Proposed HIPAA Privacy Rule Amendments

The Department of Health and Human Services (HHS) published a new Notice of Proposed Rulemaking (NPRM) on January 21, 2021, which is currently open for comment until March 21, 2021. This proposed rule constitutes the most recent step in HHS’s “Regulatory Sprint to Coordinated Care,” and is intended to improve care coordination and case management by amending provisions of the HIPAA Privacy Rule to remove unnecessary barriers and increase permissible disclosures of Protected Health Information (PHI). The major proposed amendments are listed below:

• Strengthening individuals’ rights to inspect their PHI in person by enabling individuals to take notes, videos, or photographs to view and capture images of their PHI. Physical access to PHI must be provided without imposing a fee. When PHI is readily available at the point of care in conjunction with a health care appointment, a covered health care provider is not permitted to delay the right to inspect.

• Adding an explicit requirement that covered entities refrain from imposing unreasonable measures on an individual exercising their right of access that create a barrier to or unreasonably delay the individual’s access (e.g., accepting requests to access only through an online portal, only in person, or only in paper form; or using a request-to-access form that requires more information from the individual than is necessary to complete the request).

• Shortening covered entities’ time to respond to individual requests from the current 30 days to “as soon as practicable,” but no later than 15 calendar days. Covered entities would additionally have the opportunity to extend the response time by no more than 15 calendar days (shortened from the current 30-day extension), but to use the extension they must have a policy in place to address urgent or high-priority requests.

• Requiring covered entities to inform individuals that they retain the right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.

• Providing that an individual need only make a clear, conspicuous, and specific request, whether orally, in writing, or electronically, to direct an electronic copy of PHI to a third-party designee.

• Creating a pathway for individuals to direct the sharing of PHI in an Electronic Health Record (EHR) among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR. The requester, acting on behalf of the individual, must submit the individual’s request to the other party as soon as practicable, but no later than 15 calendar days after receipt of the request. Covered health care providers and health plans would be required to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access.

• Establishing a fee structure covering categories of access for which covered entities cannot charge a fee and describing the costs that may be included when an access fee is permitted.

• Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

• Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.

• Expressly permitting covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, without authorization, to facilitate coordination of care and case management for individuals.

• Encouraging health care providers to disclose PHI to family and other caregivers of individuals in relation to health-related emergencies, Substance Use Disorders, and Serious Mental Illness by replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures to be based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.

• Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current, stricter standard which requires a “serious and imminent” threat to health or safety.

• Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP), the requirement to document good faith efforts to obtain acknowledgment, and the requirement to retain any such documentation for 6 years.

• Modifying the required header of the NPP to specify that the notice provides information about how to access health information, how to file a HIPAA complaint, and individuals’ right to receive a copy of the notice and to discuss its contents with a designated person. This requirement would apply to all health care providers, not just those with direct treatment relationships with individuals.

• Expressly permitting all disclosures relating to any covered functions performed by, for, or on behalf of covered entities to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and clarifying that a TRS communications assistant is not a business associate and a Business Associate Agreement is not required.

• Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.

See Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 FR 6446 (2021).