The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services issued proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule on December 10, 2020. The goal of the proposed regulations is to support individuals’ engagement in their care, to remove administrative barriers to coordinated care, and to reduce regulatory burdens on the health care industry. OCR also released a fact sheet about the proposed modifications.
The proposed regulations continue the Department’s “Regulatory Sprint,” which seeks to promote value-based health care by updating federal regulations that unnecessarily impede efforts among health care providers, health plans, and other service providers to coordinate care for individuals. The proposal follows the Department’s 2018 Request for Information, which called for comments on whether and how to modify provisions of the HIPAA rules that inhibit care coordination, case management, or value-based care.
If the proposed modifications are finalized, they will likely reduce some of the administrative burdens imposed on health care providers and health plans, for example by eliminating the requirements to obtain an individual’s signature acknowledging receipt of the Notice of Privacy Practices (NPP) and to retain copies of the signature for six years. In an effort to facilitate disclosures of health information that improve patients’ health outcomes, OCR is also proposing significant changes and clarifications to the rules governing an individual’s right of access to health information, as well as additional flexibility for providers in making disclosures to family members and caregivers, and to third parties providing case management or care coordination services.
The following is a summary of the key highlights:
Individuals’ Right of Access to Protected Health Information (PHI):
In response to complaints and comments to the 2018 Request for Information that individuals frequently face challenges in obtaining timely access to their PHI, OCR is proposing a number of modifications to strengthen individuals’ rights to access and remove barriers that may limit or discourage coordinated care, including the following:
- Shortening time limits for covered entities to respond to an individual’s request down from 30 to 15 calendar days after receipt, with the opportunity for an extension of no more than 15 calendar days, also down from the current 30-day extension;
- Creating a pathway for individuals to direct the sharing of their PHI in an electronic health record among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an electronic health record. Supporting this new right is a new definition of electronic health record:
Electronic health record means an electronic record of health related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.
The definition would include electronic billing and scheduling records, because they contain health-related information. A covered entity would be required to document these electronic health records in the same way that it is currently required to document its designated record sets. The proposed rule does not define “clinicians,” but the commentary indicates that the term would include physicians, nurses, pharmacists and other allied health professionals;
- Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI (such as by taking photos on their mobile phone);
- Clarifying the form and format required for responding to individuals’ requests for their PHI, including for electronic copies. Under the proposed rule, an individual would be able to request that a copy of his or her health information be made available through a personal health application, if a copy is readily producible to or through the application. The proposed rule would define “personal health application” as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.”
This definition is intended to cover consumer-managed health applications. The regulation would not extend the protections of the Privacy Rule to personal health applications – this is just a means for delivering electronic health records to patients;
- Prohibiting covered entities from imposing “unreasonable measures” on an individual exercising the right of access, such as through burdensome verification or notarization requirements or by demanding extensive and unnecessary information from the individual before fulfilling a request;
- Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR (to comply with the federal court ruling in Ciox Health, LLC v. Azar, et al.), provided the request is clear, conspicuous and specific, whether made orally or in writing;
- Amending the permissible fee structure for responding to requests to direct records to a third party; and
- Requiring a covered entity to post on its website its approximate fees for copies of PHI requested under the access right and with an individual’s valid authorization, and, upon request, to provide an individualized estimate of the fees for an individual’s request for copies of PHI and an itemized bill for a completed request.
Care Coordination and Exception to the Minimum Necessary Standard:
The rule currently allows covered entities to use and disclose PHI for their own health care operations, including “population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination . . . and related functions that do not include treatment.”
So far as health care providers are concerned, coordinating care for individuals would typically fall under treatment; population-based activities would be health care operations. The proposed regulation would clarify that care coordination by health plans covers both coordinating care for individual enrollees, as well as population-based activities. Because individual care coordination by health plans constitutes health care operations, it is subject to the minimum necessary rule. OCR sees this as a barrier to the exchange of health information for individual care coordination. The proposed rule would create a new exception to the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
Disclosures to Social Services Agencies:
The proposed rule would modify 45 CFR 164.506(c) to add a new subsection 164.506(c)(6) that expressly permits covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based services (HCBS) providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management, either as a treatment activity of a covered health care provider or as a health care operations activity of a covered health care provider or health plan. Although these disclosures are already generally permitted under the existing Privacy Rule for treatment or certain health care operations, OCR explained that too many covered entities are either unaware that the Privacy Rule permits the disclosures or are uncertain about the scope of the permission to disclose, and therefore often refuse to make them. Under this provision a health plan or a covered health care provider could disclose PHI without authorization only to a third party that provides health-related services to individuals, but the new subsection clarifies that the third party does not have to be a health care provider and could instead be a provider of health-related social services or other supportive services.
To address concerns that HIPAA too often discourages health care providers from disclosing PHI when families and other caregivers are attempting to assist with health-related emergencies, substance abuse, and other circumstances in which individuals are incapacitated or otherwise unable to express their privacy preferences, the proposed rule would amend five provisions of the Privacy Rule to replace the “exercise of professional judgment” standard with a “good faith belief” standard, under which covered entities would be permitted to make certain uses and disclosures that they believe in good faith to be in the best interests of the individual. The professional judgment standard, OCR explains, presupposes that a decision is made by a health care professional, such as a licensed practitioner, whereas good faith may be exercised by other workforce members who are trained on the covered entity’s HIPAA policies and procedures and who are acting within the scope of their authority. The proposed rule would also include a presumption that a covered entity has complied with the good faith requirement, absent evidence that the covered entity acted in bad faith. Together, OCR explained, these proposed modifications would improve care coordination by expanding the ability of covered entities to disclose PHI to family members and other caregivers when they believe it is in the best interests of the individual, without fear of violating HIPAA.
Threats to Health or Safety:
The proposed rule would amend the Privacy Rule at 45 CFR 164.512(j)(1)(i)(A) to replace the “serious and imminent threat” standard with a “serious and reasonably foreseeable threat” standard. The amendment seeks to prevent situations in which covered entities decline to make uses and disclosures they believe are needed to prevent or lessen a threat of harm, out of concern that their inability to determine precisely how imminent the threat is may expose them to HIPAA penalties for an impermissible use or disclosure. The proposed modification, OCR explains, would permit covered entities to use or disclose PHI without having to determine whether the threatened harm is imminent (which may not be possible in some cases); instead, they would determine whether it is reasonably foreseeable that the threatened harm might occur. OCR further proposes to define “reasonably foreseeable” using a reasonable person standard. This standard would consider whether a similarly situated covered entity could believe that a serious harm is reasonably likely to occur, and would not require a determination that a majority of covered entities would hold such a belief. However, OCR explained in defense of the new standard, “reasonably foreseeable” would not permit the application of assumptions unwarranted by the individual’s diagnosis and specific circumstances.
Notice of Privacy Practices (NPP):
- Written Acknowledgment of Receipt: The proposed rule would eliminate the requirement for a provider to make a good faith effort to obtain an individual’s written acknowledgement of receipt of an NPP. The goal is to reduce paperwork burdens and reduce confusion for individuals and providers. In lieu of the written acknowledgment requirement, the regulations would provide an individual with the right to discuss the NPP with a person designated by the covered entity.
- Modifications to Contents: HHS proposes to modify the required header of an NPP to summarize an individual’s rights at the beginning of the document and provide contact information for a person designated by the covered entity. HHS also proposes to modify the content requirements regarding access rights and the right to discuss the NPP with someone at the covered entity. The goal would be to help individuals better understand how to exercise their rights, including what they can do if they suspect a violation and who to contact with specific questions.
Disclosures for Telecommunications Relay Services (TRS): TRS is a federally mandated service that facilitates calls between individuals who are deaf, hard of hearing, deaf-blind, have a speech disability, and others. TRS facilitates calls through use of a communications assistant who relays information (including PHI) via text or video. HHS proposes to revise the regulations to expressly permit covered entities to disclose PHI to TRS communications assistants, clarify that a business associate agreement is not needed, and exclude TRS providers from the definition of a business associate.
Disclosing PHI of Uniformed Services Personnel: The current regulations permit covered entities to use and disclose PHI of Armed Forces personnel under certain conditions. HHS proposes to expand this provision to include all uniformed services, including the U.S. Public Health Service Commissioned Corps and the National Oceanic and Atmospheric Administration Commissioned Corps.
Once the proposed regulations are published in the Federal Register, the public comment period will be open for 60 days. Given this timeline, the incoming Administration will be responsible for finalizing the regulations, though it may want to put its mark on them before doing so.
For more information, please contact Amy Joseph in Boston, Andrea Frey, Steve Phillips or Paul Smith in San Francisco, Linda Kollar or Alicia Macklin in Los Angeles, or your regular Hooper, Lundy & Bookman contact.