HHS Proposes Significant Modifications to the HIPAA Privacy Rule
On January 21, 2021, the U.S. Department of Health and Human Services (“HHS”) published proposed rules that would significantly modify existing regulations concerning the Health Insurance Portability and Accountability Act (“HIPAA”). The proposed rules affect HIPAA’s Privacy Rule and are intended to improve access to patient information for the patient, their providers, and broadly for the purposes of value-based care.
Individual Right of Access
The proposed rules clarify or expand upon access-related rights, as further described below.
- Expanded Right to Inspect: With respect to a patient’s right to inspect their records in person, the proposed rules would expressly enable a patient to record or document or use “other personal resources” to store their Protected Health Information (“PHI”) during such an inspection, but would not require a covered entity to permit a patient to connect a personal device, such as a thumb drive, to an entity’s systems for the purposes of recording PHI. Covered entities would be required to comply with this right of access without charging patients a fee. Of note, the rules propose that when PHI “is readily available at the point of care in conjunction with a health care appointment, a covered health care provider is not permitted to delay the right to inspect.”
- Unreasonable Access Requirements Prohibited: The proposed rules would prohibit “unreasonable” requirements to access. HHS proposes adopting a non-exhaustive list of unreasonable practices, including requiring a patient to notarize an authorization form. In addition, other examples of unreasonable measures in the proposed regulatory text include accepting individuals’ written requests only in paper form, only in person at the covered entity’s facility, or only through the covered entity’s online portal.
- Response Turnaround Time Shortened: The proposed rules shorten the time period that covered entities are required to respond to requests for PHI to no later than 15 calendar days (from the current 30 days), with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
- API Access: HHS is considering whether to require that health care providers adopt and use any API features of their electronic health record (“EHR”) systems, if such features cost little to no money, in order to permit transfer of patient information via the EHR’s API.
Access to Patient Records by Third Parties
The proposed rules will modify existing rules regarding health records requests for records requested to be sent to third parties.
- Requests to Third Parties Limited to ePHI: The rules propose that requests to direct copies of PHI to a third party will be limited to only electronic copies of PHI in an EHR. However, the rules would require that a provider comply with such a request.
- No Requirement for Written Authorization: The proposed rules do away with the requirement that a patient sign a written HIPAA authorization form in order to have records disclosed to a third party. Covered health care providers would be required to respond to an individual’s request to direct an electronic copy of PHI in an EHR (“ePHI”) to a third party designated by the individual when the request is “clear, conspicuous, and specific.” Such a request may be verbal or in writing, including electronically executed requests. Under these proposals, a written access request pursuant to a proper authorization form, such as that contemplated in the current rule, would be one means of exercising this right of access, but an oral request could also be actionable if it is clear, conspicuous, and specific.
- Requirement that Providers Facilitate Access Requests: The proposed rules would require a patient’s provider to submit a request for ePHI from a previous provider if the patient asks the current provider to access the records of the prior provider. This requirement would apply both to when an individual is an existing or prospective new patient. Previous treating providers will be required to respond to such requests for ePHI from the current treating provider.
Fees for Records
The proposed rules modify allowable fees that can be charged for record disclosure. The goal of these fee modifications, as with the information blocking regulations, is increasing access and lowering barriers. As such, the proposed rules entirely prohibit the charging of any fees for certain types of requests, or otherwise require that “reasonable” fees for labor and related costs be charged when, for example, printed copies are requested to be sent to third parties. In addition, where fees are permitted to be charged, the proposed rules will require providers to provide fee estimates prior to executing a request, and certain providers will be required to post their fee schedules for record requests online.
The proposed fee structure, with respect to different types of requests, is excerpted below:
Type of Access
Recipient of PHI
Individual or Personal Representative
Internet-based method of requesting and obtaining copies of PHI.
Receiving a non-electronic copy of PHI in response to an access request.
Reasonable cost-based fee, limited to labor for making copies, supplies for copying, actual postage & shipping, and costs of preparing a summary or explanation as agreed to by the individual.
Receiving an electronic copy of PHI through a non-internet-based method in response to an access request (e.g., by sending PHI copied onto electronic media through the U.S. Mail or via certified export functionality).
Reasonable cost-based fee, limited to labor for making copies and costs of preparing a summary or explanation as agreed to by the individual.
Electronic copies of PHI in an EHR to a third party.
Third party as directed by the individual through the right of access.
Reasonable cost-based fee, limited to labor for making copies and for preparing a summary or explanation agreed to by the individual.
Disclosure of PHI Without Authorization
The prosed rules broaden and clarify situations in which PHI may be disclosed without a patient’s authorization:
- Clarification of Health Care Operation Exception: Currently, the Privacy Rule expressly permits certain uses and disclosures of PHI, without an individual’s authorization, for certain health care operations, among other important purposes. The proposed rules will define “health care operations” to encompass all care coordination and case management by health plans, whether individual-level or population-based. The proposal would provide clarity to covered entities and individuals regarding which Privacy Rule standards apply to which care coordination and case management activities, and thereby facilitate those activities.
- Minimum Necessary Standard Expansion: To consistently promote permissible disclosures of PHI for care coordination and case management, HHS proposes to add an express exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management.
- Replacing “Professional Judgment” With “Good Faith” Standard: The proposed rules would amend the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s “good faith” belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith. For example, the proposed rule expands the ability of covered entities to disclose PHI to family members and other caregivers when they have a good faith belief it is in the best interests of the individual, whereas the current rules require an exercise of “professional judgment,” which could be interpreted as limiting the permission to persons who are licensed or who rely on professional training to determine whether a use or disclosure of PHI is in an individual’s best interests.
- Disclosures Impacting Health or Safety: The proposed rules expand the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
Rules Affecting Notice of Privacy Practices
HHS proposes eliminating the requirement that a covered health care provider with a direct treatment relationship to an individual obtain a written acknowledgment of receipt of the provider’s Notice of Privacy Practices (“NPP”), which will ease administrative burdens on providers. However, the proposed rules modify the content requirements for NPP’s in order to further clarify for patients their rights with respect to their PHI and how to exercise those rights. HHS proposes the adoption of a standardized header that provides certain key information to patients, such as how to access their information and where to file a complaint.
How Frier Levitt Can Help
In addition to general concerns, HHS is requesting comments on a significant number of questions related to the proposed rules described above. Interested parties have 60 days since publication to comment upon the rules. However, HHS recently extended the deadline to comment upon the rules. As such, the last day to submit comments is May 6, 2021. Providers and other stakeholders interested in providing comment to help shape the final regulations need to act quickly. Contact Frier Levitt for assistance in preparing and submitting comments on new HIPAA rules.
Irrespective of whether a provider chooses to submit a comment, all HIPAA-governed covered entities and business associates must remain aware of the status of these proposed changes and be ready to implement compliance policies to account for applicable revisions to the law.