On December 10, 2020, the Office for Civil Rights (OCR) of the HHS proposed modifications to the HIPAA Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) (collectively the proposed rule). The Notice of Proposed Rulemaking, found here, was published on January 21, 2021. HHS is soliciting comments on the proposed rule until May 6, 2021.
The proposed rule was introduced as part of former HHS Deputy Secretary Eric Hargan's Regulatory Spring to Coordinated Care, which focused on reducing regulatory burdens on care coordination and also promoted the importance of value-based healthcare. Through this initiative, HHS also updated the Confidentiality of Substance Use Disorder Patient Records regulation (42 CFR Part 2) as well as Stark Law and Anti-Kickback Statute regulatory reforms.
To achieve better care coordination, the proposed rule includes the following revisions:
To facilitate the disclosure of protected health information (PHI) for individuals undergoing certain health-related emergencies, including behavioral health-related crises, the standard for determining whether disclosure is appropriate in certain situations changes from "professional judgment" to "good faith." HHS noted that the good-faith standard is not as limiting as the professional judgment standard.
To expand the ability of covered entities (CEs) to disclose PHI to prevent or stop a threat to health or safety, the proposed rule lessens the harm standard from "serious and imminent" to "serious and reasonably foreseeable." According to HHS, the proposal eliminates the burden of having to determine whether a threat is imminent, which may be a hard determination for many CEs to make.
To promote care coordination and eliminate confusion, the definition of "health care operations" was modified to include care coordination and case management for individuals. Similarly, the proposed rule includes an exception to the minimum necessary standard for care coordination and case management for individuals.
To permit PHI to be shared with community-based and social services organizations, CEs' ability to share PHI with certain third parties is clarified, including the express permission for CEs to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and other organizations that provide or coordinate health-related services needed for care coordination and case management with respect to individuals.
To increase or enhance individuals' rights to access their own health information:
a. Shorten the time required for CEs to respond to individuals' request for their PHI from 30 to no later than 15 calendar days upon receipt of a request.
b. Permit individuals to control sharing of their PHI via an electronic health record among covered health care providers and health plans by requiring such providers and plans to submit an individual's access request to another provider and to receive the requested electronic copies back in the electronic health record.
c. Enhance individuals' right to inspect their PHI in person by permitting individuals to take notes or use other resources to view and capture images of their PHI, including using a mobile phone to take pictures of their PHI.
d. Clarify the form and format required to respond to individuals' request for their PHI.
e. Reduce the requirements for verifying individuals' identity when such individuals exercise their access rights.
f. Specify when electronic PHI must be provided free of charge.
g. Require CEs to display estimated fee schedules for a right-of-access request and for valid authorization disclosures on the CEs' webpages.
h. Require CEs to provide individuals, upon request, with an itemized bill for completed requests for PHI.
i. To reduce administrative burden, eliminate the requirement for CEs to obtain individuals' written acknowledgment of receipt of the CE's notice of privacy practices. Similarly, CEs will no longer need to retain copies of an individual's acknowledgment for six years.
j. To ensure that individuals understand how to access their PHI, modify the notice of privacy practices content requirements, including amending required headings.
k. To provide for disclosures to entities providing accessible services, CEs are expressly permitted to disclose PHI to telecommunications relay services communications assistants. This will ensure that individuals, CEs and business associates are able to share PHI as permitted by HIPAA without the worry of involving a telecommunications relay services assistant. Specifically, the definition of "business associate" is modified to exclude telecommunications relay services providers.
l. To better align the permitted uses and disclosures related to armed forces personnel with those of the uniformed services, CEs will be permitted to use and disclose PHI of U.S. Public Health Services Commissioned Corps and the National Oceanic and Atmospheric Administration Commissioned Corps in the same manner as those of armed forces personnel.
We are continually monitoring the proposed rule and are poised to assist you with compliance efforts when the proposed rule becomes final.
Would you like to receive our Day Pitney C.H.A.T. Newsletter? Sign up here.
Day Pitney Healthcare Attorneys Shannon K. Cohall and Susan R. Huntington authored the article, "New Warning for Providers: U.S. Department of Health and Human Services Issue New Guidance on Data Risks Associated with Websites and Portals," for The Journal of Federal Agency Action.