OCR Proposes Changes to HIPAA Regulations

On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) announced its proposal to make significant changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. If adopted, the proposed rule would require covered entities to make substantial changes to their HIPAA policies and procedures and related workflows.

Here are the most noteworthy aspects of the proposed regulations:

Increasing individuals’ access to PHI

The proposed rule would allow individuals inspecting their PHI to take notes or use other personal resources to view and capture images of such PHI. The proposed rule would also prohibit a covered healthcare provider from delaying an individual’s right to inspect PHI when the PHI is readily available at the point of care in conjunction with a healthcare appointment. A covered entity would not, however, have to allow individuals to connect personal devices to the covered entity’s information system.

The proposed rule would shorten the time frame within which a covered entity must respond to an individual’s request for access to the individual’s records from 30 days (with an option for a 30-day extension) to 15 days (with an option for a 15-day extension). Under the proposed rule, a covered entity may use an extension only if the covered entity has established written policies for prioritizing urgent or other high-priority access requests (especially those related to health and safety).

The proposed rule would prohibit such measures. Similarly, the proposed rule would prohibit a covered entity from imposing unreasonable identity verification requirement or other “unreasonable barriers or delay” in access to PHI.

Currently, the Privacy Rule requires covered entities to transmit a copy of PHI directly to another person designated by the individual when directed by the individual, provided that the request is in writing, is signed by the individual, and clearly identifies the designated person and where to send the copy of the PHI. The proposed rule would limit this right so that it applies only to electronic copies of PHI contained in an electronic health record (EHR), which could include PDF and other electronic formats that are accessible, usable and reasonable, such as .doc and .docx format. The proposed rule would require a covered healthcare provider to respond to such a request so long as the request is “clear, conspicuous, and specific”—replacing the current requirement that the request be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the PHI. The proposed rule would add a definition of EHR for the purpose of clarifying the scope of an individual’s right to direct an electronic copy of PHI in an EHR to a third party.
The proposed rule would also create a second mechanism (which is in addition to the treatment, payment and healthcare operations permitted disclosure) for a covered entity to obtain an electronic copy of PHI from another covered healthcare provider.

The proposed rule would require covered entities to inform individuals about their right to direct requested electronic copies of PHI in an EHR to designated third parties when a covered entity offers to provide a summary in lieu of the requested copies of PHI.

Changes Relating to Notices of Privacy Practices

The proposed rule would eliminate the requirement that covered entities that are direct treatment providers obtain an individual’s written acknowledgment of receipt of the covered entity’s Notice of Privacy Practices (NPP), and replace it with an individual right to discuss the NPP with a person designated by the covered entity whose name, phone number and email address must be listed in the header of the NPP. In addition, the proposed rule would modify the content requirements of the NPP to notify individuals of their rights with respect to accessing their PHI.

Modifying Fee Structure Based on Access Type

To increase an individual’s awareness of the cost of copies of PHI, and to make the access fee requirements more uniform, the proposed rule would require covered entities to provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual’s valid authorization. In addition, the proposed rule would modify the access fee provisions to specify when a covered entity may charge fees when responding to an individual’s right to access request.

Clarifying the Scope of Permitted Disclosures for Care Coordination and Case Management

The proposed rule would amend the definition of healthcare operations in order to clarify that PHI may be shared with health plans involved in care coordination and care management. The proposed rule would also expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home- and community- based service providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management and wraparound support services for individuals. Under this provision, a health plan or a covered healthcare provider would only be permitted to disclose PHI without authorization to a third party that provides health-related services or other supportive services, such as food or housing.

Disclosures that are in the “Best interest” of the Individual

The proposed rule would replace the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard would presume a covered entity’s good faith, and that presumption could only be overcome with evidence of bad faith. The circumstances in which the new standard would apply include the following:

  1. Disclosure of an unemancipated minor’s PHI to parents or guardians who are not the minor’s personal representative if doing so is consistent with state or other applicable law.
  2. Inclusion of an individual’s name in a facility directory and disclosure of the individual’s location and general condition when the individual is unable to agree or object.
  3. Disclosure of relevant information to a person involved in an individual’s care or payment for care when the covered entity reasonably infers, based on a good faith belief, that the individual does not object.
  4. Disclosure of relevant information about an individual to family members and other caregivers who are involved with the individual’s care or payment for care, or who require notification related to the individual, when the individual cannot agree to the disclosure because of absence, incapacity or emergency circumstances.
  5. The proposed rule would also permit covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard, which requires a “serious and imminent” threat to health or safety.