The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has issued a Notice of Proposed Rulemaking (NPRM) that proposes significant changes to the HIPAA Privacy Rule. The NPRM comes nearly two years after OCR asked stakeholders to identify HIPAA provisions that impede value-based care, seeks to "empower patients, improve coordinated care, and reduce regulatory burdens," and is part of HHS's "Regulatory Sprint to Coordinated Care" initiative.

Below we provide an overview of the most significant proposed modifications:

  • Enhancing Individuals' Access Rights. The proposed rule seeks to strengthen an individual's right to access his or her PHI in several respects, including by:
    • Clarifying the Inclusion of Electronic Health Records. The proposed rule would define "electronic health record" as "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and their staff," and "personal health application" as "an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer." In defining these terms, OCR aims to clarify that an individual's right to access his or her PHI extends to electronic health records, and that one of the ways a request for access can be fulfilled is transmitting an electronic copy of the PHI to the individual's personal health application.
    • Strengthening Individual Inspection Rights. The Privacy Rule includes a right to "inspect and obtain a copy of" PHI in a designated record set, and the proposed rule would strengthen this right by generally requiring a covered entity to allow individuals to take notes, videos, and photographs (using their own personal resources) of their PHI after arranging a mutually convenient time and place to do so, without imposing a fee.
    • Modifying Individual-Directed PHI Sharing Rights and Requirements. The proposed rule would permit individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered health care providers and health plans to submit an individual's access request to another health care provider and to receive back the requested electronic copies of the individual's PHI in an EHR. Additionally, the individual right of access to direct the transmission of PHI to a third party would be limited to electronic copies of PHI in an EHR. Covered health care providers and health plans would be required to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access.
    • Prohibiting Unreasonable Identity Verification Measures. To protect against the unauthorized access of PHI, the Privacy Rule generally requires a covered entity to take reasonable steps to verify the identity of an individual requesting PHI before disclosing it. The proposed rule would expressly prohibit a covered entity from imposing "unreasonable" identity verification measures on an individual, or the individual's personal representative, exercising a right under the Privacy Rule. Examples of unreasonable verification measures would include requiring extensive information from the individual that is not necessary to fulfill the request, requiring notarization of the individual's signature, or only accepting individuals' written requests in paper form, in person at the covered entity's facility, or through the covered entity's online portal.
    • Shortening Covered Entities' Timeframe for Responding to Access Requests. Under the Privacy Rule, covered entities must act on an individual's request to exercise his or her access right no later than 30 days after receipt of the request, with an option for a 30-day extension. The proposed rule would cut both of these timeframes in half, requiring a covered entity to provide an individual with access to his or her PHI "as soon as practicable," but in no case later than 15 calendar days after receipt of the request, with the possibility of one 15 calendar-day extension.
    • Adjusting Permitted Fees for Access to PHI. The Privacy Rule allows covered entities to charge a reasonable, cost-based fee to fulfill access requests. The proposed rule would outline categories of access for which a covered entity could not charge a fee, including inspections of PHI in person and the viewing or obtaining of electronic PHI by an internet-based method, and the allowable costs that may be included when an access fee is permitted. The proposed rule would further require covered entities to post estimated fee schedules on their websites and, upon request, provide individualized fee estimates for an individual's request for copies of PHI, as well as itemized bills for completed requests.
  • Improving Coordinated Care. The proposed modifications aim to promote care coordination by:
    • Clarifying the Scope of Care Coordination and Case Management. The Privacy Rule permits certain uses and disclosures of PHI without an individual's valid authorization, including for treatment and certain health care operations. However, many covered entities have interpreted the definition of "health care operations" ("...population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination...") to include only population-based coordination and case management, which would exclude individual-focused care coordination from the permitted uses and disclosures of PHI. The proposed rule would amend the definition of "health care operations" to encompass all care coordination and case management by health plans, whether individual-level or population-based.
    • Creating an Exception to the "Minimum Necessary" Standard for Disclosures for Individual-Level Care Coordination and Case Management. The Privacy Rule generally requires that covered entities use, disclose, or request only the minimum PHI necessary to meet the purpose of the use, disclosure, or request. The standard includes exceptions to facilitate the provision of health care to individuals, including disclosures to, or requests by, a health care provider for treatment purposes. Care coordination and case management are subject to the minimum necessary standard, however, because they are currently considered "health care operations activities." The proposed rule would add an express exception to the standard for uses by, disclosures to, or requests by, a health plan or covered health care provider for individual-level care coordination and case management, regardless of whether such activities constitute treatment or health care operations.
    • Clarifying Permitted Disclosures of PHI for Care Coordination and Case Management. The proposed rule would create a new subsection that would expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and other similar third parties that provide health-related services for individual-level care coordination and case management, either as a "treatment" activity of a covered health care provider or as a "health care operations" activity of a covered health care provider or health plan. As such, these disclosures would not require authorization by the individual.
    • Encouraging Disclosures of PHI in Emergency Circumstances. The proposed rule would amend five sections of the Privacy Rule that currently permit covered entities to use and disclose PHI based on their "professional judgment," and instead permit such uses and disclosures based on covered entities' "good faith belief" that they are in an individual's best interests. The new standard would presume covered entities' good faith but allow this presumption to be rebutted. This proposed modification seeks to encourage health care providers to disclose PHI when families and other caregivers attempt to assist an individual with a health-related emergency, substance use disorder, or serious mental illness. In a similar vein, the proposed rule would also lower the standard for the Privacy Rule provision that permits a covered entity to use or disclose an individual's PHI to avert a threat to health or safety from a "serious and imminent threat" standard to a "serious and reasonably foreseeable threat" standard.
  • Reducing Regulatory Burdens. The proposed rule also reflects an attempt to reduce regulatory and/or administrative burdens, including by:
    • Eliminating the Requirement to Obtain Written Acknowledgment of a Notice of Privacy Practices (NOPP). The Privacy Rule requires a covered health care provider with a direct treatment relationship to an individual to make a good faith effort to obtain the individual's written acknowledgment of receipt of the provider's NOPP, or if the provider is unable to obtain such a written acknowledgment, to document its good faith efforts and the reason(s) for not obtaining the acknowledgment and to maintain that documentation for six years. The proposed rule would eliminate the written acknowledgment and corresponding record creation and retention requirements, and instead create an individual right to discuss the NOPP with a person designated by the covered entity. The proposed rule also includes proposed modifications to the content of the NOPP, including to the header information and the description of the access right.

If the amendments in the NPRM are adopted, covered entities will need to update their HIPAA compliance programs in a number of areas, including updating operating processes to accommodate the modified and expanded patient access rights and updating policies and procedure documentation to address these access rights changes; updating their NOPP to align with new content requirements and specifications; and ensuring members of the covered entity's workforce are appropriately trained on responding to expanded individual access rights. Additionally, business associate agreements will need to be evaluated, and likely amended, to ensure business associate obligations relating to access requests are in line with the amended access right requirements.

Public comments on the NPRM are due 60 days after the date of publication in the Federal Register. The NPRM was posted on the OCR website on December 10, 2020, but has not yet been published. Comments may be submitted via the following methods:

  • Federal eRulemaking Portal. Stakeholders may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number
    HHS-OCR0945-AA00l; or
  • Regular, Express, or Overnight Mail, at:
    U.S. Department of Health and Human Services, Office for Civil Rights
    Attention: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM, RIN 0945-AA00
    Hubert H. Humphrey Building, Room 509F
    200 Independence Avenue, SW
    Washington, D.C. 20201

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved