On December 10, 2020, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) released a notice of proposed rulemaking (NPRM) to amend the Standards for the Privacy of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, Subpart E (the Privacy Rule). In response to its December 2018 Request for Information (RFI) for public input on areas of potential modification to the HIPAA Rules, OCR received over 1,300 comments addressing, among other topics: modifications to promote information sharing to support value-based care; permitting family members and caregivers to receive information to assist in care coordination, particularly for individuals with substance use disorders and mental illness; and reducing the burden on covered entities imposed by certain documentation and administrative requirements.
OCR’s proposals, if finalized, would require policy revision and procedural changes for covered healthcare providers and health plans, as well as their business associates. This alert provides a summary of the more significant changes proposed in the NPRM.
Right of Access
The NPRM includes significant modifications to strengthen individuals’ right to access their own Protected Health Information (PHI) by removing barriers and requiring covered entities to permit more flexibilities to the process. These modifications, if finalized, would be in line with the regulatory shift introduced by the Office of the National Coordinator for Health IT’s Information Blocking Rules, which prohibit practices likely to interfere with access to most electronic PHI.
Proposed changes to the access right provisions include the following:
- The modified rules would allow individuals, in addition to the general right to inspect and make a copy of their PHI, to take notes, videos and photographs of, and “use other personal resources to capture,” their PHI in a designated record set. OCR seeks comment on whether covered entities should be permitted to provide copies of PHI instead of this in-person inspection requirement in the event of a pandemic or other circumstance as necessary to protect the health or safety of the individual or others. OCR requests public comment on how to determine “readily available” in this context, as well as on whether conditions or limitations should apply to this recording right to ensure that a healthcare provider does not experience unreasonable workflow disruptions.
- OCR proposes to modify the “time and manner” implementation provisions to require that when PHI is readily available at the point of care in connection with a healthcare appointment, such as an x-ray or ultrasound performed during or ancillary to an appointment, a provider may not delay the individual’s right to inspect such PHI.
- OCR proposes to amend the timeframe by which covered entities must provide an individual access to inspect or a copy of their PHI. If finalized, the rule would require that covered entities act on a request for access “as soon as practicable,” but no later than 15 days after receipt, regardless of whether the request is for direct access or to transmit PHI to a designated third party. The proposal would preserve a covered entity’s right to an extension if unable to act upon a request within the designated time, but with modification. First, such extension would be only for a maximum of 15 additional days, and second, the covered entity must implement a policy on access requests that prioritizes certain urgent requests to minimize the use of an extension. OCR offers examples of such urgent requests: “when an individual voluntarily reveals that the PHI is needed for urgent medical treatment, or that the individual needs documentation of a diagnosis of severe asthma to be allowed to bring medication to school.”
- The proposed rule, if finalized, would amend the fee provisions of the access right in the following ways:
- No fee may be charged to the individual requesting access to inspect or a copy of their PHI when (1) the individual requests to inspect their PHI in person, including recording or copying PHI with a personal device and (2) when the individual uses an internet-based method to view or obtain a copy of electronic PHI, such as through a patient portal or a personal health application.
- A reasonable, cost-based fee may be charged to the individual in other scenarios, and such fee may include only the cost of labor for copying the PHI, supplies for making non-electronic copy, postage for mailed copies, and the costs of preparing a requested summary of the PHI.
- When an individual requests a copy of electronic PHI to be transmitted to a designated third party, the covered entity may charge a reasonable, cost-based fee consisting only of the cost of labor for copying the PHI and preparing an explanation or summary of the electronic PHI, if agreed to by the requestor.
- A covered entity must post a fee schedule on its website (or otherwise make such fee schedule available to individuals) for access and/or copies of PHI, as well as provide individualized estimates of such fees upon request.
- Individuals have a right, under the access to PHI provision, to direct the covered entity to transmit the requested PHI to a third party designated by the individual. Often covered entities receiving such requests have difficulty distinguishing these from requests for disclosure pursuant to an authorization. In addressing this issue in the NPRM, OCR first states how the access right to direct a copy to a third party (request for third-party access) differs from disclosures pursuant to an authorization. First, under the Privacy Rule, disclosure pursuant to a request for third-party access is required (and must be made within a certain timeframe); disclosure of PHI pursuant to a valid authorization is permitted. Second, an authorization must contain all elements required in 45 C.F.R. §164.508, such as having an expiration date and including certain statements regarding individual rights. Third, the access right contains requirements as to the form and format of the information provided. Fourth, third-party access requests are subject to regulatory limitations on the fees a covered entity may charge for access. To better clarify the requirements applicable to the right to request third-party access, OCR proposes a new subsection 164.524(d) of 45 C.F.R. that would include the following:
- Requests to direct a copy of an individual’s PHI to a third party would be limited to transmitting an electronic copy.
- A covered healthcare provider would be required to respond to an individual’s request for third-party access when the request is “clear, conspicuous, and specific,” although the request need not be in writing. OCR notes that this provision would permit an individual to use an internet-based application, such as a personal health app, to submit an access request.
- A covered healthcare provider or health plan (defined in the NPRM as a Requestor-Recipient), at an individual’s direction, would be required to submit the individual’s access request to another covered healthcare provider (Discloser), requesting that the Discloser transmit the PHI maintained in its electronic medical record (EMR) system to the Requestor-Recipient. This provision would effectively require providers or health plans to assist an individual in submitting to another provider a request for a copy of the individual’s records, such as when an individual is a prospective new patient of the recipient.In addition, the Requestor-Recipient would be required to submit the access request to the Discloser as soon as practicable, but no later than 15 days, after receiving the individual’s direction, and no extension of the time limit would be available. OCR states that this proposal would create a “second mechanism (in addition to the permitted disclosure for [treatment, payment and healthcare operations] TPO) for a covered healthcare provider or health plan to obtain an electronic copy of PHI in an EHR from another covered healthcare provider through a required disclosure initiated by an individual’s exercise of the right of access.”
- The proposed rule would modify the verification requirement to remove barriers to individuals seeking access to their PHI. Under the Privacy Rule, covered entities may rely on their professional judgment in determining what measures are reasonable for fulfilling the requirement to verify the identity and authority of a requestor of PHI. Having received “complaints and heard anecdotal accounts of covered entities imposing burdensome verification requirements” on individuals seeking access to their PHI, however, OCR proposes to introduce a new provision prohibiting a covered entity from imposing “unreasonable” verification measures. Examples of unreasonable measures would include, among others, requiring that an individual’s signature on an access request form be notarized or requiring an individual to furnish proof of identity in person (rather than remotely). The proposed rule would also require covered entities, absent security concerns, to allow every personal health app (or other direct-to-consumer records application) to register with the API that the covered entity makes available through its EMR system.
Clarifying Permissible Disclosures of PHI to Promote Care Coordination, Including to Assist in Treating Individuals Experiencing Substance Use Disorders
The NPRM also clarifies the permissible disclosures of PHI to help promote care coordination, including to assist in the treatment of individuals experiencing substance use disorders. Proposed changes to the permissible disclosures of PHI include the following:
- OCR proposes to amend the definition of “health care operations” under the Privacy Rule to clarify its intent that a covered entity be permitted to disclose PHI without authorization for all care coordination and case management activities, whether for a specific individual or population-based activities. In addition, the proposed rule would create an exception whereby disclosures to health plans and providers for care coordination and case management activities supporting individual-level care would, like treatment, be exempt from the limitations of the minimum necessary rule.
- The Privacy Rule describes circumstances permitting a covered entity to use and disclose PHI without authorization for TPO. To eliminate barriers or perceived restrictions on covered entities’ sharing PHI with (non-covered entity) third parties assisting in an individual’s treatment plan, OCR proposes to expressly permit covered entities to disclose PHI to a social services agency, community-based organization, home and community-based services provider, or other third party providing care (and/or care coordination) at the individual level. Many commenters voiced support for this modification, such as health plans seeking to work with community-based organizations to facilitate members’ care coordination.
- In the 2018 RFI, OCR requested feedback on whether changes to the Privacy Rule were needed to help address the opioid epidemic, including ensuring parents have access to treatment information of their minor children relating to substance use disorders and mental illness. Many commenters supported amendments and provided personal anecdotes where clinicians withheld information relating to a family member’s mental health or drug use due to perceived restrictions imposed by the Privacy Rule. Others, however, including patient advocacy groups, expressed concern over the potential “chilling effect” of permitting increased disclosure of mental health and substance use disorder information. OCR proposes to address the need for greater flexibility while balancing patient privacy in the following ways:
- The proposed rule would replace verbiage in the Privacy Rule employing a “professional judgment” standard to permissible disclosures with a “good faith belief” standard, effectively allowing individuals involved in a patient’s care, including in some cases non-healthcare professionals, to rely on a good faith determination that a disclosure of PHI is in the patient’s best interest. The standard would apply to five specific exceptions in the Privacy Rule, including disclosures to a patient’s family member when the patient is not able to agree or object due to an emergency circumstance, as well as limited disclosures for notification purposes. In addition, the rule would permit a licensed healthcare professional to disclose PHI of a minor to a parent or guardian who is not the personal representative of the minor if the professional has a good faith belief that the disclosure is in the best interest of the minor. OCR also proposes to introduce a presumption that a covered entity has acted in good faith in disclosing PHI in those five scenarios where the standard has been introduced.
- The Privacy Rule contains an exception permitting a covered entity to disclose PHI as necessary to prevent or lessen a “serious and imminent threat” to the health or safety of a person or the public. This language has caused confusion for covered entities and in some cases prevented disclosures where the “imminent threat” standard is perceived as not being met. Recognizing that this standard is difficult to interpret and the need for increased flexibility to share PHI in emergent situations, OCR proposes to amend this exception to permit disclosures of PHI when harm posed by a serious threat is “reasonably foreseeable.” The proposal, states OCR, “would permit covered entities to use or disclose PHI without having to determine whether the threatened harm is imminent (which may not be possible in some cases); instead, they may determine whether it is reasonably foreseeable that the threatened harm might occur.” OCR also proposes a presumption that a disclosing healthcare provider has met the “reasonably foreseeable” standard where the provider has the specialized training, expertise or experience regarding the facts and circumstances of the disclosure (such as a mental health professional determining an individual’s likelihood of self-harm in particular circumstances).
- While the Privacy Rule requires covered entities to implement policies and protocols to verify the identity and authority of a requestor of PHI, OCR posits in the NPRM that “certain circumstances surrounding the disclosure itself may accomplish the verification without having to collect additional documents or rely on a pre-established procedure.” Therefore, OCR proposes to amend regulatory text of the verification requirements to provide that a covered entity may satisfy the requirement if relying on a good faith belief that use or disclosure is necessary to avert a serious threat or disclosures for involvement in an individual’s care or notification purposes to a family member or close personal friend.
Reducing Administrative Burden Relating to Requirements for Notice of Privacy Practices
Citing patient confusion and failure to read through the Notice of Privacy Practices (NPP) due to an abundance of paperwork, as well as the administrative burden on healthcare providers, many commenters responding to the 2018 RFI supported eliminating the requirement that covered healthcare providers obtain written acknowledgment from patients of their receipt of the NPP. Others, however, expressed concern that eliminating the NPP requirement would be detrimental to patients’ understanding of their rights under the Privacy Rule. OCR proposes the following modifications to the NPP requirements:
- The proposed rule would modify the required “header” language on the NPP to more clearly describe the contents of the document and inform individuals that they may discuss it with a representative of the covered entity.
- An email address for the designated contact person would be required.
- Healthcare providers with a direct treatment relationship to an individual would no longer be required to obtain and maintain written acknowledgment of the individual’s receipt of the NPP (nor to document the reason why such written acknowledgment could not be obtained, such as in an emergency admission).
Comment Sought on Many Aspects of Proposed Rule
OCR seeks public comment on many specific elements of the proposed rule. Comments may be submitted for up to 60 days following the publication of the NPRM in the Federal Register at www.regulations.gov. Compliance with the rules, if finalized, would be required 180 days following the publication of the final rule. OCR expressly requests comment on whether the standard 180-day compliance period would be sufficient.