On December 10, 2020, the Department of Health and Human Services (HHS) announced proposed revisions to the HIPAA Privacy Rule. HHS stated that the revisions would “address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens.”
The Notice of Proposed Rulemaking (NPRM) sets forth significant changes that would impact day-to-day operations of HIPAA covered entities and require revisions to numerous policies and procedures of covered entities. The revisions in the NPRM largely stem from the public input received in response to the Request for Information on Modifying HIPAA Rules to Improve Coordinated Care issued in 2018.
Highlights of the proposed revisions include:
Right of access
- An individual’s right to inspect protected health information (PHI) in person would be strengthened to allow individuals to take notes or use other personal resources to view and capture images of their own PHI.
- Time to respond to a request would be shortened to no later than 15 calendar days (currently 30 days) with the opportunity for an extension of no more than 15 calendar days (currently a 30-day extension).
- For the purpose of requested electronic access, it would be clarified that if a covered entity is required by other federal or state law to implement a technology or policy that would provide an individual with access to his or her PHI in a particular electronic form and format (e.g., if a federal law required the provision of access via secure, standards-based API), such form and format would be deemed “readily producible” for purposes of compliance in fulfilling requests for electronic access.
- Requirements for identity verification of individuals exercising their access rights would be reduced to expressly prohibit a covered entity from imposing unreasonable identity verification measures on an individual (or his or her personal representative) exercising a right under the Privacy Rule.
- Individuals would be permitted to direct the sharing of PHI in an electronic health record (EHR) among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.
- Health care providers and health plans would be required to respond to certain records requests received from other health care providers and health plans when directed by individuals pursuant to the right of access.
- The individual right of access to direct the transmission of PHI to a third party would be limited to electronic copies of PHI in an EHR, consistent with the decision in Ciox v. Azar. Requests to direct to a third party non-electronic copies of PHI in a designated record set (whether from an EHR or other source) and electronic copies of PHI that is not in an EHR, would no longer fall within the right of access.
- The revisions would amend the permissible fee structure for responding to requests to direct records to a third party. And, covered entities would be required to provide electronic PHI to individuals at no charge under certain circumstances.
- Covered entities would be required to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization.
Notice of Privacy Practices
- The requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices would be eliminated.
- The content requirements of the Notice of Privacy Practices would be modified to clarify individuals’ right with respect to their PHI and how to exercise those rights, related to required language regarding (1) how to access health information; (2) how to file a HIPAA complaint; and (3) individuals’ right to receive a copy of the notice and to discuss its contents with a designated person.
Health care operations / Care coordination and case management
- The definition of “health care operations” would be amended to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
- An exception to the minimum necessary rule would be created for individual-level care coordination and case management uses and disclosures. The minimum necessary standard would not apply to uses by, disclosures to or requests by a health care provider or health plan for care coordination and case management activities with respect to an individual, even if such activities were considered health care operations (instead of treatment activities).
- It would be clarified that covered entities are expressly permitted to disclose PHI to social services agencies, community-based organizations, home and community based service providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
Disclosures to avert a threat to health or safety
- The standard for when covered entities could disclose PHI to avert a threat to health or safety would be relaxed to when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
Public comments on the proposed rule will be due 60 days after the NPRM is published in the Federal Register.