United States: Proposed HIPAA Regulations Would Improve Individual Patient Care And Expand Patient Rights

Nearly two years after soliciting public suggestions to modify HIPAA rules to improve the coordination of care, the Department of Health and Human Services (DHHS) issued a Proposed Rule which changes parts of the Privacy Rule to allow for more flexibility in disclosure of protected health information (PHI), as well as improve care coordination, case management, and patient access to their PHI. The Proposed Rule, to be published in the Federal Register on December 18, 2020, is part of the DHHS initiative to facilitate nationwide transformation of health services to value-based health care.

Individual Right of Access

Under the current Privacy Rule, individuals, with limited exceptions, have the right to access their own PHI. However, DHHS believes there are certain procedures imposed by covered entities which act as barriers to access. Such procedures diminish the speed, practicality, and ease of access. The Proposed Rule includes several modifications which would remove such barriers, facilitate information sharing and benefit both patients and providers.

• Limitation on Access Requirements & Timeliness of Response to Requests - DHHS proposes to (i) explicitly prohibit covered entities from implementing onerous access requirements that unreasonably delay access to records, (ii) limit access requirements, and (iii) shorten the response time for access to records from 30 days to 15 calendar days (with the option for one 15 day extension). The timeliness requirement applies regardless of the format of the PHI requested.
• Delivery of Information to Third Parties - When an individual requests PHI to be transmitted to a third party, under the current rule the covered entity is permitted, but not required, to disclose the PHI as requested and may charge fees beyond those associated with a request for a copy of PHI. DHHS proposes a separate set of provisions to address the right of the patient to direct the transmittal of copies of PHI to third parties, to request transmittal of PHI in electronic records to a third party, and to empower individuals to share PHI in electronic records among covered providers and health plans.
• Modification to Identity Verification Measures - The Privacy Rule currently requires covered entities to implement reasonable steps to verify the identification of individuals requesting access to PHI. In implementing this requirement, covered entities are currently given broad discretion to determine the format of verification. The Proposed Rule calls for a prohibition of unreasonable verification measures, which include those that would require an individual to expend unnecessary effort or expense when a less burdensome process is practical for the particular covered entity.
• Additional Changes and Pandemic Considerations - The Proposed Rule proffers several other changes that provide clarity to the interpretation and implementation of an individual's access rights under the Privacy Rule, including the addition of previously excluded definitions of "Electronic Health Record" or "EHR" and "Personal Health Application." The Proposed Rule also notes that under current requirements, covered entities do not have the explicit right to deny or delay the right to inspect PHI in person to prevent the spread of infectious disease, nor do they have an established ability to, on the basis of health and safety, provide a reasonable alternative to in-person access. Therefore, DHHS seeks comments on whether covered entities should be permitted to provide copies of PHI in lieu of in-person inspection of PHI when necessary to protect the health and safety of the individual and others.

Care Coordination and Case Management

To promote care coordination and case management, the Proposed Rule includes several modifications creating more flexibility for covered entities to use and disclose PHI for such purposes. Specifically, DHHS proposes to clarify the definition of "health care operations" to include case management and care coordination. DHHS also proposes to add a new provision expressly permitting covered entities to disclose PHI to social services agencies, community based organizations, home and community based service providers and other similar third parties that provide health-related services, including social services or other supportive services, to the individual. A covered entity would be able to make such disclosures without the patient's authorization, as part of the provider's treatment activities or health care operations.

Additionally, under the Privacy Rule, covered entities are generally required to use, disclose, or request only the minimum necessary PHI to meet the purpose of such use, disclosure, or request. The Proposed Rule includes an express exception to the minimum necessary standard for disclosures to, or requests by, a health plan or provider for care coordination and case management of a specific individual.

Disclosures to Help Individuals Experiencing Substance Use Disorder, Serious Mental Illness, and in Emergency Situations

Under the Privacy Rule, covered entities can disclose PHI in certain circumstances in the "exercise of professional judgment." To encourage covered entities to disclose PHI more broadly in cases involving substance use disorder, serious mental illness, and emergency situations, DHHS proposes to replace "exercise of professional judgment" with "good faith belief" as the standard to allow covered entities to disclose PHI in certain circumstances in the best interests of individuals. DHHS would make the modification in the following sections:

• 45 C.F.R. 164.502(g)(3)(ii)(C) (parent or guardian who is not the individual's personal representative);
• 45 C.F.R. 1 64.510(a)(3) (facility directories);
• 45 C.F.R. 164.510(b)(2)(iii) (emergency contacts);
• 45 C.F.R. 164.510(b)(3) (emergency and incapacity); and
• 45 C.F.R. 164.514(h)(2)(iv) (verifying requestor's identity).

Acording to DHHS, a good faith standard may be exercised by other workforce members, not just licensed professionals, thereby allowing more individuals to make the determination. DHHS also proposes a presumption that the provider has complied with the good faith requirement, absent evidence to the contrary. DHHS reminds covered entities that they must still assess the facts and circumstances surrounding the disclosures, including an individual's prior expressed privacy preferences.

Additionally, to broaden a covered entity's ability to disclose PHI to address threats of harm, DHHS proposes to replace the "serious and imminent threat" standard with a "serious and reasonably foreseeable threat" standard. "Reasonably foreseeable" would be based on a reasonable person standard, without assumptions unwarranted by the individual's diagnosis and specific circumstances.

Notice of Privacy Practices

The Privacy Rule currently requires covered health care providers that have a direct treatment relationship with an individual to make a good faith effort to obtain the individual's written acknowledgement of the provider's Notice of Privacy Practices (NPP). If the provider is unable to obtain such acknowledgement, the provider must document its efforts and reasons for not obtaining the acknowledgement. To reduce paperwork burdens and confusion among patients and office staff, DHHS proposes to eliminate this requirement and replace it with an individual right to discuss the NPP with a person designated by the provider.

Additionally, to help increase patients' understanding of the NPP, DHHS proposes the following changes to the contents of the NPP:

• modify the required header of the NPP to specify that the notice provides information about how to access their health information, how to file a HIPAA complaint, and the individuals' right to receive a copy of the NPP and discuss it with a designated person;
• require the header of the NPP to include the designated contact person's phone number and email address and whether such person is available onsite;
• require the NPP to describe how individuals can obtain a copy of their records at limited cost or free of charge and can direct the provider to transmit an electronic copy of PHI in an EHR to a third party; and
• at the provider's option, include information to address instances in which individuals can obtain a copy of PHI directly or request the provider to send a copy of PHI to a third party if the PHI is not in an EHR and/or is in a non-electronic format.

The Proposed Rule may have a significant impact on the current HIPAA policies and procedures adopted by covered entities. If finalized, the rule will require changes to the NPPs and procedures for patient access to their health records. We suggest a careful review of the Proposed Rule to prepare for possibly significant changes. There is an opportunity to comment and suggest alternatives or voice concerns up to January 4, 2021.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.