HHS Issues Proposed Modifications to the HIPAA Privacy Rule

Issue Date: January 2021


On December 10, 2020, the Department of Health and Human Services (HHS) released a pre-publication version of a proposed rule (the “proposed rule”) that would modify the HIPAA Privacy Rule to better support care coordination and case management. The proposed rule builds upon public input solicited by HHS in 2018 as part of its “Regulatory Sprint to Coordinated Care.” The goal of the sprint was to reduce regulatory barriers that impede the delivery of coordinated, value-based health care and to “promote care coordination and facilitate a nationwide transformation to value-based health care.”


The 2018 RFI solicited public input on 53 questions asking whether and how HHS could modify the HIPAA Rules to support care coordination and case management, and promote value-based care, while preserving the privacy and security of PHI. HHS received over 1,300 comments in response to the RFI, and the proposed rule represents its effort to address those comments and make proposed modifications to address the issues and concerns raised, including the individual right of access to PHI and the impact of use and disclosure requirements on care coordination activities/substance use disorder and mental illness.


Individual Access Rights
The proposed rule includes several provisions aimed at strengthening an individual’s right under HIPAA to access their own medical records, including reducing the identity verification burden prior to permitting access to records; allowing individuals to direct a covered entity to send their records to another covered entity; clarifying when ePHI must be provided to an individual free of charge; requiring covered entities to post fees for producing records on their websites; and strengthening an individual’s right to inspect their records in person. Importantly, the proposed rule would also shorten the response time for covered entities to respond to an individual’s request for access to PHI from the current 30 days to 15 calendar days (with the ability to request one 15-day extension).

Finally, the proposed rule would incorporate the findings of Ciox v. Azar (see Benefit Comply summary of this case here) to limit the scope of the right to direct the transmission of copies of PHI to a third party to ePHI in an electronic health record, and would place modified fee limitations for this access right into the regulatory text.

Reducing Identity Verification Burden
To address complaints HHS has received about covered entities imposing burdensome verification requirements on individuals seeking to access their own PHI (e.g., requiring in-person access or notarized written requests), the proposed rule would modify the Privacy Rule to specifically prohibit overly burdensome verification measures. Specifically, the regulatory text would make it clear that unreasonable measures include those that “require an individual to expend unnecessary effort or expense when a less burdensome verification measure is practicable.” Examples of unreasonable measures given include requiring notarization of requests and requiring individuals to provide proof of identity in person when remote verification is more convenient and practicable.

Promoting Information Disclosure for Care Coordination and Case Management
The proposed rule also addresses concerns that health plans are not able to effectively use PHI for purposes of individual-level care coordination and case management activities because of fear that these activities do not fall under the “treatment, payment, and healthcare operations” exception. It would therefore modify the definition of “health care operations” to clarify that the term includes not only population-based care coordination/case management, but individual-level care coordination and case management activities as well.  For this purpose, the proposed rule would also create an express exception to the minimum necessary standard under HIPAA for disclosures to or requests by a health plan or provider for individual-level care coordination or case management activities that constitute treatment or health care operations.

The proposed rule would also make it clear that covered entities are able to disclose PHI to social service agencies, community-based organizations, HCBS providers, or similar third parties that provide or coordinate health-related services that are needed for care coordination and case management with respect to an individual.

Promoting Parental and Caregiver Involvement and Addressing the Opioid Crisis and Serious Mental Illness
HHS notes that covered entities are reluctant to disclose PHI to family members and other caretakers of individuals facing health crises, including mental illness and substance use disorder, because they are afraid of violating the Privacy Rule. This impedes the ability to assist in treatment/recovery and better coordinate care for individuals experiencing these issues and health-related emergencies. The proposed rule would amend the Privacy Rule to replace the existing “exercise of professional judgment” standard for such disclosures with “a good faith belief” standard by the covered entity that uses and disclosures are in the best interest of the individual. This new standard would apply to verifying identities and to disclosures made to parents/guardians who are not the individual’s personal representatives, emergency contacts, and in emergencies/when the individual is incapacitated. It would also replace the existing “to lessen a serious or imminent threat” standard with a “serious and reasonably foreseeable threat” standard for making a disclosure to lessen a threat.

Changes to the Notice of Privacy Practices
HHS proposes to modify the required content of the Notice of Privacy Practices (NPP) to:

  1. Specify to individuals that the NPP provides information about how to access their information; how to file a complaint; and the right to receive a copy of the notice and discuss its contents with a designated person. (The language would need to specify whether the designated contact person is available onsite and must include a phone number and email address.)
  2. Describe how an individual can exercise the right of access to obtain a copy of their records at limited cost or, in some cases, free of charge.
  3. Inform individuals of alternatives for obtaining or requesting to send copies of PHI to a third party when the individuals seek to send PHI to a third party in a manner that does not fall within the access right.

Permitting Disclosures by Telecommunication Relay Services (TRS)
HHS proposes in 45 CFR 164.512(m) to expressly permit covered entities (and their business associates, acting on the covered entities’ behalf) to disclose PHI to TRS communications assistants to conduct covered functions. This permission would cover all disclosures to TRS communications assistants, including communications necessary for care coordination and case management, relating to any covered functions performed by or on behalf of covered entities. HHS also proposes to add a new subsection (v) to 45 CFR 160.103(4) to expressly exclude TRS providers from the definition of business associate.

Armed Forces
To address concerns that the Privacy Rule limits the ability of the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps to facilitate health care coordination and case management for Commissioned Corps personnel, which is important for ensuring that personnel meet medical readiness standards, the proposed rule would expand the Armed Forces permission to use or disclose PHI to all uniformed services, including the USPHS and NOAA Commissioned Corps.


Comments on the proposed rule will be accepted for sixty (60) days following publication of the rule in the Federal Register, which is scheduled for January 21, 2021. The effective date of the regulations would be 60 days after publication of the final rule, followed by a 180-day compliance period. Employers should watch for the final rules and pay attention to any required compliance steps. While many of the proposed changes would primarily impact covered entities such as providers and health insurers, there are certainly potential impacts (e.g., changes to response timeframes for individual access requests and changes to the content of the NPP) that would also impact employer-sponsored group health plans.