Publications

Publications Index

OCR Issues Proposed Rule to Amend Key Provisions of the HIPAA Privacy Rule to Support and Remove Barriers to Coordinated Care and Individual Engagement

On December 10, 2020, the Office for Civil Rights of the Department of Health and Human Services ("HHS") released a proposed rule that amends provisions in the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule to facilitate individuals’ engagement in their care, remove barriers to coordinated care and reduce administrative burdens on the health care industry.

In 2018, HHS launched the “Regulatory Sprint to Coordinated Care,” an initiative to accelerate a transformation of the healthcare system, with a focus on removing “unnecessary obstacles” to coordinated care.  On November 20, 2020, HHS and Centers for Medicare & Medicaid Services (“CMS”) each issued a sweeping set of final regulations that introduced significant new value-based terminology, safe harbors and exceptions, as well as clarifications of existing requirements, under the federal anti-kickback statute (“AKS”) and federal physician self-referral law (“Stark Law”), respectively. We addressed these revisions in separate alerts available here and here.  Like the changes to AKS and the Stark Law, the proposed changes to the HIPAA Privacy Rule are part of the Regulatory Sprint to Coordinated Care initiative. 

Specifically, the key proposed changes to the HIPAA Privacy Rule include the following:

Individual Right of Access. (164.524).

• Adding a new right at 45 CFR 164.524(a)(1)(ii) that would enable an individual to take notes, videos, and photographs, and use other personal resources to view and capture PHI in a designated record set as part of the right to inspect PHI in person.
• Shortening a CE’s required response time to an individual’s request to access their PHI (paper or electronic) to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30 day-extension period).
• Proposing in 45 CFR 164.524(d)(1), that a covered health care provider would be required to respond to an individual’s request to direct an electronic copy of PHI in an EHR to a third party designated by the individual when the request is “clear, conspicuous, and specific” - which may be both orally or in writing.
• Requiring that CEs allow an individual to exercise their access right to inspect their PHI in person without charging a fee and proposes to prohibit CEs from charging a fee to view, and capture or provide an electronic copy of PHI through an internet-based method (e.g., patient portals or other application programming interface system).
• Adding a new section (§164.525) that requires CEs to post a fee schedule online (if they have a website) and make the fee schedule available to individuals at the point of service upon an individual’s request. The fee schedule must include the types of access available free of charge and any fees for copies related to providing individuals with paper or electronic PHI or associated with providing any third parties designated by the individual with PHI.
• Clarifying that a business associate must disclose PHI to the CE to assist in its access requirements, but must provide PHI in an EHR directly to the individual or their designee when specifically outlined in the business associate agreement.
• These changes could collectively ease patients’ administrative burdens related to accessing PHI and deter adverse health care consequences related to delays in receipt of PHI by health care providers.

Reducing Identity Verification Burden for Individuals Exercising the Right of Access. (§164.514(h)).

• Modifying 45 CFR 164.514(h) to expressly prohibit CEs from imposing unreasonable identity verification measures that require an individual (or his or her personal representative) to expend unnecessary effort or expense (e.g., notarization of requests) when exercising a right under the Privacy Rule.
• This change could remove barriers that unreasonably delay an individual’s access to their PHI.

Amending the Definition of Health Care Operations to Clarify the Scope of Care Coordination and Case Management. (160.103).

• Clarifying that health care operations encompasses all care coordination and case management activities by health plans and covered health care providers, whether population-based or focused on particular individuals.
• This change would allow health plans to participate in both individual-focused and population-focused care coordination and case management activities.

Creating an Exception to the Minimum Necessary Standard for Disclosures for Individual-Level Care Coordination and Case Management. (164.502(b)(2)).

• Adding an express exception to the minimum necessary standard for disclosure to, or requests by, a health plan or covered health care provider for care coordination and case management.
• This exception would apply only to those care coordination activities that are at the individual level (not population-level).
• This expansion would allow providers to better coordinate and manage patient care across systems and delivery models.

Sharing PHI with Third Parties for Individual-Level Care Coordination & Case Management that Constitute Treatment or Health Care Operations. (164.506).

• Clarifying that a CE can share PHI with social service organizations and home and community-based providers to facilitate care coordination and treatment without obtaining an individual’s express authorization.
• This change could make it easier for a provider to disclose PHI about a patient needing mental health care supportive housing to a service agency that arranges such services for individuals.

Encouraging Disclosures when Needed to Help Individuals Experiencing Substance Use Disorder, Serious Mental Illness and in Emergency Circumstances. (164.502).

• Expanding the ability of a CE to disclose PHI to an individual’s family members and caregivers without fear of violation of HIPAA by changing the “professional judgement” standard to a “good faith belief” that such uses and disclosures are in the best interest of individuals.
• This change could improve care coordination among drug overdose or mental illness patients by making it easier for a provider to disclose PHI to their family members when the CE believes such disclosure are in the best interests of the patient.

Eliminating the CE’s Requirement for Obtaining Written Acknowledgement of the Receipt of the Notice of Privacy Practices ("NPP") and Other NPP Changes. (164.520).

• Eliminating the requirement for a CE with a direct treatment relationship to an individual to obtain written acknowledgement of receipt of the NPP and, if unable to obtain the written acknowledgement, to document their good faith efforts and the reasons for obtaining the acknowledgement.
• Modifying the content requirements of the NPP to help increase patients’ understanding of an entity’s privacy practices and their rights with respect to PHI.
• Establishing that an individual has a right to discuss the NPP with a designated person.
• Adding an optional element to the NPP to explain that individuals have the right to request to send PHI (non-electronic) to third parties upon receipt of a valid authorization.
• These changes could ease a CE’s administrative burdens regarding fulfilling the requirements related to disclosing the NPP and ensure that more people understand their rights under the NPP.

The proposed rule can be accessed here.  

For any questions regarding whether these changes affect your organization’s privacy practices, please contact Gary Schober (716.848.1289), Michelle Merola (518.736.2917), Roopa Chakkappan (716.848.1258) or any member of our Cybersecurity and Privacy Practice.