Main Content

ASAN Comments on HIPAA Privacy Rule

February 11, 2018

U.S. Department of Health and Human Services
Office for Civil Rights
Attention: RFI, RIN 0945-AA00
Hubert H. Humphrey Building, Room 509F
200 Independence Avenue SW
Washington, DC 20201

Re: Department of Health and Human Services, Office for Civil Rights RIN 0945-AA00, Docket HHS-OCR-0945-AA00, “Request for Information on Modifying HIPAA Rules to Improve Coordinated Care”

The Autistic Self Advocacy Network[1] appreciates this opportunity to offer information and comments to the Department of Health and Human Services (DHHS) Office for Civil Rights as part of its Request for Information (RFI)[2] regarding whether or not there are provisions of the Health Insurance Portability and Accountability Act (HIPAA)’s privacy and security-related regulations that should be modified in order to improve care coordination.

ASAN opposes any modifications that might weaken HIPAA’s Privacy and Security Rules, as these rules protect individuals from unwanted disclosures of their protected health information to outside parties and ensure that they are aware of who their information is shared with and how it is used.

ASAN is a disability rights organization that primarily serves adults with cognitive disabilities. ASAN has published multiple resources that help adults with cognitive disabilities understand and take control of our own health care, including our “Healthcare Transition Toolkit”[3] and “A Self Advocate’s Guide to Medicaid.”[4] ASAN therefore has a strong interest in bolstering, rather than undermining, protections that ensure that only individuals with disabilities — rather than any unspecified family member or service provider — have the right to decide how our own protected health information is shared.

We outline our responses to the questions posed by DHHS’ Office for Civil Rights in its RFI in further detail below.

With respect to Section (b), “Promoting Parental and Caregiver Involvement and Addressing the Opioid Crisis and Serious Mental Illness,” ASAN strongly supports the current provisions of HIPAA’s Privacy Rule, which properly protect persons with disabilities from unwanted disclosures of protected health information to parents and caregivers.

In Section (b) RFI requests comments on whether DHHS should make any modifications to the Privacy Rule in order to “ensure that family members and other caregivers can be involved in an individual’s care” when an individual has a substance use disorder related to opioids or a “serious mental illness.”[5] The RFI states that anecdotally, DHHS has heard that covered entities have been “reluctant” to inform family members or caregivers that one of their family members is experiencing a mental health crisis or substance abuse related health crisis for fear of violating HIPAA.[6]

There is no need for DHHS to modify the Privacy Rule in order to address these concerns. The Privacy Rule does not in any way prohibit the disclosure of protected health information to the family members and caregivers of any individual. Instead, the Privacy Rule merely requires that the individual agree to the disclosure of their protected health information, or be provided with an opportunity to object to the disclosure.[7] Indeed, the Privacy Rule directly states that covered entities may “disclose to a family member, other relative, or a close personal friend of the individual,” with the individual’s permission as required, protected health information directly related to their involvement in the individual’s health care.[8]  The Privacy Rule even allows covered entities to disclose protected health information without consulting the individual during an emergency, if the individual is not present, or in a situation where the individual is incapacitated.[9] To rectify any anecdotal confusion, DHHS would merely need to provide further information or guidance on how the Privacy Rule impacts covered entities in specific situations where such entities might be reluctant to provide information to parents and caregivers.

In fact, the only situation in which a covered entity would not be able to disclose protected health information to parents or caregivers is if the individual objects to the covered entity doing so. ASAN strongly opposes any change to the Privacy Rule that would allow disclosure of protected health information under these circumstances. All individuals, regardless of what kind of disability they have or the circumstances they are in, should have the unequivocal right to the privacy of their own health records.

ASAN’s opposition is firmly grounded in the experiences of our constituents. Many autistic adults and others with intellectual and developmental disabilities (I/DD) are denied control and agency over the most basic aspects of our own lives, including our health care, through restrictive legal arrangements called guardianships and conservatorships. Those of us who are not under guardianship may have nonetheless been denied opportunities for self-determination and self-advocacy, or coerced into institutions, group homes, and other restrictive living situations. Protections like the notification and permission requirements of the HIPAA Privacy Rule are invaluable in part because they ensure that we cannot as easily be denied control over our own health and autonomy over our own lives.

Autistic people are much more likely to have mental health disabilities than members of the general population.[10] We are particularly likely to have anxiety and depression.[11] These co-occurring disabilities may indeed harm our health if we lack access to proper services and supports that can help us manage them, and ASAN is in firm support of research, training, and development related to these supports. What we oppose is the abrogation of rules and regulations that allow us to determine how these supports are delivered.

Modifications to the Privacy Rule’s protections in this area would also be disproportionately harmful to disabled individuals who are LGBTQ. More autistic people are LGBTQ than members of the general population.[12] Some of these individuals are separated from family members and caregivers who neither acknowledged nor supported their identities. Other individuals have chosen not to inform their parents that they are LGBTQ. These individuals might be harassed or even threatened if family members were readily able to obtain their protected health information without their consent. The presence of a co-occurring mental health condition or substance use disorder does not change this concern.

Finally, and most fundamentally, ASAN objects generally to the framing of this section of the RFI. The language used in this section of the RFI implies that DHHS considers mental health and opioid use disorders to be special circumstances, and that the privacy of individuals with these disabilities is less important than allowing their family members to be involved with their care.[13] This framing is offensive, and denies the agency, privacy, and dignity of people with these disabilities. People with disabilities have the same legal rights and deserve the same privacy protections as people without disabilities. If a regulatory change might undermine those rights, it should not be pursued.

With respect to Section (a), “Promoting Information Sharing for Treatment and Care Coordination,” ASAN strongly opposes modifying the Privacy Rule to allow for automatic disclosure of protected health information to social service agencies and community-based support programs.

Question 18 and its supporting preamble ask whether “express regulatory permission should be created for HIPAA covered entities to disclose PHI to social service agencies or community-based support programs.”[14] ASAN opposes such a modification. As the RFI itself explains, the Privacy Rule already allows covered entities to disclose protected health information to facilitate treatment and care coordination.[15] There is no need to modify the Privacy Rule to allow covered entities to disclose automatically. The only reason such a modification would be necessary, as ASAN mentioned in its comments on Section (b), would be to allow the covered entity to disclose protected health information without the individual’s knowledge or consent, and ASAN strongly objects to modifying the rule to allow for such disclosures.

Modification to allow this kind of disclosure would be particularly dangerous for people with I/DD, as we frequently rely heavily on social service agencies to receive the services and supports necessary for us to live in our communities. There is often a power imbalance between us and the provider agencies that support us. Our ability to control who can access our PHI becomes only more important in these circumstances. ASAN encourages HHS Office for Civil Rights to leave this provision of the regulations unchanged.

With respect to Section (d), “Notice of Privacy Practices,” ASAN strongly supports the provisions of the Privacy Rule which require covered entities to obtain a written acknowledgement from an individual showing that the individual understands the entity’s Privacy Policy.

Specifically, HIPAA’s Privacy Rule requires that covered entities provide individuals with a Notice of Privacy Practices, which describes the individual’s privacy rights and to whom the covered entity might disclose protected health information.[16] Covered entities must also display this notice prominently in their offices.[17] Additionally, covered entities must “make a good faith effort to obtain a written acknowledgement of receipt of the provider’s NPP.”[18] The RFI requests comments on the degree to which this imposes a burden on covered entities and what the consequences would be if the requirement were removed.[19]

ASAN believes that removing these requirements may have unintended consequences for individuals with I/DD and other cognitive disabilities. HIPAA waivers are often treated as a mere formality during visits to doctors and clinicians, and few individuals seeking treatment have a comprehensive knowledge of the law. Such a situation is even more likely for individuals with I/DD, as information is rarely provided in a way that is cognitively accessible to us. This provision of the regulations, while not perfect, at least helps to prevent situations in which we unknowingly sign a waiver allowing a covered entity to disclose our protected health information to another person, or situations in which providers assume that we consent to disclosures that we did not consent to. ASAN recommends that HHS in fact enhance this requirement by requiring that the Notice of Privacy Practices and related disclosure acknowledgement be written in cognitively accessible language, such as plain language or Easy Read.

ASAN strongly supports leaving the HIPAA Privacy Rule regulations untouched. ASAN encourages HHS’ Office for Civil Rights to reach out to individuals with I/DD with respect to how HHS can enhance care coordination and improve the quality of our health care, without sacrificing privacy. For more information on ASAN’s positions with respect to HIPAA please contact Julia Bascom, our Executive Director, at

[1] ASAN, a 501(c)(3), non-profit organization, is the nation’s leading self-advocacy organization by and for autistic people ourselves. Our mission is to advance the social and civil rights of Autistic people and other individuals with disabilities. For more information on ASAN, go to

[2] Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, 83 Fed. Reg. 64302, 64302 (December 14, 2018).

[3] Autistic Self Advocacy Network, Healthcare Transition Toolkit (July 2014),

[4] Autistic Self Advocacy Network, A Self Advocate’s Guide to Medicaid (May 2017),

[5] 83 Fed. Reg. at 64306.

[6] Id.

[7] 45 C.F.R. § 164.510 (b)(2).

[8] 45 C.F.R. § 164.510 (1).

[9] 45 C.F.R.§ 164.510 (b)(3); 45 C.F.R. § 164.510 (b)(4).

[10] Jessica Wright, “Depression common among men with autism, study finds,” Spectrum News(August 24, 2015),; Luigi Mazzone et. al., Psychiatric comorbidities in asperger syndrome and high functioning autism: diagnostic challenges, 11 Annals of General Psychiatry 1, 5-8 (2012) (finding that, based on a systematic review of relevant scientific studies, autistic people were more likely to have many mental health disabilities); Ovsanna T. Leyfer et al., Comorbid Psychiatric Disorders in Children with Autism: Interview Development and Rates of Disorders, 36 J. Autism & Dev. Disord. 849, 855 (2006) (finding that 72 percent of the autistic children in the study had an additional psychiatric disability).

[11]  Jessica Wright, “Depression common among men with autism, study finds,” Spectrum News(August 24, 2015),

[12] R. George and M.A. Stokes, Sexual Orientation in Autism Spectrum Disorder, 11 Autism Research133, 133-141 (2018).

[13] 83 Fed. Reg. at 64306.

[14] 83 Fed Reg. at 64303.

[15] 83 Fed. Reg. at 64303; 45 C.F.R. § 164.506(b)(1).

[16] 83 Fed. Reg. at 64308.

[17] Id.

[18] Id.

[19] Id.

This entry was posted in Uncategorized, Policy and tagged , , , , , . Bookmark the permalink.
Skip to top

More information