Two years after issuing a request for information seeking feedback on possible changes to HIPAA and smack dab in the middle of a global pandemic, on December 10, 2020, the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) announced major proposed changes to the HIPAA Privacy Rule. The proposed changes focus on coordination of care and significant revisions to the patient right of access provisions (Right of Access).
The official notice of the proposed rules has not yet been published in the Federal Register, but once it is, the public will have 60 days to provide written comments on the proposals. Then, it likely will be another year or two before we hear back from HHS and OCR on the matter. The last major changes to HIPAA were proposed over a decade ago in 2010 and became effective in March 2013.
Below, I provide a summary of the proposed changes, highlighting those that are most significant from the perspective of healthcare providers. I begin with the proposed changes that I find most consequential and on which I may submit written comment to HHS and OCR after collecting feedback from providers.
The bullet-point format below is intended to provide only a high-level overview and an alternative to reading the 357-page advance copy of the proposed changes or, when it is available, the approximately 100 pages of headache-inducing tiny font in the Federal Register. For details, please refer to the actual text of the proposed changes.
Most Consequential Proposed Changes
- Enhanced right for in-person inspection. HHS proposes to add a new right that would allow an individual to take notes, videos, and photographs, or use other personal resources to view and capture protected health information (PHI) as part of the right to inspect his or her PHI in person.
- The individual would need to arrange a mutually convenient time and place for the inspection, but disturbingly, HHS seems to believe that “convenient” for providers includes an inspection taking place in a medical records office or during a care visit where the PHI is immediately available.
- Issues for consideration: (1) what other information could be captured while a patient is allowed to snap photos of information visible on a computer screen?; (2) is a medical records office an appropriate place for a patient to be present and to be permitted to take photos and videos?; (3) how will allowing an on-demand inspection of records during a care visit negatively impact care?; (4) if the patient makes the visit solely to look at records, who will pay for the visit?; and (5) other logistical, privacy and workflow issues.
- Fifteen days to comply with records requests from patients. HHS proposes to reduce the permitted time to respond to requests for information from 30 days to “as soon as practicable, but no later than 15 calendar days” after receipt of the request. The proposed rule will allow for a one-time, 15 calendar day extension, but only if the covered entity has a written policy for prioritizing urgent or high priority requests.
- Given the many records request challenges that exist, including locating old or off-site records, completing redactions when required, and managing the incredibly high volume of records requests, the reduction to 15 days seems unreasonable. It may be reasonable to reduce the time to 15 days when the requested information is also available through the patient portal, but I am interested in provider feedback on this issue.
- Additionally, to take advantage of a 15-day extension, providers would need to collect information from patients as to why they are making the request or surmise the reason for the request based on available information. Notably, neither the current nor proposed HIPAA rules permit covered entities to require that patients provide a reason for a request to access their own records.
- Right to direct copies to third parties. HHS proposes to create a separate provision for the right to direct copies of PHI to third parties. This provision would be broken down into three parts:
- Consistent with the Ciox v. Azar decision from January 2020, an individual can only direct that electronic copies of PHI in an electronic health record (EHR) be sent to third parties. The court in Ciox v. Azar identified this limitation based on the language in the HITECH Act.
- A provider would be required to respond to an individual’s request to direct an electronic copy of PHI in an EHR to a third party designated by the individual when the request is “clear, conspicuous, and specific” and may be written or oral. This would do away with the current requirement that the request be in writing.
- When an individual makes a “clear, conspicuous, and specific” request that a provider or a health plan collect records from another covered entity, that provider or health plan must obtain an electronic copy from the identified covered entity. In other words, the provider or health plan must assist the individual by submitting the individual’s request to the identified covered entity and directly collect the records. HHS describes this as a mechanism in addition to the existing permissive exchange for treatment, payment, or healthcare operations.
- Fees
- Individuals
- No fee for in-person inspection of records or through an internet-based method maintained by the covered entity (e.g., patient portal).
- A reasonable, cost-based fee for copies or a summary. As detailed in OCR’s 2016 guidance on Right of Access and approved by the court in Ciox, a reasonable, cost-based fee includes only labor costs for making the copies, cost of supplies, actual shipping costs, and the agreed-upon cost for preparing a summary.
- Directed electronic copies of PHI from an EHR to a Third Party
- A fee can only be charged if the request cannot be fulfilled through an automated process (e.g., a request to copy PHI from an EHR to a thumb drive and mail it).
- A reasonable, cost-based fee may be charged. Such fee is limited to labor for copying and the agreed-upon cost for preparing a summary. No mailing or supply costs allowed.
- Directed non-electronic copies or copies not contained in an EHR to Third Party. OCR will treat these requests as having been made pursuant to an authorization of the individual and subject only to the limitations in the regulation on the sale of PHI. That regulation permits only a “reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.” In other words, the state per page fee limits could apply.
- Advance notice of Fees
- Covered entities must post a fee schedule online and make it available to individuals upon request at the point of service. The fee schedule must detail options to obtain records at no cost and applicable fees for copies of records or for records that individuals direct to be sent to third parties.
- Upon request, covered entities must provide an individualized estimate of the approximate fees to be charged for the requested copies of PHI within the initial 15-day response timeframe and without extending that 15-day clock.
- HHS seeks to codify its 2016 guidance on documentation of a reasonable, cost-based fee by requiring covered entities to provide an itemization of the charges that make up the reasonable, cost-based fee.
- Expand the discretion of providers in making disclosures to help individuals experiencing substance use disorder, serious mental illness, and in emergency circumstances.
- Replace the “exercise of professional judgment” standard with a “good faith belief” standard to permit uses and disclosures in the best interest of the individual without the implication that a medical professional must be making the determination.
- This change will apply in five areas: (1) when parent/guardian is not the legal representative under state law; (2) facility directory; (3) emergency contacts; (4) emergencies and incapacity; and (5) verifying a requestor’s identity.
- OCR will apply a presumption of compliance absent evidence of bad faith.
- Replace “serious and imminent threat” with “serious and reasonably foreseeable threat” in the serious threat exception. This determination would be based on a reasonable person standard considering the training of the person.
- Two presumptions: (1) the harm was reasonably foreseeable; and (2) the covered entity believed that the use or disclosure was necessary to prevent or lessen the harm.
- The purpose is to establish a higher level of deference to providers to determine whether there is a serious threat of harm.
- These proposed changes do not change or preempt federal or state law providing more protections (e.g., 42 CFR Part 2 and state laws regarding mental health or substance use disorder). As a result, the effect of these proposed changes on Part 2 programs or providers subject to more stringent state laws may be minimal.
- Notice of Privacy Practices
- Eliminate the requirement to obtain a written acknowledgement of receipt of the Notice of Privacy Practices (NPP) or document attempts to obtain written acknowledgement. This would be a welcome change.
- New NPP header requirements. The NPP’s header must state that the purpose of the NPP is to provide information on: (1) how to access information; (2) how to file a complaint; and (3) the individual’s right to receive a copy of the notice and discuss it with a designated person.
- New Right of Access content. The NPP must describe how an individual can obtain a record at no fee or a limited fee and the right to direct the provider to transmit electronic copies of PHI in an EHR to a third party.
- Optional content. The NPP may explain that when an individual directs that non-electronic copies of PHI or PHI that is not part of an EHR be sent to a third party, the individual can either obtain the copies directly and provide them to the third party or the request will be handled as a request pursuant to a valid authorization.
Notable Proposed Changes
- Requests for Access
- The proposed changes prohibit covered entities from imposing “unreasonable measures” on an individual exercising the right of access or that “unreasonably delay” access. While a covered entity can require that a request for access be in writing, it cannot impose requirements that impede access, such as requiring the completion of an entire authorization form or accepting only paper requests.
- Form of Access
- There are numerous references to HHS’s Office of the National Coordinator for Health Information Technology’s (ONC) recent Information Blocking Final Rule throughout these proposed changes. HHS proposes language that would ensure that access using approved technologies or methodologies under other laws, such as the Information Blocking Final Rule, is deemed “readily producible” for purposes of complying with requests for access.
- Further, HHS proposes to require that, when a covered entity offers a summary in lieu of access, it must inform the individual that he or she retains the right to obtain a copy of the requested PHI if he or she does not agree to receive the summary.
- Business Associates and Right of Access. The proposed change would explicitly provide that a business associate need only provide direct access to requesting individuals when the business associate agreement with the covered entity requires it to do so.
- Reduce identification verification burden. HHS proposes to expressly prohibit a covered entity from imposing unreasonable identity verification measures on an individual. Unreasonable verification measures include, but are not limited to, notarization, in-person proof of identity, and use of a portal as the sole option for requesting a record to prove identity.
- HHS assumes that a covered entity holding records of an individual in an EHR has necessarily established a treatment relationship with such individual, and therefore, imposing additional verification requirements is unnecessary.
- Add definitions for “electronic health record” and “personal health application.”
- Amend the definition of health care operations to encompass all care coordination and case management by health plans, whether individual-level or population-based.
- Add an exception to the minimum necessary standard for disclosures to, or requests by, a health plan or provider for care coordination and case management.
- Clarify disclosures to non-healthcare providers for care coordination and case management
- HHS proposes to expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based service providers, and other similar third parties that provide health-related services for care coordination and case management. They provide these services either as a treatment activity of a provider or as a health care operations activity of a provider or health plan. The third party does not have to be a health care provider.
- Permit disclosures for telecommunications relay services for people with a hearing impairment or speech disability to conduct covered functions without the need for a Business Associate Agreement.
- Expand the permission to use and disclose the PHI of Armed Forces Personnel to cover all uniformed services personnel (e.g., US Public Health Service Commissioned Corps and the National Oceanic and Atmospheric Administration Commissioned Corps).
Over the coming weeks, there will be much more to say about these proposed regulatory changes. My goal with this post was to provide a useful summary to stimulate discussion. Please feel free to reach out if you would like to provide feedback on any of the above proposed changes. Again, I will be soliciting feedback from healthcare providers to submit comments during the 60-day comment period.