Department of Health and Human Services Announces Proposed Changes to the HIPAA Privacy Rule

RELATED: HIPAA Privacy Rule Changes Coming in 2023: Five Steps to Prepare (May 3, 2023)

On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).

The proposed rule is part of HHS’ Regulatory Sprint to Coordinated Care, which seeks to promote value-based healthcare by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients. Specifically, HHS aims to amend the regulations implemented pursuant to HIPAA and HITECH where the rules present barriers to coordinated care and case management or where they otherwise impose burdens on covered entities that do not increase individuals’ privacy protections.

Executive Summary

1. If HHS finalizes the proposed rule, HIPAA covered entities (including hospitals, physicians and other healthcare providers, payors and insurers) and business associates will be required to update their policies, procedures, security standards, notices of privacy practices (NPP), authorization and disclosure forms, and business associate agreements, among other things, to reflect the modifications made by the proposed rule.
   
   
2. The proposed rule would give providers more flexibility in disclosing protected health information (PHI) to provide care to their patients, including encouraging providers to engage in a greater degree of care coordination.
   
   
3. Covered entities interested in providing comments to the proposed rule must submit them on or before March 22, 2021.

Key Proposed Changes

1. Removes Patient Acknowledgement of NPP. The proposed rule would eliminate the requirement that a covered entity obtain an individual’s signature or acknowledgment of receipt of the NPP. Instead, the proposed rule would replace this requirement with an individual’s right to discuss the NPP with a person designated at the covered entity.

The proposed rule also would modify the content of the NPP. The modifications would include revising the NPP header to include information on how individuals can access their health information, file a HIPAA complaint and contact a designated individual to ask questions.

2. Revises Minimum Necessary Standard. HHS proposed removing the minimum necessary requirement when healthcare plans or providers make disclosures for care coordination and case management at the individual level. For example, when a health plan requests that a healthcare provider disclose an individual’s PHI for care coordination to facilitate an individual’s participation in the plan’s wellness program, the healthcare provider could disclose the PHI without analyzing whether the disclosure meets the minimum necessary standard.

3. Allows for Disclosures Related to Care Coordination and Case Management. The proposed rule would clarify that covered entities may disclose PHI to entities that coordinate “ancillary and health-related” services. These ancillary and health-related services could include social services agencies, community-based organizations, home- and community-based service providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management. HHS believes this change would facilitate greater wraparound support for individuals, particularly when it is difficult to contact an individual for authorization (e.g., when the individual is homeless).

4. Broadens Allowable Disclosures for Health Emergencies. HHS proposed broadening the allowed disclosure of PHI for the care and treatment of individuals experiencing substance abuse disorders, serious mental health issues and other health emergencies. Specifically, if the proposed changes are finalized, covered entities would be permitted to disclose PHI if there is a “serious and reasonably foreseeable threat” instead of the current standard of a “serious and imminent threat.” Further, the proposed rule would replace “exercise of professional judgment” with “good faith belief” as the standard for when covered entities need to disclose PHI in the best interest of individuals.

5. Expands Individuals’ Rights to Access Their PHI. The proposed rule would strengthen individuals’ rights to access their own PHI by expanding how individuals can retrieve their PHI and decreasing the time allotted to covered entities to respond to individuals’ requests for their PHI. HHS proposed allowing individuals to take notes, videos and photographs, and use other personal resources to view and capture PHI as part of their right to inspect PHI in person. HHS noted, however, that it would not expect a covered entity to tolerate unacceptable security risks, such as allowing individuals to connect a thumb drive to the covered entity’s information system.

HHS also proposed to modify the longstanding access rules to require covered entities to provide individuals with access to their PHI “as soon as practicable,” but in no case later than 15 days, with the possibility of one 15-day extension. The 15-day deadline would replace the current 30-day deadline with one 30-day extension. Regardless, covered entities should always review applicable state law, as many states impose shorter time limits for granting individuals’ access to their PHI.

6. Modifies Fees Charged for Access to PHI. The proposed rule would clarify when PHI must be provided to individuals at no charge and amend the fee charged when a covered entity responds to an individual’s request to direct records to third parties. The proposed rule would also require covered entities to post fee schedules on their websites and, upon request, provide individualized fee estimates and itemized bills in response to an individual’s request for copies of his or her PHI.

7. Adds Definitions for Key Terms. HHS proposed adding definitions for “Electronic Health Record” (EHR) and “Personal Health Application.” These definitions may impact how HIPAA applies to EHRs and applications that individual patients use to share their data.

McGuireWoods will continue to monitor the proposed rule. For additional information on privacy and security of health information and HHS’ Regulatory Sprint to Coordinated Care, see McGuireWoods’ previous alerts and insights.