Three HIPAA Increases Potentially on the Horizon
By Lindsey Phillips
On December 10, 2020, the Office for Civil Rights (OCR) at the United States Department of Health and Human Services (HHS) announced proposed changes to the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The proposed changes, which are set out in the Notice of Proposed Rulemaking (NPRM), are a part of the broader initiative to promote value-based care, enable better coordination among healthcare providers, and facilitate patient autonomy and engagement. This article discusses some of the proposed changes and recent updates contained in the NPRM.
Increased Access to Individuals' Protected
One of the primary goals of the NPRM is to increase patients' access to their protected health information (PHI) and enhance individuals' engagement in their healthcare decisions. Accordingly, there are several proposed changes within the NPRM that are designed to facilitate this goal.
First, covered entities would only have 15 calendar days after receiving a request from a patient for PHI to provide a response. In addition, covered entities would have the opportunity for an extension of no longer than 15 calendar days. This differs from the present rule in that covered entities are currently allowed 30 calendar days to provide a response and have the opportunity for an extension of 30 calendar days.
Secondly, the changes would expressly allow patients to inspect their PHI in person. Not only would individuals have the right to inspect their PHI in person, but they would also have the right to take notes and use personal resources to capture images, videos, and audio with no fee.
Third, the proposed modifications would reduce the current identity verification burden individuals have when they are exercising their access rights. For example, requiring individuals to obtain notarization on an access request would constitute an unreasonable barrier to access and would therefore no longer be allowed under the proposed modifications.
Covered healthcare providers and health plans would also be required to respond to certain records requests received from other covered healthcare providers and plans if such requests are directed by individuals pursuant to their right of access. OCR provides the following example:
If an individual from California was involved in an automobile accident in Virginia, and is being treated by a variety of specialists, orthopedists, neurologists, physical therapists in Virginia, the individual can send a request to one of the treating doctors in Virginia to obtain an electronic copy of the individual's records from their primary care physician in California to assist the Virginia treating physicians in providing care to the individual. The Virginia doctor would be required to forward the request within 15 days and the California doctor would be required to respond to the request within 15 days.
This change would allow patients to exercise autonomy and better control the sharing of their information, and it would further facilitate coordinated care, which is a primary goal of OCR.
Another key theme found in the NPRM is expanded permission to disclose PHI in certain circumstances. For example, the proposed rule changes would allow covered entities to disclose PHI in circumstances where individuals are experiencing an emergency or health crisis. The current standard for disclosure of PHI in an emergency or health crisis is based on the covered entity's professional judgment. The proposed modification relaxes this standard slightly in that it would allow a covered entity to disclose PHI in an emergency situation or health crisis when the covered entity has a good faith belief that the disclosure is in the best interest of the individual. A good faith belief could be based either on direct knowledge of relevant facts or representations by a person who can reasonably be expected to know relevant facts. Mental illness and substance abuse crises are included in the types of crises for which a disclosure of PHI would be allowed.
In addition, under the proposed rules, covered entities would be allowed to disclose PHI to prevent a threat to health or safety when the threat is "serious and reasonably foreseeable." The current standard is considerably more stringent in that it allows the disclosure of PHI to avert a threat to health or safety only when the threat is "serious and imminent." This proposed change would hopefully empower covered entities to disclose PHI in situations where harm is likely without being fearful of HIPAA penalties because the harm was not imminent.
Under the proposed modifications, covered entities would further be allowed to disclose PHI to coordinate care with social and community services. Covered entities would be expressly permitted to disclose PHI to social services agencies, community-based organizations, home and community based service providers, and similar third parties.
Increased Time to Provide Comments and Feedback
On March 9, 2021, OCR announced that the public comment period for the NPRM would be extended from its original deadline of March 22, 2021, to May 6, 2021. The NPRM contains an extensive number of proposed changes that span over 300 pages. While HHS has stated that the proposed modifications support the Department's Regulatory Sprint to Coordinated Care, the proposed changes do present some concerns among stakeholders. Accordingly, all stakeholders are encouraged to participate in the public comment and feedback process and now have until May 6th to do so.
While these are currently only proposed rules, we would expect to see some of these "increases" implemented through final rulemaking.
Lindsey Phillips is an associate at Burr & Forman LLP practicing exclusively in the firm's Healthcare Industry Group.