On May 6, 2021, the comment period for the proposed modification to regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule and Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”) closed. The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued its initial request for information in December 2018, subsequently released the Notice of Proposed Rulemaking (“NPRM”) to the public on December 10, 2020, and published the Proposed Rule in the Federal Register on January 21, 2021 (the “Proposed Rule”). After a significant degree of public interest in providing input on the proposals, OCR extended the comment period from its original end date of March 22, 2021, to May 6, 2021.
Comments to the Proposed Rule reveal a common thread: stakeholders support the Proposed Rule’s goals, such as increasing patient access to their health information and removing barriers to care coordination, but stakeholders are concerned about compliance in an already-complex regulatory framework and urge HHS to ensure HIPAA requirements take precedence over other potentially overlapping requirements. Additionally, Covered Entities who would be subject to the Proposed Rule also face additional hurdles due to inconsistent and potentially more restrictive state law requirements as further described herein.
Background
The proposed changes to the Privacy Rule are part of HHS’s Regulatory Sprint to Coordinated Care, launched in support of HHS’ transformation to value-based care, which has a focus on removing “unnecessary obstacles” to coordinated care and has spurred regulations from several HHS agencies, such as the Office of the Inspector General and the Centers for Medicare and Medicaid Services, in addition to OCR. Further, the Proposed Rule has been timed to coincide with the implementation of regulations to promote interoperability on April 5, 2021 (the “Interoperability Rules”)[1] pursuant to the 21st Century Cures Act[2] as we have described in prior blog posts.
Proposed Changes to the HIPAA Privacy Rule
The Proposed Rule aims to change provisions of the Privacy Rule that impede the transition to value-based health care since they have resulted in barriers to coordinated care and case management communications among individuals and covered entities (including hospitals, physicians, and other healthcare providers, payors, and insurers). It requires covered entities and business associates to update their policies, procedures, security standards, notices of privacy practices (“NPP”), authorization and disclosure forms, and business associate agreements, among other things. It aims to give providers more flexibility in disclosing protected health information (“PHI”) to provide care to patients.
Key proposed changes include the following:
- Changes to NPP. The Proposed Rule eliminates the requirement that a covered entity must obtain an individual’s signature or acknowledgment of NPP, instead allowing an individual the right, but not the requirement, to discuss the NPP with a person designated at the covered entity. The Proposed Rule also requires the NPP header to include information about how individuals can access their information, file a HIPAA complaint, and contact a designated representative.
- Removes Barriers to Coordinated Care and Care Management. The Proposed Rule allows covered entities to disclose PHI to entities that coordinate “ancillary and health-related” services, such as social services agencies, community-based organizations, and home- and community-based service providers, among others, in order to enhance support for individuals. This provision in particular supports the goals of interoperability under the Interoperability Rules by removing barriers to obtaining individual authorization and consent under the prior Privacy Rule.
- Broadens Disclosures for Health Emergencies. The Proposed Rule allows for disclosure of PHI for the care and treatment of individuals experiencing substance abuse disorders, serious mental health issues, and other health emergencies. Specifically, covered entities would be permitted to disclose PHI if there is a “serious and reasonable threat,” and covered entities are required to disclose PHI if there is a “good faith belief” it is in the best interest of an individual (as opposed to the former standard of an “exercise of professional judgment”).
- Expands Individuals’ Right to Access their PHI. The Proposed Rule allows individuals greater access to their own PHI, including allowing individuals to take notes, videos, and photographs and use other personal resources to view and record PHI in person, barring unacceptable security risks. The Proposed Rule also shortens the deadline requiring covered entities to provide individuals with access to their PHI to “as soon as practicable,” but no later than 15 days, with the possibility of one 15-day extension (from the previous 30-day deadline with one 30-day extension). The Proposed Rule also clarifies when PHI must be provided to individuals at no charge, amends the fee charged when a covered entity responds to an individual’s request to direct records to third parties, and requires covered entities to post fee schedules on their websites and, upon request, to provide fee estimates and itemized bills.
- Defined Terms. The Proposed Rule adds definitions for “Electronic Health Record” (“EHR”) and “Personal Health Application” (“PHA”), which aim to clarify the rights of individuals to direct a covered entity to transmit and access PHI given the lack of regulatory definitions for such terms previously.
Comments Express Support for Goals, Concern for Implementation
As of March 18, 2021, OCR had already received 772 comments on the Proposed Rule before it granted a 45-day extension of the comment period. The comment period closed on May 6, 2021. Key stakeholders submitted comments that largely expressed support for the goals and ideals of the Proposed Rule, but also expressed concern for the potentially complex and burdensome requirements when considered in the broader regulatory framework.
The Association of American Medical Colleges (“AAMC”) submitted a comment that emphasized its support for the provisions of the Proposed Rule that remove barriers to the exchange of health information for coordinating care among providers, payers, and others. In its comment, AAMC emphasized its support for “giving patients greater access to and control over their own health records,” and “expanding permitted disclosures of PHI to facilitate individual care coordination and case management.” However, it expressed concern about increasing the ability of non-HIPAA entities to access and use sensitive information about a patient’s health until such entities are subject to privacy and security standards commensurate with HIPAA rules. Finally, AAMC requested HHS harmonize rules addressing access to health data and interoperability, including regulations under HIPAA, the Interoperability Rules, and Title 42 of the CFR: Confidentiality of Substance Use Disorder Patient Records (Part 2) in order to improve compliance and reduce operational burden on providers.[3]
The California Hospital Association (“CHA”) submitted a comment that praised the Proposed Rule’s aim to improve patient access to their health information, reduce barriers to care coordination, and decrease administrative burden in privacy regulations. However, CHA also expressed its concern that the Proposed Rule will introduce additional regulatory complexity to a changing and complex regulatory web. It noted that the Interoperability Rules already represent a new complex regulatory environment in this field. In addition, the Coronavirus Aid, Relief, and Economic Security (CARES) Act presents another layer of complex confidentiality requirements. Finally, Part 2 of Title 42 of the CFR represents yet another layer of information blocking and sharing restrictions. Therefore, CHA urged HHS to acknowledge the overlapping regulations and not implement any proposed changes to HIPAA that would be enforced prior to the availability of technologies essential to responding to patient requests, such as those that depend on the widespread adoption of application programming interface capabilities.[4]
The American Hospital Association (“AHA”) echoed CHA’s sentiments: “The HIPAA regulations do not operate in a vacuum. It is imperative that HHS acknowledge in the final regulations the intersections of the regulations under HIPAA, the [ONC] Cures Act Interoperability and information blocking requirements, and Part 2 regulations….” The AHA similarly suggested that HIPAA, as the most comprehensive of the three federal regulatory regimes, should take preeminence for health privacy protections and the other rules should defer to and conform with its privacy obligations. In particular, the Interoperability Rules should align with the obligations created under HIPAA and not create overlapping requirements.[5]
Finally, the American College of Radiology (“ACR”) expressed a similar sentiment. While it concurred with the NPRM’s stated goals, ACR felt concern that the introduction of new complex topics could be unduly complex and burdensome in the medical imaging context.[6]
Implications of the Proposed Rule
As discussed above, while several commenters broadly acknowledge the merits of the Proposed Rule’s goals, there are significant concerns about the complexity the rule adds and the general issues related to overlapping regimes created by various departments/agencies within HHS. By way of example, OCR has created definitions for PHA and EHR and expanded individual access rights; however, the Interoperability Rules attempted to create standards regarding such access through references to the United States Core Data for Interoperability (USCDI). If the Proposed Rule is finalized, entities will be required to navigate multiple layers of overlapping and potentially conflicting regulations.
A second key issue is the impact of state laws on the Proposed Rule and other regulations being issued by HHS pursuant to the “Regulatory Sprint to Coordinated Care.” Since HIPAA does not pre-empt state law that is more protective of PHI, health care providers and other covered entities need to examine to what extent they will be able to rely on the more liberal disclosure requirements around coordinated care if such disclosures are restricted by state law. Several states such as California and New York have more restrictive laws that may prohibit such disclosures.
We will continue to monitor and provide relevant updates regarding the Proposed Rule as HHS provides additional guidance.
[1] 85 FR 25642 (May 20, 2020) (as corrected at 85 FR 43711 (July 20, 2020) and 85 FR 4709 (August 4, 2020)); and 85 FR 25510 (May 1, 2020)
[2] Pub.L. 114 – 255 (December 13, 2016)
[3] Association of American Medical Colleges, Comment re: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement [RIN 0945-AA00], May 6, 2021.
[5] American Hospital Association, Comment re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, March 20, 2021.
[6] American College of Radiology, Comment re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement; March 15, 2021.