Proposed Changes to the HIPAA Privacy Rules

On December 10, 2020, the Department of Health and Human Services (HHS), Office of Civil Rights (OCR) issued a notice of the agency’s intent to modify the HIPAA Privacy Rules. The HHS’ stated purpose was to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry. The OCR encouraged comments on the Notice of Proposed Rule Making (NPRM) by the stakeholders (i.e. patients and their families, HIPAA-covered entities, consumer advocates, health care professional associations, health maintenance management professionals, health information technology vendors, and government entities). The NPRM was published in the Federal Register on January 21, 2021, with a comment period that ends on March 22, 2021.

Individual Right of Access:

The objective of the proposed rule change was to create standardized use of secure, standards-based application programming interfaces (APIs) to facilitate the sharing of Protected Health Information (PHI) and make it easier for individuals to access their own PHI. Currently, APIs are not implemented in this standardized way within or outside the HIPAA-regulated community.

To achieve this goal, the new rules would provide definitions for electronic health record and personal health application, set mandatory modes for individuals to access their own PHI (including setting uniform fees for access), modify response timeframes from 30 days to 15 days, revise requests to direct electronic copies to third parties, and modify the Business Associate (BA) scope of responsibility for individual access to PHI, creating potential direct liability for the BA.

The revisions to requests to direct electronic copies to third parties would allow a Requestor-Recipient (third-party HIPAA covered entity) to rely on an oral request for PHI and then submit an access request to a Discloser (HIPAA covered entity). The Discloser would be required to treat the request as an individual request, but provide the PHI to the Requestor-Recipient.

The HIPAA Covered Entities will most likely be required to bear the burden of these changes.

Verification:

The proposed rule changes would prohibit HIPAA-covered entities from imposing unreasonable identity verification measures. The prohibited measures would include requiring an individual to expend unnecessary effort or expense when a less burdensome verification measure is practicable for the particular covered entity. For example, prohibited identity requirements would include requiring notarization, proof of identity in person, or requiring completion of a form requesting extensive information when only limited information is necessary. Implementation of this rule change will necessarily require review of current policies and procedures to make sure the new verification process is compliant with the changes.

Care Coordination and Case Management:

The proposed rule changes would revise the definition of health care operations to include all care coordination and case management by health plans, whether individual or population-based. The purpose of this change is to clarify for HIPAA-covered entities and individuals the scope of care coordination/case management activities to facilitate beneficial activities.

Minimum Necessary Rule:

This rule change to health care operations is intended to provide helpful clarifications of permissions currently available under the HIPAA Privacy Rule. This change would add an express exception to the minimum necessary standard for disclosures to, or requests by, HIPAA-covered entities for care coordination and case management. It is proposed that it would create an express permission for HIPAA-covered entities to disclose PHI for individual-level care coordination and case management to social services agencies, community-based organizations, home and community-based service providers, and other third parties that provide health-related services to specific individuals. This exception would therefore allow HIPAA-covered entities to disclose PHI, without requiring an authorization, to a third party that provides health-related services to specific individuals even though the third party is not a health care provider.

The purpose of this rule change is to increase disclosure by HIPAA-covered entities when it is in the individuals’ best interest. This purpose is achieved by replacing the HIPAA-covered entity’s standard of exercising professional judgment with a good faith belief. Also, the HIPAA Privacy Rule standard of serious and imminent threat is changed to a serious and reasonably foreseeable threat standard. 

Acknowledgment of Notice of Privacy Practices:

The proposed rule change would eliminate the requirement for HIPAA-covered health care providers with a direct treatment relationship to an individual to obtain written acknowledgment of receipt of the Notice of Privacy Practices (NPP).

For all HIPAA-covered entities, the current NPP would be replaced with the following. HIPAA-covered entities must produce a statement of an individual’s right to discuss the NPP with a person designated by the covered entity, modify the NPP header with specific instructions for individual access to PHI and patient rights, and revise the NPP header to specify whether the designated contact person is available onsite, along with their phone number and email address. This would, by implication, require a review of and changes to the current policies and procedures, as well as ensuring the NPP on the website is updated.

Telecommunications Relay Services:

This rule revision would expressly permit HIPAA-covered entities and business associates to disclose PHI to telecommunications relay services (TRS) assistants without requiring a Business Associate Agreement.

Armed Forces Personnel:

This rule revision would expand the permission in the HIPAA Privacy Rule addressing disclosures to the Armed Forces, to facilitate coordinated care and enhance the U.S. Public Health Service and the National Oceanic and Atmospheric Administration Commissioned Corps’ readiness.

Summary:

The proposed HIPAA Privacy Rule changes may be reviewed at: https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf

At the conclusion of the comment period on March 22, 2021, the proposed rule changes are subject to rulemaking under the Administrative Procedures Act. Although the rule changes were submitted under the previous administration, they are believed to have bipartisan support and are likely to be approved into final regulations.

For questions about this article, or any other health care law related matter, please contact an attorney in our Health Care Law Practice Group.