Healthcare Information Security

HIPAA and Compliance News

HHS Pushes for Changes to HIPAA Privacy Rule, 42 CFR Part 2

HHS will soon issue requests for information about changing the HIPAA Privacy Rule and 42 CFR Part 2 to make it easier for doctors, hospitals, and payers to coordinate in delivering value-based care and fighting the opioid addiction crisis.


Source: Thinkstock

By Fred Donovan

- In the next few months, HHS plans to issue requests for information (RFIs) about changing the HIPAA Privacy Rule and 42 CFR Part 2 to make it easier for doctors, hospitals, and payers to coordinate in delivering value-based care and fighting the opioid addiction crisis.

“Current interpretations of the two privacy laws…are not just impeding value-based arrangements in healthcare. They can also get in the way of communities and families working together to combat our country’s crisis of opioid addiction,” HHS Secretary Alex Azar told an audience at the Heritage Foundation July 26.

Azar did not specify what specific changes would be proposed in the RFIs.

Major changes to HIPAA rules last occurred back in 2013 when HHS issued the Omnibus Final Rule implementing the HITECH Act of 2009. Among the many changes made in that rule, business associates were required for the first time to comply the HIPAA Privacy and Security Rules.

There has also been a push by the American Hospital Association (AHA) and others in healthcare to amend 42 CFR Part 2 so that certain information about substance abuse patients could be shared with other providers without patient consent. The groups want to bring the statute in line with HIPAA rules, which allow sharing of information without patient consent for the purposes of treatment, payment, and operations.

To protect the confidentiality of people who seek treatment for drug or alcohol abuse, 42 CFR Part 2 prevents healthcare providers from sharing information on a patient’s substance abuse history unless the patient gives consent.

AHA and other groups argue that the stricter confidentiality requirements under 42 CFR Part 2 have a negative effect on medical treatment of individuals being treated for addiction.

A bill, the Overdose Prevention and Patient Safety Act (HR 6082), incorporating these changes to 42 CFR Part 2 was passed by the House on June 20.

HR 6082 would authorize the disclosure of substance abuse patient records without the patient’s written consent to a covered entity for the purposes of treatment, payment, healthcare operations and to a public health authority, if the disclosure is in line with HIPAA.

Under the HIPAA Privacy Rule, health information may be used or disclosed by covered entities for the purposes of treatment, payment, and other healthcare operations without patient consent.

On a related issue, a bipartisan group of House lawmakers, led by Rep. Adam Schiff (D-CA), sent a July 26 letter to Azar seeking updates on implementation of a provision in the 21st Century Cures Act that would clarify when providers could share information with patients’ caregivers about mental health and substance abuse.

The lawmakers noted that HIPAA rules allow healthcare professionals to share information with a patient’s “loved ones” in emergencies. Other signatories included Representatives John Katko (R-NY), Grace Napolitano (D-CA), Gus Bilirakis (R-FL), Jimmy Panetta (D-CA), and Salud Carbajal (D-CA).

“However, widespread misunderstandings persist and create obstacles to family support that is crucial to the proper care and treatment of persons experiencing a crisis. To enhance the quality of behavioral health and medical/surgical services, we believe it is essential that model programs and training materials be developed for health care professionals regarding permitted uses and disclosures of Protected Health Information through HIPAA,” they wrote.

The lawmakers noted that health providers often misintepret or do not understand what HIPAA permits them to communicate with family members.

“As long as misconceptions or ignorance of the rights and responsibilities associated with the privacy rule persist, HIPAA may continue to hinder necessary communication with significant implications for patient care and public safety in circumstances in which providers are legally allowed to share information,” they wrote.

The lawmakers stated that providers should work with families who want information about a family member with serious mental illness to protect their health or safety, particularly where that individual lacks judgment to make an informed decision regarding their need for treatment, care, or supervision.

“Therefore, we respectfully request an update on your progress in implementing the Compassionate Communication on HIPAA provision within the 21st Century Cures Act,” they concluded.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...