May 6, 2021
VIA Electronic Submission at www.regulations.gov
RE: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM, RIN 0945-AA00
Dear Department of Health and Human Services,
Thank you for the opportunity to submit comments on the Notice of Proposed Rule Making regarding proposed modifications to the HIPAA Privacy Rule (NPRM). I am a privacy and healthcare attorney. Most of my clients are healthcare providers including Federally Qualified Health Centers, private medical and behavioral health practices, and long-term care providers that range in size from solo practitioners to organizations that serve thousands of patients. After the Department of Health and Human Services (the Department) issued its NPRM in December 2020, I reached out to clients to collect feedback on the proposed changes. The comments below reflect my clients’ feedback as well as my own.
III.A. Strengthening the Access Right to Inspect and Obtain Copies of Protected Health Information (PHI)
The Department proposes to add a new right to allow an individual “to take notes, videos, and photographs, and use other personal resources to view and capture PHI in a designated record set as part of the right to inspect PHI in person.” The Department explains that “[u]nder this proposal, covered entities generally would be required to allow individuals to take notes, videos, and photographs using personal resources after arranging a mutually convenient time and place for the individual to inspect their PHI. . .”. Further, the Department proposes to extend the right to inspect to “include points of care where PHI in a designated record set is readily available for inspection by the patient, for example, by viewing x-rays, ultrasounds, or lab results in conjunction with a health care appointment with a treating provider.”
In response to the Department’s request for comments and examples of unintended consequences, I would like to raise a few important point of care access issues. The Department offers no clear boundaries on the point of care access right. Without any limitations, point of care access requests could unnecessarily interfere with care, extend visit times and result in incomplete or improper access to PHI. To the extent that point of care access requests are permitted, such requests should be limited to information related to the visit. Without such a limitation, clinical providers will spend valuable clinical care time functioning as medical records personnel.
The examples of point of care access that the Department provides (e.g., x-rays, lab results, etc.) imply that the Department intended that the point of care access be related to the reason for the visit. And those examples make sense. However, neither the regulatory language nor the Department’s commentary makes clear that the right of access during a visit exists only to the extent that those records are related to the visit.
Although the proposed time and manner regulatory language limits in-person inspection to “readily available” records, there is no definition of “readily available.” I am concerned that the Department could interpret “readily available” to include any record contained within a single electronic health record system (EHR). Given the complexity of EHR systems and the fact that clinicians are not trained to locate records in response to access requests in the same manner as medical records professionals, such an interpretation would not only interfere with clinical care but could also result in incomplete or improper access.
To address these concerns and the lack of a definition of “readily available,” I suggest that the proposed language at 45 CFR 164.524(c)(3) be modified as follows: “When protected health information is readily available at the point of care in conjunction with and is related to the health care appointment, a covered health care provider is not permitted to delay the right to inspect. Protected health information is readily available as reasonably determined by the covered entity based on adopted policies and procedures that account for the unique nature of the covered entity’s operations.”
Finally, with respect to the right to record, healthcare providers should have the ability to implement reasonable policies and procedures designed to protect the privacy of other patient information as well as the privacy of the clinicians or office staff.
III.A.3(b)(ii) Modifying the Implementation Requirements for Requests for Access and Timely Action in Response to Requests for Access – Timeliness
The Department proposes to modify the HIPAA Privacy Rule to require that access be provided “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request unless a shorter timeframe applies under another federal or state law. The Department also proposes a single 15 calendar day extension if the covered entity implements policies for “prioritizing urgent or other high priority access requests” to limit the use of the extension.
Implementing a policy for “prioritizing urgent or high priority requests” will be challenging for providers. A policy addressing urgent or high priority requests necessarily requires a reason for the requested access. No current HIPAA rule permits covered entities to require that an individual reveal a purpose or reason for access to his or her own records; in fact, I believe that doing so would violate right of access rules. See 45 CFR §164.524(c). This puts providers in an awkward position when an individual requests access to his or her own records (or directs that records be sent to a third party) and does not volunteer a reason. It would be helpful if the Department could explain how a provider could prioritize urgent or high priority issues upon an individual’s request when it cannot ask the individual for a reason and the individual does not volunteer the information.
III.A.5 Direct Copies of PHI to Third Parties
The Department proposes to add a requirement that a healthcare provider or health plan obtain an electronic copy of PHI from the EHR of another provider or plan at an individual’s request. The Department explains that this “requirement would apply when an individual is an existing or prospective new patient or a current member (or dependent) of Requester-Recipient, and is limited to directing electronic copies of PHI in an EHR back to Requester-Recipient.” Healthcare providers have expressed concern about receiving directives from patients to obtain records that may not be relevant to or necessary for treatment or that may be overburdensome. A healthcare provider should be entitled to use his or her professional judgment to determine whether records are necessary and should not be forced to act solely on the patient’s directive.
Additionally, if oral requests of this nature are permitted, it will add administrative burden. It would be most efficient and effective to have individuals submit the request in writing. To facilitate this process and to ensure that the request is “clear, conspicuous, and specific,” as the Department proposes to require, healthcare providers should be permitted to offer an on-line request option that walks the individual through all the information necessary and provides an opportunity for verification of identity. This comment also applies to the specific request for comment at III.A.9(v), (x) and (w).
III.A.9 Specific Requests for Comments
(o) Security Risks
The Department requests comments on whether it should require providers to educate individuals on the risks associated with the use of personal health applications. Requiring providers to be responsible for such education would be unduly burdensome unless the Department provides specific educational resources to which providers could direct requesting individuals (e.g., a page on the Department’s website describing the risks associated with the use of personal health applications).
(t) Oral Access Requests to direct PHI to Third Party
The Department requests comments on the proposal to require a covered entity to act on an oral access request to either direct an electronic copy of PHI in an EHR to a third party or direct a covered entity to submit such a request. As noted above, the biggest challenge with oral access requests is identity verification.
In another section of the NPRM, the Department states that it “assumes that a covered entity holding records of an individual in an EHR has necessarily established a treatment relationship with such individual, and therefore, imposing additional verification requirements is unnecessary.” This statement may be true in some small practice settings, but it is not true in many other settings. In larger clinics or practices, the providers have the relationship with the patient and the staff managing records requests likely have never interacted with the patient. Further, since COVID-19 has changed the landscape of healthcare delivery, it is possible that the provider has never met the patient in person.
(ii) Flat Fee
The Department requested comment on the reasonableness of the $6.50 flat fee for electronic copies. Given the challenges with calculating a reasonable cost-based fee, the flat fee option has been useful to providers and, because the flat fee rate is under $10, it does not act as a barrier to access for individuals.
III.B. Reducing Identification Verification Burden
The Department seeks comments on its assumption that “a covered entity holding records of an individual in an EHR has necessarily established a treatment relationship with such individual, and therefore, imposing additional verification requirements is unnecessary.” Please see the comments to III.A.9(t) above.
III.E. Clarifying the Scope of Covered Entities’ Abilities to Disclose PHI to Certain Third Parties for Individual Level Care Coordination and Case Management that Constitutes Treatment for Health Care Operations
I welcome and support the explicit clarification that healthcare providers may share PHI with social service agencies and community-based organizations for treatment purposes. This will remove real or perceived barriers to coordination and improve care. Further, such disclosures carry only limited risk as the minimum necessary principle would apply.
III.F. Encouraging Disclosures of PHI when Needed to Help Individuals Experiencing Substance Use Disorder, Serious Mental Illness, and in Emergency Circumstances
The Department proposes to replace the “serious and imminent threat” standard with a “serious and reasonably foreseeable threat” standard in the current regulation pertaining to the prevention of harm. The Department explains that it “seeks to prevent situations in which covered entities decline to make uses and disclosures they believe are needed to prevent harm or lessen threats of harm due to concerns that their inability to determine precisely how imminent the threat of a harm is may make them subject to HIPAA penalties for an impermissible use or disclosure.”
In general, I support the goal of the proposed change, but ask that the Department consider how the proposed amended standard would apply to the following COVID-19 specific situations: (a) a patient lives in a homeless shelter and refuses to permit the provider to disclose a positive COVID-19 test result to the shelter; and (b) a student tests positive for COVID-19 and the provider knows that the parents continue to send the child to school despite the test result and diagnosis. Would these situations constitute a “serious and reasonably foreseeable threat”?
III.G. Eliminating Acknowledgment of Receipt Requirement
Healthcare providers everywhere applaud the proposed elimination of the requirement to obtain a written acknowledgement of receipt of the Notice of Privacy Practices (NPP). The requirement creates an administrative burden and offers no substantial benefit. I also support the other proposed changes related to the NPP.
Again, I thank the Department for the opportunity to submit comments. Please feel free to contact me if there are any questions or comments.
Dena M. Castricone, CIPP/US, CIPM