January 26, 2022

Volume XII, Number 26



Proposed Modifications to HIPAA Expand Individual Access Rights and Encourage Further Sharing of PHI for Care Coordination

On December 10, 2020, the Department of Health and Human Services, Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to revise the HIPAA Privacy Rule. The proposed revisions to the Privacy Rule seek to amend provisions that create barriers to coordinated care “without sufficiently compensating for, or offsetting, such burdens through privacy protections.” OCR developed the proposals after reviewing the public input received in response to the December 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care. The proposals would significantly expand individuals’ rights to access protected health information (PHI), encourage additional sharing for care coordination or to assist individuals with substance use disorders in certain instances, revise the Notice of Privacy Practice (NPP) requirements, and permit disclosures to Telecommunications Relay Services (TRS).

We have summarized the major proposed revisions to the Privacy Rule below. Please note, however, that regardless of whether these proposed modifications ultimately become enacted, other applicable laws, such as state medical privacy laws and 42 C.F.R. Part 2, among others, will need to be taken into consideration.

Expansions to Right of Access

The NPRM, if implemented into law, would significantly expand individuals’ access rights under HIPAA:

  • Timeframe for Responding. Covered entities would need to respond to access requests “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request (instead of the current 30 calendar days).
  • Form and Format Requested. The Privacy Rule currently requires covered entities to provide PHI in the form and format requested by the individual if “readily producible” in that form and format. The proposed modifications would clarify that “readily producible” includes secure, standards-based APIs using applications chosen by the individuals, such as a “personal health application.” Individuals would also have the right to take notes, videos, and photographs, or use other personal resources to view or capture PHI in person.
  • Fees. Individuals inspecting or obtaining copies of their own PHI would be entitled to that access free of charge when inspecting in person or accessing PHI on the internet. OCR would continue to permit certain fees for labor, supplies, and postage, and would permit limited fees to be charged to an individual directing transmission of an electronic copy of PHI to a third party. Covered entities would be required to provide advance notice of estimated fee schedules on their websites (if they have one) for common types of requests for copies of PHI and, upon request, provide individualized estimates of fees for copies and an itemized list of actual costs for requests for copies.
  • Right to Direct Copies to a Third Party. The current right of an individual to direct a copy of PHI to a third party would be limited to an electronic copy under the NPRM, to codify a previous court decision on this issue. This request would no longer need to be in writing, as long as it is “clear, conspicuous, and specific.” In addition, the proposal would require a covered entity to transmit electronic PHI in an electronic health record to another covered entity as part of the individual’s access right.
  • Verification. OCR also proposed to prohibit a covered entity from imposing “unreasonable” identity verification measures on an individual. Unreasonable measures include notarization of requests, requiring the individual to provide proof of identity in person when remote verification would be practicable, or requiring completion of a full HIPAA authorization form for an access request.

Encouraging Care Coordination and Case Management Activities

The NPRM focuses on further encouraging the engagement of covered entities, whether a health care provider or health plan, in individual-level care coordination and case management activities. OCR proposes to remove the barriers created by the current Privacy Rule to those care coordination and case management activities by:

  • Amending the Definition of Health Care Operations. In the current version of the Privacy Rule, some covered entities interpret “health care operations” to only encompass population-based care coordination and case management as opposed to individually-based activities as permitted under “treatment” activities. By amending the definition of “health care operations” to include individual-level care coordination and case management activities, OCR would clarify that covered entities not engaged in treatment activities, such as health plans, can engage in individual-level care coordination or case management activities.
  • Creating an Exception to the Minimum Necessary Standard for Disclosures. Currently, the Privacy Rule relieves covered entities engaged in treating an individual from considering the minimum information necessary in disclosures for purposes of care coordination and case management. However, a covered entity not engaged in the treatment of an individual must adhere to the minimum necessary requirements for the same disclosures. The NPRM seeks to treat all covered entities engaging in individual-based care coordination and case management activities the same, regardless of whether performing the activities under the “treatment” or “health care operations” functions as defined by HIPAA. 
  • Allowing the Disclosure of PHI to Certain Third Parties. The proposed modifications permit covered entities to disclose PHI to certain third parties, including community-based organizations, home and community-based services (HCBS) providers, social services agencies, and other similar third parties providing health-related services for individual-level care coordination and case management without obtaining a valid authorization from the individual. For example, the third party could be a community-based organization engaged in addressing the social determinants of health and health risks by providing food or sheltered housing.

Updates to Notice of Privacy Practices

OCR’s proposal would modify HIPAA’s NPP requirements with the goal of reducing the administrative burden that current acknowledgement requirements create for health care providers, while continuing to help individuals better understand their rights, and how to exercise them, under HIPAA. In an effort to strike this balance, OCR has proposed eliminating the requirement that certain covered entities that have a direct treatment relationship with an individual obtain, and retain copies of, written acknowledgements from that individual confirming their receipt of the NPP and replacing it with a right for the individual to discuss the NPP with a designee of the covered entity. To further support individuals’ awareness of their rights and the privacy practices of a covered entity, the NPRM additionally modifies the NPP content requirements to include an additional description and instruction as to how individuals can exercise their access rights and mandates a new, more detailed and instructive, required header. The proposed header contemplated in the NPRM would include additional specification as to what information the NPP provides to individuals with respect to their rights, and how to exercise them, and the availability of the covered entities’ designated contact person.

Revisions to Encourage Disclosures to Family Members and Other Caretakers in Certain Situations

OCR also proposed several modifications to the Privacy Rule to encourage health care providers to disclose PHI more broadly in scenarios that involve individuals experiencing substance use disorder (SUD) or serious mental illness (SMI) and emergency situations, provided that certain conditions are met. These proposed modifications would improve the ability and willingness of covered entities to make certain uses and disclosures of PHI.

Good Faith Belief

The proposed modifications would amend certain requirements concerning the use and disclosure of PHI under the Privacy Rule, including the provisions on disclosing PHI to family members and friends involved in the individual’s care, to encourage additional sharing by covered entities without fear of violating HIPAA. Specifically, the proposal would replace current language that permits covered entities to make certain uses and disclosures of PHI based on their “exercise of professional judgment” with a relatively more flexible standard permitting such uses or disclosures based on a covered entity’s “good faith belief” that the use or disclosure is in the best interests of the individual. The proposed modifications would also presume a covered entity’s good faith.

This proposal is supported by OCR’s concern that the requirement under the current rule to exercise “professional judgment” could be interpreted as limiting the permission to persons who are licensed or who rely on professional training to determine whether a use or disclosure of PHI is in an individual’s best interests.

While professional training and experience naturally inform a health care provider’s good faith belief about an individual’s best interests, a good faith belief does not always require a covered entity or its workforce member to possess specialized education or professional experience. Rather, a standard of “good faith” anticipates that a covered entity or workforce member would exercise a degree of discretion appropriate for its role when deciding to use or disclose PHI and to comply with any other conditions contained in the applicable permissions. Below are a few illustrative examples of how this proposed change would work in practice.

  • A covered entity could draw on experience to make a good faith determination that it is in the best interests of a young adult patient, who is incapacitated by an overdose, mental health crisis, or other health emergency, to disclose information to a parent who is involved in the patient’s treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient’s recovery.
  • An acute care facility that lacks a written designation of an emergency contact but possesses knowledge of an incapacitated patient’s designated emergency contact could disclose PHI to that contact, based on a good faith belief that the patient does not object to the disclosure.
  • A covered entity could disclose the PHI of an unemancipated minor experiencing a SUD in a state or jurisdiction where applicable law does not treat the minor’s parent as a personal representative, when the provider believes in good faith that disclosing information to the parent could improve the care and treatment of the minor. This proposed standard would remove an impediment to disclosures of PHI to a parent or guardian of a minor experiencing SUD or SMI where the parent or guardian is not recognized as the personal representative of the minor under state law. At the same time, this proposal would not preempt state laws that prohibit the disclosure of sensitive information because this proposal would permit, but not require, the disclosure under HIPAA. As such, a covered entity could comply with both HIPAA and a more restrictive state law by limiting disclosures in accordance with the state law.

Serious and Reasonably Foreseeable Threat

To better enable covered entities to prevent and lessen harm to individuals or the public, the proposed modifications would also enable covered entities to disclose PHI to avert a threat to the health or safety of a person or the public when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety. The proposed modification would permit covered entities to use or disclose PHI without having to determine whether the threatened harm is imminent (which may not be possible in some cases); instead, they may determine whether it is reasonably foreseeable that the threatened harm might occur.

OCR proposed this change to prevent situations in which covered entities decline to make uses and disclosures of PHI they believe are needed to prevent harm or lessen threats of harm, out of concern that their inability to determine precisely how imminent the threat is could expose them to HIPAA penalties for an impermissible use or disclosure.

Clarification Regarding Disclosures to TRS Providers

OCR proposed expressly permitting disclosures to TRS communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.

Although not yet scheduled for publication, OCR is accepting comments on the NPRM for 60 days after its publication in the Federal Register.

© 2022 Foley & Lardner LLP. National Law Review, Volume X, Number 349

About this Author

Jennifer L. Urban Data Security Attorney Foley & Lardner Milwaukee, WI

Jennifer L. Urban (formerly Rathburn) is a partner with Foley & Lardner LLP. Jennifer focuses her practice on counseling clients on data protection programs, data incident management, breach response and recovery, monetization of data and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their data.

As a member of the firm’s Technology Transactions & Outsourcing...

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

Aaron T. Maguregui Health Care Attorney Foley & Lardner Tampa, FL
Special Counsel

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...

Samuel Goldstick, Foley Lardner Law Firm, Chicago, Cybersecurity and Healthcare Law Attorney

Samuel (Sam) Goldstick is a data privacy and cybersecurity associate at Foley & Lardner LLP. He is a member of the firm’s Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices, as well as Technology and Health Care Industry Teams. He also is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in both the United States and Europe (CIPP/US and CIPP/E).

Prior to joining Foley, Mr. Goldstick was an associate at a prominent law...

Chloe B. Talbert Technology Transactions & Outsourcing Practice Foley & Lardner Los Angeles, CA
Law Graduate

Chloe Talbert is a law graduate with Foley & Lardner LLP. She is a member of the firm’s Technology Transactions & Outsourcing Practice. Chloe is not admitted to practice in any state.

Chloe began her career with Foley as a summer associate in 2018.

In 2017, Chloe was a judicial extern for the Honorable Judge Benjamin H. Settle in the U.S. District Court for the Western District of Washington.
