The proposed modifications are intended to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry,” according to the HHS press release announcing the proposed modifications. The press release further states that the Notice is part of HHS’s Regulatory Sprint to Coordinate Care, a transformation agenda aimed at promoting value-based healthcare by reforming and removing regulatory barriers that impede coordinated healthcare among providers, health plans, and the patients themselves.5
Recent advancements in technology and information management practices, as well as evolving work environments (e.g., telehealth), have underscored inefficiencies and challenges within the existing Privacy Rule, as drafted. In recent years, HHS’s Office for Civil Rights (OCR)6 has been called upon to revisit portions of the Privacy Rule that limit information sharing and impede coordinated care. These issues have become increasingly important aspects of providing quality care to patients, particularly given large-scale health crises such as the opioid and COVID-19 public health emergencies.7
These proposed changes to the Privacy Rule are hardly a surprise. While HHS previously favored issuing HIPAA guidance to address issues or clarify ambiguities when they surfaced, in December 2018 OCR published a Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (Request), seeking information from the public for consideration during the rule modification drafting process.8 After examination of public input received through the Request, HHS published its Notice proposing changes intended to improve the quality of care and reduce burdens on covered entities, while maintaining privacy protections for individuals’ health information.9
Heads Up: What’s in the Proposed Rule?
According to HHS, the proposed modifications aim to strengthen individuals’ rights to access their health information, promote coordinated care among providers, and allow increased flexibility for health information disclosures in emergency and life-threatening situations. The modifications also aim to amend parts of the Privacy Rule that may pose unnecessary barriers to effective, coordinated healthcare and would alleviate some of the administrative burdens faced by those required to comply with the Privacy Rule.
Change typically creates both opportunities and challenges, and this proposed change is no different. The Notice proposes modifications that will affect the roles of all parties when it comes to healthcare services and handling protected health information (PHI).10 Key proposed modifications to the Privacy Rule that could change the obligations of covered entities and business associates include:
- Strengthening individuals’ rights to inspect their PHI, including taking notes or using personal resources to access and capture their PHI;11
- Shortening the time period for covered entities to respond to an individual’s request for access to their PHI to 15 calendar days, with an option to extend for 15 additional calendar days (as opposed to the 30-day response period and option for 30-day extension currently in place);12
- Requiring covered healthcare providers and health plans to, at the direction of the individual, respond to requests for certain records from other covered entities;13
- Reducing the identity verification burdens individuals face when exercising their rights to access PHI (which is especially important with recent increases in telemedicine and remote care options);14
- Expanding the circumstances under which covered entities can disclose PHI to avert a “serious and reasonably foreseeable” threat to the health and safety of an individual;15
- Requiring covered entities to make estimated fee schedules available through their websites for right of access requests;16
- Requiring covered entities to provide individualized fee estimates for a request for copies of PHI, as well as providing itemized bills for completed PHI requests;17
- Clarifying the scope of permitted PHI disclosures and requests for individual-level care coordination by creating an exception to the “minimum necessary” standard currently in place for the exchange of PHI between covered entities or business associates;18 and
- Adding and clarifying definitions for terms, including “electronic health record,” “personal health application,” “health care operations” and “business associate.”19
Certain modifications listed above are designed to reduce the compliance burden on healthcare providers, health plans, and healthcare clearinghouses, among other covered entities. For example, covered entities will have a heightened ability (and even a new obligation) to share PHI when coordinating individual care with other covered entities. Further, the proposed new rule expands the circumstances under which a covered entity may disclose PHI based on the covered entity’s “professional judgment” or during an emergency situation, allowing providers to give appropriate care in the best interests of the individual and in life-threatening situations.
The modifications may present compliance challenges, as well. For example, the new rule will shorten the time for covered entities to respond to individuals’ requests for PHI. Covered entities will be required to provide additional disclosures to individuals regarding their PHI rights, publish general fee structures, and provide individualized fee estimates for fulfilling requests for PHI.20 Planning early for implementation will minimize such challenges.
When Must Covered Entities and Business Associates Come into Compliance?
Upon closure of the public comment period on May 6, 2021, HHS began its review of all public comments and will publish a final version of the new rule in the Federal Register, along with an effective date.21 HHS had the option to again extend or reopen the public comment period if it did not receive enough high-quality comments or if it identified another reason to provide more time for public comment, but it did not do so.
What are Covered Entities and Business Associates to Do?
Now is an important time for covered entities and business associates to prepare for change. There appears to be general cross-sector and bipartisan support for an update to the Privacy Rule, though there will very likely be areas of concern and disagreement expressed in the public comments. Indications are strong that the HIPAA Privacy Rule will be modified in a form that is similar to the new rule as currently proposed in the Notice, although there may be substantive adjustments based on public comments. Covered entities (such as healthcare providers and health plans) and business associates subject to the HIPAA Privacy Rule and their counsel can begin preparing now for compliance with these potential modifications.
A few best practices to consider during the ramp-up period:
- Determine whether, and to what extent, proposed modifications to the Privacy Rule will impact the healthcare operations of the organization. Affected stakeholders may include any covered entity or business associate, including physicians and other healthcare providers, health plans, consumer advocates, healthcare professional associations, and health information technology vendors.
- Stay up to date regarding the proposed modifications, especially after the public comment period closes and a new final rule (including effective date) is announced. This ramp-up period is critically important to ensure that covered entities and business associates are prepared to comply as of the effective date.
- Analyze current HIPAA privacy practices. Develop a plan to identify compliance gaps and revise HIPAA policies and procedures as necessary and in a timely manner once the new rule is finalized. Also consider the manner in which the new HIPAA Privacy Rule may interact with other privacy-related obligations, such as those imposed by state, federal, or international law or by contract.22
Just as HIPAA makes privacy a prerequisite for patient care, planning for change is an essential prerequisite for successfully navigating the transition to the new HIPAA Privacy Rule.
This article should not be construed as legal advice or legal opinion. The content is intended for general informational purposes only.