Healthcare Reform

HHS Office for Civil Rights Proposes Modifications to the Privacy Rule under HIPAA


On Dec. 10, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released the long-awaited Notice of Proposed Rulemaking (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

As a critical part of the HHS Regulatory Sprint to Coordinated Care, the HIPAA changes in this NPRM aim to address burdens that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities, while continuing to protect the privacy and security of individuals’ protected health information (PHI).

HIMSS commends HHS and OCR for meeting the objectives set out at the onset of the Regulatory Sprint as outlined by HHS Deputy Secretary Eric Hargan.

OCR’s Proposed Regulation also builds on its 2018 Request for Information, which HIMSS commented on in early 2019. Overall, OCR’s proposal codifies and clarifies many of the flexibilities that already exist within HIPAA and should help overcome some of the historically conservative practices of health system stakeholders, practices adopted in response to actions that could potentially have led to privacy violations.

The Regulation also takes steps to remove barriers that may limit or discourage coordinated care or case management among covered entities and individuals, or that otherwise impose regulatory burdens.

OCR proposed several key modifications in this Regulation related to the Individual Right of Access and to the standards for certain disclosures. In addition, OCR included provisions on promoting information disclosure for care coordination and case management, permitted fees, promoting parental and caregiver involvement, addressing the opioid crisis, and the Notice of Privacy Practices (NPP).

The specifics from OCR’s Proposed Regulation include:

  • Strengthen the Access Right to Inspect and Obtain Copies of PHI

    • OCR is requesting comments on a proposal to add a new right that generally would enable an individual to take notes, videos, and photographs, and to use other personal resources to view and capture PHI in a designated record set, as part of the right to inspect PHI in person.

  • Modify the Implementation Requirements for Requests for Access and Timely Action in Response to Requests for Access

    • This proposal expressly prohibits a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier to, or unreasonably delay, the individual obtaining access.

    • In terms of timeliness, in order to strengthen an individual’s right of access to their PHI in a designated record set, the proposal requires that access be provided “as soon as practicable,” but no later than 15 calendar days after receipt of the request, with the possibility of one 15-calendar-day extension.

      • Where another federal or state law requires a covered entity to provide an individual with access to the requested PHI in less than 15 calendar days, the Privacy Rule’s proposal would deem that shorter time “practicable.”

  • Address the Form of Access

    • The HIPAA Privacy Regulation requires a covered entity to provide an individual with access to their PHI in the form and format requested, if readily producible in that form and format. If that form and format is not readily producible, the individual must be provided with their PHI in a readable hard copy form, or in another form and format as agreed to by the covered entity and the individual.

    • OCR proposes that if another federal or state law requires an entity (which may include a business associate acting on behalf of a covered entity) to implement a technology or policy that would have the effect of providing an individual with access to his or her PHI in a particular electronic form and format, that form and format would be deemed “readily producible” for compliance purposes when fulfilling requests for PHI under HIPAA.

  • Address the Individual Access Right to Direct Copies of PHI to Third Parties

    • Under the proposal, requests to direct copies of PHI to a third party will be limited to electronic copies of PHI in an electronic health record (EHR), expanding the access right to empower individual-directed sharing of electronic copies of PHI.

    • OCR discusses how HHS encourages covered health care providers, when feasible, to provide copies to third parties in the electronic format requested by the individual. In addition, the Regulation points out that there are many formats in which electronic PHI (ePHI) can be saved and transmitted that are accessible, readable, and usable by a third party designated by an individual to receive the individual’s PHI.

  • Adjust Permitted Fees for Access to PHI and ePHI

    • OCR is proposing a reasonable, cost-based fee for an access request that directs a covered health care provider to transmit an electronic copy of PHI in an EHR to a third party through a method other than an internet-based one. The only costs allowed are the cost of labor for copying the PHI requested; supplies for creating the copy (e.g., paper, electronic media); postage for mailing the copy to the individual; and, if agreed to by the individual, preparation of an explanation or summary of the PHI.

    • OCR is proposing that no fees are permitted when an individual inspects PHI in person, including taking notes or photographs, or using other personal resources to view or capture the information.

  • New Definitions for EHR and Personal Health Application

    • The Privacy Rule currently does not define the term “EHR.” OCR is proposing to add a definition of EHR that expands on the HITECH Act definition to clarify some of its terms:

      • EHR means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals, such as physicians, nurses, pharmacists, and other allied health professionals. For purposes of this paragraph, “health-related information on an individual” covers the same scope of information as the term “individually identifiable health information.”

    • OCR also believes it is necessary to define a new term in the Privacy Rule, “Personal health application” (or “personal health app”), by drawing on the definition of a personal health record in the HITECH Act:

      • Personal Health App is defined as an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.

      • The Proposed Regulation notes that a personal health app is not acting on behalf of, or at the direction of, a covered entity, and therefore would not be subject to the privacy and security obligations of the HIPAA Rules. However, HHS supports providing individuals with information that will assist them in making the best choices for themselves when selecting a personal health application or other applications that are not provided on behalf of or at the direction of a covered entity.

  • NPP

    • This proposal eliminates the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s NPP.

OCR also proposes to amend certain existing standards to encourage disclosures of PHI when needed to help individuals experiencing substance use disorder (including opioid use disorder) or serious mental illness, and in emergency circumstances.

In the Regulation, the agency proposes the following changes:

  • An exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures

    • This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.

  • OCR also proposes replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment.”

    • The new standard permits such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.

  • Finally, OCR proposes expanding the ability of covered entities to disclose PHI to avert a threat to health or safety.

    • Such a disclosure would be permitted when a harm is “serious and reasonably foreseeable,” instead of under the current stricter standard, which requires a “serious and imminent” threat to health or safety.

HIMSS foresees that the proposed amendments to these standards will require further clarification and interpretation. As these changes attempt to lower the barriers to information sharing, HIMSS wants to ensure clarity around what is necessary, so as to avoid a fragmented interpretation of the standards that could lead to further confusion and hesitation on the part of providers. We want to ensure this Proposed Regulation does not trigger any unintended consequences that lead to hesitation around accepting these new flexibilities.

This Proposed Regulation is expected to be published in the Federal Register soon. With a 60-day comment period, HIMSS will continue analyzing the proposal and submit comments by the due date. Look to HIMSS for further information on this Proposed Regulation.
