On January 21, 2021, the Department of Health and Human Services (HHS) published proposed changes to the privacy rule (Privacy Rule) of the Health Insurance Portability and Accountability Act (HIPAA). This Notice of Proposed Rulemaking (Proposed Rule) is part of the prior administration's "Regulatory Sprint to Coordinated Care" to improve coordination of care, promote value-based care, and reduce administrative burden.
HHS raises numerous questions and requests comments from the public. The Proposed Rule includes some proposals that may cause additional burden (such as potentially having to revise notices of privacy practices), but includes many potentially positive changes.
See our PDF guide detailing these separate requests. We recommend that clients consider commenting on the bad and support the good proposals. Comments currently are due March 22, 2021.
Although the new administration has put a freeze on certain regulations that have not yet become effective, this seemingly does not impact the Proposed Rule (which will not become effective until finalized). The big question is whether the Biden administration will continue this "regulatory sprint" and adopt some of these proposals, or if a return to the starting line is in our future.
See below for DWT's advisories on the Sprint regulations amending the Stark and Anti-Kickback laws:
- Done Sprinting, but Are We There Yet? The Value-Based Stark Exceptions and AKS Safe Harbors
- CMS Sprints to Overhaul Stark
- New Sprint Regulations Encourage Investment in EHR and Cybersecurity Technology
Notice of Privacy Practices
HHS takes one large step forward and several smaller steps backwards on its changes to the requirements for the Notice of Privacy Practices (NPP).
The Proposed Rule would eliminate the requirement that covered health care providers with a direct treatment relationship must obtain the individual's acknowledgement of receipt of the NPP or document their good faith efforts to obtain the acknowledgement. This seems likely to reduce confusion for individuals and reduce administrative burden (and wasted paper, some might argue).
However, the Proposed Rule would also require covered health care providers and health plans to amend their NPPs without a grandfather provision. As identified in the HHS 2016-2017 HIPAA Audits Industry Report (issued in December 2020), the HIPAA audits revealed that most covered entities failed to provide appropriate content in their NPPs. Therefore, it is not surprising that HHS sought to address these concerns in the Proposed Rule.
The Proposed Rule would explicitly create a new individual right—the right to discuss the NPP with a workforce member identified in the NPP—even though an individual has been free to ask questions all along. The preamble suggests that probably no more than 1 percent of patients would choose to exercise this right. It is unclear whether HHS expects a workforce member to be available 24/7 to answer questions from individuals.
HHS proposes to expand the required header to state:
NOTICE OF PRIVACY PRACTICES OF [NAME OF COVERED ENTITY, AFFILIATED COVERED ENTITIES, OR ORGANIZED HEALTH CARE ARRANGEMENT, AS APPLICABLE]
THIS NOTICE DESCRIBES:
- HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
- YOUR RIGHTS WITH RESPECT TO YOUR MEDICAL INFORMATION
- HOW TO EXERCISE YOUR RIGHT TO GET COPIES OF YOUR RECORDS AT LIMITED COST OR, IN SOME CASES, FREE OF CHARGE
- HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR MEDICAL INFORMATION, INCLUDING YOUR RIGHT TO INSPECT OR GET COPIES OF YOUR RECORDS UNDER HIPAA.
YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE AT [PHONE AND EMAIL] IF YOU HAVE ANY QUESTIONS.
The proposed mandatory header would add at least 110 words in two sentences, come in at a grade level of 15 (college level), and continue to refer to "your medical information" instead of health information that is held by the covered entity. Such a mandatory header essentially would create an incomplete layered notice that highlights some but not all of the required content for a NPP.
Since HHS is considering expanding the mandatory language, one wonders if the preferable approach would be to mandate the posting of a standardized, HIPAA-only NPP (such as one developed based on the model NPP). If that were the case, the content would be correct in the eyes of HHS and covered entities would not have to spend resources developing and amending their NPPs.
The Proposed Rule would also alter language describing the right of access and offer the option of including an explanation of how an individual may have protected health information (PHI) that is not maintained in an EHR directed to a third party. HHS also raises numerous requests for comments, including how to make the concept of health care operations more understandable to the layperson.
Right to Access
A significant portion of the Proposed Rule is dedicated to changing and tightening individual access rights. These changes seem in line with HHS' goals to improve and facilitate information sharing among individuals, their health care providers, and possibly their health plans.
The HITECH Act amended the HIPAA right of access to permit an individual to require a covered entity to transmit an electronic copy of PHI in an electronic health record to a third party (a third-party directive).
In the 2013 Omnibus Rule, HHS relied on its broad authority under HIPAA to expand this third-party directive right to include any PHI in a designated record set, rather than only PHI in an electronic health record. In Ciox Health v. Azar, the court ruled that HHS exceeded its statutory authority by doing so.
Accordingly, the Proposed Rule seeks to amend the Privacy Rule consistent with the Ciox Health decision, limiting third-party directives to electronic health records. Other PHI going to a third party at the individual's direction would fall outside the right of access and instead require the individual's authorization.
To this end, the Proposed Rule includes a definition of "electronic health record" that was included in the HITECH Act but was not previously defined by the Privacy Rule. "Electronic health record" is defined as "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and their staff." Since "clinician" is not currently defined in the Privacy Rule, HHS also clarifies the scope of "authorized health care clinicians and staff" to "include… health care providers that have direct treatment relationships with individuals… such as physicians, nurses, pharmacists, and other allied health professionals."
Further, the Proposed Rule adds a definition of "personal health application," which is "an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer." As detailed in previous HHS guidance, HHS again reiterates in the Proposed Rule that "a personal health application is not acting on behalf of, or at the direct of a covered entity, and therefore would not be subject to [HIPAA]."
HHS states that adding these definitions will help clarify the proposed modifications to the right of access, in particular the modified right of individuals to direct a covered entity to transmit electronic copy of PHI an in electronic health record to a designated third party, including a personal health application.
HIPAA provides an individual with the right to inspect and obtain copies of their PHI. The Proposed Rule strengthens this right by adding language to "enable an individual to take notes, videos, and photographs, and use other personal resources to view and capture [the PHI]" after arranging a mutually convenient time and place to do so.
Covered entities may not impose a fee on the individual for exercising this right. This right does not allow an individual to connect any personal devices, such as a thumb drive, to the covered entity's information systems.
The Proposed Rule clarifies that, although a covered entity may require individuals to make requests for access in writing, a covered entity may not impose "unreasonable measures" that impede an individual's right of access.
Examples of "unreasonable measures" include requiring individuals to fill out extensive information not necessary to fulfill the request (e.g., requiring an individual to fill out a form that contains the same elements as a HIPAA authorization), mandating notarization of the request form, or permitting access requests only through one method (e.g., only through the portal or only in person). Interestingly, the Proposed Rule actually contained examples, which likely will become outdated, as opposed to providing examples in the preamble.
HIPAA currently provides covered entities 30 days to respond to an individual's request, with an additional 30 day extension if the covered entity is unable to respond within the initial 30 days. The Proposed Rule would cut this timeframe in half, requiring covered entities to respond "as soon as practicable" but in no case later than 15 calendar days after the receipt of request, with the possibility of one 15 calendar day extension.
The new timeframe would apply to all requests for access, including when an individual requests an electronic copy of PHI to be directed to a third party. The Proposed Rule would permit covered entities additional time by meeting certain requirements, including establishing a policy to address urgent or high-priority requests.
Many covered entities will have to scramble to implement this shorter timeframe; however, at least eight states already require shorter timeframes, including California, Colorado, and Washington.
It is also worth considering this proposal in conjunction with the 21st Century Cures Act Information Blocking Rule, as many entities are subject to both sets of requirements. The Information Blocking Rule generally will prohibit health care providers from unreasonably delaying access to electronic health information. In practice, this may mean that many covered entities will need to provide access to electronic health information in less than 30 days anyway.
Covered entities should review their operations to ensure that they can meet this shortened deadline and, if they cannot, may wish to comment to HHS raising any concerns.
As mentioned, the Proposed Rule also modifies the Privacy Rule with respect to third-party directives (an individual's right to direct a covered entity to transmit a copy of PHI directly to a third party). It is not surprising that HHS has addressed this right in light of the Ciox Health decision, which struck down HHS's initial approach.
Currently, the request for a third-party directive must be in writing, be signed by the individual, and clearly identify the designated person and where to send the copy of the PHI. Further, the requests directed to a third party applies to all PHI in a designated record set, regardless of whether it is in electronic or paper form.
Under the Proposed Rule, consistent with Ciox Health, requests to a third party for direct copies of PHI would be limited to only electronic copies in an electronic health record. Since this change would limit the scope of PHI to that within an electronic health record, then only covered health care providers generally would be responsible for fulfilling any requests for third-party directives under the Proposed Rule since other covered entities (e.g., health plans and health care clearinghouses) generally will not have an electronic health record.
Additionally, HHS proposes that if another federal or state law requires a covered entity to implement a technology or policy that would have the effect of providing an individual with access to PHI in a particular electronic form and format (e.g., if a federal law requires the provision of access via secure, standards-based API), then that form and format would be deemed "readily producible" for purposes of compliance in fulfilling PHI requests under the Proposed Rule. HHS acknowledges that, in proposing this requirement, HHS is still examining the best way to address individuals' privacy and security when sending PHI to a personal health application and is seeking comment on the issue.
Lastly, the Proposed Rule would require a covered health care provider to respond to an individual's request to direct electronic PHI in an electronic health record to a third party if the oral or written request is "clear, conspicuous, and specific" and would encompass any requests made by the individual via an internet-based method, such as a personal health application submitting a request on the individual's behalf.
The Proposed Rule would require covered health care providers and health plans to submit an individual's access request to another health care provider on the individual's behalf. The requesting health care provider or plan then may receive the requested electronic copies of the PHI in an electronic health record. The requests must be submitted by the requesting entity on behalf of the individual as soon as practicable, but no later than 15 calendar days after receiving the individual's direction.
Although this requirement may be beneficial for some patients, it seems likely to cause confusion within the health care industry and further blur the purpose of the access requests. For example, the need to add in a single regulatory section clarifying definitions of "Requestor-Recipient" and "Discloser" suggests that the requirement is going to cause confusion.
Currently, covered entities may charge a reasonable, cost-based fee to fulfill access requests. Instead, the Proposed Rule would include categories of access for which a covered entity would be prohibited from charging a fee. For example, the Proposed Rule would not permit fees to be imposed for individual requests to inspect PHI in person or when the individual uses an internet-based method to direct an electronic copy of PHI in an electronic health record to any third party.
The Proposed Rule further outlines the allowable costs that a covered entity could charge, should the fee be permitted:
Type of Access
Recipient of PHI
|In-person inspection – including viewing and self-recording or -copying
Individual (or personal representative)
|Internet-based method of requesting and obtaining copies of PHI (e.g., using View-Download-Transmit functionality or a personal health application connection via a certified-API technology)||Individual||Free|
|Receiving a non-electronic copy of PHI in response to an access request||Individual||Reasonable cost-based fee, limited to labor for making copies, supplies for copying, actual postage & shipping, and costs of preparing a summary or explanation as agreed to by the individual
|Receiving an electronic copy of PHI through a non-internet-based method in response to an access request (e.g., by sending PHI copied onto electronic media through the U.S. Mail or via certified export functionality)
||Individual||Reasonable cost-based fee, limited to labor for making copies and costs of preparing a summary or explanation as agreed to by the individual|
|Electronic copies of PHI in an electronic health record received in response to an access request to direct such copies to a third party
||Third party as directed by the individual through the right of access
||Reasonable cost-based fee, limited to labor for making copies and for preparing a summary or explanation agreed to by the individual
The Proposed Rule would also require covered entities to provide estimated fee schedules on their websites and make the fee schedule available to individuals at the point of service upon an individual's request. The Proposed Rule would further require covered entities to provide individualized estimates for the approximate fees for the requested copies of PHI upon request by the individual.
The Proposed Rule clarifies a business associate's obligations with respect to an individual's right to access PHI. Specifically, the Proposed Rule would require business associates to disclose PHI to a covered entity to permit the covered entity to meet its access obligations.
However, if the business associate agreement provides that the business associate will provide access to PHI in an electronic health record directly to the individual or the individual's designee, then the business associate must provide the direct access.
We hope that the Proposed Rule could be clarified so as not to require covered entities to re-open and revise business associate agreements to include additional mandatory content.
Definition of "Health Care Operations"
The Proposed Rule proposes to amend the definition of "health care operations" to clarify that all care coordination and case management activities of a health plan are health care operations, whether individual-level or population-based. This is to address confusion, since some believed that health care operations only addressed population-based activities (a source of confusion because certain health care provider activities are considered treatment when rendered at an individual level, but health care operations when rendered at a population level). We welcome this clarification.
Also, for you HIPAA grammar geeks out there, HHS proposed to convert some pesky commas to semi-colons in the definition of "health care operations," eliminating some confusion regarding the list of health care operations activities. For example, because some items are separated by semi-colons, whereas "case management and care coordination" is separated from "population-based activities relating to improving health or reducing health care costs," by a comma, it suggested that case management was intended as a subset of population-based activities (part of the cause of confusion addressed above). Bonus HIPAA points for anyone who previously noticed that punctuation quirk.
New Exception to Minimum Necessary
HHS proposes to add an exception to the "minimum necessary" standard for individual-level case management and care coordination requests and disclosures by health plans and health care providers. Population-based activities would remain subject to the minimum necessary standard.
We believe that this proposal will be helpful in promoting care coordination, removing compliance concerns about sharing too much information with a health plan. It also helps address limitations in electronic health information exchange, where it is often difficult to control exactly how much PHI is made accessible.
The Proposed Rule does not address the continuing challenge posed by the "minimum necessary" standard with respect to disclosing PHI through an electronic health information exchange for payment purposes. For example, if a health plan requests access to an electronic health record or even a summary record for purposes of reviewing medical necessity, it is difficult to provide access while making reasonable efforts to disclose only the minimum necessary amount of PHI. This is an obstacle to better facilitating the flow of PHI for payment activities.
HHS requests comment on whether it should also exempt individual-level payment activities from the minimum necessary standard. Entities may wish to comment on this point and suggest this as an additional exception to the minimum necessary standard (the standard still could hold a covered entity liable for abusing the electronic exchange and accessing or using more than the minimum necessary PHI).
Disclosures to Other Third Parties
OCR guidance currently provides that a health care provider may disclose PHI to a variety of third parties for treatment purposes, such as social service agencies and home and community based services providers. For example, part of treating a patient may include ensuring that the patient has a place to live and a source of food after discharge.
But this guidance is not well known, and covered entities often are hesitant to share PHI with non-covered entities without patient authorizations due to HIPAA concerns. HHS proposes to amend the Privacy Rule to explicitly permit covered entities to disclose PHI to social services agencies, community-based organizations, home and community based providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management activities.
We believe that having this permission in regulation, rather than only in guidance, will be helpful as it will have the force of law and be more widely known. Although HHS includes many questions for commenters, one of the more interesting ones is whether the Privacy Rule should require an agreement with the recipient that describes and limits the recipient's use and disclosure (as the recipient generally will not be subject to HIPAA). Of course, an agreement (as opposed to a notice or taking no action) would slow or possibly entirely undermine the benefits of this proposed change.
"Professional Judgment" 🡲 "Good Faith Belief"
Currently, various Privacy Rule provisions require that a disclosure be based on "the exercise of professional judgment." This includes certain disclosures to parents or to persons involved in a patient's care.
HHS indicates that some providers seem concerned that, under the current standard, they cannot inform persons involved in a patient's care of health issues, such as a mental health crisis or substance use disorder. HHS proposes to change the standard to a "good faith belief" to lessen compliance concerns that interfere with providers reaching out to family members and others involved in a patient's care. Additionally, the Proposed Rule would create a presumption of good faith absent evidence of bad faith.
HHS has requested comment on the anticipated effect of this proposal, including whether the increased likelihood of disclosure will discourage some individuals from seeking care, and whether a covered entity's good faith belief should even outweigh the individual's express preferences (such as whether a doctor can tell a spouse about a patient's mental health issues based on a good faith belief that it is best for the patient, even if the patient expressly said not to do so).
Disclosures of PHI Through Telecommunications Relay Services (TRS)
Certain persons with disabilities rely on TRS, which phone companies often are required to provide, to communicate PHI. This could include communications from or to patients or plan members, or between workforce members. Current OCR guidance indicates that a TRS provider is not acting on behalf of the covered entity and, therefore, is not a business associate.
HHS proposes to add an explicit regulatory permission for disclosing PHI to a TRS provider to conduct covered functions (health care provider or health plan activities) and to expressly exempt TRS providers from the definition of "business associate."
Addressing Threats of Harm
Under the Proposed Rule, a covered entity would be permitted to use and disclose PHI to prevent or lessen a serious and reasonably foreseeable harm to the health or safety of a person or the public, which would replace the serious and imminent threat standard. "Reasonably foreseeable" means that an ordinary person could conclude that a threat to health or safety exists and that harm to health or safety is reasonably likely to occur if the use or disclosure of PHI is not made, based on the facts and circumstances known at the time of the disclosure.
HHS notes that the standard is whether a similarly-situated covered entity—as opposed to a majority of covered entities—could believe that a serious harm was reasonably likely to occur. HHS seeks to prevent situations in which covered entities decline to disclose PHI to prevent or lessen harm because they were unable to determine whether the harm was imminent, as opposed to likely. It will be interesting to see whether privacy advocates' pushback on "reasonably foreseeable" being too low of a standard, and if a middle ground (such as "reasonably likely") is considered.
The Proposed Rule would also give deference to determinations by health care providers with specialized training, expertise, or experience in assessing an individual's risk to health or safety.
Disclosures Regarding Uniformed Services Personnel
HIPAA includes a provision permitting disclosures of PHI of armed forces personnel for activities deemed necessary by military command to assure the proper execution of the military mission. HHS proposes to expand this permission to the uniformed services, which would include the U.S. Public Health Service Commissioned Corps and the National Oceanic and Atmospheric Administration Commissioned Corps.
Identity Verification Measures
HIPAA currently mandates that covered entities take reasonable steps to verify the identity of an individual requesting PHI. The current requirements do not prescribe a specific form of verification and instead leaves verification to the discretion of the covered entity, as long as the verification measures do not create barriers to or unreasonably delay individuals' ability to exercise their rights under the Privacy Rule.
The Proposed Rule would expressly prohibit covered entities from imposing unreasonable identity verification measures on individuals or individuals' personal representatives when exercising any rights under the Privacy Rule. Unreasonable verification measures would be those that require an individual or individual's personal representative to expend unnecessary effort or expense when the covered entity can implement a less burdensome method. Examples of unreasonable measures include requiring individuals to submit notarized requests to exercise a right or to require individuals to come in person to provide proof of identity.