State of Play: COVID-19 waivers from OCR have been released this Spring. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency. The exercise of discretion applies to widely available communication applications, such as FaceTime or Skype, when used in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19. Additionally, OCR issued guidance to help ensure first responders and others receive protected health information about individuals exposed to COVID-19. Congress passed the Coronavirus Aid Relief and Economic Security Act which includes a provision to align 42 CFR Part 2, with the Health Insurance Portability and Accountability Act (HIPAA), with initial patient consent.
- On April 28, the Coalition sent comments to the FDA regarding modernization of the agency’s data strategy
- On April 16, HLC’s Confidentiality Coalition sent a letter to HHS Secretary Alex Azar, CMS Administrator Seema Verma and the U.S. National Coordinator for Health Information Technology, Dr. Don Rucker, requesting an extension of the time period for implementation of the CMS Interoperability and Patient Access Final Rule and the ONC Cures Act “Information Blocking” Final Rule. The rationale for the request was based on members’ inability to implement these rules due to their singular focus on COVID-19 emergency activities.
- In April, the Confidentiality Coalition communicated with ONC and CMS, requesting an extended time period — a minimum of 12 months — for compliance with and enforcement of each requirement specified in the interoperability rules, in light of the COVID-19 pandemic.
- On March 4, the Confidentiality Coalition presented at the Annual HIPAA Summit. “Can the Tension Between Treatment Coordination and Privacy Protection Goals be Harmonized?”
- Members of Confidentiality Coalition met with OCR staff to discuss the Telephone Communications Protection Act (TCPA) and its affect on HIPAA covered entities’ ability to communicate non-marketing health alerts to individuals.
- On March 19, Diane Sacks, counsel to the Confidentiality Coalition, walked members through privacy and security provisions in the final interoperability rules from the HHS Office of the National Coordinator of Health Information Technology (ONC) and the Centers for Medicare and Medicaid (CMS).
- Written testimony from Confidentiality Coalition Chair, Tina Grande to House Committee on Veterans’ Affairs Subcommittee on Technology Modernization hearing “Data Privacy and Portability at VA: Protecting Veterans’ Personal Data.”
- Confidentiality Coalition comments on the House Energy and Commerce Committee’s draft privacy legislation.
- The Confidentiality Coalition met with the Office of Management and Budget to discuss privacy-related concerns with the CMS and ONC interoperability rules.
- Submitted a statement for the record on the Senate Commerce, Science, and Transportation Committee hearing, “Examining Legislative Proposals to Protect Consumer Data Privacy.” The coalition shared its “Beyond HIPAA” Privacy Principles that convey views on the protection of health information that is not subject to HIPAA.
- Signed a multistakeholder letter in response to SAMHSA’s proposed rule related to the confidentiality of substance use disorder patient records. The letter supported alignment of 42 CFR Part 2 with HIPAA for treatment, payment, and health care operations and urged SAMHSA to make additional modifications within its authority.
- The coalition continues to hold meetings with staff in the House and Senate as Congress considers national privacy legislation. In these meetings, the coalition emphasizes the coalition’s privacy principles and the importance of streamlining privacy laws across states to ensure the flow of appropriate health information necessary to improve health and healthcare.
- Drafted principles on privacy and security of health data not regulated by HIPAA. These principles are being shared with federal policymakers
- Presented at The Data privacy Conference USA sponsored by Forum Europe.
- Presented on the privacy and security implications of draft 2 of the Trusted Exchange Framework and Common Agreement (TEFCA 2.0) at the Workgroup for Electronic Data Interchange (WEDI) Summer Forum.
- Wrote the Office of the National Coordinator for Health Information Technology commenting on the Trusted Exchange Framework and Common Agreement (TEFCA) Draft 2.
- Wrote the Centers for Medicare and Medicaid Services responding to a Notice of Proposed Rulemaking on interoperability and patient access.
- Wrote the Office of the National Coordinator for Health Information Technology responding to a Notice of Proposed Rulemaking on interoperability and information blocking.
- The Coalition submitted a statement for the record for the U.S. House of Representatives Committee on Energy and Commerce hearing on “Oversight of the Federal Trade Commission: Strengthening Protections for Americans’ Privacy and Data Security.” The coalition supported the Federal Trade Commissions’ oversight of personal health records that reside in non-HIPAA covered entities.
- Hosted staff from ONC who presented on TEFCA.
- Submitted a statement for the record for the U.S. House of Representatives Committee on Energy and Commerce hearing on “Protecting Consumer Privacy in the Era of Big Data.”
- Submitted a statement for the record for the U.S. Senate Committee on Commerce, Science, and Transportation hearing on “Policy Principles for a Federal Data Privacy Framework in the United States.”
- Wrote the HHS Office for Civil Rights responding to a request for information on identifying provisions of the Privacy and Security Rules, promulgated pursuant to the Health Insurance Portability and Accountability Act, that impede the transformation to value-based healthcare or that limit or discourage coordinated care among individuals and Covered Entities without meaningfully contributing to the protection of the privacy or security of individuals’ PHI.
- Wrote the National Institute of Standards and Technology (NIST) responding to a request for information on Developing a Privacy Framework.