?
    • Mental health information?
    • Genetic information?
  • How might loosening privacy restrictions impact your willingness to seek care?
  • How can we protect the privacy of the most vulnerable among us (including minors, people who have been abused or faced trauma, or those in vulnerable situations like those being treated in an ER)?

You can read the specific questions (22-26) for this section here.

Accounting of Disclosures (Part 3 in-depth analysis found here)

An Accounting of Disclosures (AoD) is a list of entities that received information about your care. Currently, your doctor doesn’t have to include who they gave your information to for treatment purposes. The OCR was supposed to update this law in 2013 but has dragged its feet. Most doctors don’t know what an AoD is, and most doctors, hospitals, and other covered entities will likely not want to update the law.

Here’s what you need to know about HIPAA now:

  • AoD has to give you info on the date your info was shared, name of who they shared it with, a brief description of what they shared, and a brief description of why they shared it.
  • You have to request an AoD separately from your record and a doctor can take 60 days to get it to you.

Possible Changes to HIPAA and Why They Matter:

  • Doctors and hospitals might say that few patients ask for AoDs and thus they should not be required to provide them. In other words, they will make the case that the AoD is useless and we should get rid of them.
  • Unless AoDs are part of the patient record, patients will continue to not know they have a right to this information. This information should be included in any records request.
  • Without education for providers, providers will not provide HIPAA compliant AoDs and patients will not get the information they have a right to.
  • Patient information is already being tracked and shared through systems patients know nothing about but should.
    • Ex: The Epic electronic health record (EHR) system uses something called “Care Everywhere” to share your health information between different providers. It is usually printed out as an AoD but is not completely compliant with AoD rules. Knowing where my information goes is important because it gives me an active role in my care – including how my care is coordinated or if information is shared that I did not want shared.

Ways you might comment on this section:

  • How can we help patients know they have a right to this information?
  • Should AoDs be part of the patient record?
  • What information do patients want in an accounting of disclosure? And why?
    • Are the current information requirements (date, name, description of what is sent, description of why) enough?
    • Do you want more information added?
    • Do you want to expand the requirement to include sharing information between providers?
    • Why is getting this information important?
  • How might providers get better education about AoDs?

You can read the specific questions (27-42) for this section here.

Notice of Privacy Practices (Part 4 in-depth analysis found here)

Patients get a Notice of Privacy Practices (NPP) at check in with their doctors and hospitals. It outlines your rights and how your health information might be used. Providers are supposed to get a signature saying you received a copy of the NPP. The RFI would like to make it so providers don’t have to get a signature. In other words, they don’t have to prove that they gave you a copy of your rights.

Here’s what you need to know about HIPAA now:

  • The OCR has developed model NPPs that providers can use, though many offices create their own.
  • Providers are supposed to get you to sign that you received a copy of their NPP or document that they made a “good faith effort” to get you to sign.
  • A provider cannot refuse to see you if you don’t sign that you received an NPP.

Possible Changes to HIPAA and Why They Matter:

  • Providers say that getting a signature may be too hard and is taking up too much time. But this is how they prove you got a copy of the NPP or a chance to look at it.
    • Possible issue: If offices don’t have to document that a patient got a copy of an NPP, they may stop giving them out altogether. Patients already aren’t very aware of their rights. If we aren’t making sure they get a copy, this will only decrease awareness and increase confusion.
  • Getting rid of these pieces of paperwork will not fix the issue of patients having a lot of paperwork at check in. This document is important.
    • Ex: Patients have a lot of papers to sign at a doctor’s office or hospital and NPPs are part of that. A lot of paperwork is about your care – including allergies, diagnoses, past surgeries, etc. This information is filled out over and over again when it could be shared across multiple systems. That paperwork is more burdensome than a piece of paper letting you know your rights.
  • Instead of getting rid of the requirement to sign that a patient received an NPP, providers and staff should receive training as to its importance.
    • Ex: Some offices may try to refuse care if a patient does not want to sign an NPP. This is illegal. It shows that providers do not understand this document or what it is for and could use training.
  • Instead of getting rid of the requirement to sign the NPP, the NPP could be made more useful.
    • Ex: Many patients don’t know they can make a complaint if they think their rights under HIPAA have been violated. They don’t know where to go or who to talk to. This information should probably come first including a link to the OCR’s portal for complaints.
  • Instead of getting rid of the requirement to sign the NPP, the OCR should focus on ways to help patients understand HIPAA better.
    • Ex: Most patients don’t know about the OCR in general. Using current social media channels, the OCR could help patients understand their rights better. Tweeting out links to sections of their website could be a start.
    • Ex: Engaging patient communities can help disseminate information. Often patients come to these groups when they have questions about health care.
    • Ex: Work with more patients to design a better model NPP.
    • Ex: Ensure the model NPPs are translated into other languages.

Ways you might comment on this section:

  • Do you get an NPP from your doctor and do you read it?
  • What would be most helpful to let you know your rights?
  • What rights are the most confusing to you?
    • How to get your records?
    • What format you can get your records in?
    • Records fees?
    • Who can pick up your records?
    • How your information can be shared?
    • Correcting records?
    • Any of the common issues listed in this separate post?
  • Do you like the model NPP that the OCR already has? (English Version here)
    • How would you improve it?
    • What isn’t clear?
    • Is there information you think that should be in there that isn’t?
  • What training would you like to see for providers to better understand NPPs or HIPAA in general?

You can read the specific questions (43-53) for this section here.

HIPAA Wrongly Seen as a “Burden” (Part 5 in-depth analysis found here)

The last section is a catchall that asks how we might “amend the HIPAA Rules to further reduce burden and promote coordinated care.” The OCR here and in its press release would like us to think that HIPAA rules are currently limiting care coordination and case management, but they are NOT. Doctors and hospitals misunderstanding how HIPAA works is the primary issue preventing things like care coordination.

To be clear: HIPAA is NOT a burden.

Here’s what you need to know about HIPAA now:

  • As noted above, there are enough exceptions in HIPAA to share the information needed for your care.
  • The OCR does not focus heavily on enforcing the Privacy Rule provisions. Often they only offer providers “informal technical assistance” and allow violations to continue.
  • Providers are not properly trained in HIPAA. There are no training standards.
    • A recent study out of Yale (open access) looked at how hospitals complied with HIPAA. They found that hospitals had issues with many aspects of HIPAA – giving the wrong information or violating HIPAA rules – including:
      • What forms patients need to fill out
      • Whether records had to be picked up in person or could be faxed, emailed, provided on CD, or provided in portals
      • Refusing to provide records in the format requested
      • Charging excessive fees to get records
      • Not meeting processing times

Possible Changes to HIPAA and Why They Matter:

  • Making changes to HIPAA in the other 4 areas above under the guise that HIPAA provisions are a burden or just too hard to implement is how patients will lose their rights.
  • Improving provider training to understand HIPAA – including its purpose (which is to ensure trust and improve care) – will ensure better care coordination without compromising patient rights.
  • The questions in the RFI show that the OCR is not focusing on the patient as the center of their own care. Instead it focuses on what would make it easier for providers, family/friends, and technology companies. The OCR needs to include patient voices and ensure that patients are in control of their own information.

Ways you might comment on this section:

  • How do you feel about the rights you have under HIPAA?
    • Do you think they are properly enforced?
    • Are there rights that you feel you should have but don’t?
  • Have providers misinterpreted HIPAA in a way that’s impacted your care?
  • How do you think care coordination could be improved?

You can read the specific question (54) for this section here.


As I said above, there’s a lot here and you certainly don’t have to address every part of the RFI. You can pick and choose what is most important to you.

I will say that the 2nd section is where I am most concerned and would encourage input from all patients.

As a reminder, I’ll be following up with a post on how to submit comments individually. For now just go through the questions and think about how you might answer them. While personal submissions are the best, if you prefer to send me your examples, email me at HealthAsAHumanRight@gmail.com and I’ll be consolidating some answers and trends with my submission.

And if you want to dig deeper, though I’ve linked them above, I’m also posting the in-depth analyses below:

If you want to comment on the RFI, I’ve written a primer on how you can add your voice, which you can find here.

For questions/comments, email me at HealthAsAHumanRight@gmail.com.
