HIPAA Privacy Rule changes that have the potential to significantly impact patients, covered entities, and business associates were proposed by the Department of Health and Human Services (HHS) in a Notice of Proposed Rulemaking (NPRM) on December 10, 2020. If these changes are adopted, it would reflect the largest regulatory change to HIPAA since the Omnibus HIPAA Final Rule. The future of these proposed modifications, however, is uncertain given the coming change in Administration. Many of the proposed changes are focused on the patient right of access requirements and processes, while others impact how covered entities may share patient information and how privacy practices must be documented.
These proposed regulations build upon earlier agency action, through the 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule and the CMS Interoperability and Patient Access final rule, in an effort to reduce barriers to access to patient records.
Key changes include:
- Expanding the right of access for protected health information (PHI) in an electronic health record (EHR)
- The proposed rule makes clear that the right of access includes individuals’ right to access electronic copies of their PHI and that a request for access can be fulfilled by transmitting an electronic copy of an individual’s PHI to a personal health app used by the individual.
- When electronic PHI (ePHI) is readily available through a standards-based API, such as those consistent with the requirements for certified health IT under the 21st Century Cures Act regulations, the covered health care provider must provide API access to individuals, including their delegees, who request it. The NPRM requests input including on whether to require health care providers to implement APIs if it would cost little to do so.
- Shortening individual access timelines and modifying requirements for responding to access requests
- The NPRM would reduce the timeframe within which a covered entity must provide access to PHI from 30 days to as soon as practicable and no longer than 15 days; it also reduces the possible extension of time from 30 days to 15 days.
- The NPRM would prohibit covered entities from imposing unreasonable measures that would impede the right of access—for example, requiring extensive information that is unnecessary to fulfilling a patient request; requiring notarization of an individual’s signature; requiring requests only in paper form, in person, or through an online portal; or imposing unreasonable identity verification procedures.
- Fees could vary based on the type of access requested (e.g., in-person inspection vs. electronic copies) and the intended recipient of the PHI (e.g., the individual vs. a third party). Covered entities would be required to provide advance notice of approximate fees for copies of PHI, including by posting a fee schedule online and at the point of service.
- Codifying an individual’s right to direct disclosure of PHI to third parties
- The NPRM would codify certain parts of individual rights guidance released by the agency several years ago. Specifically, if an individual directs a covered health care provider to transmit an electronic copy of the PHI in an EHR to a third party, the covered health care provider would be required to provide a copy of the requested PHI to the third party. The NPRM also proposes that requests by individuals would need to be clear, conspicuous, and specific, but would no longer be required to be in writing and signed by the individual.
- Expanding permissible uses and disclosures for individual-level care coordination and case management
- The proposed definition of health care operations would expand care coordination and case management by health plans to include not just population-based coordination, but also individual-level coordination.
- An express exception to the minimum necessary standard would be added for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management at the individual level.
- The NPRM creates a new pathway to disclose PHI to social services agencies, community based organizations, home and community based service providers, and other third parties providing health-related services to specific individuals.
- Encouraging disclosures of PHI to help individuals with substance use disorders or serious mental illness, or who are in emergency circumstances
- The NPRM proposes several changes intended to allow covered entities to more easily disclose PHI to families and other caregivers to better assist with individuals’ care under these types of circumstances.
- Eliminating certain requirements related to Notices of Privacy Practices
- Health care providers would no longer be required to obtain a written acknowledgement of receipt of a Notice of Privacy Practices (NPP) or document good faith efforts and reason for not doing so if they have a direct treatment relationship with an individual.
Public comments will be due 60 days after the NPRM’s official publication in the Federal Register, which has not yet occurred. HHS has made an unofficial version of the NPRM available on its site pending the official publication. HHS has requested comments on several specific issues throughout the proposed rule. After comments on the NPRM are received and considered, HHS will publish a final rule that will establish the final requirements and timelines. HHS states that it believes that covered entities and business associates will be able to comply within 240 days of the official publication of a final rule, including revising policies and practices and completing training and implementation. Organizations that believe a longer compliance period will be needed to fully implement the required changes are encouraged to submit comments to the NPRM. The comment period will be only 60 days and so interested parties are encouraged to organize comments as soon as possible.