HHS Issues Proposed Changes to HIPAA Privacy Rules to Empower Patients and Enhance Coordinated Care
On December 10, 2020, the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued proposed changes to the HIPAA Privacy Rule in furtherance of HHS’s Regulatory Sprint to Coordinated Care. In its Notice of Proposed Rulemaking (NPRM), OCR seeks comments on proposed changes to a number of the Privacy Rule’s provisions to reduce regulatory barriers to coordinated care and case management, as well as strengthen patients’ rights regarding their own health information. These Proposed Rules follow on the heels of changes to the Stark Law, Anti-Kickback Statute and Civil Monetary Penalties Law issued on November 20, 2020, by HHS’s Centers for Medicare and Medicaid Services (“CMS”) and Office of Inspector General (“OIG”) to promote coordinated care.
Among the notable proposed rules are the following:
- Modifications to provisions related to individuals’ right to access their PHI, including:
  - strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
  - shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
  - clarifying the form and format required for responding to individuals’ requests for their PHI;
  - requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
  - reducing the identity verification burden on individuals exercising their access rights;
  - creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
  - requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
  - limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;
  - specifying when electronic PHI (ePHI) must be provided to the individual at no charge;
  - amending the permissible fee structure for responding to requests to direct records to a third party; and
  - requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.
- Modifications to the “minimum necessary” requirements to allow for greater access to PHI by covered healthcare providers and health plans to further coordinated care and case management activities.
- Clarifying the scope of covered entities’ authority to disclose PHI to third parties, such as social service agencies, community-based organizations, and home and community-based services (HCBS) providers, to facilitate coordinated care and case management activities.
- Expanding covered entities’ ability to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
- Replacing the “professional judgment” standard for certain uses and disclosures with a more permissive but rebuttable “good faith” standard.
- Changes to the Notices of Privacy Practices (“NPP”) rules, including eliminating the requirement to obtain an individual’s written acknowledgement of receipt of a direct provider’s NPP and modifying the NPP content requirements regarding patient rights to PHI.
- Expressly excluding Telecommunications Relay Services (“TRS”) from the definition of a “business associate” to allow disclosures of PHI to TRS communication assistance for persons who are deaf, hard of hearing, deaf and blind or have a speech disability.
- Expanding the Armed Forces permission to include the US Public Health Services Commissioned Corps (“USPHS”) and the National Oceanic and Atmospheric Administration (“NOAA”).
In its Press Release, OCR encourages comments from all stakeholders, including patients and their families, HIPAA covered entities, business associates, consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities.
The public comment period will be open once the NPRM is published in the Federal Register and will remain open for 60 days. Individuals and entities that wish to submit comments will be able to submit them online at http://www.regulations.gov or by mail to the U.S. Department of Health and Human Services, Office for Civil Rights, Attention: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM, RIN 0945-AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW, Washington, DC 20201.
If you are interested in submitting comments and need assistance, please contact the authors of this Alert or your regular Butzel attorney.
Debra Geroux, CHC, CHPC
Mark R. Lezotte
Robert H. Schwartz