On May 6, 2021, the comment period for the proposed modification to regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) closed. The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued its initial request for information in December 2018, subsequently released the Notice of Proposed Rulemaking (“NPRM”) to the public on December 10, 2020, and published the Proposed Rule in the Federal Register on January 21, 2021 (the “Proposed Rule”). After a significant degree of public interest in providing input on the proposals, OCR extended the comment period from its original end date of March 22, 2021 to May 6, 2021.
Comments to the Proposed Rule reveal a common thread: stakeholders support the Proposed Rule’s goals, such as increasing patient access to their health information and removing barriers to care coordination, but stakeholders are concerned about compliance in an already-complex regulatory framework and urge HHS to ensure HIPAA requirements take precedence over other potentially overlapping requirements. Additionally, Covered Entities who would be subject to the Proposed Rule also face additional hurdles due to inconsistent and potentially more restrictive state law requirements as further described herein.
The proposed changes to the Privacy Rule are part of HHS’s Regulatory Sprint to Coordinated Care, launched in support of HHS’ transformation to value-based care, which has a focus on removing “unnecessary obstacles” to coordinated care and has spurred regulations from several HHS agencies, such as the Office of the Inspector General and the Centers for Medicare and Medicaid Services, in addition to OCR. Further, the Proposed Rule has been timed to coincide with the implementation of regulations to promote interoperability on April 5, 2021 (the “Interoperability Rules”) pursuant to the 21st Century Cures Act as we have described in prior blog posts.
Proposed Changes to the HIPAA Privacy Rule
The Proposed Rule aims to change provisions of the Privacy Rule that impede the transition to value-based health care since they have resulted in barriers to coordinated care and case management communications among individuals and covered entities (including hospitals, physicians, and other healthcare providers, payors and insurers). It requires covered entities and business associates to update their policies, procedures, security standards, notices of privacy practices (“NPP”), authorization and disclosure forms, and business associate agreements, among other things. It aims to give providers more flexibility in disclosing protected health information (“PHI”) to provide care to patients.
Key proposed changes include the following:
Comments Express Support for Goals, Concern for Implementation
As of March 18, 2021, OCR had already received 772 comments on the Proposed Rule before it granted a 45-day extension of the comment period. As of May 6, 2021, the comment period closed. Key stakeholders submitted comments that largely expressed support for the goals and ideals of the Proposed Rule, but also expressed concern for the potentially complex and burdensome requirements when considered in the broader regulatory framework.
The Association of American Medical Colleges (“AAMC”) submitted a comment that emphasized its support for the provisions of the Proposed Rule that remove barriers to the exchange of health information for coordinating care among providers, payers, and others. In its comment, AAMC emphasized its support for “giving patients greater access to and control over their own health records,” and “expanding permitted disclosures of PHI to facilitate individual care coordination and case management.” However, it expressed concern about increasing the ability of non-HIPAA entities to access and use sensitive information about a patient’s health until such entities are subject to privacy and security standards commensurate with HIPAA rules. Finally, AAMC requested HHS harmonize rules addressing access to health data and interoperability, including regulations under HIPAA, the Interoperability Rules, and Title 42 of the CFR: Confidentiality of Substance Use Disorder Patient Records (Part 2) in order to improve compliance and reduce operational burden on providers.
The California Hospital Association (“CHA”) submitted a comment that praised the Proposed Rule’s aim to improve patients’ access to their health information, reduce barriers to care coordination, and decrease administrative burden in privacy regulations. However, CHA also expressed its concern that the Proposed Rule will introduce additional regulatory complexity to a changing and complex regulatory web. It noted that that the Interoperability Rules, already represents a new complex regulatory environment in this field. In addition, the Coronavirus Aid, Relief, and Economic Security (CARES) Act presents another layer of complex confidentiality requirements. Finally, Part 2 of Title 42 of the CFR represents yet another layer of information blocking and sharing restrictions. Therefore, CHA urged HHS to acknowledge the overlapping regulations and not implement any proposed changes to HIPAA that would be enforced prior to the availability of technologies essential to responding to patient requests, such as those that depend on the widespread adoption of application programing interface capabilities.
The American Hospital Association (“AHA”) echoed CHA’s sentiments: “The HIPAA regulations do not operate in a vacuum. It is imperative that HHS acknowledge in the final regulations the intersections of the regulations under HIPAA, the [ONC] Cures Act Interoperability and information blocking requirements, and Part 2 regulations….” The AHA similarly suggested that HIPAA, as the most comprehensive of the three federal regulatory regimes, should take preeminence for health privacy protections and the other rules should defer to a conform with its privacy obligations. In particular, the Interoperability Rules should align with the obligations created under HIPAA and not create overlapping requirements.
Finally, the American College of Radiology (“ACR”) expressed a similar sentiment. While it concurred with the NPRM’s stated goals, ACR felt concern that the introduction of new complex topics could be unduly complex and burdensome in the medical imaging context.
Implications of the Proposed Rule
As expressed above, while there is broad acknowledgement of the merits of the Proposed Rules’ goals, as expressed by several commenters, there are significant concerns with the complexity that is added by the rule and the general issues related to overlapping regimes created by various departments/agencies with HHS. By way of example, OCR has created definitions for PHA and EHR and expanded individual access rights; however, the Interoperability Rules attempted to create standards regarding such access through references to the United States Core Data for Interoperability (USCDI). If the Proposed Rule is finalized, entities will be required to navigate multiple layers of overlapping and potentially conflicting regulations.
A second key issue is the impact of state laws on the Proposed Rule and other regulations being issued by HHS pursuant to the “Regulatory Sprint to Coordinated Care.” Since HIPAA does not pre-empt state law that is more protective of PHI, health care providers and other covered entities need to examine to what extent they will be able to rely on the more liberal disclosure requirements around coordinated care if such disclosures are restricted by state law. Several states such as California and New York have more restrictive laws that may prohibit such disclosures.
We will continue to monitor and provide relevant updates regarding the Proposed Rule as HHS provides additional guidance.
 85 FR 25642 (May 20, 2020) (as corrected at 85 FR 43711 (July 20, 2020) and 85 FR 4709 (August 4, 2020)); and 85 FR 25510 (May 1, 2020)
 Pub.L. 114 – 255 (December 13, 2016)
 Association of American Medical Colleges, Comment re: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement [RIN 0945-AA00], May 6, 2021.
 California Hospital Association, Comment re: RIN 0945–AA00; Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement; Notice of Proposed Rulemaking, Federal Register (Vol. 86, No.12), January 21, 2021; April 26, 2021.
 American Hospital Association, Comment re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, March 20, 2021.
 American College of Radiology, Comment re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement; March 15, 2021.