HIPAA covered entities (CEs) longing for the opportunity to dispense with what some would call the more nettlesome aspects of notices of privacy practices (NPPs) will just have to be patient. For how long, no one is saying. But the HHS Office for Civil Rights (OCR) has put finalizing these and other changes to the Privacy Rule—proposed in 2021 after more than five years in development—on the back burner.
The delay also means families who begged OCR to revise the rule to allow better access to health information about their loved ones, particularly those with serious mental illness, will have to keep waiting.[1]
Expanding protections for reproductive health information, as detailed in a new proposed rule, and harmonizing safeguards for substance use disorder records with HIPAA requirements, are OCR’s regulatory priorities now. And, like the rest of the federal government, OCR also will be grappling with the end of the COVID-19 public health emergency.
The agency formally began the process of revising the Privacy Rule in December 2018 under then-Director Roger Severino, with the publication of a request for information.[2] A proposed rule followed on Jan. 21, 2021, the day after President Joe Biden was inaugurated. Drafted by the Trump administration, publication under Biden was seen as a tacit endorsement of the proposed rule.[3]
When asked for updates on when a final rule might be published, Lisa Pino, who served as OCR head prior to the appointment of Melanie Fontes Rainer in September, said in February 2022 that staff was analyzing comments from 1,400 individuals and organizations. It remains to be seen if the final rule, when it emerges, is like the proposed rule or reflects Biden’s take.
The proposed rule addressed a range of topics, many more than the typical rule—problems OCR officials said at the time were long-standing. As the federal rulemaking website reginfo.gov describes, it “will address proposals to modify the HIPAA Privacy Rule to strengthen individuals’ rights to access their own protected health information [PHI], including electronic information; improve information sharing for care coordination and case management for individuals; facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; address disclosures in emergency or threatening circumstances; and reduce administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.”[4]
OCR Priorities Have Shifted
However, in two speeches at health care conferences, most recently at the 27th Annual Compliance Institute sponsored by the Health Care Compliance Association, publisher of RPP, Rainer said simply that completing the proposed rule “is not a top priority for us this year with our limited resources.”[5]
Rainer was responding to a question from Adam Greene, a partner with Davis Wright Tremaine LLP. RPP asked Greene if he thought the delay was attributable to the leadership switch from Pino to Rainer.
“I think that it is less of a change from the prior director and more of a reflection of the administration’s top priorities—issues such as reproductive health rights and addressing substance use disorders,” he told RPP.
Greene personally “was looking forward to the likely removal of the requirement to obtain acknowledgments of receipt of the [NPP]. In practice, many people do not understand what they are signing, and so I believe the burden has historically far outweighed the benefit.”
But Greene also wasn’t sure of the level of anticipation in the HIPAA community for the final rule, saying it contrasts with “monumental…changes that came out of the HITECH Act,” for example.
“I have not gotten the impression that many entities are particularly focused on the 2021 [proposed rule] and are overly concerned about its timeline,” Greene said. He noted the possible change to the NPP requirement was among the “potential benefits” but said it also would have imposed “some new burdens.” These include a 15-day turnaround for patients who request medical records; the current requirement is 30 days for a response.
Some Disclosures Could Require an Attestation
Despite the proposed rule’s kitchen-sink approach to HIPAA, the 2021 regulation couldn’t have contemplated the U.S. Supreme Court’s June 24, 2022, overturning of Roe v. Wade, which OCR officials say necessitated the new reproductive health draft regulation. However, it is not the first time OCR (or HHS) has weighed in on the topic. This proposed regulation follows and formalizes related guidance OCR issued five days after the court’s Dobbs vs. Jackson decision (it had been leaked two months earlier).[6]
HHS and OCR announced the proposed rule on April 12; it was published in the Federal Register on April 17, with a 60-day comment period.[7]
In her talk, Rainer called attention to the new proposed rule, which “extend[s] additional privacy protections for providers, insurers, patients and others to safeguard protected health information when that information otherwise would be disclosed or used to identify, investigate, sue, or prosecute someone for seeking, obtaining, providing, or facilitating lawful reproductive health care.”
Examples of reproductive health care are “prenatal care, abortion, miscarriage management, infertility treatment, contraception use, and treatment for reproductive-related conditions such as ovarian cancer,” OCR said.
The proposed rule requires a CE “when it receives a request for PHI potentially related to reproductive health care, to obtain a signed attestation that the use or disclosure is not for a prohibited purpose. This attestation requirement would apply when the request is for PHI in any of the following circumstances:” health oversight activities, judicial and administrative proceedings, law enforcement purposes and disclosures to coroners and medical examiners, as the accompanying fact sheet explains.
OCR said it would issue a sample authorization form.
Compliance would require a number of steps. CEs will need to revise their business associate agreements, as well as any contracts with medical records release companies and others that perform such functions for them.
The proposed rule also asks a series of questions, signaling how the final rule might differ. One is whether CEs should seek authorization from the person whose information is being released in addition to the attestation from the person or organization requesting it.
Rainer pointed out that, as a proposed rule, the draft regulation is not in force, but the guidance is.
The guidance, she said, “makes very clear that they’re permissible disclosures,” although this “doesn’t mean that…if you go to a state court and fight over whether or not you have to disclose information based on a subpoena that you are going to win, but it does mean that you don’t necessarily have to give it out.”
States May Raise Objections
Under the proposed rule, when finalized, these disclosures would go from permissible to prohibited, she said, in certain circumstances and with the exceptions as noted.
Greene told RPP this proposed rule is “a good middle road. Operationally, it does not require a complete segmentation and lockdown of reproductive health care information, which would have been nearly impossible to implement.”
OCR officials, “from a preemption standpoint…generally did not preempt state law other than when there was already a conflict with federal law (such as when federal law requires or authorizes the reproductive health care services) or when a state is reaching across state lines,” he said.
However, “there will be some places…where health care providers are stuck between a rock and a hard place because complying with HIPAA could cause them to be held in contempt of a state court because the court is unwilling to defer to HIPAA’s limits on disclosure,” Greene added.
OCR “anticipates that states that restrict access to reproductive health care are likely to seek an exception to the proposed requirements of this rule that would preempt state law,” the proposed rule states.
Expect Part 2 Final Rule ‘This Year’
Rainer also reviewed the Nov. 28 proposed rule OCR and the HHS Substance Abuse and Mental Health Services Administration (SAMHSA) issued that would revise 42 C.F.R. Part 2, known simply as Part 2, which governs the confidentiality of substance use disorder records.
The changes would modify “Part 2 to increase coordination among providers in treatment for substance use challenges and increase protections for patients concerning records disclosure to avoid discrimination in treatment,” according to Rainer’s presentation.[8] Proposed changes include: “permitted use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures for treatment, payment, and health care operations”; “permitted redisclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions”; and “new patient rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.”
Rainer described Part 2 as historically “very restrictive with respect to how medical records are shared amongst providers or care coordination teams,” noting that harmonizing it with HIPAA was required under COVID-19 legislation. Congress “told HHS to address this because these were things that needed statutory fixes.” Although OCR “worked closely with SAMHSA, my team wrote this reg because we are the privacy experts in the building.”
Agency staff are “working to finalize” the proposed rule, Rainer said, adding, “I hope to have it done this year.” She called it a “priority for the administration, as it’s tied to the behavioral health agenda overall.”
Telehealth Gets 90-Day Extension
Turning to the end of the COVID-19 public health emergency scheduled to occur May 11, Rainer noted that OCR’s notification of enforcement discretion regarding “telehealth remote communications” would remain in effect for 90 days, or until Aug. 9.
As Rainer explained, “We’re giving covered entities an additional 90 days, from May 11 to Aug. 9, to become compliant again” with HIPAA rules. Adding that OCR gets a “lot of questions” about telehealth, Rainer pledged that OCR would also do its part. “Expect more from us…we’ll do more outreach,” she said. A future issue of RPP will address strategies for CEs to ensure their telehealth services meet HIPAA requirements once the extension ends.
However, OCR’s other three enforcement discretions expired this month. These address business associates’ sharing information for public health oversight purposes and lack of HIPAA compliance at community-based COVID-19 testing sites and online COVID-19 vaccination scheduling systems.
“OCR will continue to exercise enforcement discretion consistent with the Notifications for violations of the HIPAA Rules that occurred during the period that each Notification was in effect,” the agency said.[9]
Contact Greene at adamgreene@dwt.com.
1 Theresa Defino, “Families Detail Years of Anguish, Pain As They Plead for Changes to Privacy Rule,” Report on Patient Privacy 21, no. 7 (July 2021), https://bit.ly/3HGjNjK.
2 Jane Anderson, “HHS Looking for Input on Changes to Privacy Rule Affecting Care Coordination,” Report on Patient Privacy 19, no. 1 (January 2019), https://bit.ly/30jdoGi.
3 Theresa Defino, “Awaiting New Leader, OCR Collects NPRM Feedback, Closes Breach, 14th Access Case,” Report on Patient Privacy 21, no. 2 (February 2021), https://bit.ly/3IP2sET.
4 Office of Information and Regulatory Affairs, “HIPAA Privacy: Changes to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,” RIN 0945-AA00, Fall 2022 publication, https://bit.ly/44BFY4A.
5 Melanie Fontes Rainer, “OCR Update and 2023 Priorities,” Compliance Institute, Health Care Compliance Association, April 24, 2023.
6 Jane Anderson, “OCR Emphasizes Privacy Rule as Impact of Abortion Decision Spreads,” Report on Patient Privacy 22, no. 7 (July 2022), https://bit.ly/3hg04gr.
7 HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 88 Fed. Reg. 23,506 (April 17, 2023), https://www.federalregister.gov/d/2023-07517.
8 Melanie Fontes Rainer, “An Update on HIPAA Compliance and Enforcement,” Compliance Institute, Health Care Compliance Association, April 24, 2023, https://bit.ly/3B5ENwt.
9 Notice of Expiration of Certain Notifications of Enforcement Discretion Issued in Response to the COVID-19 Nationwide Public Health Emergency, 88 Fed. Reg. 22,380 (April 13, 2023), https://www.federalregister.gov/d/2023-07824.