On December 10, 2020, the Department of Health and Human Services, Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to revise the HIPAA Privacy Rule. The proposed revisions to the Privacy Rule seek to amend provisions that create barriers to coordinated care “without sufficiently compensating for, or offsetting, such burdens through privacy protections.” OCR developed the proposals after reviewing the public input received in response to the December 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care. The proposals would significantly expand individuals’ rights to access protected health information (PHI), encourage additional sharing for care coordination or to assist individuals with substance use disorders in certain instances, revise the Notice of Privacy Practice (NPP) requirements, and permit disclosures to Telecommunications Relay Services (TRS).
We have summarized the major proposed revisions to the Privacy Rule below. Please note, however, that regardless of whether these proposed modifications are ultimately enacted, other applicable laws, such as state medical privacy laws and 42 C.F.R. Part 2, among others, will still need to be taken into consideration.
Expansions to Right of Access
The NPRM, if implemented into law, would significantly expand individuals’ access rights under HIPAA:
- Timeframe for Responding. Covered entities would need to respond to access requests “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request (instead of the current 30 calendar days).
- Form and Format Requested. The Privacy Rule currently requires covered entities to provide PHI in the form and format requested by the individual if “readily producible” in that form and format. The proposed modifications would clarify that “readily producible” includes secure, standards-based APIs using applications chosen by the individuals, such as a “personal health application.” Individuals would also have the right to take notes, videos, and photographs, or use other personal resources to view or capture PHI in person.
- Fees. Individuals inspecting or obtaining copies of their own PHI would be entitled to that access free of charge when inspecting in person or accessing PHI on the internet. OCR would continue to permit certain fees for labor, supplies, and postage, and would permit limited fees to be charged to an individual directing transmission of an electronic copy of PHI to a third party. Covered entities would be required to provide advance notice of estimated fee schedules on their websites (if they have one) for common types of requests for copies of PHI and, upon request, provide individualized estimates of fees for copies and an itemized list of actual costs for requests for copies.
- Right to Direct Copies to a Third Party. The current right of an individual to direct a copy of PHI to a third party would be limited to an electronic copy under the NPRM, to codify a previous court decision on this issue. This request would no longer need to be in writing, as long as it is “clear, conspicuous, and specific.” In addition, the proposal would require a covered entity to transmit electronic PHI in an electronic health record to another covered entity as part of the individual’s access right.
- Verification. OCR also proposed to prohibit a covered entity from imposing “unreasonable” identity verification measures on an individual. Unreasonable measures include notarization of requests, requiring the individual to provide proof of identity in person when remote verification would be practicable, or requiring completion of a full HIPAA authorization form for an access request.
Encouraging Care Coordination and Case Management Activities
The NPRM focuses on further encouraging the engagement of covered entities, whether a health care provider or health plan, in individual-level care coordination and case management activities. OCR proposes to remove the barriers created by the current Privacy Rule to those care coordination and case management activities by:
- Amending the Definition of Health Care Operations. In the current version of the Privacy Rule, some covered entities interpret “health care operations” to only encompass population-based care coordination and case management as opposed to individually-based activities as permitted under “treatment” activities. By amending the definition of “health care operations” to include individual-level care coordination and case management activities, OCR would clarify that covered entities not engaged in treatment activities, such as health plans, can engage in individual-level care coordination or case management activities.
- Creating an Exception to the Minimum Necessary Standard for Disclosures. Currently, the Privacy Rule relieves covered entities engaged in treating an individual from considering the minimum information necessary in disclosures for purposes of care coordination and case management. However, a covered entity not engaged in the treatment of an individual must adhere to the minimum necessary requirements for the same disclosures. The NPRM seeks to treat all covered entities engaging in individual-based care coordination and case management activities the same, regardless of whether performing the activities under the “treatment” or “health care operations” functions as defined by HIPAA.
- Allowing the Disclosure of PHI to Certain Third Parties. The proposed modifications permit covered entities to disclose PHI to certain third parties, including community-based organizations, home and community-based services (HCBS) providers, social services agencies, and other similar third parties providing health-related services for individual-level care coordination and case management without obtaining a valid authorization from the individual. For example, the third party could be a community-based organization engaged in addressing the social determinants of health and health risks by providing food or sheltered housing.
Updates to Notice of Privacy Practices
OCR’s proposal would modify HIPAA’s NPP requirements with the goal of reducing the administrative burden that the current acknowledgement requirements create for health care providers, while continuing to help individuals better understand their rights under HIPAA and how to exercise them. To strike this balance, OCR has proposed eliminating the requirement that certain covered entities with a direct treatment relationship with an individual obtain, and retain copies of, written acknowledgements from that individual confirming receipt of the NPP, replacing it with a right for the individual to discuss the NPP with a designee of the covered entity. To further support individuals’ awareness of their rights and of a covered entity’s privacy practices, the NPRM also modifies the NPP content requirements to add a description of, and instructions for, how individuals can exercise their access rights, and mandates a new, more detailed and instructive required header. The proposed header would specify what information the NPP provides to individuals about their rights and how to exercise them, and would note the availability of the covered entity’s designated contact person.
Revisions to Encourage Disclosures to Family Members and Other Caretakers in Certain Situations
OCR also proposed several modifications to the Privacy Rule to encourage health care providers to disclose PHI more broadly in scenarios that involve individuals experiencing substance use disorder (SUD) or serious mental illness (SMI) and emergency situations, provided that certain conditions are met. These proposed modifications would improve the ability and willingness of covered entities to make certain uses and disclosures of PHI.
Good Faith Belief
The proposed modifications would amend certain requirements concerning the use and disclosure of PHI under the Privacy Rule, including the provisions on disclosing PHI to family members and friends involved in the individual’s care, to encourage additional sharing by covered entities without fear of violating HIPAA. Specifically, the proposal would replace current language that permits covered entities to make certain uses and disclosures of PHI based on their “exercise of professional judgment” with a relatively more flexible standard permitting such uses or disclosures based on a covered entity’s “good faith belief” that the use or disclosure is in the best interests of the individual. The proposed modifications would also presume a covered entity’s good faith.
This proposal is supported by OCR’s concern that the requirement under the current rule to exercise “professional judgment” could be interpreted as limiting the permission to persons who are licensed or who rely on professional training to determine whether a use or disclosure of PHI is in an individual’s best interests.
While professional training and experience naturally inform a health care provider’s good faith belief about an individual’s best interests, a good faith belief does not always require a covered entity or its workforce member to possess specialized education or professional experience. Rather, a standard of “good faith” anticipates that a covered entity or workforce member would exercise a degree of discretion appropriate for its role when deciding to use or disclose PHI and to comply with any other conditions contained in the applicable permissions. Below are a few illustrative examples of how this proposed change would work in practice.
- A covered entity could draw on experience to make a good faith determination that it is in the best interests of a young adult patient, who is incapacitated by an overdose, mental health crisis, or other health emergency, to disclose information to a parent who is involved in the patient’s treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient’s recovery.
- An acute care facility that lacks a written designation of an emergency contact but possesses knowledge of an incapacitated patient’s designated emergency contact could disclose PHI to that contact, based on a good faith belief that the patient does not object to the disclosure.
- A covered entity could disclose the PHI of an unemancipated minor experiencing a SUD in a state or jurisdiction where applicable law does not treat the minor’s parent as a personal representative, when the provider believes in good faith that disclosing information to the parent could improve the care and treatment of the minor. This proposed standard would remove an impediment to disclosures of PHI to a parent or guardian of a minor experiencing SUD or SMI where the parent or guardian is not recognized as the personal representative of the minor under state law. At the same time, this proposal would not preempt state laws that prohibit the disclosure of sensitive information because this proposal would permit, but not require, the disclosure under HIPAA. As such, a covered entity could comply with both HIPAA and a more restrictive state law by limiting disclosures in accordance with the state law.
Serious and Reasonably Foreseeable Threat
To better enable covered entities to prevent and lessen harm to individuals or the public, the proposed modifications would also enable covered entities to disclose PHI to avert a threat to the health or safety of a person or the public when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety. The proposed modification would permit covered entities to use or disclose PHI without having to determine whether the threatened harm is imminent (which may not be possible in some cases); instead, they may determine whether it is reasonably foreseeable that the threatened harm might occur.
OCR proposed this change to prevent situations in which covered entities decline to make uses and disclosures of PHI they believe are needed to prevent harm or lessen threats of harm, out of concern that their inability to determine precisely how imminent a threat is could expose them to HIPAA penalties for an impermissible use or disclosure.
Clarification Regarding Disclosures to TRS Providers
OCR proposed expressly permitting disclosures to TRS communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
Although not yet scheduled for publication, OCR is accepting comments on the NPRM for 60 days after its publication in the Federal Register.