The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services issued proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule on December 10, 2020. The goal of the proposed regulations is to support individuals’ engagement in their care, to remove administrative barriers to coordinated care, and to reduce regulatory burdens on the health care industry. OCR also released a fact sheet about the proposed modifications, available here. The proposed regulations continue the Department’s “Regulatory Sprint,” which seeks to promote value-based health care by updating federal regulations that unnecessarily impede efforts among health care providers, health plans, and other service providers to coordinate care for individuals. The proposal follows the Department’s 2018 Request for Information, which called for comments on whether and how to modify provisions under the HIPAA rules that inhibit care coordination, case management, or value-based care. If the proposed modifications are finalized, they will likely reduce some of the administrative burdens imposed on health care providers and health plans, for example by eliminating the requirements to obtain an individual’s signature for the Notice of Privacy Practices (NPP) and to retain copies of the signature for six years. Further, in an effort to facilitate disclosures of health information to improve patients’ health outcomes, OCR is also proposing significant changes and clarifications to the rules governing an individual’s right of access to health information, as well as additional flexibility to providers in making disclosures to family and caregivers, and to third parties providing case management or care coordination services.
The following is a summary of the key highlights:
Individuals’ Right of Access to Protected Health Information (PHI): In response to complaints and comments to the 2018 Request for Information that individuals frequently face challenges in obtaining timely access to their PHI, OCR is proposing a number of modifications to strengthen individuals’ rights to access and remove barriers that may limit or discourage coordinated care, including the following:
Electronic health record means an electronic record of health related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. The definition would include electronic billing and scheduling records, because they contain health-related information. A covered entity would be required to document these electronic health records in the same way that it is currently required to document its designated record sets. The proposed rule does not define “clinicians,” but the commentary indicates that the term would include physicians, nurses, pharmacists and other allied health professionals;
This definition is intended to cover consumer-managed health applications. The regulation would not extend the protections of the Privacy Rule to personal health applications – this is just a means for delivering electronic health records to patients;
Care Coordination and Exception to the Minimum Necessary Standard: The rule currently allows covered entities to use and disclose PHI for their own health care operations, including “population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination . . . and related functions that do not include treatment.” So far as health care providers are concerned, coordinating care for individuals would typically fall under treatment; population-based activities would be health care operations.
The proposed regulation would clarify that care coordination by health plans covers both coordinating care for individual enrollees, as well as population-based activities. Because individual care coordination by health plans constitutes health care operations, it is subject to the minimum necessary rule. OCR sees this as a barrier to the exchange of health information for individual care coordination. The proposed rule would create a new exception to the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
Disclosures to Social Services Agencies: The proposed rule would modify 45 CFR 164.506(c) to add a new subsection 164.506(c)(6) that expressly permits covered entities to disclose PHI to social services agencies, community based organizations, HCBS providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management, either as a treatment activity of a covered health care provider or as a health care operations activity of a covered health care provider or health plan. Although these disclosures are already generally permitted under the existing Privacy Rule for treatment or certain health care operations, OCR explained that too many covered entities are either unaware that the Privacy Rule permits the disclosures or are uncertain about the scope of the permission to disclose and therefore often refuse to make the disclosures.
Under this provision a health plan or a covered health care provider could only disclose PHI without authorization to a third party that provides health-related services to individuals, but the new subsection clarifies that the third party does not have to be a health care provider and could instead be a provider of health-related social services or other supportive services.
Professional Judgment: To address concerns that HIPAA too often discourages health care providers from disclosing PHI when families and other caregivers of individuals are attempting to assist with health-related emergencies, substance abuse, and other circumstances in which individuals are incapacitated or otherwise unable to express their privacy preference, the proposed rule would amend five provisions of the Privacy Rule to replace the “exercise of professional judgment” standard with a standard permitting covered entities to make certain uses and disclosures based on a “good faith belief” about an individual’s best interests. The professional judgment standard, OCR explains, presupposes that a decision is made by a health care professional, such as a licensed practitioner, whereas good faith may be exercised by other workforce members who are trained on the covered entity’s HIPAA policies and procedures and who are acting within the scope of their authority. The proposed rule would also include a presumption that a covered entity has complied with the good faith requirement, absent evidence that the covered entity acted in bad faith. Together, OCR explained, these proposed modifications would improve care coordination by expanding the ability of covered entities to disclose PHI to family members and other caregivers when they believe it is in the best interests of the individual, without fear of violating HIPAA.
Threats to Health or Safety: The proposed rule would amend the Privacy Rule at 45 CFR 164.512(j)(1)(i)(A) to replace the “serious and imminent threat” standard with a “serious and reasonably foreseeable threat” standard. The amendment seeks to prevent situations in which covered entities decline to make uses and disclosures they believe are needed to prevent harm or lessen threats of harm due to concerns that their inability to determine precisely how imminent the threat of a harm is may make them subject to HIPAA penalties for an impermissible use or disclosure. The proposed modification, OCR explains, would permit covered entities to use or disclose PHI without having to determine whether the threatened harm is imminent (which may not be possible in some cases); instead, they may determine whether it is reasonably foreseeable that the threatened harm might occur. OCR further proposes to define “reasonably foreseeable” using a reasonable person standard. This standard would consider whether a similarly situated covered entity could believe that a serious harm is reasonably likely to occur, and would not require a determination that a majority of covered entities could have such a belief. However, OCR explained in defense of the new rule, the “reasonably foreseeable” standard would not permit the application of assumptions unwarranted by the individual’s diagnosis and specific circumstances.
Notice of Privacy Practices (NPP):
Disclosures for Telecommunications Relay Services (TRS): TRS is a federally mandated service that facilitates calls between individuals who are deaf, hard of hearing, deaf-blind, have a speech disability, and others. TRS facilitates calls through use of a communications assistant who relays information (including PHI) via text or video.
HHS proposes to revise the regulations to expressly permit covered entities to disclose PHI to TRS communications assistants, clarify that a business associate agreement is not needed, and exclude TRS providers from the definition of a business associate.
Disclosing PHI of Uniformed Services Personnel: The current regulations permit covered entities to use and disclose PHI of Armed Forces personnel under certain conditions. HHS proposes to expand this provision to include all uniformed services, including the U.S. Public Health Services Commissioned Corps and National Oceanic and Atmospheric Administration Commissioned Corps.
Once the proposed regulations are published in the Federal Register, the public comment period will be open for 60 days. Given this timeline, the incoming Administration will be responsible for finalizing the regulations, though it may want to put its mark on them before doing so.
***
For more information, please contact Amy Joseph in Boston, Andrea Frey, Steve Phillips or Paul Smith in San Francisco, Linda Kollar or Alicia Macklin in Los Angeles, or your regular Hooper, Lundy & Bookman contact.