The U.S. Department of Health and Human Services Office for Civil Rights ("OCR") first released a Notice of Proposed Rulemaking ("NPRM") to modify the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule on December 10, 2020. OCR extended the deadline for public comment to the NPRM to May 6, 2021 and recently released those comments to the public. Given OCR's recent, increasing focus upon enforcement of the HIPAA Privacy Rule's right of access requirements (i.e., individuals' right to inspect and obtain copies of their Protected Health Information ("PHI")), this alert focuses on the number of provisions in the NPRM seeking to expand individuals' access rights under HIPAA.

Recognizing that individuals' ability to access and direct disclosures of their PHI is crucial to their care coordination and that lack of patient access to their PHI contributes to negative health outcomes for such individuals and the nation's health care system, OCR focuses upon strengthening individuals' right to access their PHI in the NPRM. In the preamble of the NPRM, OCR acknowledges that it continues to hear, through complaints, reports, and comments, that individuals are often faced with barriers to access their PHI in a timely fashion, despite the fact that OCR has issued extensive guidance and performed significant public outreach regarding this particular topic. As a result, OCR proposes several amendments to the HIPAA Privacy Rule's right of access requirements in the NPRM.

For example, the NPRM includes a provision that bolsters individuals' right to inspect their PHI in person, including allowing individuals to take notes or use other personal resources to review their PHI at no cost, and prohibits covered health care providers from delaying the right to inspect when PHI is readily available for inspection by the patient in conjunction with a health care appointment. In addition, OCR proposes shortening covered entities' required response time to individuals' access requests to no later than fifteen (15) calendar days (rather than the existing 30-day turnaround), with the opportunity for a 15-day extension. The NPRM also clarifies the required form and format for responding to individuals' access requests (e.g., informed by the 21stCentury Cures Act "information blocking" provision, OCR clarifies that "readily producible" copies of PHI specifically include copies of ePHI requested by individuals through secure, standards-based application programming interfaces ("APIs") that use applications chosen by individuals). The NPRM further limits the existing individual right to direct a copy of PHI to a third party to an individual right to direct an electronic copy of PHI in an EHR to a third party. Among other things, the NPRM adjusts and clarifies what fees covered entities may charge when responding to access requests and expressly prohibits covered entities from imposing "unreasonable measures" on an individual's exercise of their right to access their PHI (e.g., unreasonable identity verification measures, notarization of individual's signature, accepting only paper requests or only requests made through the covered entity's online portal).

OCR received comments to the NPRM from over 1,400 individuals and organizations. Many commenters agreed with the proposed modifications to the right of access requirements, particularly the prohibition on the imposition of fees in certain circumstances. Some commenters, however, disagreed with some of the proposed changes to the right of access requirements. For example, several commenters expressed concern regarding the proposed language that would permit covered entities to limit access to certain types of PHI. More specifically, the commenters took issue with the new proposed regulatory definition of "electronic health record," which limits its scope to records of providers with "direct treatment relationships" with the individuals. Others stated that patient requests to designate a third party to receive copies of their PHI should not be limited to electronic copies of PHI in an EHR and should continue to be in the individual's preferred format. Some health care organizations expressed concern regarding the administrative burdens that providers would face, particularly with respect to the proposed shortened timeframe for responding to access requests and allowing inspection of PHI at the point of care in conjunction with a health care appointment. Other commenters urged OCR to provide further clarification regarding how covered entities should respond to access requests and what policies and procedures they should have in place. Finally, other commenters called for the further standardization of the term "designated record set."

As we await amendments to the HIPAA right of access requirements, covered entities must continue to take access requests seriously and provide prompt responses in accordance with the regulations and OCR's published guidance on this topic. Covered entities should also begin to evaluate how they could effectively implement the new 15-day access request response timeframe, as we anticipate that the existing 30-day timeframe will be shortened. If you have any questions regarding the development and implementation of policies and procedures to comply with the HIPAA right of access requirements, please do not hesitate to contact any member of the Health Law Practice Group at Shipman.

The NPRM and submitted public comments may be found here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.