Download as PDF

May 6, 2021 

Robinsue Frohboese
Acting Director and Principal Deputy
Office for Civil Rights
U.S. Department of Health and Human Services
Attn: RIN 0945-AA00
Hubert H. Humphrey Building, Room 509F
200 Independence Avenue, SW
Washington, DC 20201
Re: RIN 0945–AA00; Docket HHS-OCR-2021-0006-0001

Dear Ms. Frohboese:  

The National Association of Accountable Care Organizations (NAACOS) is pleased to submit comments in response to the Notice of Proposed Rulemaking "Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement," as published in the January 21, 2021 Federal Register1. We appreciate the Department of Health and Human Services’ (HHS) efforts to remove barriers that limit care coordination. We share the administration’s goal to accelerate the transformation to value-based care and appreciate the opportunity to provide our views on how to clarify or modify the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule to further that goal. 

The ACO model is a market-based solution to fragmented and costly care that empowers local physicians, hospitals, and other providers to work together and take responsibility for improving quality, enhancing patient experience, and reducing waste. Importantly, the ACO model also maintains patient choice of clinicians. Medicare ACOs have a bipartisan history with their origins dating back to the George W. Bush administration and the Medicare Shared Saving Program (MSSP) launching during Barack Obama’s administration. There are more than 500 ACOs in Medicare today, caring for nearly 12 million beneficiaries. ACOs have been instrumental in the shift to value-based care, and a central part of the ACO concept is to improve patient care and reduce unnecessary expenditures through well-coordinated care. Being able to receive patient records in a timely manner, which is permissible under the HIPAA Privacy Rule, is imperative to proper coordination, improved patient outcomes, and ACOs’ success. ACOs must also know where patients receive care outside of their organizations if they are accountable for patients’ total cost of care.  

As the largest association of ACOs, NAACOS and its ACO members serve more than 12 million beneficiary lives through hundreds of organizations participating in population health-focused payment and delivery models in Medicare, Medicaid, and commercial insurance. NAACOS and its members are deeply committed to the transition to value-based care. NAACOS is an ACO member-led and member-owned non-profit organization that works on behalf of ACOs across the nation to improve the quality of Medicare delivery, population health and outcomes, and health care efficiency. 

While not a part of this proposed rule, NAACOS understands HHS is drafting rules updating privacy and sharing requirements for records governed by 42 CFR Part 2, as required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020. NAACOS urges HHS to issue a proposed rule as soon as possible since creating uniformity between HIPAA and Part 2 is of utmost importance. Substance use disorder (SUD) records should be shared for the purposes of treatment, payment, and health care operations without unnecessary administrative burdens, to ensure patients receive the treatment they need without delays or gaps in care. Specifically, we urge you to address claims-data access for providers practicing in alternative payment models, such as ACOs, to help support their work in population health management. ACOs are provided claims data at least monthly, and sometimes weekly, but these data lack SUD-related information because of limits of Part 2. The lack of data limits their work in improving the care for their patient populations. The CARES Act and subsequent rulemaking provides an opportunity to address this limitation. 

Furthermore, NAACOS reiterates its call for HHS to specifically name ACOs and care coordination efforts in definitions of permissible uses and disclosures.2 Such a recognition would benefit the transition to value-based care, which has been a priority of HHS in every administration since President George W. Bush. ACO programs have grown considerably since the last time HIPAA Rules were updated in 2013, and regulations need to be updated to reflect the substantial role ACOs play in care coordination. ACOs could point to regulatory language that certain sharing of protected health information (PHI) is allowed if they were specifically mentioned in regulation. The addition of this precise use case of PHI would not preclude the existing broad language of permissible disclosures. 

Below are recommendations specific to the proposed rule at hand. 

Clarifying Covered Entities’ Abilities To Disclose PHI for Individual-Level Care Coordination and Case Management (45 CFR 164.506) 

Proposal:A new subsection in 164.506(c)(6) would expressly permit covered entities to disclose PHI to social services agencies, community-based organizations (CBOs), home- and community-based service (HCBS) providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management, either as a treatment activity or as a health care operations activity. Under this provision, a health plan or healthcare provider could disclose PHI without patient authorization to a third party that provides health-related services to individuals. However, the third party does not have to be a healthcare provider but may be providing health-related social services or other supportive services—e.g., food or sheltered housing needed to address health risks.

Comments: As HHS states in the proposed rule, much confusion exists over what PHI providers can share with social services and CBOs, even if it is for care coordination and case management. Despite the Office of Civil Rights guidance on the topic, covered entities continue to either not share information as needed or to request patient authorization. Either risks slowing needed actions to help patients by bridging gaps between their health and social needs. 

For these reasons, NAACOS supports the addition of the new subsection 164.506(c)(6). The proposed change has the power to remove perceived barriers to disclosure of PHI, as appropriate, to social services agencies, CBOs, and HCBS providers to better enable care coordination and case management. It should ease confusion over providers sharing PHI, even if it’s currently allowed. 

ACOs have the flexibility and accountability that allow them to address social determinants of health more easily at the population level. For example, in Massachusetts, Medicaid ACOs are required to partner with CBOs and receive capitated, per-member-per-month payment to offer behavioral health, social needs screening, and medical care. In Rhode Island, Medicaid ACOs must demonstrate capacity to screen and address areas of social need in order to receive infrastructure incentive funds. As such, HHS should allow PHI sharing at the population level, not just individual as proposed, in order to facilitate care coordination and case management between CBOs entities like ACOs, that are well positioned to care for patients’ needs. 

HHS should draft rules that create as little burden as possible on covered entities. As such, HHS should not require that a particular service be identified in an individual’s care plan and/or for which a social need has been identified. While patient privacy is a priority, requiring this identification, as HHS seeks feedback on in the proposed rule, risks weakening the effectiveness of the proposed new subsection. This adds an administrative complexity, which should be avoided. So long as referral to social services falls within the boundaries of treatment and health care operations, including identification of this need in patient care plans would be unnecessary.

Amending the Definition of Health Care Operations To Clarify the Scope of Care Coordination and Case Management (45 CFR 160.103) 

Proposal: HHS proposes to clarify the definition of health care operations in 45 CFR 164.501 to encompass all care coordination and case management by health plans, whether individual-level or population-based. The new definition proposed in paragraph (1) of the definition of ‘‘Health care operations’’ in 45 CFR 164.501 would read as follows: 

. . . population-based activities relating to improving health or reducing health care costs; protocol development; case management and care coordination; contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment.

Comments: The current definition of health care operations includes care coordination and case management. Despite CMS guidance from 2000, some covered entities interpret the definition of health care operations to include only population-based care coordination and case management. This limits the reach of individual-focused care coordination and case management by health plans since health plans do not perform treatment functions as defined by HIPAA. 

NAACOS supports this revision but suggests some modifications. We have heard from ACOs that health plans do not always share necessary patient information with ACO providers, even when it may benefit and improve patient care. Those plans cite HIPAA as the reason for not sharing patient information. NAACOS believes a revision to clarify health plans’ ability to share PHI under the Privacy Rule for these purposes would help address this issue and better ensure that health plans share PHI with ACO providers consistent with the definition of health care operations. 

NAACOS believes HHS should clarify that this ongoing permission to share information for these health care operations purposes includes health plan sharing of data with ACOs. This clarification can be made in the preamble of the final rule, clarifying that ACOs are among the types of providers with whom PHI may be shared for health care operations purposes. Issues of care coordination and case management are important for entities beyond traditional health plans and providers. ACOs are an important tool in bridging care gaps and managing healthy patient populations. As such, their importance should be recognized by HHS in the final rule. 

Modifications to Individual Right of Access (45 CFR 164.524) 

ProposalHHS proposes several changes to improve the ability for individuals to access their health information. This includes adding definitions for electronic health record (EHR) and personal health application and allowing individuals the right to direct a copy of their PHI, including electronic PHI, to a third party. This section also proposes several changes to individuals’ rights to access their medical records. 

Comments: The proposed rule better aligns the HIPAA Privacy Rule with HHS’s information blocking rule that was finalized in 2020. NAACOS was generally supportive of that rule and its goals of creating a more interoperable health system.3 As such, we support the proposed additions of definitions for electronic health record and personal health application. However, we encourage HHS to consider a broad definition of "health care clinicians and staff" so that it includes members of patients' care coordination teams. These include nurses and medical assistants who check in on patients during and after care transitions and for chronic disease management. These are vital members of patient care teams whose involvement can reduce negative outcomes such as avoidable admissions and readmission. 

The proposed rule also would require covered providers to send electronic copies of PHI in an EHR to a third party at an individual’s request. The request must be "clear, conspicuous, and specific." NAACOS supports HHS’s efforts to strengthen individuals’ right of access to their health information, and this includes electronic health information. However, the proposed regulation assumes that application programming interfaces (APIs) are ready to easily transfer such data between EHRs. In reality, such API capabilities aren’t robust or ready for such a requirement. Without additional time to make EHRs ready to handle such requests, providers won’t be capable to fulfill these new requirements. In an ideal world, this should be a realistic ask, and HHS should use this requirement as a reason to make such requests a reality. Robust EHR-to-EHR data exchange will improve patient care and care coordination. However, NAACOS asks for latitude in enforcing this requirement. Furthermore, HHS should consider minimizing provider burdens in its final rule. This includes covered providers notifying patients of the privacy and security concerns with transmitting such data electronically, which HHS inquires about in the proposed rule. 

Creating an Exception to the Minimum Necessary Standard for Disclosures (45 CFR 164.502(b)(2)) 

Proposal: This proposal would add an express exception to the minimum necessary standard for disclosures to or requests by a health plan or covered health care provider for individual-level care coordination and case management activities that constitute treatment or health care operations.

Comments: The Privacy Rule generally requires that covered entities use, disclose, or request only the minimum PHI necessary to meet the purpose of the use, disclosure, or request. As stated in the proposed rule, covered entities must make a determination on how much information is needed for individual-level care coordination and case management, and many may provide too little information as a result. 

HHS’s proposal would remove disincentives to disclose too little information or worry if a request falls under the scope of treatment or health care operations out of fear being subject to penalties for violating patient privacy. If finalized, this proposal would enable providers to more easily and efficiently share PHI for care coordination and case management for individuals. It would also complement changes to health care operations for health plans, which NAACOS comments on above. Too often, considerations around what’s “minimally necessary” information limit care management. Therefore, NAACOS supports this proposal and recommends it be finalized. 

NAACOS further believes that HHS strikes an appropriate balance with patient privacy by relaxing the minimum necessary standard, where doing so increases the ability of providers and plans to better coordinate care, consistent with broader HHS goals to transform the health care system. We believe these goals can be accomplished by balancing the need to better share patient information to facilitate better health care outcomes, while also protecting patient privacy.  The proposed changes to the minimum necessary standard appropriately balance those needs. 


The HIPAA Privacy Rule provides important protections for patients while allowing reasonable sharing of PHI for treatment, payment, and health care operations. We urge HHS to make small tweaks in its rulemaking and guidance to acknowledge the increasing importance of ACOs and population-based payment models. Such work is a growing part of the health care delivery structure and should be recognized in HIPAA rulemaking and guidance. NAACOS appreciates HHS’s work to address the important issue of care coordination and welcomes the opportunity to work with you to further the goals of well-coordinated care, which align with the goals of ACOs. Should you have any questions about this letter or the ACO program, please contact David Pittman at [email protected].  



Clif Gaus, Sc.D.
President and CEO