December 21, 2020

OCR Proposes Substantial Changes to HIPAA Privacy Rule

On December 10, 2020, as part of its Regulatory Sprint to Coordinated Care, the Department of Health and Human Services Office for Civil Rights (OCR) issued a notice of proposed rulemaking to modify the HIPAA Privacy Rule. The modifications seek to remove barriers that may hinder communications between providers and health plans to better coordinate care. The proposed changes also seek to give patients increased access to their protected health information (PHI) and make it easier for them to share information. We have provided a summary of those modifications that will help OCR achieve these initiatives.

Strengthening Individuals’ Right of Access

Timeframe Responses. After spending the last year focusing on individuals’ rights to access their PHI through enforcement actions, OCR is continuing this trend by proposing a variety of modifications to the access right. Specifically, the proposed rule decreases the timeframe to respond to a request for PHI from 30 days with the option for a 30-day extension to 15 days with an optional 15-day extension.

Form and Format Requests. OCR also seeks to clarify the form and format in which individuals can request access to their PHI. Currently, HIPAA mandates that covered entities provide PHI in a form and format requested by an individual if “readily producible” in that specific form and format. Clarifying what this term means, the proposed rule explains that “readily producible” includes secure, standards-based APIs using applications selected by individuals. Additionally, individuals would be permitted to do things like take notes, photographs and videos to view and capture their PHI while in person.

Verification Process. The proposed rule seeks to prohibit covered entities from imposing unreasonable identity verification measures on individuals exercising their rights under HIPAA, such as mandating that individuals seek notarization for requests or requiring individuals to complete a HIPAA authorization for access requests.

Fees. OCR seeks to clarify what covered entities may charge when responding to an access request, specifying that individuals accessing or obtaining copies of their PHI on the internet can do so free of charge. However, OCR will continue to allow certain fees for labor, supplies and postage, and when individuals direct that an electronic copy of PHI be sent to a third party. Notably, covered entities would have to provide advance notice of estimated fee schedules on their websites, if they maintain one, with respect to right of access requests and for disclosures with a valid authorization.

Right to Direct Copies to a Third Party. Codifying a recent court decision, an individual’s right to direct a copy of PHI to a third party is limited to an electronic copy of that information. Further, when individuals request that their PHI be sent from one covered entity to another, the covered entity disclosing the PHI must adhere to this request under the individual access right.

Encouraging Care Coordination and Case Management Activities

Definition of Health Care Operations. Over time, OCR has received feedback that some covered entities interpret the existing definition of health care operations to include only population-based care coordination and case management activities, and to exclude individually focused care coordination and case management. The proposed rule therefore seeks to clarify the definition of health care operations to include all care coordination and case management by health plans, whether individual-level or population-based.

Minimum Necessary Standard. OCR proposes to add an exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management at the individual level. OCR hopes this proposed change would relieve covered entities from the need to determine the minimum information necessary in the exchange of information between health care providers and health plans when the exchange is in support of individual-level care coordination and case management activities.

Disclosure of PHI to Third Parties. Because some parties believed it was necessary to obtain authorization from an individual to share information with third parties which are part of a broader treatment plan, OCR is proposing to explicitly permit covered entities to disclose PHI to social service agencies and community-based organizations providing health-related services for individual-level care coordination and case management. These disclosures would not require an authorization and could only be made to a third party providing health-related services to individuals.

Updating Notice of Privacy Practices

To reduce an administrative burden for covered entities, the proposed rule eliminates the requirement that certain covered entities obtain an individual’s written acknowledgement of receipt for the covered entity’s Notice of Privacy Practices (NPP) and maintain that acknowledgment for six years.

The proposed rule also modifies some of the content requirements for NPPs to assist individuals in better understanding their rights under HIPAA. Specifically, OCR proposes to modify the NPP content requirements to include a header providing instructions on how individuals can access their PHI, the process to file complaints, and the right to receive a copy of the NPP and discuss it with a designated person at the covered entity.

Facilitating PHI Disclosures during Emergencies

To facilitate disclosures of PHI when assisting individuals in the event of an emergency or health crisis, OCR proposes to modify the standard for disclosures in these instances. Currently, covered entities are permitted to make these disclosures based on their “professional judgement.” OCR proposes to adopt a less stringent standard based on a covered entity’s “good faith” belief that the disclosure is in the individual’s best interest. Further, the proposed rule would replace the “serious and imminent threat” standard with the less stringent “serious and reasonably foreseeable threat” standard when making a disclosure relating to a health safety threat.

OCR encourages comments from all stakeholders, with public comments due 60 days after the proposed rule’s publication in the Federal Register. Thereafter, OCR may revise the proposed rule as it responds to comments, and the changes would be effective 60 days after being finalized and published in the Federal Register, followed by a period of up to six months for affected covered entities to come into compliance. If you have any questions regarding these proposed modifications, please contact one of our team members below.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.
