HHS Proposes Changes to the HIPAA Privacy Rule to Promote Patient Access to PHI, Care Coordination and Value-Based Health Care

On December 10, 2020, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced proposed changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule via a Notice of Proposed Rulemaking (the “Proposed Rule”). The intent of this Proposed Rule is to build on feedback HHS received during its 2018 Request for Information asking stakeholders how HHS could modify the HIPAA Privacy Rule to support value-based health care and care coordination, while preserving the privacy and security of each patient’s protected health information (“PHI”).¹ Accordingly, among other provisions, the Proposed Rule proposes modifications to the Privacy Rule that improve an individual’s access to PHI and clarify the scope of care coordination and case management. Notably, many of the key provisions of the Proposed Rule, which are further described in this Alert, also reflect a U.S. District Court for the District of Columbia decision from earlier this year that vacated in part certain HHS regulations regarding the delivery of an individual’s PHI to third parties.²

The Proposed Rule is part of HHS’s “Regulatory Sprint to Coordinated Care,” a Trump administration initiative aimed at promoting value-based health care by ensuring that regulatory burdens do not unnecessarily impede coordination among health care providers, health plans, and other stakeholders.³ In related rulemaking, HHS agencies also recently published final rules on information blocking, interoperability, and patient access requirements as well as a final rule that introduces safe harbors and exceptions under the Anti-Kickback Statute and Stark law, respectively, for value-based health care arrangements. Ropes & Gray has covered both rules in separate Alerts.⁴

Comment Period & Compliance Date

The Proposed Rule is subject to a 60-day comment period beginning on the date that it is published in the Federal Register. Once the Proposed Rule is published as final in the Federal Register, then the regulations would be effective 60 days thereafter, followed by the 180-day compliance period set forth in the Privacy Rule. Accordingly, covered entities and business entities will have the full 240-day period before HHS’s enforcement of the changes to the regulations.

An Individual’s Right of Access to PHI

Under the Privacy Rule, covered entities must provide individuals, upon their request, the ability to access, inspect, and copy PHI in their designated record sets. The Proposed Rule would bolster this right in significant respects, including by:

• allowing individuals to use their own devices and resources to capture their own PHI, free of charge, in order to minimize barriers to obtaining timely access to their PHI;
• shortening the covered entities’ required response time from the current 30-day time frame with 30-day extension to a 15-calendar-day timeframe with a one-time 15-calendar-day extension;
• amending the fee structure so that electronic PHI is provided free of charge to requesting individuals;
• requiring covered entities to post on their websites their estimated fee schedules for providing individuals access to their PHI; and
• clarifying the format required for responding to individuals’ requests for their PHI (e.g., if the electronic PHI is available via a standards-based API format, then such a format would be acceptable).

In modifying their provisions to an individual’s right of access to PHI, HHS clarified that covered entities would need to adopt policies and procedures that are reasonable in light of these changes.

An Individual’s Right to Direct PHI to Third Parties

The Proposed Rule would amend the Privacy Rule to clearly distinguish between the aforementioned individual’s right to access, inspect, and copy PHI and an individual’s right to direct the sharing of PHI in an EHR among covered entities, as established under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. At the individual’s request, covered entities would need to submit, on behalf of the individual, a request to access electronic copies of the individual’s PHI housed in another health care provider’s EHR. In turn, the Proposed Rule would also require covered entities to respond to records requests that they receive from other covered entities when directed by an individual’s request, which could be made orally or in writing. Covered entities could levy fees in conjunction with these requests; however, the Proposed Rule would limit such fees to the expenses associated with the labor required.

Covered Entity Disclosures for Care Coordination and Case Management

The Privacy Rule currently allows disclosures for treatment and health care operations purposes without the need for patient authorization. Within the definitions of “treatment” and “health care operations,” the Privacy Rule includes some care coordination and case management activities. As an example of those activities, the Privacy Rule states that activities such as population health management would be care coordination and case management activities. The Proposed Rule would clarify HHS’s view that this example is not meant to be limiting and that individual-level care coordination and case management would be included as care coordination and case management activities.

The Proposed Rule would also clarify that covered entities could also disclose PHI to social services agencies, home- and community-based service providers, and other similar third parties that provide health-related services in order to facilitate the coordination of care and case management for individuals. Such third parties do not need to be health care providers or covered entities for such disclosures to be allowable.

In furtherance of HHS’s objective to minimize any burdens to such care coordination and case management activities, the Proposed Rule would also add an exception to the Privacy Rule’s “minimum necessary” standard for disclosures to or requests by a covered entity for care coordination and case management activities.

Disclosures to Help Individuals in Emergency Circumstances

The Proposed Rule would change the disclosure requirement during “emergency circumstances” from making disclosures of PHI to avert a threat to health and safety when a harm is “serious and imminent” to when a harm is “serious and reasonably foreseeable.” HHS’s intent is to address situations where covered entities were not sure whether a disclosure could be made for lack of imminence, such as a patient that seems suicidal but has not expressed any imminent plans to commit suicide. Moreover, the Proposed Rule would allow covered entities to make disclosures when, based on their “professional judgment,” the disclosure is in the best interest of the individual. For example, if an individual is incapacitated due to an overdose, a health care provider may share the individual’s status with the individual’s family if the provider has a good faith belief that the disclosure is in the best interest of the individual.

Notice of Privacy Practices

The Proposed Rule would eliminate the requirement to obtain an individual’s written acknowledgment of receipt of a provider’s Notice of Privacy Practices (“NPP”). Instead, covered entities would need to provide an individual with the right to discuss the NPP with a person designated by the covered entity.

 * * *

If you have questions about any topic covered in this Alert, please contact your regular Ropes & Gray advisor.