On January 21, 2021, the Federal Register published a rule outlining proposed changes to the Privacy Rule within the Health Insurance Portability and Accountability Act (HIPAA). It would reduce administrative and regulatory burdens on providers while increasing patients’ ease of access to their medical records.
Submitted by the Department of Health and Human Service’s (HHS’s) Office of Civil Rights (OCR), the rule is open for public comments until March 22, 2021.
To ease access to telehealth services for Medicare recipients during COVID-19, HHS relaxed its enforcement discretion around certain parts of the Privacy Rule earlier this year. However, many private payers did not follow suit. The OCR’s proposal universalizes HHS’ action, which notably removed requirements that providers obtain and store a Notice of Privacy Provisions (NPP) for every patient for six years. Instead, providers could use a modified NPP to meet compliance requirements for telehealth visits.
While the rule from OCR addresses many issues around patient access and the use of Protected Health Information (PHI) in care coordination, questions remain as to the potential misuse of sensitive PHI given the relaxed rules.
Indeed, more than 20 years have passed since HIPAA was enacted in 1996 to both protect the rights of consumers in group health plans and establish safeguards to prevent theft and fraud of PHI. From 2003 to 2013, the transition from paper to electronic medical records presented new security and privacy issues, requiring continuous updates – now collectively known as the HIPAA Privacy Rule – to address these new challenges. Today’s rapid adoption of telehealth services only heightens the importance of such updates.
The Privacy Rule established safeguards for PHI; codified a minimum necessary standard to limit inappropriate access, use, or disclosure of PHI; and defined compliance requirements for providers who maintain PHI. However, it puzzlingly did not ensure patient access to their own medical information. Confusion about the rule has also limited its use in care coordination and case management activities integral to value-based care.
To address this, OCR took action on December 10, 2020. Driven by a 2018 Request for Information that explored how changes to HIPAA could better support patient access and value-based care, OCR then issued a formal Notice of Proposed Rulemaking entitled Proposed Modifications to the HIPAA Privacy Rule to Support and Remove Barriers to Coordinated Care and Individual Engagement, the foundation of January’s proposed rule. In addition to NPP relaxation, it addresses two key areas:
1. Ensuring patient access to health information
Covered entities, including providers and health plans, would need to comply with the following requirements to ensure patient access to PHI:
- Response timeliness: Responses to a request for PHI must occur within 15 calendar days, and extensions for a request are limited to 15 calendar days.
- Right of access: Individuals can inspect PHI in person and use personal resources, such as note taking or capturing images on a mobile phone.
- Third party directives: Healthcare providers and health plans must provide electronic copies of PHI to another healthcare provider at the patient’s request.
- Fee limitations: No fee can be charged for access to PHI in person or by use of internet-based methods to view or obtain a copy of electronic PHI maintained by or on behalf of the provider or health plan. Only reasonable cost-based fees for non-electronic copies of PHI, or electronic copies of PHI directed to a third party, are permissible.
- Identity verification: Burdensome identification verification or notarization requirements are prohibited to access PHI.
2. Increasing availability of PHI for care coordination and case management
The proposed rule establishes an exception to the minimum necessary standard for the use of PHI for:
- Individual level care coordination
- Case management activities
- Health-related social services social and community-based services provided by third parties
- Patients in an imminent or foreseeable emergency or health crisis
OCR is expected to publish a final rule in 2021 that will support the information interoperability and patient access provisions of the 21st Century Cures CMS and ONC Interoperability rules. For more on the 21st Century Cures Act, click here.