HHS Keeps On Sprinting with Proposed Modifications to the HIPAA Privacy Rule
The Department of Health and Human Services (HHS) is pushing ahead in its Regulatory Sprint to Coordinated Care with a new proposed rule, announced by HHS’ Office for Civil Rights (OCR) on December 10, to modify the HIPAA Privacy Rule. This proposed rule follows HHS’ 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (RFI), which sought to identify regulatory impediments to value-based care presented by HIPAA, and comes on the heels of HHS’ recent changes to the rules implementing the Anti-Kickback Statute and Stark Law.
With this proposed rule, HHS aims to “reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that [HHS] uphold[s] HIPAA’s promise of privacy and security,” according to HHS Deputy Secretary Eric Hargan. It would achieve these objectives through a variety of updates to the Privacy Rule, which are listed below, along with initial reactions from our HIPAA privacy team.
Strengthening and Clarifying HIPAA’s Individual Right of Access to PHI
OCR has spent 2020 focused on individuals’ rights to access their protected health information (PHI), as it pursued its “HIPAA Right of Access Initiative,” announced in 2019. This attention to individuals’ PHI access continues with the proposed rule. Notably, among the many right of access changes proposed, the proposed rule would shorten covered entities’ response time upon receiving a request for PHI from an individual. Currently, covered entities are afforded 30 days to address a request, with the option for a 30-day extension. The proposed modifications would decrease the response time to 15 days, with an optional 15-day extension.
The proposed rule would require covered entities to post estimated fee schedules on their websites with respect to right of access requests and for disclosures with a valid authorization. Covered entities also would be required to provide, upon request, individualized fee estimates for an individual’s request for copies of PHI, along with itemized bills for completed requests.
Other right of access modifications proposed include the addition of an express prohibition on covered entities from imposing unreasonable identity verification measures on an individual (or his or her personal representative) exercising a right under the Privacy Rule. Such measures would include, for example, requiring an individual to obtain notarization of a request for access to or a copy of the individual’s PHI.
Mintz HIPAA Team Reaction: The identity verification issue is challenging when an individual, or his or her personal representative, is requesting access remotely. Since remote requests are the preferred approach during the pandemic, and will likely be the norm for the foreseeable future, it would be helpful for OCR to provide examples of acceptable identity verification approaches that will minimize burden on the requestor without creating the opportunity for fraud.
Creating a Minimum Necessary Standard Exception for Care Coordination and Case Management
HIPAA’s “minimum necessary” standard generally requires that, when using or disclosing PHI or requesting PHI from another covered entity or business associate, the covered entity or business associate must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. HHS is proposing to add an exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for individual case management and care coordination activities with respect to an individual.
Mintz HIPAA Team Reaction: HIPAA’s existing minimum necessary standard already provides regulated entities with the flexibility to use the information that they need for a particular purpose, including case management and care coordination, as long as they don’t use more than what they need. Eliminating the minimum necessary standard shouldn’t result in a dramatic change because regulated entities will likely continue to use the information that they need for case management and care coordination, but not more.
Clarifying the Scope of Care Coordination and Case Management Activities
The Privacy Rule allows for certain uses and disclosures of PHI without an individual’s authorization, including uses and disclosures for treatment and health care operations. According to HHS, some covered entities have interpreted the existing definition of health care operations to include only population-based care coordination and case management, effectively excluding individual-focused care coordination and case management by health plans. To clear up any misapprehension, the proposed rule would update the definition of “health care operations” to expressly include all care coordination and case management.
Similarly, some covered entities have experienced confusion about the scope of treatment activities with respect to disclosures of PHI made to third parties that provide health-related social and community-based services to an individual. HHS is proposing to add new language to the relevant implementation specifications that would expressly permit covered entities to disclose PHI to a social services agency, community-based organization, home and community based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities, whether as a health care provider’s treatment activity or as a health care provider’s or health plan’s health care operations activity.
Mintz HIPAA Team Reaction: With these changes, OCR is beginning to treat case management and care coordination more like treatment activities, which are unfettered under the HIPAA Privacy Rule. This is a positive shift, given the important role of case managers as part of the treatment team.
Facilitating Appropriate PHI Disclosures in Emergencies and Health Crises
As we’ve learned all too well this year, emergencies and health crises can occur anywhere, anytime, to anyone. The proposed rule addresses these circumstances and would facilitate disclosures of PHI to help individuals experiencing an emergency or health crisis by proposing to modify the standard for certain permitted disclosures by covered entities. In these situations, covered entities currently are permitted to make certain uses and disclosures of PHI based on their “professional judgment,” which historically has caused some confusion. The proposed changes would replace the “professional judgment” standard with one that permits such uses or disclosures based on a covered entity’s “good faith” belief that the use or disclosure is in the individual’s best interests. HHS is also proposing to replace the Privacy Rule’s “serious and imminent threat” standard with respect to certain covered entity uses and disclosures of PHI relating to a health or safety threat with a “serious and reasonably foreseeable threat” standard.
Mintz HIPAA Team Reaction: It’s not clear to us how the “good faith” and “best interests of the individual” standard is different from the existing “professional judgement” standard. OCR’s own guidance makes clear that health care providers may share PHI if “in their professional judgement, doing so is in the patient’s best interest.” Separately, it’s important for covered entities to remember that state law is still a consideration when making these types of communications.
Eliminating the Requirement for Signed Notice of Privacy Practices Acknowledgement of Receipt
Covered entities are required to provide their Notice of Privacy Practices (NPP) to individuals by the date services are first rendered and must make a good faith effort to obtain individuals’ written acknowledgment of receipt of the NPP. Documentation related to this requirement must be retained by the covered entity for six years. The proposed rule would eliminate the written acknowledgement requirement, along with the associated record retention obligation.
The proposed rule also seeks to modify content requirements for NPPs to include a header informing individuals that the NPP describes: (i) how the individual’s medical information may be used and disclosed; (ii) the individual’s rights with respect to his/her medical information; (iii) how the individual may exercise his/her right to get copies of records at limited or no cost; and (iv) how to file a HIPAA complaint. In addition to the content referenced in the header, the NPP would also need to inform the individual of his/her right to discuss the NPP with a contact person designated by the covered entity and provide the relevant contact information.
Mintz HIPAA Team Reaction: Elimination of the written NPP acknowledgement of receipt, or documentation of an attempt to obtain an acknowledgement of receipt, will definitely reduce an administrative burden for covered entities. The written acknowledgement doesn’t appear to add significant value for patients as a privacy matter. Getting a patient to acknowledge receipt of an NPP doesn’t mean that the patient has actually reviewed the NPP.
Excluding TRS Providers from HIPAA’s “Business Associate” Definition
Telecommunications Relay Service (TRS) is a telecommunications service available to hearing-impaired and other individuals needing assistance with engaging in communication by telephone. TRS provides these services through communications assistants who may communicate PHI between the parties to a TRS-supported conversation. HHS is proposing to expressly allow covered entities and their business associates to disclose PHI to TRS communications assistants relating to covered functions without a business associate agreement. The proposed rule would also add a new subsection to the “business associate” definition to expressly exclude TRS providers.
Mintz HIPAA Team Reaction: This change will result in TRSs being treated like “conduits” or transmission-only services under the HIPAA Privacy Rule. The U.S. Postal Service is the most familiar example of a conduit under HIPAA. OCR had narrowed the conduit exception under HITECH, so it will be interesting to see if this change marks a trend or if it is specific to TRSs.
Extending Permitted Uses and Disclosures of Armed Forces Personnel PHI to Include Other Uniformed Services
The Privacy Rule currently permits covered entities to use and disclose Armed Forces personnel PHI for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if certain conditions are met. HHS is proposing to extend this permission to include PHI of U.S. Public Health Service Commissioned Corps and National Oceanic and Atmospheric Administration Commissioned Corps personnel, who are Uniformed Services personnel but not part of the Armed Forces.
Mintz HIPAA Team Reaction: This change strikes us as reasonable, because it will result in the consistent treatment of uniformed personnel, regardless of their service mandate.