On January 21, 2021, the HHS Office for Civil Rights (OCR) published a notice of proposed rulemaking (the Proposed Rule) proposing modifications to the HIPAA Privacy Rule to address standards that might impede the transition to value-based care. On March 10, 2021, OCR announced that the comment period on the Proposed Rule is being extended until May 6, 2021, from the original date of March 22, 2021.
The Proposed Rule is intended to solicit public comments on proposed modifications to the HIPAA Privacy Rule that would remove barriers to coordination of care and decrease regulatory burdens associated with compliance with patient privacy protections while continuing to protect patients’ individual health information and privacy interests. The extension of the public comment period on the Proposed Rule is being made in conjunction with the Biden Administration’s plan to manage the federal regulatory process by providing the President’s new designees and appointees time to review all new and pending rules prior to implementation.
The Proposed Rule would change current HIPAA and HITECH Act protections in order to reduce barriers to the implementation of value-based care models by, among other things:
- Strengthening individuals’ rights to inspect their PHI in person;
- Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of 15 calendar days;
- Requiring covered entities to inform individuals that they retain their right to obtain, or direct copies of PHI to a third party, when a summary of PHI is offered in lieu of a copy;
- Reducing the identity verification burden on individuals exercising their access rights;
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual's access request to another health care provider and to receive back the requested electronic copies of the individual's PHI in an EHR;
- Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
- Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures that would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations;
- Clarifying the scope of covered entities' abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals;
- Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity's good faith belief that the use or disclosure is in the best interests of the individual;
- Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety;
- Eliminating the requirement to obtain an individual's written acknowledgment of receipt of a direct treatment provider's Notice of Privacy Practices (NPP);
- Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights;
- Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers; and
- Expanding the Armed Forces’ permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.
The full text of the Proposed Rule can be accessed here. The extension of the comment period for the Proposed Rule is noted in the Federal Register here.