Comment Period Extended for Extensive Changes to HIPAA Privacy Rule
On March 9, 2021, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a 45-day extension of the public-comment period for the Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
OCR first released the NPRM to the public on the HHS website on Dec. 10, 2020, and it was published in the Federal Register on Jan. 21, 2021. The 45-day extension moves the current deadline for the public to submit comments from March 22, 2021, to May 6, 2021. The notice of extension of the comment period is available here.
The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA-covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
We previously wrote on these potential changes that were released in the OCR-HHS Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (the RFI), issued in 2018. The proposals contained within the NPRM originate from the comments received by OCR-HHS in response to the RFI.
The following are the key proposed changes within the NPRM:
Notice of Privacy Practices (NPP) Changes
The NPRM proposes to eliminate the requirement for a covered entity to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s NPP, and the associated requirement to retain copies of such documentation for six years. This proposal will result in a significant reduction of administrative burden for covered health care providers. OCR-HHS believes that removing this requirement will reduce paperwork and time spent away from the care of individuals
Additionally, the content requirements of the NPP would be modified to clarify individuals’ rights with respect to their protected health information (PHI) and how to exercise those rights, related to required language regarding (1) how to access health information; (2) how to file a HIPAA complaint; and (3) individuals’ rights to receive a copy of the notice and to discuss its contents with a designated person.
Care Coordination Clarifications and Exceptions to Minimum Necessary Standard
The NPRM proposes to change the definition of “health care operations” to clarify that the term includes care coordination and case management for individuals. According to HHS, the current definition is sometimes interpreted to cover only population-based activities, with the result that some entities believe that health plans are not permitted to use and disclose PHI to coordinate care for individuals.
Additionally, the NPRM proposes to add an express exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management for individuals. According to OCR-HHS, this proposed exception would promote beneficial disclosures of PHI for care coordination and case management. However, the exception would apply only to those care coordination and case management activities that are at the individual level, and covered entities would still be required to meet the minimum necessary standard in other instances as outlined in the Privacy Rule. To illustrate the exception, OCR-HHS provides the following example. If a health plan that has care coordinators on staff to help link individuals to specialists or other health services requests PHI from a health care provider for this purpose as part of the plan’s health care operations, then the health care provider could disclose the PHI without having to make its own determination of whether the plan’s care coordinator has requested only the minimum necessary PHI to accomplish the purpose.
The NPRM clarifies that covered entities are expressly permitted to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
Disclosures to Prevent Harm or Lessen a Threat of Harm
The NPRM also proposes to expand the ability of covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety. According to OCR, adopting the “serious and reasonably foreseeable” standard can enable a health care provider to timely notify a family member that an individual is at risk of suicide, even if the provider cannot predict that a suicide attempt is “imminent.” Additionally, this expansion of the disclosure to avert a threat to health and safety can be used to help combat the ongoing COVID-19 pandemic. For example, An emergency room doctor who sees an elderly patient with COVID-19 could contact the patient’s nursing home to alert them of the potential exposure of other residents and staff based on the serious and reasonably foreseeable threat of infection with COVID-19, without delay caused by the need to assess whether the threat is sufficiently “imminent” to permit the disclosure.
Right of Individuals to Access PHI
An individual’s right to inspect PHI in person would be strengthened, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI. A covered entities’ response time to an individuals’ request to access PHI would be shortened to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30 days).
The NPRM clarifies the form and format required for responding to individuals’ requests for their PHI, including for electronic copies. For example, If an individual requests that a covered entity transmit PHI securely to the individual’s personal health application, and the covered entity has the technical capability to so, this form and format are considered readily producible.
The NPRM also includes reduced requirements for identity verification of individuals requesting access rights and expressly prohibiting a covered entity from imposing unreasonable identity-verification measures (such as requiring an individual to obtain notarization on an access request) on an individual requesting access under the Privacy Rule.
Under the NPRM, individuals would be allowed to direct the sharing of PHI in an electronic health record (EHR) among covered health care providers and health plans, as the NPRM requires covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.
Moreover, the NPRM provides that the individual right of access to direct the transmission of PHI to a third party would be limited to electronic copies of PHI in an EHR. Requests to direct to a third party non-electronic copies of PHI in a designated record set (whether from an EHR or other source) and electronic copies of PHI that are not in an EHR, would no longer fall within the right of access. However, covered entities would be required to provide electronic PHI to individuals at no charge under certain circumstances. For example, when a doctor adds a health note about an individual to their electronic system that provides view-download-transmit (VDT) capabilities for individuals, the patient cannot be charged for the costs associated with allowing access to the VDT system, because entering individual patient record information into the system as part of the normal course of providing care is not presumed to introduce any labor costs.
Further, covered entities would be required to post estimated fee schedules on their websites for right-of-access requests and for valid authorization disclosures and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.
Telecommunications Relay Service (TRS)
Telecommunications Relay Service (TRS) facilitates telephone calls for individuals who are deaf, hard of hearing, deaf-blind, or have a speech disability by using a communications assistant who transliterates conversations (or, in some cases, interprets using ASL).The NPRM proposes to expressly permit disclosures to TRS communications assistants, and to modify the definition of business associate to exclude TRS providers.
Currently, the HIPAA Privacy Rule permits covered entities to disclose PHI to TRS communications assistants to facilitate communication with individuals (patients or beneficiaries) who are deaf, hard of hearing, deaf-blind, or who have a speech disability, but does not address the situation where members of a covered entity’s or business associate’s workforce might be deaf, hard of hearing, deaf-blind, or have a speech disability and need TRS communications assistants to help them communicate. For example, under the NPRM, a hospital nurse who is deaf can use a TRS communications assistant to facilitate a call with a health plan representative about pre-authorization for a patient’s procedure, or to coordinate post-discharge care for an individual with another health care provider, without obtaining the individual’s authorization and without the hospital having a business associate agreement with the TRS provider.
Public comments on the proposed rule will be due on May 6, 2021, according to the press release issued by OCR-HHS. The full NPRM is available here. A fact sheet summarizing the key aspects of the NPRM is available here.