Time for a Compliance Check Up: Upcoming Modifications to the HIPAA Privacy Rule

The proposed modifications are intended to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry,” according to the HHS press release announcing the proposed modifications. The press release further states that the Notice is part of the HHS’s Regulatory Sprint to Coordinate Care, a transformation agenda aimed toward promoting value-based healthcare by reforming and removing regulatory barriers that impede coordinated healthcare among providers, health plans, and the patients themselves.⁵

Recent advancements in technology and information management practices, as well as evolving work environments (e.g., telehealth), have underscored inefficiencies and challenges within the existing Privacy Rule, as drafted. In recent years, HHS’s Office for Civil Rights (OCR)⁶ has been called upon to revisit portions of the Privacy Rule that limit information sharing and impede coordinated care. These issues have become increasingly important aspects of providing quality care to patients, particularly given large-scale health crises such as the opioid and COVID-19 public health emergencies.⁷

These proposed changes to the Privacy Rule are hardly a surprise. While HHS previously favored issuing HIPAA guidance to address issues or clarify ambiguities when they surfaced, in December 2018 OCR published a Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (Request), seeking information from the public for consideration during the rule modification drafting process.⁸ After examination of public input received through the Request, HHS published its Notice proposing changes intended to improve the quality of care and reduce burdens on covered entities, while maintaining privacy protections for individuals’ health information.⁹

Heads Up: What’s in the Proposed Rule?

According to HHS, the proposed modifications aim to strengthen individuals’ rights to access their health information, promote coordinated care among providers, and allow increased flexibility for health information disclosures in emergency and life-threatening situations. The modifications also aim to amend parts of the Privacy Rule that may pose unnecessary barriers to effective, coordinated healthcare and would alleviate some of the administrative burdens faced by those required to comply with the Privacy Rule.

Change typically creates both opportunities and challenges, and this proposed change is no different. The Notice proposes modifications that will affect the roles of all parties when it comes to healthcare services and handling protected health information (PHI).¹⁰ Key potential modifications to the Privacy Rule which have the potential to change obligations of covered entities and business associates include:

• Strengthening individuals’ rights to inspect their PHI, including taking notes or using personal resources to access and capture their PHI;¹¹
• Shortening the time period for covered entities to respond to an individual’s request for access to their PHI to 15 calendar days, with an option to extend for 15 additional calendar days (as opposed to the 30-day response period and option for 30-day extension currently in place);¹²
• Requiring covered healthcare providers and health plans to, at the direction of the individual, respond to requests for certain records from other covered entities;¹³
• Reducing the identity verification burdens individuals face when exercising their rights to access PHI (which is especially important with recent increases in telemedicine and remote care options);¹⁴
• Expanding the circumstances under which covered entities can disclose PHI to avert a “serious and reasonably foreseeable” threat to the health and safety of an individual;¹⁵
• Requiring covered entities to make estimated fee schedules available through their websites for right of access requests;¹⁶
• Requiring covered entities to provide individualized fee estimates for a request for copies of PHI, as well as providing itemized bills for completed PHI requests;¹⁷
• Clarifying the scope of permitted PHI disclosures and requests for individual-level care coordination by creating an exception to the “minimum necessary” standard currently in place for the exchange of PHI between covered entities or business associates;¹⁸ and
• Adding and clarifying definitions for terms, including “electronic health record,” “personal health application,” “health care operations” and “business associate.”¹⁹

Certain modifications listed above are designed to reduce the compliance burden on healthcare providers, health plans, and healthcare clearinghouses, among other covered entities. For example, covered entities will have a heightened ability (and even a new obligation) to share PHI when coordinating individual care with other covered entities. Further, the proposed new rule expands the circumstances under which a covered entity may disclose PHI based on the covered entity’s “professional judgment” or during an emergency situation, allowing providers to give appropriate care in the best interests of the individual and in life-threatening situations.

The modifications may present compliance challenges, as well. For example, the new rule will shorten the time for covered entities to respond to individuals’ requests for PHI. Covered entities will be required to provide additional disclosures to individuals regarding their PHI rights, publish general fee structures, and provide individualized fee estimates for fulfilling requests for PHI.²⁰ Planning early for implementation will minimize such challenges.

When Must Covered Entities and Business Associates Come into Compliance?

Upon closure of the public comment period on May 6, 2021, HHS began its review of all public comments and will publish a final version of the new rule in the Federal Register, along with an effective date.²¹ HHS had the option to again extend or reopen the public comment period if it did not receive enough high-quality comments or if it identified another reason to provide more time for public comment, but it did not do so.

What are Covered Entities and Business Associates to Do?

Now is an important time for covered entities and business associates to prepare for change.  There appears to be general cross-sector and bipartisan support for an update to the Privacy Rule, though there will very likely be areas of concern and disagreement expressed in the public comments. Indications are strong that the HIPAA Privacy Rule will be modified in a form that is similar to the new rule as currently proposed in the Notice, although there may be substantive adjustments based on public comments. Covered entities (such as healthcare providers and health plans) and business associates subject to the HIPAA Privacy Rule and their counsel can begin preparing now for compliance with these potential modifications.

A few best practices to consider during the ramp-up period:

• Determine whether, and to what extent, proposed modifications to the Privacy Rule will impact the healthcare operations of the organization. Affected stakeholders may include any covered entity or business associate, including physicians and other healthcare providers, health plans, consumer advocates, healthcare professional associations, and health information technology vendors.
• Stay up to date regarding the proposed modifications, especially after the public comment period closes and a new final rule (including effective date) is announced. This ramp-up period is critically important to ensure that covered entities and business associates are prepared to comply as of the effective date.
• Analyze current HIPAA privacy practices. Develop a plan to identify compliance gaps and revise HIPAA policies and procedures as necessary and in a timely manner once the new rule is finalized. Also consider the manner in which the new HIPAA Privacy Rule may interact with other privacy-related obligations, such as those imposed by state, federal, or international law or by contract.²²

Just as HIPAA makes privacy a prerequisite for patient care, planning for change is an essential prerequisite for successfully navigating the transition to the new HIPAA Privacy Rule.

This article should not be construed as legal advice or legal opinion. The content is intended for general informational purposes only.

Footnotes

1. HHS Proposed Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens, U.S. Dep’t of  Health and Hum. Serv. (Dec. 10, 2020), https://www.hhs.gov/about/news/2020/12/10/hhs-proposes-modifications-hipaa-privacy-rule-empower-patients-improve-coordinated-care-reduce-regulatory-burdens.html.
2. Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (proposed Jan. 21, 2021) (to be codified at 45 C.F.R. Parts 160 and 164), https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care.
3. Extension of the Public Comment Period for Proposed Modifications to the HIPAA Privacy Rule, U.S. Dep’t of Health and Hum. Serv. (Mar. 9, 2021), https://www.hhs.gov/about/news/2021/03/09/extension-public-comment-period-proposed-modifications-hipaa-privacy-rule.html (see also https://public-inspection.federalregister.gov/2021-05021.pdf).
4. Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) (to be codified at 45 C.F.R. Parts 160 and 164), https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
5. HHS Proposed Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens, supra n. 1.
6. HHS has delegated to OCR responsibility for enforcement of a variety of federal civil rights laws, including HIPAA-related enforcement. See, e.g., U.S. Dept. of Health and Human Services, Health Information Privacy, available at https://www.hhs.gov/hipaa/index.html.        
7. HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules, U.S. Dep’t of Health and Hum. Serv. (Dec. 12, 2018), https://public3.pagefreezer.com/browse/HHS.gov/31-12-2020T08:51/https://www.hhs.gov/about/news/2018/12/12/hhs-seeks-public-input-improving-care-coordination-and-reducing-regulatory-burdens-hipaa-rules.html.
8. Request for Information on Modifying HIPAA Rules To Improve Coordinated Care, 83 Fed. Reg. 64302 (proposed on Dec. 14, 2018) (related to 45 C.F.R. Parts 160 and 164), https://www.federalregister.gov/documents/2018/12/14/2018-27162/request-for-information-on-modifying-hipaa-rules-to-improve-coordinated-care.
9. HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules, supra n. 7.
10. “Protected Health Information” means individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities. 45 C.F.R. Part 160.103 defines “individually identifiable health information” as information that identifies an individual (or could be used to identify an individual) that is created or received by HIPAA covered entities and relates to the past, present, or future health condition or treatment of that individual. 45 C.F.R. Part 160.103 (2014).
11. 86 Fed. Reg. at 6457.
12. Id. at 6458.
13. Id. at 6462.
14. Id. at 6470.
15. Id. at 6473.
16. Id. at 6464.
17. Id. at 6467.
18. Id. at 6475. “The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure.” Id. at 6447.
19. Id. at 6455.
20. Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, supra n. 2.
21. Once published, the final version of the rule will be available at the following web address: https://www.federalregister.gov/.
22. As just one example, covered entities and business associates should carefully consider their obligations under the 21^st Century Cures Act (Cures Act) and any potential intersections with the modified Privacy Rule. The Cures Act prohibits certain types of “information blocking,” which is “a practice by a health information technology (IT) developer of certified health IT, health information network, health information exchange, or health care provider that, except as required by law or specified by the Secretary of [HHS] as a reasonable and necessary activity, is likely to interfere with access, exchange, or use of electronic health information (EHI).” HealthIT.gov, Information Blocking, available at https://www.healthit.gov/topic/information-blocking. HHS has exercised its authority under the Cures Act to delineate eight categories of activities which do not constitute information blocking. See HealthIT.gov, Information Blocking Exceptions, available at https://www.healthit.gov/cures/sites/default/files/cures/2020-03/InformationBlockingExceptions.pdf. Nonetheless, the same activities which are subject to a Cures Act exception may be affected by the upcoming modifications to the Privacy Rule, and covered entities and business associates subject to both laws should revisit their Cures Act compliance assessments accordingly.