- Privacy revisions under the Health Insurance Portability and Accountability Act (HIPAA) may be on the horizon, with some potential changes that could benefit both patients and the healthcare industry. Other changes, if finalized, could require significant cost and effort, at least initially, for covered healthcare entities to implement.
- The Notice of Proposed Rulemaking (NPRM) by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) includes a number of proposed changes regarding patients' rights to access their own protected health information (PHI), facilitating certain information sharing and reducing administrative burdens.
- The proposed changes focus on federal regulations that could potentially impede a move to value-based healthcare, including an aim to amend the HIPAA Privacy Rule provisions that may "present barriers to coordinated care and care management – or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections."
- Comments on the NPRM will be due 60 days after the document is published in the Federal Register.
Privacy revisions under the Health Insurance Portability and Accountability Act (HIPAA) may be on the horizon, with some potential changes that could benefit both patients and the healthcare industry. Other changes, if finalized, could require significant cost and effort, at least initially, to implement.
On Dec. 10, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM), the provisions of which were developed in support of HHS' "Regulatory Sprint to Coordinated Care," led by HHS Deputy Secretary Eric Hargan. The goal of the proposed changes is to look at federal regulations that could potentially impede a move to value-based healthcare, including an aim to amend the HIPAA Privacy Rule provisions that may "present barriers to coordinated care and care management – or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections." The NPRM includes a number of proposed changes regarding, among other things, patients' rights to access their own protected health information (PHI), facilitating certain information sharing and reducing administrative burdens.
The NPRM proposes changes to a patient's right to access records. Currently, covered entities generally have up to 30 days to act on a patient's request to access records. Under the proposed rule, covered entities would have 15 days, in most cases, to produce the records. The proposed rules include the possibility of a single 15-day extension. The 15-day requirement would apply regardless of whether the PHI is in paper or electronic format.
The proposed rules would also modify a patient's ability to direct certain PHI to a third party. The 15-day timeframes would apply to an individual's request to send PHI in an electronic health record (EHR) to a third party, but the ability to direct PHI to a third party without using an authorization form would be limited to PHI in an EHR.
Covered entities would not be permitted to impose unreasonable measures on individuals requesting access. Unreasonable measures would include accepting only paper requests or requiring patients to come in person to the facility to obtain records. Unreasonable measures would also include requiring patients to obtain access only through an online portal. OCR also proposes to prohibit imposing unreasonable identity verification requirements.
The proposed rules would provide a number of options for individuals to access their PHI free of charge. For example, they could copy PHI in person using their own devices. OCR has specifically asked for comments regarding any new costs that covered entities would incur when offering individuals the in-person option to inspect PHI. There would also be no charge to view or obtain a copy of records through use of an "internet-based method," such as a personal health application that connects to application programming interfaces (APIs). Fees for other types of access would be limited to the cost of labor for copying, supplies if non-electronic copies are made, actual postage for mailing and shipping copies that are not electronic, and preparing a summary of PHI if agreed to by the individual. When fees are permitted, OCR noted that the "Privacy Rule does not prohibit a covered entity from requiring individuals to pay a fee for copies of PHI 'upfront' before receiving such copies," but HHS does encourage covered entities to waive fees for individuals who are unable to pay upfront.
The Privacy Rule requires a covered entity to verify the identity and authority of the person requesting PHI. The proposed rules would prohibit a covered entity from instituting "unreasonable identity verification measures" on an individual seeking to access the individual's own PHI. Examples of what OCR deems to be potentially unreasonable measures include requiring individuals to notarize a request, to "fill out a form with the extensive information contained in a HIPAA authorization," to require third parties that are not business associates to enter into a business associate agreement, or to provide proof of identity in person if there is a more convenient option that can be achieved remotely.
The proposed rule would provide greater flexibility to disclose PHI as needed to provide important services to patients. For example, the proposal would expressly allow covered entities to disclose PHI to social service agencies and other third parties that may not themselves be healthcare providers, but that would provide health-related services to individuals for care coordination and case management. It would also allow disclosures to third parties that provide services that address health risks, such as agencies that deal with needs for food or shelter.
HHS also recognizes the need for patients experiencing serious mental illness (SMI) or substance use disorder (SUD) to receive assistance from family, friends and caregivers. The proposed rule would change five provisions of the Privacy Rule to enable disclosures of PHI to those who need to receive the PHI for purposes related to the best interests of the SMI or SUD patient who may be incapacitated or who cannot otherwise express a preference about a PHI disclosure. Currently, the rule allows covered entities to exercise "professional judgment" in determining whether to make certain disclosures. This standard would be changed to allow certain PHI disclosures "based on a 'good faith belief' about an individual's best interests." Additionally, covered entities could disclose an individual's PHI in certain situations based on a "serious and reasonably foreseeable threat" standard, rather than the current "serious and imminent threat" standard. The NPRM would also allow a covered entity to satisfy its obligations to verify a requestor's identity in emergencies or other situations if the covered entity acts with a good faith belief that the disclosure is relevant to the requestor's involvement with the individual's healthcare or payment for care.
The NPRM would amend the definition of "health care operations" to clarify its relationship to case management and care coordination. OCR notes that "health care operations" are not limited to population-based case management and care coordination, and can instead involve these activities for individual patients. Health plans do not provide treatment, but they could provide these care coordination services for individual enrollees under the "health care operations" definition. The NPRM would modify HIPAA's standards regarding use and disclosure of the "minimum necessary" PHI to indicate that, as with treatment uses and disclosures, the minimum necessary standard does not apply to care coordination and case management related to individuals.
The proposed regulatory changes would make it clear that disclosures may be made to the Telecommunications Relay Service (TRS), which assists certain individuals, including those who are deaf, with telephone calls. OCR has provided guidance, through a FAQ on the HHS website, that a covered entity does not need a business associate agreement with a TRS provider in order to disclose PHI to the TRS provider when the TRS provider is facilitating communications between the covered entity and an individual. The FAQ indicates that the TRS is not acting on behalf of the covered entity, so it is not a business associate of the covered entity. HHS now recognizes that advances in technology mean that individuals using the TRS may not always know a communications assistant is being used. Additionally, the TRS is used to assist with communications between workforce members of entities subject to HIPAA. Therefore, the NPRM includes a provision that would allow covered entities and business associates to disclose PHI to TRS communications assistants to perform covered functions. Additionally, the definition of "business associate" would exclude TRS providers.
Currently, the Privacy Rule allows covered entities to use and disclose PHI of individuals who are U.S. armed forces personnel for activities necessary to assure proper execution of the military mission. Appropriate military authorities must publish information in the Federal Register, including the purposes for which the PHI may be used or disclosed. The proposed rules would expand this to all Uniformed Services.
Reducing Regulatory Burdens
Currently, covered healthcare providers with direct treatment relationships with individuals must provide patients with a Notice of Privacy Practices (NPP). They must also make a good faith effort to obtain the individual's written acknowledgement that the NPP was received and, if the individual does not provide written acknowledgement, document why. To reduce confusion and paperwork burdens, HHS proposes to eliminate the requirement for covered healthcare providers treating individuals to obtain written acknowledgement that the individual received the NPP. This requirement would be replaced with giving individuals the right to discuss the NPP with a person the covered entity designates. The NPP would also have to be modified by changing the header to provide individuals with information about how to access their PHI, how to file complaints, and the right to receive a copy of the notice and discuss it with the designated person. All covered entities would have to change their NPPs.
If the changes are finalized, the "total time frame for compliance from date of finalization would be 240 days." Covered entities would have to engage in a number of activities to come into compliance if the changes are finalized, including changing policies and procedures, changing the NPP and training workforce members in the new requirements. Comments on the NPRM will be due 60 days after the document is published in the Federal Register.