On December 10, 2020, the Department of Health and Human Services, Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to revise the HIPAA Privacy Rule. The proposed revisions to the Privacy Rule seek to amend provisions that create barriers to coordinated care “without sufficiently compensating for, or offsetting, such burdens through privacy protections.” OCR developed the proposals after reviewing the public input received in response to the December 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care. The proposals would significantly expand individuals’ rights to access protected health information (PHI), encourage additional sharing for care coordination or to assist individuals with substance use disorders in certain instances, revise the Notice of Privacy Practices (NPP) requirements, and permit disclosures to Telecommunications Relay Services (TRS).
We have summarized the major proposed revisions to the Privacy Rule below. Please note, however, that regardless of whether these proposed modifications ultimately become enacted, other applicable laws, such as state medical privacy laws and 42 C.F.R. Part 2, among others, will need to be taken into consideration.
The NPRM, if implemented into law, would significantly expand individuals’ access rights under HIPAA:
The NPRM focuses on further encouraging the engagement of covered entities, whether a health care provider or health plan, in individual-level care coordination and case management activities. OCR proposes to remove the barriers created by the current Privacy Rule to those care coordination and case management activities by:
OCR’s proposal would modify HIPAA’s NPP requirements with the goal of reducing the administrative burden that current acknowledgement requirements create for health care providers, while continuing to help individuals better understand their rights, and how to exercise them, under HIPAA. In an effort to strike this balance, OCR has proposed eliminating the requirement that certain covered entities that have a direct treatment relationship with an individual obtain, and retain copies of, written acknowledgements from that individual confirming their receipt of the NPP and replacing it with a right for the individual to discuss the NPP with a designee of the covered entity. To further support individuals’ awareness of their rights and the privacy practices of a covered entity, the NPRM additionally modifies the NPP content requirements to include an additional description and instruction as to how individuals can exercise their access rights and mandates a new, more detailed and instructive, required header. The proposed header contemplated in the NPRM would include additional specification as to what information the NPP provides to individuals with respect to their rights, and how to exercise them, and the availability of the covered entities’ designated contact person.
OCR also proposed several modifications to the Privacy Rule to encourage health care providers to disclose PHI more broadly in scenarios that involve individuals experiencing substance use disorder (SUD) or serious mental illness (SMI) and emergency situations, provided that certain conditions are met. These proposed modifications would improve the ability and willingness of covered entities to make certain uses and disclosures of PHI.
The proposed modifications would amend certain requirements concerning the use and disclosure of PHI under the Privacy Rule, including the provisions on disclosing PHI to family members and friends involved in the individual’s care, to encourage additional sharing by covered entities without fear of violating HIPAA. Specifically, the proposal would replace current language that permits covered entities to make certain uses and disclosures of PHI based on their “exercise of professional judgment” with a relatively more flexible standard permitting such uses or disclosures based on a covered entity’s “good faith belief” that the use or disclosure is in the best interests of the individual. The proposed modifications would also presume a covered entity’s good faith.
This proposal is supported by OCR’s concern that the requirement under the current rule to exercise “professional judgment” could be interpreted as limiting the permission to persons who are licensed or who rely on professional training to determine whether a use or disclosure of PHI is in an individual’s best interests.
While professional training and experience naturally inform a health care provider’s good faith belief about an individual’s best interests, a good faith belief does not always require a covered entity or its workforce member to possess specialized education or professional experience. Rather, a standard of “good faith” anticipates that a covered entity or workforce member would exercise a degree of discretion appropriate for its role when deciding to use or disclose PHI and to comply with any other conditions contained in the applicable permissions. Below are a few illustrative examples of how this proposed change would work in practice.
To better enable covered entities to prevent and lessen harm to individuals or the public, the proposed modifications would also enable covered entities to disclose PHI to avert a threat to the health or safety of a person or the public when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety. The proposed modification would permit covered entities to use or disclose PHI without having to determine whether the threatened harm is imminent (which may not be possible in some cases); instead, they may determine whether it is reasonably foreseeable that the threatened harm might occur.
OCR proposed this change to prevent situations in which covered entities decline to make uses and disclosures of PHI that they believe are needed to prevent harm or lessen threats of harm, out of concern that their inability to determine precisely how imminent a threatened harm is may subject them to HIPAA penalties for an impermissible use or disclosure. For example, under this proposal, covered entities could use or disclose PHI without having to determine whether the threatened harm is imminent (which may not be possible in some cases); instead, they may determine whether it is reasonably foreseeable that the threatened harm might occur.
OCR proposed expressly permitting disclosures to TRS communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
Although the NPRM is not yet scheduled for publication, OCR is accepting comments on it for 60 days after its publication in the Federal Register.