HHS Issues Proposed Rule Modernizing HIPAA Privacy Rule

On December 10, 2020, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released a proposed rule (the Proposed Rule) that would make a number of key changes to the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively, HIPAA). HHS stated that the Proposed Rule is intended to reduce burdens that may limit or discourage care coordination and case management communications among individuals and HIPAA-covered entities while continuing to protect the privacy of individuals. The proposed changes are designed to lead to increased data access, sharing, and portability and to further HHS’s emphasis on patients’ right of information access, which has been highlighted through a series of enforcement actions in 2020. If enacted as proposed, the amendments would require healthcare providers and electronic health records (EHR) vendors to update policies and disclosures related to information access and perhaps even to redesign certain EHR processes. Comments are due 60 days after publication in the Federal Register.

The HIPAA Privacy Rule, first issued in 2000 and subsequently amended, sets forth the standards that must be met to protect individuals’ protected health information (PHI) created, received, maintained, or transmitted by or on behalf of covered entities. The Proposed Rule would amend the HIPAA Privacy Rule to permit additional flexibility for covered entities to promote care coordination and case management, among other key proposals. In developing the Proposed Rule, HHS reviewed comments from the 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care. Key provisions of the Proposed Rule include:

• Individual Right of Access. The Proposed Rule would enhance an individual’s right to access their PHI by allowing individuals to inspect their PHI by taking notes or capturing images of their PHI; by shortening the amount of time a covered entity may take to respond to a request from 30 days to 15 days; by creating a pathway to allow individuals to direct covered entities to share EHR with a third party; by clarifying that the right of access may be satisfied by sharing PHI through a personal health application; and by changing the requirements related to allowing covered entities to charge fees to access PHI, among other provisions. In proposing these changes, OCR states that “individuals frequently face barriers to obtaining timely access to their PHI, in the form and format requested, and at a reasonable, cost-based fee.”
• Identity Verification. Under the Privacy Rule, covered entities would have to take reasonable steps to verify the identity of a person requesting PHI before disclosing the PHI. A covered entity would be prohibited from imposing unreasonable identity verification measures, such as having to obtain notarization of requests or providing proof of identify in person when other methods are practicable.
• Healthcare Operations Definition. Despite guidance to the contrary, OCR states that some covered entities may be interpreting the existing definition of healthcare operations to include only population-based care coordination and case management, rather than individual-level care coordination and case management. Accordingly, OCR proposes to revise the definition of healthcare operations to clarify that all case management and care coordination are included in the definition.
• Minimum Necessary Standard Exception. The Proposed Rule would create an express exception to the minimum necessary standard for certain care coordination and case management uses and disclosures. Namely, covered entities would not be subject to the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered healthcare provider for care coordination and case management activities, regardless of whether such activities constituted treatment or healthcare operations.
• Disclosure for Care Coordination and Management. The Proposed Rule would expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based service providers, and other similar third parties, either as a treatment activity of a covered healthcare provider or as a healthcare operations activity of a covered healthcare provider or health plan. Such disclosures would not require patient authorization.
• Disclosure for Substance Abuse, Mental Health, or Other Emergency. Despite issuing extensive guidance on how the Privacy Rule permits such disclosures, OCR stated that covered entities are reluctant to disclose information to persons involved in the care of individuals experiencing substance abuse, mental health, or certain other health emergencies. To address these concerns, OCR proposes several modifications to the Privacy Rule to encourage covered entities to use and disclose PHI more broadly in circumstances that involve substance use disorders, serious mental illnesses, and emergencies.
• Notice of Privacy Practices Changes. OCR acknowledges that the current requirement to provide notice and obtain written acknowledgement that an individual has read a notice of privacy practices imposes significant administrative burdens on healthcare providers. It proposes to replace the written acknowledgment requirement with an individual right to discuss the notices of privacy practices with a person designated by the covered entity, and proposes other modifications to clarify the content requirements of the notice in a way that should make it easier for patients to understand their rights.

If adopted in a final rule, these proposed changes may require updates in covered entities and business associate policies, procedures, and security standards, as well as in notices of privacy practices documents.