Health Data, Privacy and Security, Regulatory and Health Industry

Pending Regulations Could Change How You Release Medical Records

A medical record is dynamic, with new information being added as a patient visits a physician, undergoes a procedure, gets a diagnosis, and interacts with the healthcare ecosystem in any other way. As a result, there are thousands of unstructured and discrete data points contained in a patient’s medical record, including clinical notes, lab reports, test results, and financial data. 

When a patient or other authorized party requests the release of medical records, it can be complicated. Every time a medical record is requested, an organization must consider if that requesting organization or individual is authorized to access that patient’s medical records, and what portion of the information in that record should be released. Two new notices of proposed rulemaking (NPRM) from the Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS) on substance abuse and reproductive rights, if implemented, could potentially add to this complication.

Organizations such as AHIMA and the Association of Health Information Outsourcing Services (AHIOS) are carefully watching these proposed rules, as both would have a significant impact on the systems, processes, and workflows related to releasing medical records. But that’s not to say that these proposed changes are bad — in fact, both are a positive (and necessary) step toward providing increased patient privacy protections in our ever-evolving healthcare landscape. AHIOS’s goal is simply to educate lawmakers, providers, and patients about the impact these changes would have on the process of medical record release.

Proposal To Strengthen Privacy for Patients with Substance Abuse Disorders

In December 2022, HHS proposed new protections to increase care coordination and confidentiality for patients with substance abuse disorders. Building on CARES Act legislation passed in 2020, this NPRM is intended to align certain terms, as well as privacy and security requirements between 42 CFR Part 2 regulations and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) so that entities subject to both rules are able to comply more easily.

Here’s a summary of the key proposed changes in this NPRM:

  • Add new requirements for interactions with government agencies, including requiring certain disclosures to HHS and new requirements around court orders for Part 2 (substance abuse) records.
  • Apply HIPAA and (Health Information Technology for Economical and Clinical Health Act (HITECH) civil and criminal penalties to Part 2 violations.
  • Add new provisions for substance abuse treatment programs including updates to prior authorization rules and new protections for patients who file complaints against treatment programs.
  • Modify notice requirements for any breaches of substance abuse records, applying the same protections as HIPAA and HITECH.

As with any legislative proposal, the devil is in the details. One of the main considerations here is the proposed change in requirements on releasing records that contain substance abuse information. For example, this NPRM would permit the disclosure of Part 2 records based on a single authorization and permit the redisclosure of Part 2 records when permitted by the HIPAA Privacy Rule (both related to the third bullet above). If passed, this would mean that anyone processing medical records must understand when previous authorizations cover subsequent releases, and when a new authorization would be required.

Proposal to Increase Privacy for Reproductive Healthcare

This second new NPRM is based on executive orders issued by the Biden-Harris Administration after the US Supreme Court case Dobbs v. Jackson Women's Health Organization in June 2022. Based on the Dobbs decision, President Biden directed HHS to consider taking additional actions related to HIPAA to “better protect sensitive information related to reproductive health care and bolster patient-provider confidentiality.” The proposed rule reasons that the Dobbs decision, along with new state laws that regulate reproductive healthcare, have changed the legal landscape, and therefore, it’s necessary to adjust the safeguards of protected health information (PHI) under HIPAA.

The key proposed changes would:

  • Specify a definition for reproductive healthcare that includes the “care, services, or supplies related to the reproductive health of an individual.”
  • Prohibit the use or disclosure of PHI for the purpose of a criminal, civil, or administrative investigation or proceeding related to seeking reproductive healthcare that is lawful under the circumstances, or the identification of a person for such an investigation or proceeding.
  • Require an attestation from requests related to health oversight, law enforcement, judicial or administrative proceedings, or from a coroner or medical examiner that the purpose of obtaining PHI is not for a prohibited purpose, as described above.

If finalized, this NPRM would impact the medical record release processes because medical records would have to be parsed for reproductive healthcare information, with an applied understanding of the new purpose-based restrictions around releasing medical records that contain reproductive healthcare information. For example, records that could have previously been released for public health purposes or a criminal or civil investigation could no longer be released without an attestation.

Here are a few of the important determinations that would have to be incorporated into the workflow for all medical record releases going forward if this NPRM becomes law:

  • If reproductive healthcare information is at play
  • If an attestation is required
  • If the reproductive healthcare information relates to care that was lawful under the circumstances

Conclusion

Complying with medical release regulations is a complex business, and it can be difficult to keep up with changing regulations. What can your organization do to be prepared?

Make sure you are keeping an eye on pending regulations and consider engaging a compliance and/or legal expert to help you outline a specific plan for your organization to remain compliant as regulations change. The good news is that both of these proposals include some buffer time between the rule becoming final and compliance being enforced — about six months for the reproductive health NPRM and 22 months for the substance abuse NPRM.

But that doesn’t mean you should wait to start your planning. Now is the time to start discussing how your organization would handle these changes so you’re not starting from scratch if one or both of these rules are finalized.


Bart Howe is president of AHIOS and CEO of HealthMark Group.