Late last year, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rule-Making regarding potential changes to the HIPAA Privacy Rule; the proposed rule was published in the Federal Register on January 21, 2021. Comments are due on the proposed rule by March 22, 2021. The proposed rule modifies the HIPAA Privacy Rule to further HHS’ Right of Access Initiative and to support and reduce barriers to coordinated care and individual engagement.
The modifications to the HIPAA Privacy Rule focus on four main areas: (1) right of access; (2) care coordination and case management; (3) uses and disclosures to avert a serious threat to health or safety; and (4) Notice of Privacy Practices. The main changes are discussed below.
Right of Access
In the proposed rule, changes are made to an individual’s right to inspect his or her protected health information (PHI). HHS stated that it believes patients are at the center of each health care encounter and that the ability of patients to access and direct disclosures of their health information is key to the coordination of their care. Under the proposed revisions:
- An individual is given the right to view, take notes, take photos, and use other personal resources to capture the information (for example, taking photos with the individual’s cellphone);
- No fee may be imposed for this access;
- Access must be provided by arranging a mutually convenient time and place for the individual to inspect his or her PHI (which time and place may be the patient’s current appointment or visit – see below).
The proposed rule also adds clarification that a written request for access to PHI may be made in electronic or paper form, provided such a request "does not impose unreasonable measures that impede the individual from obtaining access when a measure that is less burdensome for the individual is practicable for the entity." HHS provides examples of "unreasonable measures," including:
- A form requiring extensive information from the individual that is not necessary to fulfill the request;
- Requiring notarization of the form; or
- Requiring the request be submitted only in paper form, only in person at the entity’s facility, or only through the Covered Entity’s online portal.
The proposed rule shortens the time in which a Covered Entity must respond to an individual’s request for access from 30 days to as soon as practicable, and no later than 15 calendar days from the date of the request – unless another state or federal law requires a shorter time frame, in which case the shorter time frame applies. Note that the proposed rule would allow a Covered Entity one 15-calendar-day extension but would require that Covered Entities "prioritize urgent or otherwise high priority requests," thus limiting the use of the extension. Further, a new requirement would have a Covered Entity that offers an individual a summary of requested PHI, rather than a copy, inform the individual that he or she retains the right to receive a copy of the requested PHI if the individual does not agree to receive the summary.
Another change in the proposed rule includes a new point of care access requirement for health care providers. When point of care access is readily available, the provider may not delay immediate access. HHS states that it "anticipates that the time and place where an individual obtains health care treatment generally would be considered a convenient time and place for the individual to inspect the PHI that is immediately available in the treatment area." Therefore, if a patient is at a health care appointment and wants to take photos of his or her file that is kept on the premises, such access must be made available.
Care Coordination and Case Management
The proposed rule amends the definition of "health care operations" to broaden the scope of care coordination and case management activities that constitute health care operations. The new health care operations definition would include, among other activities, "population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination…and related functions that do not include treatment." A new provision also would be added to the permissible uses and disclosures of PHI to carry out treatment, payment and health care operations that permits a health plan or health care provider to disclose PHI without authorization to a third party that provides health-related services (including health-related social services or other supportive services that address health risks, such as food banks or housing shelters). HHS noted that it "believes this change would facilitate and encourage greater wraparound support and more targeted care for individuals, particularly where it would be difficult to obtain an individual’s authorization or consent in advance, because the individual cannot easily be contacted (e.g., when an individual is homeless). This improved care coordination and case management could lead to better health outcomes while retaining existing limits on population-based disclosures."
In addition, the proposed rule would include an express exception to the minimum necessary rule for disclosures to, or requests by, a health plan or health care provider for care coordination and case management at an individual level. HHS believed this necessary to relieve a Covered Entity from having to make determinations about the minimum information necessary to respond to a request or make a disclosure to a health plan or health care provider when the information would support an individual’s care coordination and case management.
Uses and Disclosures to Avert a Serious Threat to Health or Safety
The current rule permits Covered Entities to use or disclose PHI when the Covered Entity has a good faith belief that such use or disclosure is necessary to prevent or lessen "a serious and imminent threat" to the health or safety of a person or the public. The proposed rule would change and clarify this standard to "a serious and reasonably foreseeable threat." The term "foreseeable threat" would be defined to mean "that an ordinary person could conclude that a threat to health or safety exists and that harm to health or safety is reasonably likely to occur if a use or disclosure is not made, based on facts and circumstances known at the time of the disclosure." HHS noted that this standard includes an express presumption that such a health care provider has met the reasonably foreseeable standard when it makes a disclosure related to facts and circumstances about which the health care provider (or member of the provider’s workforce) has specialized training, expertise, or experience. However, HHS pointed out that the "reasonably foreseeable" standard would not permit the application of assumptions unwarranted by the individual’s diagnosis and specific circumstances. For example, the assumption that a person with a diagnosis of depression or anxiety is a threat to themselves or others merely by virtue of that diagnosis is unfounded and is not "reasonably
Notice of Privacy Practices
The proposed rule makes a number of simplification changes to the Notice of Privacy Practices ("Notice") requirements, including eliminating the requirement:
- For a health care provider with a direct treatment relationship to an individual to obtain written acknowledgement of receipt of the Notice, and if unable to do so, to document the reason and that they made a good faith effort to do so; and
- To retain copies of such documentation for six years.
The written acknowledgement would be replaced with an individual right to discuss the Notice with a person designated by the Covered Entity.
In addition, HHS is proposing to make numerous changes to the required content of the Notice as follows:
- The header would be required to specify that the Notice contains information on how to get copies of records, how to file a complaint for violations of privacy or security of PHI or violations to rights concerning an individual’s information, including the right to inspect and get copies of medical records under HIPAA. The header also must state that the individual has the right to receive a copy of the Notice and discuss it with a designated contact, whose information must be listed.
- The body of the Notice would have to include how an individual can exercise the right to receive copies of medical records at a limited cost and the right to direct a health care provider to transmit electronic copies to third parties.
What Should a Covered Entity Do Now?
Nothing yet. Once a Final Rule is published, any revisions to the Privacy Rule will become effective 60 days from the date of its publication in the Federal Register, and Covered Entities will have up to 180 days from the effective date to implement the changes.
While we can’t say whether the proposed rule will change significantly or not, based on the HHS initiative to improve right of access and care coordination and case management, we can expect many of these changes will become final. Calfee will continue to track the development of the rules. As always, we welcome the opportunity to assist Covered Entities with their HIPAA compliance.