HIPAA Challenges: The Privacy Rule May Be In for a Makeover
By Jaime James, MHA, RHIA
For The Record
Vol. 33 No. 5 P. 6
Enacted into law in December 2000, HIPAA’s Privacy Rule has since been updated, including the 2013 HIPAA Omnibus Rule that introduced requirements mandated by the HITECH Act, and new guidance issued following the 2020 court ruling in the Ciox, LLC vs Azar case.
The most recent major update, proposed on January 21, 2021, addresses barriers that may impede the transition to value-based care. Modifications include strengthening the individuals’ right of access, increasing permissible disclosures, reducing regulatory burden, and improving care coordination and care management.
The Notice for Proposed Rule Making (NPRM) received 1,436 comments from a variety of interested parties such as individuals, attorneys, and various health care staff, providers, and organizations.
Health and Human Services (HHS) will review the comments and publish another NPRM or a new HIPAA Privacy Final Rule. There is no specific timeline on when this may happen. Once the Final Rule is published in the Federal Register, the following dates would be applicable:
• Effective Date: 60 days after the Final Rule is published in the Federal Register;
• Compliance Date: 180 days from the Effective Date; and
• Enforcement Date: 240 days after Final Rule is published in the Federal Register.
Based on industry response, there is support for various aspects of the modifications, as well as concerns. Concerns include the need for more alignment with other regulations such as the 21st Century Cures Act, the 42 CFR Part 2 regulations covering federally assisted substance use disorder treatment programs, and state health data privacy laws. To fully assess the impact of these changes, the NPRM should be discussed with your organization’s legal counsel.
Individuals’ Right of Access
Proposed changes and considerations related to individuals’ right of access include the following:
EHR and Personal Health Application (PHA) Definitions
HIM should evaluate the proposed definition wording, where the new terms are used within the proposed rule, how the definitions align to other regulatory definitions, and any organizational impact.
The proposed rule adds that an individual’s right to direct their records to a third party is now based on the EHR definition, whereas an individual’s right to request their protected health information (PHI) for themselves remains unchanged and is based on the designated record set (DRS). An organization must also document the EHRs that are subject to the individual’s right to direct to a third party, in addition to the DRSs that are subject to access by individuals.
Per the proposed rule, the EHR definition aligns with the HITECH EHR definition. There is industry concern, however, that the proposed definition broadens the HITECH definition beyond clinical information to include billing records. If the definition is to include clinical and billing records, some experts believe that the definition, as written, should clearly indicate billing records are included.
How the proposed EHR definition correlates to the current DRS definition should be reviewed. Both definitions include medical and billing records; however, DRS also includes records used to make decisions about individuals. It’s important to note that as of October 6, 2022, the Information Blocking electronic health information definition will no longer be limited to the United States Core Data for Interoperability data elements. Instead, it will be based on the full electronic health information which is defined as an organization’s DRS.
For the proposed PHA definition, industry comments include asking for a clearer understanding of how the proposed definition aligns with the Cures Act Final Rule. Clarification was requested on the relationship between PHAs and “applications a patient chooses to use.” Industry comments include the need for clarification on the forms PHAs may take such as web, mobile, and desktop applications.
Comments reflect concern that the proposed PHA definition is too broad and needs to clearly state that disclosures to a PHA are to a third party as opposed to an extension of the individual. This is supported by the fact that the proposed rule acknowledges that most PHA applications are not covered under HIPAA and have their own data practices that may not follow privacy and security best practices.
The proposed rule asks for comments on whether covered entities (CEs) should be responsible for educating individuals on the risks and benefits of transmitting PHI to a PHA that is not covered under HIPAA. Comments reflect that this educational responsibility could be cumbersome for CEs. Under Information Blocking, actors are not required but are highly encouraged to educate their patients on the use of third-party applications.
HIM is already encountering situations that are causing confusion. Third parties, often acting on behalf of other nonhealth third parties such as attorneys and insurance companies, are creating PHR web application locations to which patients can request their records be sent. Some requests specifically state the request is not a patient-directed third-party request.
HIM must then determine whether the request is indeed a patient-directed third-party request and consider how much the individual understands about where their information is being sent and how it will be used. Unfortunately, many patients do not understand.
Right to Inspect Records
The proposed rule adds that when individuals are inspecting their record in person, they can take notes and photographs, and use other personal resources to capture their PHI in a DRS. This modification requires that when PHI is “readily available” at the point of care or in conjunction with an appointment, a provider is not permitted to delay the right of inspection.
There’s trepidation within the industry about the possible organizational and resource impact of these modifications at the point of care—especially in care settings such as the emergency department, behavioral health, and during telehealth visits. For example, questions have been raised about the possibility of filming providers/staff without consent.
Timeliness of Access
The proposed rule shortens the request response time to “as soon as practicable” but in no case longer than 15 calendar days (down from the current 30-day requirement), and includes a one-time 15-calendar-day extension. The timeline applies to individuals requesting records for themselves in any form or format and when directing an electronic copy of PHI be sent to a third party.
To trigger the 15-day extension, a CE must implement a policy prioritizing urgent and high-priority requests such as those related to continuing care or the health and safety of the person (when known).
The proposed rule also prohibits “unreasonable measures” that could impede access such as requiring a HIPAA authorization when an access request is acceptable or that the request be made in writing, in person, or only via the CE’s portal when other methods are available.
While some industry comments reflect support of adding “as soon as practicable,” concerns have been voiced related to the 15-day requirement. Many organizations have multiple legacy systems featuring paper records, including some stored offsite, from which a request must be compiled. While the proposed rule does not change the current language that the response time is based upon receipt of the request, requests are often sent to the wrong location within an organization.
HIM should proactively assess how the proposed timeline impacts current practices and resources, also keeping in mind how best to respond to requests “without delay” as defined under Information Blocking and the Content and Manner exception.
Form and Format Requested
The proposed rule updates the language to include that a CE must electronically transmit a copy of PHI upon request. Electronic transmission is defined as e-mail and transmission to or through an individual’s PHA (if readily producible).
Because most PHAs are not covered under HIPAA, some in the industry believe that PHAs should be certified by an independent organization to indicate they meet minimum privacy and security standards. Additionally, some believe that the Office for Civil Rights should provide model language and resources to inform patients of the risks and benefits.
Identity Verification Burden
The proposed rule adds language to explicitly prohibit unreasonable measures for identity verification such as requiring notarization of signatures when it is not necessary, or in-person proof of identity when a remote method could be used.
HIM can assess its current identity verification processes to compare with the nonexhaustive list in the proposed rule. This change could impact CEs that are imposing unreasonable verification methods.
Copies to Third Parties
The NPRM adds a specific section to address an individual’s right to direct copies to a third party. The proposed rule is consistent with the 2020 court ruling and, therefore, with the current HIPAA Privacy Rule, which states that individuals have the right to direct their information to a third party when the request is for electronic copies from an EHR. Patient-directed third-party requests do not apply to requests from a paper medical record or for paper copies of records, whether they’re stored on paper or in an EHR.
The proposed rule alters the current requirement that patient-directed third-party requests must be in writing. Under the proposed rule, requests may be written, or oral, if clear, conspicuous, and specific. While adding oral requests provides more flexibility in how requests can be made, this has raised questions within the industry. For example, what determines clear, conspicuous, and specific? What processes are permissible by a CE if an oral request is not deemed acceptable? Will an oral request stand up in a court of law? How will HIM protect a patient’s privacy from potential “bad actors” and minimize breaches through miscommunication?
The proposed rule also adds new language that when directed by an individual, the provider or health plan is required to submit a request to another provider for an electronic copy of the individual’s electronic PHI. These, too, can be oral requests.
Third party-directed requests remain a challenge for HIM—especially those requests that are unrelated to treatment.
The proposed rule specifies when patients must be given their records free of charge. This includes in-person inspection and access via an internet-based method that includes access via a PHA.
HIM should compare the NPRM internet-based method description with the Information Blocking definition, which stipulates that requests for records will be free when an internet-based method is used and no manual effort is required. As industry comments reflect, the proposed rule needs to align with Information Blocking and acknowledge that there is a difference in responding to requests when manual effort is required.
When an individual requests records for themselves, the proposed rule limits the reasonable cost-based fee for electronic copies to labor only. Supply and postage costs for copying records onto a CD or other electronic media cannot be applied.
Changes may be afoot for when a patient directs electronic copies from their EHR to a third party. The 2020 court ruling confirms that, under the current Privacy Rule, patient-directed third-party requests are not subject to fee limitations. Contrary to this ruling, the NPRM proposes that for these requests, only a reasonable cost-based fee may be charged, limited to labor only. Supply and postage for electronic media cannot be charged. This change suggests there will be different fee schedules (and different requests/authorizations needed) for third-party requests based on the format requested (electronic vs. paper).
HIM should assess and understand the potential financial and operational impact these changes may have on their organizations.
Estimated Fee Schedules
The proposed rule requires that, if a CE charges a fee to an individual, it must provide advance notice of those fees on its website (if the CE has one). Also, the fee schedule must be made available to patients at the point of service and upon request. The proposed rule outlines what fees are to be included in the advance notice.
In addition, itemized fee estimates and statements must be provided upon request. While an individual’s request for a fee estimate would not automatically extend the time permitted to respond to a request, a CE could use the 15-day extension if more time is needed.
The current Privacy Rule does not prohibit a CE from requiring individuals to pay the fee upfront. While the proposed rule keeps this benefit intact, HHS continues to encourage CEs to waive fees or provide flexibility for those unable to pay upfront or those with financial hardship.
Notice of Privacy Practices (NPP) Requirements
Based on the perceived cumbersome nature and cost associated with the current NPP regulations, the following modifications have been proposed:
• eliminating the requirement to obtain an individual’s written acknowledgement of receipt of a direct treatment provider’s NPP;
• replacing written acknowledgement with the individual’s right to discuss NPP with a designated person;
• eliminating the need to retain NPPs for six years; and
• modifying the content of the NPP.
The NPP changes have mostly been viewed as positive with a few concerns expressed about the continued need for patients to acknowledge their rights in writing.
Care Coordination and Care Management
Several changes have been suggested to improve care coordination and care management.
Modifying the Health Care Operations (HCO) definition. Under the current rule, HHS has found that some CEs interpret HCO to include only population health–based activities. This is a barrier for health plans that fall under the HCO definition when they provide individual-level care coordination and case management activities.
The proposed rule makes punctuation changes (commas to semicolons) within the definition to clarify that HCO includes care coordination and case management activities for both population-based and individual-level activities.
Adding minimum necessary exception for case management and care coordination activities. The current Privacy Rule includes a minimum necessary exception for disclosures to or requests by a health care provider for treatment purposes. The proposed rule adds language to explicitly state that this also includes care coordination and case management activities with respect to an individual.
For HCO, the proposed rule adds a new minimum necessary exception for disclosures to or requests by health plans for care coordination and case management activities with respect to an individual.
The proposed rule retains the right of individuals to request their information not be disclosed and the minimum necessary requirements for other types of disclosures.
Clarifying PHI disclosures to third parties for case management and care coordination purposes. This change clarifies and adds a new subsection that will expressly permit CEs to disclose PHI for individual-level care coordination and case management activities to social services agencies, community-based organizations, home and community-based service providers, and other similar third parties that provide health-related services.
While most of these services will not be covered under HIPAA, HHS does not intend to limit the disclosures or require specific individual authorization. Comments from the industry include asking for additional examples of these organizations and clarification on how to document these cases when disclosing PHI to these parties.
Replacing and expanding PHI disclosures to help individuals experiencing substance use disorder, serious mental illness, and in emergency circumstances. These modifications directly relate to permissible disclosures for care coordination by doing the following:
• replacing “professional judgment” with “good faith belief” that the disclosure is in the best interest of the individual in five of the HIPAA Privacy provisions; and
• expanding the ability of CEs to use or disclose PHI without having to determine whether a threat to health or safety is “serious and imminent” and instead whether it is “serious and reasonably foreseeable.”
Many industry stakeholders view these changes as positive. However, consideration needs to be given to other government regulations. The Information Blocking, Preventing Harm, and Privacy Exceptions reference the Privacy Rule calling on the use of professional judgment. In addition, there is the opportunity to further align the Privacy Rule and 42 CFR Part 2 regulations.
Modifying disclosures to telecommunications relay services (TRS). TRS is a federally mandated service that facilitates telephone calls between individuals who are deaf, hard of hearing, or deaf-blind, or who have a speech disability.
The proposed rule expressly permits disclosures of PHI to TRS communication assistants by CEs and their business associates. It also modifies the definition of business associate to exclude TRS providers and clarifies that a business associate agreement is not needed.
Expanding disclosures to armed forces. Two branches of the armed forces are not explicitly included under the current HIPAA Privacy Rule. The proposed rule expands disclosures to all uniformed services and adds the Public Health Service Commissioned Corps and the National Oceanic and Atmospheric Administration Commissioned Corps.
While these are proposed rules, it is important for HIM to understand the direction HHS is headed with regard to privacy, and how the Privacy Rule modifications intersect with the new Information Blocking Rule and other regulations. The changes have potential operational and financial impacts on HIM and health care organizations. A point to remember is, in general, what is permissive under HIPAA becomes an obligation to share under Information Blocking.
No matter the outcome of the NPRM, HIM is in position to lead organizational discussions on the positive aspects and challenges presented by the proposed changes.
— Jaime James, MHA, RHIA, is the senior HIM consultant for legislative policy and compliance at MMRA.