Roger Severino, director of the Office for Civil Rights (OCR) with enforcement powers over the HIPAA Privacy Rule and breaches of protected health information (PHI), announced he is looking to make some changes to both and will issue Notices of Proposed Rulemaking (NPRMs) and Requests for Information (RFIs) before proceeding.
OCR Director Roger Severino
Specifically, he told a HIPAA meeting in Arlington, Va., on March 27 that he would:
- Issue a Request for Information regarding sharing some of the proceeds from data breach violations with the victims themselves
- Issue a Notice of Proposed Rulemaking to suggest dropping the requirement that health care providers issue and patients sign notices of HIPAA privacy practices
- Issue another NPRM so health care providers can act in “good faith” and disclose private health information, under certain circumstances as when the patient is incapacitated, to the patient’s family
On the first point — sharing monies from breach penalties with victims (which currently go 100 percent back into enforcement) — he told his audience:
OCR is interested in hearing from industry advocates and patients about what would be the proper approach for … creating a system though regulation in providing compensation to those hurt by breaches and HIPAA violations. A lot of breaches do end up causing significant stress, trauma and anxiety to people.
On the second point, he noted that patients, especially new ones, are often handed a pile of forms to sign, and the whole episode can be confusing and upsetting about whether they’re signing away their rights.
“People are uncertain if signing the acknowledgement of privacy practices is some type of contract or a waiver of privacy rights, or [something] required to be signed in order to be treated,” he said. In today’s “deregulatory environment,” he suggested that posting a conspicuous notice in the waiting area might be sufficient.
On the third issue, Severino offered the example of parents who had no idea their adult children were on opioids — until it was too late and they had overdosed. Therefore, he wants to add a “good faith” component to medical disclosures so that health care professionals can use their own better judgment when something needs to be disclosed to immediate family.
Severino gave no timetable on the issuance of these notices and requests.
OCR is an agency within the Department of Health and Human Services (HHS). HIPAA refers to the Health Insurance Portability and Accountability Act.