On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced its proposal to make significant changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule as part of its Regulatory Sprint to Coordinated Care. The proposed rule takes into account public comments OCR received on its December 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (RFI). Comments on the proposed rule are due 60 days from the date the rule is published in the Federal Register. The effective date of a final rule would be 60 days after publication, and the compliance date would be 180 days after the effective date of a final rule.
Similar to the final rules on interoperability, which we have previously discussed,1 the proposed rule implements the HHS Secretary’s goal of increasing patients’ access to their own health information and improving data sharing for care coordination. The proposed rule also seeks to clarify certain provisions under the Privacy Rule and to reduce administrative burden on covered healthcare providers.
If adopted, the proposed rule would require covered entities to make substantial changes to their HIPAA policies and procedures and related workflows.
The most noteworthy proposed changes are as follows:
Right of Access. OCR noted that it continues to hear—through complaints, comments on the 2018 RFI, reports and anecdotal accounts—that individuals frequently face barriers to obtaining timely access to their protected health information (PHI), in the form and format requested, and at a reasonable cost. Accordingly, the proposed rule would make a number of changes to the Privacy Rule to protect and enable an individual’s right of access.
- Expanding the Right of Access. The proposed rule would allow individuals inspecting their PHI to take notes or use other personal resources to view and capture images of such PHI. The proposed rule would also prohibit a covered healthcare provider from delaying an individual’s right to inspect PHI when the PHI is readily available at the point of care in conjunction with a healthcare appointment. A covered entity would not, however, have to allow individuals to connect personal devices to the covered entity’s information system.
- Shortening the Response Time. The proposed rule would shorten the time frame within which a covered entity must respond to an individual’s request for access to the individual’s records from 30 days (with an option for a 30-day extension) to 15 days (with an option for a 15-day extension). Under the proposed rule, a covered entity may use an extension only if the covered entity has established written policies for prioritizing urgent or other high-priority access requests (especially those related to health and safety).
- Prohibiting Unreasonable Barriers or Delay in Access. OCR noted that many covered entities impose unreasonable measures on individuals seeking to exercise their right to access PHI, such as requiring individuals to have their signatures notarized, or accepting individuals’ written requests only in paper form. The proposed rule would prohibit such measures. Similarly, the proposed rule would prohibit a covered entity from imposing unreasonable identity verification requirements.
- Directing Access to a Third Party. Currently, the Privacy Rule requires covered entities to transmit a copy of PHI directly to another person designated by the individual when directed by the individual, provided that the request is in writing, is signed by the individual, and clearly identifies the designated person and where to send the copy of the PHI. The proposed rule would limit this right so that it applies only to electronic copies of PHI contained in an electronic health record (EHR), which could include PDF and other electronic formats that are accessible, usable and reasonable, such as .doc and .docx format. The proposed rule would require a covered healthcare provider to respond to such a request so long as the request is “clear, conspicuous, and specific”—replacing the current requirement that the request be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the PHI. The proposed rule would add a definition of EHR for the purpose of clarifying the scope of an individual’s right to direct an electronic copy of PHI in an EHR to a third party.
The proposed rule would also create a second mechanism (in addition to the permitted disclosure for treatment, payment and healthcare operations) by which a covered entity could, at the individual's direction, obtain an electronic copy of PHI from another covered healthcare provider.
- Ensuring Individuals Know Their Right to Direct PHI to a Designated Third Party. The proposed rule would require covered entities to inform individuals about their right to direct requested electronic copies of PHI in an EHR to designated third parties when a covered entity offers to provide a summary in lieu of the requested copies of PHI.
Modifying Fee Structure Based on Access Type. To increase an individual’s awareness of the cost of copies of PHI, and to make the access fee requirements more uniform, the proposed rule would require covered entities to provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual’s valid authorization. In addition, the proposed rule would modify the access fee provisions to specify when a covered entity may charge fees when responding to an individual’s right to access request.
Clarifying the Scope of Permitted Disclosures for Care Coordination and Case Management.
- The proposed rule would amend the definition of healthcare operations in order to clarify that PHI may be shared with health plans involved in care coordination and care management.
- In addition, the proposed rule would expressly except from the minimum necessary standard2 disclosures of PHI to, or requests for PHI by, a health plan or covered healthcare provider for care coordination and case management occurring at the individual level (not at the population level). OCR noted that concerns over compliance with the minimum necessary standard have made covered healthcare providers cautious about sharing PHI with health plans for healthcare operations.
- The proposed rule would also expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management and wraparound support services for individuals. Under this provision, a health plan or a covered healthcare provider would be permitted to disclose PHI without authorization only to a third party that provides health-related services or other supportive services, such as food or housing.
Disclosures to Help Individuals Experiencing Substance Use Disorder or Serious Mental Illness and in Emergency Circumstances.
Noting that support from family members, friends and caregivers is key to helping people experiencing substance use disorder (SUD) or serious mental illness (SMI), the proposed rule would replace the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard would presume a covered entity’s good faith, and that presumption could only be overcome with evidence of bad faith.
The circumstances in which the new standard would apply include the following:
- Disclosure of an unemancipated minor’s PHI to parents or guardians who are not the minor’s personal representative if doing so is consistent with state or other applicable law.
- Inclusion of an individual’s name in a facility directory and disclosure of the individual’s location and general condition when the individual is unable to agree or object.
- Disclosure of relevant information to a person involved in an individual’s care or payment for care when the covered entity reasonably infers, based on a good faith belief, that the individual does not object.
- Disclosure of relevant information about an individual to family members and other caregivers who are involved with the individual’s care or payment for care, or who require notification related to the individual, when the individual cannot agree to the disclosure because of absence, incapacity or emergency circumstances.
The proposed rule would also permit covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard, which requires a “serious and imminent” threat to health or safety.
Changes Relating to Notices of Privacy Practices. The proposed rule would eliminate the requirement that covered entities that are direct treatment providers obtain an individual’s written acknowledgment of receipt of the covered entity’s Notice of Privacy Practices (NPP), and replace it with an individual right to discuss the NPP with a person designated by the covered entity whose name, phone number and email address must be listed in the header of the NPP. In addition, the proposed rule would modify the content requirements of the NPP to notify individuals of their rights with respect to accessing their PHI.
1 “Implementing the ONC Information Blocking Rule: What Providers Need to Know” and “Implementing the ONC Information Blocking Rule: What HIEs/HIT Vendors Need to Know,” Manatt Health, September and October 2020.
2 The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary to accomplish the purpose of each use or disclosure. This standard has applied to uses and disclosures for healthcare operations and payment purposes.