HIPAA Rule Changes are Coming Down the (Very Long) Pike

Yes, you read that right. The Office of Civil Rights (OCR — the HIPAA people) has started the ball rolling on changes to HIPAA’s rules that will likely impact mental health professionals in all work contexts.

I know we need new HIPAA rules like we need adult chickenpox, but the OCR seems to have some decent ideas. Who knows what we’ll get in the final wash, but the start looks good?

OCR’s Director, Roger Severino, was making noises about changes to HIPAA’s Privacy Rule throughout much of 2018. The department didn’t publish anything on it until December, however, when they released a Request for Input (RFI) document to the Federal Register. The deadline for input on that document is February 12th, 2019. So if you want to give some input to the OCR (Liath and I are already brainstorming our input!), you can find the RFI here.

The Request for Input document is, essentially, a listing of the things that OCR has observed working poorly and wishes to change. They list a number of questions that they would like stakeholders and/or experts to answer for them. Yes, you can submit your input on their ideas and questions. Mental health professionals are definitely stakeholders in how the HIPAA rules do and don’t change!

What’s on the OCR’s Collective Mind?

Here are some basics of what the OCR seems to be aiming towards with their questions in the RFI. Note that we will write again on this topic with more depth in the future as events unfold. Here we will just give a little info about what the OCR seems to be concerned with and what they seem to be thinking of doing with HIPAA in the future:

1) They are not proposing any changes focused on the Security Rule. This means they likely won’t make changes that impact HIPAA’s security standards for electronic information. No guarantees, though — if a desired privacy change also requires a change to security standards, we’re sure they’ll go for it.

2) They really, really want health care professionals to more freely share records with each other and, where appropriate, with family members and caregivers of people receiving care as well as social service agencies. In Person Centered Tech’s input to the OCR, Liath and I plan to address our various ethics codes’ standards around consent to disclose confidential information.

3) The HITECH Act (enacted in 2009 and resulting in the last substantive change to HIPAA in 2013) required the OCR to make stricter rules requiring that health care pros keep records of what information we’ve disclosed about clients so that we can give clients a list of those disclosures.

The OCR didn’t manage to fully implement that mandate, though, for logistical reasons. They’re hoping to finish meeting the mandate now, and to somehow put a rule in place that causes us to make it much easier for individuals to get a list of the information we’ve disclosed about them. Much of their questioning revolves around the ability of electronic record systems to generate such lists to the HITECH Act’s satisfaction.

4) The OCR wants to make the Notice of Privacy Practices (the “HIPAA form”) less of a barrier/turn-off for people. They’re hoping to find a better way to make sure people receive it than asking the client to sign a form saying they received it.

What Does This All Mean For Me?

Since we’re still in the Request for Input stage, it doesn’t mean a ton. Things have the potential to change wildly between here and any final rule changes.

That said, the OCR has been wrestling with the issues described in this RFI for years now. They’re unhappy with how slowly health care pros trade information with each other, and they’ve observed that clinics and hospitals are very reticent to share information for fear of violating HIPAA — even in the many cases where HIPAA allows the disclosures that they are avoiding (e.g. to family, caregivers, and other providers.)

One thing that is apparent is that we really need to get on the ball with writing and keeping records in such a way that lets us feel comfortable releasing them to clients and other providers without too much friction. Mental health pros are really good at privacy, except when it comes to releasing records at clients’ requests. (Remember: privacy is about supporting clients’ privacy decisions — not just keeping their info away from the wrong people.)

To get an example of what I’m talking about, check out the “Mental Health Centers” section on OCR’s curated list of HIPAA violation case examples. There are two examples there, and both of them are about failures to release records in a HIPAA-compliant manner.

Release of records is our HIPAAchilles’ Heel. (I’ve been waiting sooo long to make that joke!)


It will probably be a really long time before we see any actionable changes come from this round of input. However, the OCR has long had its sights set on increasing the flow of information between health care providers and from providers to their clients/patients. Preparing for that world of increased transparency and record-sharing can certainly start now. Other than that, however, it will likely be most prudent to wait and see what the OCR does with the results of their request for input. We’ll keep you updated.
