Late last week, the United States Department of Health and Human Services (HHS), Office for Civil Rights issued a Notice of Proposed Rulemaking (NPR) to make significant revisions to the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA. HIPAA was first enacted in the late 1990s and the health care system has seen significant changes since that time. Many of these changes, such as the emergence of the opioid problem and the increase in availability of digital health information, have resulted with many in the health care system advocating for revisions to the regulations that balance patient privacy against the needs for information sharing as part of the collaborative health care system.
According to HHS, the primary goal of the proposed regulatory revisions is to remove some of the impediments that HIPAA imposes on the expansion of value-based reimbursement and coordination of care between clinically integrated providers. In addition to changes addressing value-based and coordinated care, the proposed regulatory revision also expands the right of patients to access their own health care information.
The proposed modifications attempt to reach a balance between the need to maintain the confidentiality of Protected Health Information (PHI) and the need to enhance the ability of providers to coordinate care between them. HHS has been concerned that HIPAA rules may have been unnecessarily impeding the transition to value-based health care by limiting or discouraging care coordination and case management communications among the various components of the health care system involved in the coordination of patient care.
In addition to new provisions for value-based care, the proposed regulations further HHS’ recent enforcement focus on patient and family access to the patient’s own health care information. HHS proposes to expand and strengthen a patient’s individual right of access to their own digital health information in a number of ways described in the nearly 400 plus page notice. We will be reviewing the entire release in more detail over the coming days. We initially identified a few of the proposed requirements including:
- Expanding ways that patients may access their records such as permitting note taking, image capturing and other resources to ensure patient access to their records.
- Reducing the time that covered entities have to respond to record access requests from 30 to 15 days.
- Liberalizing standards of disclosure to focus on whether the disclosure is made “in good faith belief that the use or disclosure is in the best interests of the individual,” rather than based upon the higher standard involving the professional judgement of the releasing provider. Provider “good faith” is presumed in the absence of contrary evidence.
- Changing the standards for disclosure of PHI that is meant to avert a “serious and reasonably foreseeable” risk to health or safety. The current standard requires a “serious and imminent” threat before a disclosure is permissible.
- Changes to requirements that providers, obtain written acknowledgment of receipt for Notice of Privacy Practices from patients as well as modification of the required contents of Notices of Privacy Practices.
- Providing additional details about the required contents and form of response to a patient request for record access.
- Reducing the identity verification requirements for a patient requesting their own records.
- Creating greater flexibility for sharing PHI through electronic health records.
- Creating new obligations for covered entities regarding submission of access requests to other health care providers, and requiring responses to provider-initiated requests in certain instances.
- Indicating the circumstances under which electronic records must be provided to requesting patients free of charge and creating changes to the requirements related to fee schedules for third party records requests.
- Requiring covered entities to post estimated fee schedules on their websites and provide individualized estimates of fees applicable to requests for copies of PHI, and provide itemized bills when requests are completed.
The proposed regulatory revision would also reduce at least some of the administrative burden placed on providers when the disclosure or use is for individual-level care coordination and case management. In these cases, a new exception would be implemented to relieve covered entities of the minimum necessary requirement for disclosures to a health plan or covered health care provider for care coordination and case management activities. This will greatly reduce the compliance risk associated with making disclosures by obviating the need to make a “minimum necessary” determination with respect to each disclosure. Regulatory comments indicate that at least some of the goal is to enhance information sharing between providers and social service agencies and community-based service providers. These organizations are typically involved in the health care/social issues involved in opioid and other addiction and recovery.
Without a doubt the most significant part of the proposed regulatory revisions to the HIPAA regulations involve a reduction in the barriers that the HIPAA rules have created in the past to the development and operation of coordinated, multi-disciplinary care and value-based reimbursement systems.
Stay tuned as we continued to review the regulatory proposal. We will likely post more detailed articles on many of the issues addressed by the proposed regulatory revision.