Yolanda Sims, JD, MHA
KAMMCO Loss Prevention and Risk Management Advisor
On January 21, 2021, the Federal Register published a rule outlining proposed changes to the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). It would reduce administrative and regulatory burdens on providers while increasing patients’ ease of access to their medical records. The entire rule is too lengthy and complex to cover in this article. For the sake of brevity, I will highlight several key components and provide a few examples to aid understanding.
Individual Access Rights
The proposed changes aim to strengthen patient access to their protected health information (PHI) by permitting individuals to inspect their PHI in person, including taking notes or using other personal devices to view and capture images of their records.
Empowering and Providing a Pathway for Sharing
The proposed rule would permit the individual to control the sharing of PHI in an electronic health record (EHR) among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.
The proposed rule would shorten covered entities' required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
New and Expanded Definitions
The proposed rule would broaden the definition of healthcare operations and, for the first time, add definitions of Electronic Health Record (EHR) and Personal Health Application (PHA). The EHR definition would be generally consistent with the HITECH Act of 2009.
Disclosures to Facilitate Care with Social and Community Services
The proposed rule would expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based service providers, or similar third parties that provide or coordinate health-related services that are needed for care coordination and case management with respect to an individual.
Changing the Content to NPPs
Covered entities would no longer be required to obtain written confirmation that a Notice of Privacy Practices (NPP) has been provided, nor to maintain the documentation for six years.
Covered entities would be required to post estimated fee schedules on their websites for both PHI access and disclosures with an individual’s valid authorization as well as provide individualized estimates of fees for an individual’s request for copies of PHI. The proposed rule would also require specifications for when electronic PHI must be provided to the individual at no charge.
Disclosures to Prevent Harm or Lessen the Threat of Harm: Permitted to Avert Threat of Health and Safety
The proposed rule would expand the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable”, instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
- Example: An emergency room doctor who sees an elderly patient with COVID-19 could contact the patient’s nursing home to alert them of the potential exposure of other residents and staff based on the serious and reasonably foreseeable threat of infection with COVID-19, without delay caused by the need to assess whether the threat is sufficiently “imminent” to permit the disclosure.
Disclosures of PHI in the Best Interests of Individuals Experiencing Emergencies or Health Crises, Including Serious Mental Illness and Substance Use Disorder Crises
The proposed rule would facilitate the disclosure of PHI needed to improve care for individuals experiencing certain health emergencies by modifying the standard for certain permitted disclosures from one based on a covered entity’s “professional judgment” to one based on its “good faith” belief that a disclosure would be in the best interests of the individuals.
- Example: Good faith would permit a licensed health care professional to draw on experience to make a determination that it is in the best interests of a young adult patient, who has overdosed on opioids, to disclose relevant information to a parent who is involved in the patient’s treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient’s recovery from the overdose.
Telecommunications Relay Services (TRS)
The proposed rule would expressly permit disclosures to TRS communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and would modify the definition of business associate to exclude TRS providers.
- Example: A hospital nurse who is deaf can use a TRS communications assistant to facilitate a call with a health plan representative about pre-authorization for a patient’s procedure, or to coordinate post-discharge care for an individual with another health care provider, without obtaining the individual’s authorization and without the hospital having a business associate agreement with the TRS provider.
All health industry participants (clinicians and healthcare consumers) are encouraged to visit www.regulations.gov and partake in the comment period before the Department of Health and Human Services (HHS) makes a final decision on the proposed modifications. The public comment period is set to expire March 22, 2021. The effective date of a final rule would be 60 days after publication. In summary, the proposed rule would require covered entities and business associates to update policies, procedures and processes once finalized. As a provider of care, your action item is to consider now how these changes may operationally impact your organization.
Office for Civil Rights (OCR) Proposes Modifications to the HIPAA Privacy Rule to Empower Individuals, Improve Coordinated Care, and Reduce Regulatory Burdens FACT SHEET (December 2020).
Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement 86 Fed. Reg. 6,446 (January 21, 2021)