January 4, 2021

By: Jennifer Guerrero

On December 10, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.

The Notice of Proposed Rulemaking (NPRM) proposes significant changes including “strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA-covered healthcare providers and health plans, while continuing to protect individuals’ health information privacy interests,” HHS said.

“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of common-sense care coordination and value-based arrangements for far too long,” HHS Secretary Alex Azar said in a statement. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”

Several of the proposals modify provisions related to individuals’ right of access to protected health information (“PHI”), including strengthening individuals’ rights to inspect their PHI in person (e.g., allowing individuals to take notes or use other personal resources to view and capture images of their PHI). Another change shortens covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).

Other notable proposed changes include:

  • Clarifies the form and format required for responding to individuals’ requests for their PHI. Covered entities would be required to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy. The proposed rule also specifies when electronic PHI (ePHI) must be provided to the individual at no charge; amends the permissible fee structure for responding to requests to direct records to a third party; requires covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization; and, upon patient request, requires covered entities to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.

 

  • Reduces the identity verification burden on individuals exercising their access rights by requiring providers and health plans to submit an individual’s access request to another provider and to receive back the requested electronic copies of the individual’s PHI in an EHR. The proposed rule also requires providers and health plans to respond to certain records requests received from other providers and health plans when directed by individuals pursuant to the right of access.

 

  • Creates an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.

 

  • Clarifies the scope of covered entities’ abilities to disclose PHI to third parties that provide health-related services in order to facilitate coordination of care and case management for individuals. As social determinants of health work become more central to population health, the proposed rule also clarifies the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service providers, and other similar third parties that provide health-related services in order to facilitate coordination of care and case management for individuals.

 

  • Replaces the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.

 

  • Expands the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.

 

  • Eliminates the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP) and modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.

Without a doubt the most significant part of the proposed regulatory revisions to the HIPAA regulations involve a reduction in the barriers that the HIPAA rules have created in the past to the development and operation of coordinated, multi-disciplinary care and value-based reimbursement systems.

OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.

HHS is proposing a compliance date of 180 days after the effective date of a final rule, and the Office for Civil Rights would begin enforcement of the new and revised standards 240 days after publication of a final rule. Public comments on the NPRM will be due 60 days after publication of the NPRM in the Federal Register. The NPRM may be viewed or downloaded from HHS’s website HERE.


This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.