On December 10, 2020, the Department of Health and Human Services (the Department) issued a Notice of Propose Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
· In response to complaints and in furtherance of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the NPRM proposes to enhance individuals’ right to access their Protected Health Information (PHI) and requires covered entities to implement corresponding modifications to policies, procedures, and Notices of Privacy Practices (NPPs).
· The proposals in the NPRM also facilitate the sharing PHI in certain instances, particularly for purposes of care coordination and case management.
· Comments on the NPRM are due 60 days after the NPRM is published in the Federal Register.
Right of Access
Inspection and Copying Rights
The NPRM would add a new right that would enable individuals to take notes, videos, and photographs, and use other personal resources to view and capture PHI in their designated record set. Moreover, the NPRM would require that when the PHI is readily available at the point of care in conjunction with a health care appointment, a covered health care provider is not permitted to delay the right to inspect PHI.
Procedures and Timeliness
The NPRM would clarify that while a covered entity may require individuals to make requests in writing, it may not do so in a way that impedes access. The NPRM also modifies the HIPAA Privacy Rule to require that access be provided as soon as practicable and in no case later than 15 calendar days after receipt of the request, with the possibility of one 15 calendar day extension.
API Access
The NPRM proposes that where another state or federal law applicable to the covered entity requires access in a particular form and format, the PHI is deemed readily producible in such form and format. The Department clarifies that, with respect to the ONC’s information blocking rule under the 21st Century Cures Act, this would mean that if a covered health care provider refused to provide an electronic copy of PHI in response to a request for access via a secure API, despite the provider’s having implemented a secure API established within the provider’s EHR for the purpose of complying with the ONC rule, the provider would be in violation of HIPAA.
Right to Direct Copies of PHI to Third Parties
The right of an individual to direct transmission of electronic copies of their PHI in an EHR to a third party was established by the HITECH Act. The NPRM codifies the limits of that right, as established by Ciox v. Azar, by limiting that right to electronic copies of PHI in an EHR. A covered health care provider would be required to respond to an individual’s request to direct an electronic copy of PHI in the EHR to a third party when the request is clear, conspicuous, and specific, which would allow individuals to use an internet-based method including personal health applications. The NPRM also proposes that if an individual requests that a covered health provider or health plan obtain electronic PHI from a covered health care provider, the recipient of that request is required to submit it on the individual’s behalf as soon as practicable, but no later than 15 calendar days after receipt.
Fees for Access to PHI and ePHI: Notice of Fees
The NPRM proposes to modify the access fee provisions such that in-person inspection and internet-based methods of access, including using certified API technology, would be free for individuals and other access to electronic PHI would be limited to a cost-based fee based on labor costs. In addition, the NPRM would require that covered entities provide notice of approximate fees for copies of PHI online if they have a website.
Identity Verification
In response to complaints received by the Department, the NPRM proposes to expressly prohibit covered entities from imposing unreasonable identity verification measures on an individual, or his or her personal representative, exercising a right under the HIPAA Privacy Rule. Notably, the Department indicates that requiring individuals to obtain notarization or complete a form as extensive as a HIPAA authorization may impose an unreasonable burden.
Definitions of EHR and Personal Health Application
In order to implement key privacy provisions of the HITECH Act, the NPRM proposes definitions for electronic health record (EHR) and personal health application. The definition of EHR proposed by the Department is not limited to clinical data and could include billing and other data. As defined by the Department, a personal health application is not acting on behalf of or at the direction of covered entity and therefore would not be subject to HIPAA and may or may not be a personal health record, as that term is defined by HITECH.
Information Sharing
Definition of Health Care Operations Includes Care Coordination
In response to uncertainty about whether the care coordination activities were included in the definition of “treatment” or “health care operations,” or both, the NPRM proposes to clarify that the definition of health care operations includes all care coordination by health plans, whether the care coordination is individual, or population based.
Exception to Minimum Necessary Standard for Care Coordination and Case Management
The NPRM proposes to add an express exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management at the individual level.
Permitted Disclosures to Health-Related Services Providers for Care Coordination and Case Management
While acknowledging that such disclosures of PHI are already permitted, the NPRM proposes to add a new subsection that would expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home and other similar service providers for individual level care coordination and case management.
“Good Faith Belief” Replaces “Exercise of Professional Judgment”
To encourage covered entities to use and disclose PHI more broadly, particularly when families and other caregivers assist with health-related emergencies, substance use disorders, and serious mental illness, the NPRM proposes to replace the “exercise of professional judgement” with “good faith belief” as the standard for covered entities’ making certain uses of PHI in the best interest of the individual. Further the NPRM proposes establishing a presumption that the covered entity has complied with the good faith requirement, absent evidence that the covered entity acted in bad faith.
“Serious and Foreseeable Threat” Replaces “Serous and Imminent Threat”
With the aim of improving the timeliness of disclosures of PHI to lessen threats to public health or safety, the NPRM proposes to replace the “serious and imminent threat” standard with “ serious and reasonably foreseeable threat” standard.
Notice of Privacy Practices (NPP)
NPP Procedures
To reduce administrative burdens, the NPRM would eliminate the requirement that covered entities that are health care providers with a direct treatment relationship to an individual obtain their written acknowledgement of having received the provider’s NPP. If the written acknowledgement is not obtained, the provider may document its good faith effort and reason for not obtaining the acknowledgement.
NPP Content
In connection with the proposed modifications to the right of access and the limitation of the right to access not including the requests to direct to third parties of PHI that are not ePHI in an EHR, as discussed above, the NPRM would modify the required header of the NPP to include information about: how to access their health information; file a HIPAA a complaint; and the right to review a copy of the NPP and discuss its contents with a designated person. The NPRM, would also require that covered entities revise their NPP to describe how an individual can exercise their right to access to obtain a copy of their health information at limited cost or, in some cases, free of charge and the right to direct a covered health care provider to transmit an electronic copy of PHI in an EHR to a third party.
Other Notable Clarifications and Proposed Changes
Disclosures of PHI to Telephone Relay Services
The NPRM proposes to expressly permit covered entities, and their business associates, to disclose PHI to Telecommunications Relay Services (TRS) communications assistants and excludes TRS providers from the definition of business associate.
Permitted Uses and Disclosures of PHI for All Uniformed Services
In response to a joint comment from the U.S. Public Health Service and the National Oceanic and Atmospheric Administration, whose Uniformed Services personnel must meet medical readiness standards, the NPRM would expand the current Armed Forces permission for covered entities to use and disclose PHI for mission requirements and veteran eligibility to all Uniformed Services.