HIPAA for the Holidays: How OCR’s December HIPAA Notice of Proposed Rulemaking Could Impact Covered Entities
In case privacy lawyers did not have enough to keep up with over the holiday season (as we’ve mentioned, there’s already plenty to keep up with in Europe and California), HHS’s Office for Civil Rights recently issued a Notice of Proposed Rulemaking (“NPRM”) to revamp the HIPAA Privacy Rule.
As the NPRM is a holiday gift that you cannot return, we present this post highlighting its key changes, which include an overhaul of access rights and various new patient disclosure requirements.
- Key Changes to Access Rights, Including Reducing Response Deadline to 15 Days and Creation of New Access Rights
The NPRM would require significant operational, policy, and procedure adjustments by reducing the timeline to respond to access requests from 30 calendar days to 15 calendar days. The proposal would permit a conditional one-time 15-day extension of the deadline if the covered entity is unable to respond within 15 days. That extension would only be available if the covered entity (i) provides the individual a written statement of reasons for the delay and a specific date for responding to the request; and (ii) implements a policy to prioritize “urgent or otherwise high priority requests” to limit the need to use the 15-day extension period.
Besides shortening the timeframe in which covered entities can respond to access requests, the NPRM would also require covered health care providers to disclose any PHI in an electronic health record to a third party at an individual’s request. Individuals would also have the right to direct a covered health care provider or health plan to submit requests for the individual’s electronic health record PHI to separate health care providers and to receive the requested copies for the individual.
Covered entities would also have to fulfill an individual’s request to access their PHI through a personal health application to the extent the information is “readily producible to or through such application.” “Personal health application” would be defined as “an electronic application used by an individual to access health information about that individual, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.”
The NPRM would also add more specificity around individuals’ rights to inspect PHI in a designated record set by adding a provision stating that the right to inspect generally “includes the right to view, take notes, take photographs, and use other personal resources to capture the information.” Another proposal would also provide that a covered health care provider could not delay fulfilling a request to inspect PHI in a designated record set where PHI “is readily available at the point of care in conjunction with a health care appointment.”
- Changes to Notice of Privacy Practices (“NPP”) Content and Acknowledgement Requirements
The NPRM would also change the content requirements for NPPs significantly, including by:
- Replacing the mandatory NPP header with more extensive mandatory header language. That language would flag that the NPP includes information about how PHI is used and disclosed, individual rights over PHI, how to get copies of PHI, and how to file a complaint.
- Changing the access right disclosures to reflect the proposed expanded scope of those rights and to state that the access rights are available at “limited cost or, in some cases, free of charge.”
- Requiring disclosure of contact information for a designated person to answer questions about the covered entity’s privacy practices.
- Providing that the NPP could include information about how to direct PHI disclosures to a third party when the PHI is not in an electronic health record or not in electronic format, such as by submitting a direct access request or submitting an authorization permitting the disclosure.
The NPRM would also eliminate the requirement for direct treatment providers to obtain written acknowledgments of receipt of the provider’s NPP, and to retain copies of that documentation for six years.
- New Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object Is Not Required
The NPRM would also change the provisions regulating uses and disclosures of PHI for which a covered entity would not have to obtain an authorization or provide an opportunity to agree or object, including by creating additional grounds for those uses and disclosures. To summarize:
- The current standard that permits covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and imminent” would be changed to a “serious and reasonably foreseeable” standard. The revised standard may provide more flexibility to make such disclosures. Additionally, determinations made under the revised standard by a covered health care provider with specialized training, expertise, or experience in assessing an individual’s health or safety risk may be entitled to heightened deference.
- The NPRM would also permit PHI of uniformed services personnel to be used or disclosed “for activities deemed necessary by appropriate Uniformed Services command authorities to assure the proper execution of the Uniformed Services mission.” This provision would extend HIPAA’s current permission for use and disclosure of armed forces personnel’s PHI to all uniformed services personnel.
- The Privacy Rule would expressly permit disclosures of PHI to a telecommunications relay service communications assistant, which facilitates phone calls for individuals with disabilities, as necessary to conduct covered functions.
These changes would generally provide covered entities with more flexibility in PHI uses and disclosures, but would require updates to internal policies and procedures to account for these provisions.
- New Requirement for Notice of Fees
A covered entity that charges certain permitted fees under HIPAA, such as for responding to access requests, would be required to provide notice of those fees. The NPRM contemplates three ways for covered entities to provide this notice: (1) by posting a fee schedule on its website and making the fee schedule available at the point of service and upon request; (2) by providing individualized estimates of approximate fees it may charge for certain requests covered by the fee schedule; and (3) by providing individuals an itemized list of the costs for labor, supplies, and postage that make up any fees it charges.
This proposal would require covered entities that charge, or may wish to charge, fees HIPAA permits to assess the basis for those fees and prepare to provide the fee disclosures described above.
- Expanded Definition of Health Care Operations
The NPRM would modify the definition of “health care operations” to include “care coordination and case management for individuals” within the scope of that definition. While health care providers can already use and disclose PHI among health care providers for care coordination and management purposes as “treatment,” this change would also allow health plans to use and disclose PHI for those purposes. It would also potentially permit health care providers to share PHI for those purposes with non-healthcare provider covered entities.
- Adjustments to Minimum Necessary Rule Exceptions
In the NPRM, OCR proposes a new exception to HIPAA’s “minimum necessary” requirement to allow more extensive disclosures to “a health plan for care coordination and case management activities with respect to an individual.” The NPRM would also clarify that the existing exception for disclosures to or by a health care provider for treatment would permit disclosures or requests “for care coordination and case management activities with respect to an individual.”
These proposals would provide health plans greater flexibility for disclosures for care coordination and case management activities and would provide health care providers a clearer basis for disclosing more than the minimum necessary amount of PHI for those purposes.
- Relaxed Standard for PHI Disclosures in Emergency Circumstances
The NPRM proposes to change the standard for permitted disclosures about individuals experiencing certain health emergencies from one based on a covered entity’s “professional judgment” to one based on the covered entity’s “good faith” belief that a disclosure would be in the best interests of the individual.
- New Permission for Disclosures to Social and Community Services
Under the NPRM, a covered entity would be able to disclose an individual’s PHI to a social services agency, community-based organization, home-and-community-based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities.
- Prohibition of Unreasonable Verification Measures
Under the NPRM, a covered entity would be prohibited from imposing “unreasonable verification measures” that would impede individuals from exercising their HIPAA rights. A measure would be unreasonable if it “causes an individual to expend unnecessary effort or resources when a less burdensome verification measure is practicable for the covered entity” considering the covered entity’s technical capabilities, HIPAA compliance obligations, and costs of more convenient measures.
- Other Adjustments to Definitions
In addition to “health care operations,” as described above, the NPRM would adjust the definitions of other terms used in the Privacy Rule, including by:
- Excluding telecommunications relay service providers from the definition of “business associate.”
- Creating a new defined term for “electronic health record,” based on the HITECH Act’s definition of the same term.
- Creating a new defined term for “personal health application” for use in the proposed provision giving individuals a right to request access to their PHI through a personal health application to the extent the information is “readily producible to or through such application.”
* * *
If the NPRM’s proposals are adopted, covered entities will need to make significant updates to their HIPAA compliance programs. Those changes could include:
- Changes to internal policies to account for the changes to access rights, adjusted scopes of permitted uses and disclosures, and other revised standards;
- Updates to standard operating procedures and new technical solutions to facilitate patients’ exercise of new and expanded access rights;
- Updates to NPPs and other patient disclosures;
- Updates to existing HIPAA privacy training programs to account for expanded access rights and reduced timeframes for responding; and
- Amendments to business associate agreements to ensure that business associates’ obligations to assist the covered entity with access requests are aligned with the new access right provision.
Covered entities would do well to start thinking about these changes sooner rather than later: the NPRM contemplates enforcement of the new and revised standards beginning 240 days following publication of the final rule (a timeframe that includes a 60-day period for the final rule to become effective and a 180-day compliance period under the HIPAA rules). Keep in mind, however, that because the NPRM’s 60-day public comment period (which begins after its publication in the Federal Register) will end under a new presidential administration, the path from proposal to publication of the final rule may be less than straightforward.
We will continue to monitor developments on the NPRM. Please feel free to reach out if you have any questions about the potential impacts of the NPRM, or your current HIPAA compliance program.