HHS Proposes Major Changes to the HIPAA Privacy Rule

Overview

On December 10th, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced significant proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The announcement continues a recent flurry of proposed rules at the end of the year and the term of the current administration. If finalized, the proposed rule would make numerous changes to the HIPAA Privacy Rule, including requiring a variety of operational changes from covered entities.  While the proposed changes primarily impact covered entities, some of these changes may require operational changes by business associates and changes to business associate agreements, particularly on issues related to access.  The proposed rule, however, does not make permanent the temporary flexibilities extended pursuant to the COVID-19 pandemic.

Comments Requested

OCR is encouraging comments from all stakeholders, including patients and their families, and HIPAA covered entities and their business associates, as well as consumer advocates, health care professional associations, health information management professionals, health information technology vendors, and government entities. Public comments on the proposed changes will be due 60 days after publication in the Federal Register; this is likely to mean that comments will be due in mid-February. Comments can be submitted at Regulations.gov by searching for the Docket ID number HHS-OCR0945-AA00 and following the instructions online, or by mail as detailed in the proposed rule.

Notable Proposals with Direct Operational Impact

There are a variety of definitional and policy clarifications that would affect how covered entities implement certain provisions of the Privacy Rule, some of which do appear in alignment with the proposed rule’s stated intent to “address standards that may impede the transition to value-based health care . . .  or pos[e] other unnecessary burdens.” However, there are several notable proposals that would result in specific operational changes for covered entities and their business associates, including:

Access Provisions
  • Shorter Response Time. The proposed rule would shorten covered entities’ required response time to fulfill patient record copy and access requests to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
  • Access Policy Revisions. The proposed rule would require covered entities to establish written policies for prioritizing urgent or other high priority access requests (especially those related to health and safety) so as to limit the need to use 15 calendar-day extensions for such requests.
  • “Third-Party Directed” Requests Limited. In a positive change for covered entities, the proposed rule would limit the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR, consistent with the HITECH Act and the Ciox decision, which we previously discussed.
  • Facilitating Access Request Submission. The proposed rule would require covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR. Specifically, if an individual made a “clear, conspicuous, and specific” request (which the proposed rule says could be oral) that his or her covered health care provider or health plan (“Requester-Recipient”) obtain an electronic copy of PHI in an EHR from one or more covered health care providers (“Discloser”), Requester-Recipient would be required to submit the individual’s request to Discloser, as identified by the individual. The proposal would require that Requester-Recipient submit such access requests to Discloser on behalf of the individual as soon as practicable, but no later than 15 calendar days after receiving the individual’s direction and any information the Requester-Recipient needs to submit the access request to Discloser.
  • Response to Access Request Submissions. Reciprocally with the above, the proposed rule would also require covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access.
Fee Limits and Disclosures
  • Amended Fee Limits. The proposed rule would amend the permissible fee structure for responding to requests to direct records to a third party. The proposed rule would also require that access and copies be provided for free in certain circumstances (i.e., when an individual inspects PHI about the individual in person or an individual uses an internet-based method to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity). For other instances of access pursuant to the individual right of access, HHS proposes to limit the amount covered entities may charge to a “reasonable, cost-based fee,” and, per prior guidance, what may be included in such fees is very limited. However, covered entities would be permitted to charge less restricted fees when fulfilling requests to send non-electronic copies of PHI in an EHR, or electronic copies of PHI that is not in an EHR, to third parties, because these requests would no longer be within the right of access.
  • Fee Schedules. The proposed rule would also require covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests. With respect to fee schedule availability at the point of service, the expectation would be that a covered health care provider would make the fee schedule available upon request, in paper or electronic form, at the point of care or at an office that is responsible for releasing medical records, as well as orally (e.g., over the phone), as applicable.
Notice of Privacy Practices (NPP)
  • Text Revision. The proposed rule would modify certain content requirements of the NPP, including statements related to individuals’ rights with respect to their PHI and how to exercise those rights. Covered entities would need to revise their current NPP to incorporate the new language, as well as designate and identify in the NPP specific contact information for a person with whom patients may discuss the NPP.
  • Signature Not Required. One proposed change that would decrease burden on covered entities is the proposed elimination of the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s NPP.

Conclusion

If finalized, the provisions of the proposed rule would work major revisions to the HIPAA Privacy Rule. The final rule, if adopted, would take effect 60 days after its publication in the Federal Register and compliance would be required 180 days after that, providing a 240 day compliance period.  In addition to the changes and operational impacts discussed above, these changes would require revision of HIPAA policies, forms, and processes; would require reevaluation and possible revision to business associate agreements, especially with regard to patient rights provisions; and would require training of staff on the new requirements. While it is unclear whether a change in administration would affect the proposals, covered entities, business associates, and other stakeholders should carefully review the proposed rule and consider submitting comments to HHS before the deadline. For more information or for assistance in preparing comments to the proposed rule, please contact Kevin Coy, Madison M. Pool, or Erin E. Doyle.