HHS floats major changes to HIPAA Privacy Rule
The HHS Office for Civil Rights on Thursday proposed substantial new changes to HIPAA Privacy Rule, with the goal, the agency says, to further value-based reimbursement and improve care coordination by enabling greater patient and family access to health data.
WHY IT MATTERS
The notice of proposed rule-making, drafted as part of HHS' Regulatory Sprint to Coordinated Care initiative, aims to remove regulations that might impede communication and data exchange between provider organizations and health plans.
The agency says the proposed changes would expand individuals' rights to access their own digital health information, boost information-sharing and case management across the care continuum, and enable greater family and caregiver involvement during emergencies or health crises.
The changes would also offer more flexibilities for disclosures in situations such as opioid overdoses and the COVID-19 public health emergency.
In addition, the hope is that a streamlined new rule would reduce administrative burdens on HIPAA-covered entities while continuing to protect patient privacy.
OCR proposes amending the Privacy Rule to increase permissible disclosures of protected health information and improve care coordination and case management by "adding definitions for the terms electronic health record and personal health application," it says.
Additionally, provisions relating individuals' right of access would be modified in several ways, according to the NPRM:
- Strengthening individuals' rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
- Shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
- Clarifying the form and format required for responding to individuals' requests for their PHI.
- Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
- Reducing the identity-verification burden on individuals exercising their access rights.
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
- Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
- Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR – specifying when electronic PHI must be provided to the individual at no charge.
- Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
The updated regs would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management, according to OCR – creating an exception to the "minimum necessary" standard. It would "relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations," according to the proposed rule-making.
The goal is to expand the scope of covered entities' abilities to disclose PHI to "social services agencies, community-based organizations, home and community based service providers, and other similar third parties that provide health-related services."
Among other changes, OCR would replace the privacy standard that permits HIPAA-covered entities to make some uses and disclosures of PHI based on "professional judgment" with a standard permitting such uses or disclosures based on that entity’s "good faith belief that the use or disclosure is in the best interests of the individual," according to the proposed rule. (The agency acknowledges that "the proposed standard is more permissive in that it would presume a covered entity’s good faith," but says such a presumption "could be overcome with evidence of bad faith.")
The new rule would also expanding covered entities' latitude for PHI disclosure when it's meant to avert a "serious and reasonably foreseeable" risk to health or safety – as compared with the existing standard, which requires a "serious and imminent" threat.
It would also eliminate the requirement that providers obtain an individuals' written acknowledgment of receipt for Notice of Privacy Practices. And it would modify the content requirements of the NPP to "clarify for individuals their rights with respect to their PHI and how to exercise those rights."
Public comments on the NPRM will be due 60 days after its publication in the Federal Register. HHS says it wants to hear from the ecosystem of HIPAA-covered entities, other healthcare and technology stakeholders, consumer advocates – and, especially, patients and their families – between now and then. Comments can be submitted at Regulations.gov.
THE LARGER TREND
HIPAA has been around for nearly 25 years, but its Privacy Rule is newer – first proposed in 1999 and in effect since 2003.
A lot has changed for healthcare, information and technology since that time – which is why some folks have been asking for years whether HIPAA might be due for a refresh, given the realities of the digital health ecosystem and the push for patient access and value-based care.
Concrete discussions about updating the rule and streamlining its provisions had gained steam in recent years.
The new proposed rule-making is in keeping with OCR's recent emphasis on patient and family right of access – something it's shown through a series of enforcement actions over the past few months.
The goal, ultimately, should be to solve the so-called "Goldilocks dilemma" of the digital age: Healthcare information is being more widely shared than ever – so how can that be balanced with the need for robust privacy protections?
ON THE RECORD
"Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long," said HHS Secretary Alex Azar. "As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health."
"Today's announcement is a continuation of our ongoing work under my Regulatory Sprint to Coordinated Care to eliminate unnecessary regulatory barriers blocking patients from getting better care," said HHS Deputy Secretary Eric Hargan. "These proposed changes reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that we uphold HIPAA's promise of privacy and security."