New Year, New Rule? OCR Proposes Changes to the HIPAA Privacy Rule
While 2020 saw the publication of the other final rules comprising the U.S. Department of Health and Human Services’ (“HHS”) “Regulatory Sprint to Coordinated Care,” the long-awaited proposed changes to the HIPAA Privacy Rule were published on December 10, 2020. The Notice of Proposed Rulemaking (“NPRM”) addresses several anticipated changes to the Privacy Rule.
First, if you have been following the Office for Civil Rights’ recent settlements, it will come as no surprise that changes to the individual rights provisions of HIPAA take center stage in the NPRM. The changes add several new provisions to the individual rights section, including:
- Allowing individuals to take notes or use other personal resources to view and capture images of their PHI while inspecting it in person;
- Shortening the response time for access requests to no later than 15 calendar days with one 15-day extension permitted;
- Creating a pathway for sharing of the PHI contained in their electronic health record (“EHR”) from one health care provider or plan to another provider;
- Reducing requirements for identity verification while maintaining the security of PHI;
- Clarifying the form and format for responding to individual requests and instances when the electronic PHI must be provided to the individuals at no cost;
- Increasing access to estimated fee schedules by requiring covered entities to post the schedules on their websites.
Second, the NPRM modifies a handful of permitted disclosures. It includes a modification to the standard for permitted disclosures of PHI when individuals are experiencing emergencies or health crises and disclosure is in the best interest of the individual. The previous disclosure standard, based on a covered entity’s “professional judgment,” is modified to a covered entity’s “good faith” belief that disclosure is in the best interest of the individual. This update encompasses emergencies or health crises for individuals with substance use disorder or mental illness, to help coordinate care between individuals and their family members or caregivers. Another similarly focused update strives to prevent harm or lessen a threat of harm by changing the standard for disclosing PHI to avert threats: under the NPRM, the current standard of a “serious and reasonably foreseeable” threat would permit disclosure of PHI where there is a “serious and imminent” threat to health or safety. The NPRM also includes provisions for the use and disclosure of PHI for Uniformed Service Members.
Third, the NPRM includes updates to the Notice of Privacy Practices and the administrative requirements associated with it. The NPRM proposes eliminating the requirement for written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and the associated document retention requirement. The NPRM also requires content updates to the Notice of Privacy Practices, with headers designating how individuals can exercise their rights with respect to their PHI.
Fourth, portions of the NPRM focus on the Telecommunications Relay Service (“TRS”). The update expressly permits the disclosure of PHI to TRS communication assistants and modifies the definition of business associate to exclude TRS providers.
Finally, the NPRM includes changes to facilitate care coordination, such as:
- Updating the definition of “health care operation” to emphasize the inclusion of care coordination and case management for individuals;
- Creating an exception to the minimum necessary standard for disclosures for care coordination and case management of individuals by health plans or providers; and
- Permitting disclosure of PHI to social and community service agencies and organizations for individual level care coordination and case management.
The Federal Register published the NPRM on January 21, 2021. Comments are due within sixty days of the date of publication, setting a deadline on or before March 22, 2021.
Barring a change in the agency’s position or priorities under the new administration, we can expect OCR to publish a final rule sometime in 2021. Because the proposed changes, if finalized, would likely require renegotiation of all business associate agreements and substantial changes to policies and the Notice of Privacy Practices, HHS specifies the expected compliance timeframe. The final rule would become effective sixty days after publication, and compliance would be required within 180 days thereafter, effectively giving covered entities 240 days to comply with the final rule. That time will go fast, so covered entities should start planning for the likely changes now.