Tues 2/12: Cocktail-hour comments – Tell HHS why HIPAA privacy rights should be protected. Deadline tonight!

(From Indivisible San Francisco)

Action: Stop Erosion of HIPAA Patient Healthcare Rights — Deadline TONIGHT, by 11:59 pm EST.

HHS has proposed changes to HIPAA under the guise of “easing regulations,” so that patients diagnosed with serious mental illness (SMI) or opioid use disorder (OUD) could have their medical records released without their consent.

Post a comment with HHS opposing this change by 11:59 pm EST TONIGHT, Feb. 12th!

Sample Comment 

“I strongly oppose the proposed changes to HIPAA because the proposed changes extend far beyond the known benefits of coordinated care and will make patient healthcare less safe. [LIST ADDITIONAL PERSONAL OR POLICY REASONS WHY YOU FEEL HIPAA SHOULD BE PROTECTED. THEY SHOULD BE UNIQUE TO YOU.]

[Insert reason why you or a family member or a friend might be negatively impacted by the changes to the rules. Or insert a personal story.]

I urge you to not change existing HIPAA regulations on patient confidentiality.”


HIPAA is the Health Insurance Portability and Accountability Act of 1996, and one of its functions is to establish policies for how patient information may be shared. Ranking Democratic Senators Murray and Wyden sent a letter to HHS expressing reservations about these proposed changes, calling it a “dangerous precedent”.

Specifically, HHS wants to know if you think it’s OK to allow your highly personal health information to be read by companies and agencies that are NOT HIPAA-covered entities, like social service agencies, community-based support programs and family members other than those chosen by the patient, be they parents, spouses and/or adult children.

No, we don’t think it’s OK.

They also want to know if it’s OK if they take out the wording “minimum necessary” in the sharing requirement, and force covered entities to share records when requested instead of deciding on a case-by-case basis.

No, we don’t think it’s OK.

Some protections at stake include: A doctor may be required to release information to other doctors without patient consent. Private and sensitive health information about mental health and substance use, and even genetic information, could be shared with friends or family without consent. The patient’s right to know who is getting this health information may be limited, as well as getting a copy of patient civil rights and how to enforce them.

Awesome resource!

For a deeper dive into the subject, check out this in-depth blog post which concisely covers, with great real-world examples, the proposed changes for each of these categories.

Included here are the 5 categories involved in this rule change and some brief examples from the post to help explain each. For more examples and subplots, see this eminently readable post.

  • Sharing information between doctors

Example: A patient sees a psychiatrist but does not want their primary care physician (PCP) to know because they are afraid of stigma. The patient tells the psychiatrist not to share the notes with other doctors and they agree that’s in the patient’s best interest. The PCP finds out the patient saw a psychiatrist and asks for the record from the psychiatrist. The psychiatrist has to provide them and at the next appointment the patient receives biased care based on their stigma.

Example: An insurer is looking at whether to approve a prior authorization for a medication your doctor ordered. The insurer requests information from the doctor that is more information than the insurer needs to know (more than the minimum necessary) to make this determination. The insurer finds a note in the chart that they use to deny your prior authorization.

  • Sharing substance use and mental health information with friends and family

Example: A patient in a long-term abusive relationship had an abortion and hid it from her husband to avoid angering him. She put her mom down as her HIPAA contact, but an incident with an accidental overdose now gives her husband, under the new rules, access to her complete medical history.

  • Accounting of Disclosures is a list of entities that received information about your care. Currently, your doctor doesn’t have to include who they gave your information to for treatment purposes.

Example: Knowing where my information goes is important because it gives me an active role in my care – including how my care is coordinated or if information is shared that I did not want shared.

  • Notice of Privacy Practices – Patients get a Notice of Privacy Practices (NPP) at check-in with their doctors and hospitals. It outlines your rights and how your health information might be used. Providers are supposed to get a signature saying you received a copy of the NPP. The RFI would like to make it so providers don’t have to get a signature. In other words, they don’t have to prove that they gave you a copy of your rights.

Example: Many patients don’t know they can make a complaint if they think their rights under HIPAA have been violated. They don’t know where to go or who to talk to. This information should probably come first including a link to the OCR’s portal for complaints.

  • HIPAA “burdens” that prevent policy goals around Value-Based Care – The current administration would like us to think that HIPAA rules are currently limiting care coordination and case management but they are NOT. Doctors and hospitals misunderstanding how HIPAA works is the primary issue preventing things like care coordination.

Example: Making changes to HIPAA in the other 4 areas above under the guise that HIPAA provisions are a burden or just too hard to implement is how patients will lose their rights.

