Regulatory and Health Industry
What You Need to Know About Proposed Modifications to HIPAA’s Privacy Rule
A Notice of Proposed Rule Making (NPRM) for modifications to the HIPAA Privacy Rule was published by the Department of Health and Human Services (HHS) in the Federal Register on January 21 and is open for comment until March 22. The purpose of the proposed changes is to improve individual access to protected health information (PHI) and increase permissible disclosures of PHI with the intent of improving care coordination and case management.
This is a high-level summary of the proposed modifications. Some of the key comments made by HHS in the NPRM are included along with associated NPRM page numbers. To fully assess the impact of the changes, the NPRM should be discussed with your organization’s legal counsel.
Summary of Modifications
Adds Definitions for Electronic Health Record (EHR) and Personal Health Applications
- Proposed EHR definition (p. 42, 338)
- EHR means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized healthcare clinicians and staff. Such clinicians shall include, but are not limited to, healthcare providers that have a direct treatment relationship with individuals as defined at 164.501, such as physicians, nurses, pharmacists and other allied health professionals. For purposes of this paragraph, “health-related information on an individual” covers the same scope of information as the term “individually identifiable health information” (IIHI) as defined at 160.103.
- Proposed personal health application definition (p. 47, 338)
- An electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared and controlled by or primarily for the individual and not by or primarily for a covered entity or another party such as the application developer.
- Further explanation: A personal health app is a service offered directly to consumers. The covered entity (CE) does not manage, share, or control the information nor does the application developer manage the information on behalf or at the direction of a healthcare provider or health plan (e.g., through a patient portal) or another party that collects or manages PHI for its own purposes (e.g., research organization).
Modifies Provisions on Individuals’ Right of Access
- Strengthens individual right to inspect their PHI in person (p. 49, 185, 348)
- Adds that individual can take notes, photos, videos to capture copies of their PHI in a designated record set (DRS).
- Requires when PHI is “readily available” at the point of care or in conjunction with an appointment, provider is not permitted to delay the right to inspect.
- Stipulates that providing a summary (even if patient agrees to it) does not replace a patient’s right to a copy.
- Modifies implementation requirements and shortens CE response time (p. 53, 58, 185, 348)
- May still require an access request in writing but prohibits “unreasonable measures” that could impede access such as:
- Filling out HIPAA authorization when access request is acceptable
- Submitting request only in paper form, only in person or only through CEs portal
- Changes response time to 15 calendar days (from 30 days), including a one-time 15-day extension
- Requires policies and procedures for prioritizing urgent and other high priority access requests to limit need for 15-calendar day extension
- Response time applies to individual requests and individual requests directed to third parties
- Addresses form of access (p. 63, 187, 350)
- Addresses what constitutes “readily producible” form and format when providing requested copies of PHI
- Addresses ePHI transmitted via a personal health application
- Requires CEs to inform individuals about their right to obtain or direct copies of PHI to a third party when a summary or explanation is offered
- Addresses individual right of access to direct copies of PHI to third parties (p. 68, 188, 351)
- Creates separate set of provisions to address individual right to direct copies to third party
- Limits the right to direct transmission of copies of PHI to a third party to only electronic copies of PHI in an EHR
- Requests can be oral or written if clear, conspicuous, and specific including requests submitted via an internet-based method such as personal health app
- Creates new requirement that individuals may direct a provider or health plan (Requestor-Recipient) to submit a request for an electronic copy of the individual’s PHI in an EHR on behalf of the individual to a CE (Discloser) that maintains that individuals PHI
- Adjusts permitted fees for access to PHI (p. 78, 191, 222, 246, 350)
- Clarifies when ePHI must be provided to the individual free of charge (p. 79, 82, 351)
- Individual inspects their PHI in-person which may include recording or copying PHI in a DRS with individual’s own device
- Must be free of charge
- Inspecting PHI may include viewing the information on a patient portal, which could be made available in person for the individual at the point of care in conjunction with a healthcare appointment or at a medical records office
- Individual uses Internet-based method to view or obtain copies of electronic PHI
- Must be free of charge
- Examples include View/Download/Transmit or personal health application.
- Proposes the term “Internet-based method” would apply to portals and APIs as well as similar successor technologies. Includes any internet-based methods described in the Cures Act
- It is not the intent to apply free access to situations where the individual is simply using an online portal to submit a request for copies of PHI to be sent to him or her in a manner that would require the covered entity to incur allowable costs for supplies, postage or labor for copying
- Amends the fee structure for certain requests requested by the individual for themselves (p. 81, 84, 350)
- Access requests for non-electronic copy of PHI through other than an Internet-based method
- Reasonable cost-based fee as currently defined in Privacy Rule, including labor, supplies, postage, and costs for preparing summary
- Access requests for electronic copy of PHI through other than an internet-based method
- Reasonable cost-based fee limited to labor only for making electronic copies of the PHI and preparing a summary or explanation as agreed to by the individual
- The costs for media and postage would not be allowed for providing electronic copies of PHI by any method
- This is pursuant to section 13405(e) of the HITECH Act which states, “any fee that the CE may impose for providing an individual with a copy of such information (or a summary or explanation of such information) if such copy is in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy
- HHS understands that a CE may copy the PHI onto electronic media and mail to individual or use the export functionality of certified EHR technology to transmit ePHI. However, based on the plain reading of the HITECH statutory requirement, the Dept is proposing to limit the fees
- Amends the fee structure for certain requests when an individual directs PHI to a third party (p. 80, 85, 354)
- Individual directs electronic copy of PHI in EHR to third-party
- Reasonable cost-based fee limited to labor only for making electronic copies of the PHI and preparing a summary or explanation as agreed to by the individual
- Consistent with the 2020 Court Ruling, the NPRM proposes in 45 CFR 164.524(c)(3)(ii) to limit the right of an individual to direct copies of PHI to a third-party to only electronic copies of PHI in an EHR
- Individual directs non-electronic copy of PHI in an EHR or electronic copies of PHI that is not in an EHR to third parties
- Fees not subject to the access fee limitations
- Disclosure based on valid authorization vs access request (whether to an individual’s family member, CE researcher or any other person)
- Fees remain limited by the Privacy Rule’s provisions on the sale of PHI at CFR 164.502(a)(5)(ii)(B)(2)(viii) and 45 CFR 164.502(a)(5)(ii)(A) and by applicable state law
- Adds new requirements for notice of access and authorization fees (p. 90, 195, 223, 356)
- Requires CEs to post fee schedules on their websites (if they have one)
- Requires a CE to provide a copy of the fee schedule, upon request
- Requires CEs to provide individualized estimates of fees for copies and an itemized list of actual costs for requests for copies, upon request
- Does not prohibit requiring payment upfront before receiving copies
- Does not propose to amend rule to require CEs to fulfill the requests of individuals by providing copies before fees are paid
- Individual directs electronic copy of PHI in EHR to third-party
- Access requests for non-electronic copy of PHI through other than an Internet-based method
- Individual inspects their PHI in-person which may include recording or copying PHI in a DRS with individual’s own device
- Clarifies when ePHI must be provided to the individual free of charge (p. 79, 82, 351)
- May still require an access request in writing but prohibits “unreasonable measures” that could impede access such as:
Prohibits CEs from imposing unreasonable identity verification measures
Unreasonable identity verification measures include (p. 102, 196, 344):
- Requiring notarization of signature
- Requiring in person proof of identity when remote method could be used
Amends the definition of healthcare operations (pg. 109, 111, 197, 338)
- Clarifies the scope to include individual-focused (in addition to current population-based) care coordination and case management activities.
Creates an exception to the minimum necessary standard for disclosures to or requests from health plans or CEs for individual-level care coordination and case management activities (p. 112, 198, 224, 339)
- Some disclosures for payment purposes are related to individual-level care coordination and case management activities. Disclosures for payment purposes are subject to minimum necessary and do not change.
Clarifies scope of CEs’ ability to disclose PHI to certain third parties for individual-level care coordination and case management (p. 121, 200, 225, 341)
- Permits social services, community-based organizations, home and community-based service providers and similar third parties to facilitate individual-level care coordination and case management activities that constitute treatment or healthcare operations.
Encourages disclosures of PHI to help individuals experiencing substance abuse disorder including opioid use disorder, serious mental illness (SMI) and in emergency circumstances (p. 132, 201)
- Replaces “professional judgment” with “good faith belief” that the disclosure is in the best interest of the individual in five provisions
- Permits CEs to use or disclose PHI without having to determine if the threat is “serious and imminent” and instead whether it is “reasonably foreseeable” to avert a serious threat to health or safety
Eliminates/modifies Notice of Privacy Practice (NPP) requirements (p. 159, 202, 230, 274)
- Eliminates requirement to obtain an individual’s written acknowledgement of receipt of a direct treatment provider’s NPP
- Replaces written acknowledgement with individual’s right to discuss NPP with designated person
- Eliminates need to retain NPP for six years
- Modifies the content of the NPP
Permits disclosures to Telecommunications Relay Services (TRS) communication assistants (p. 167, 203, 231, 281, 343)
- Modifies definition of Business Associate (BA) to exclude TRS providers.
Expands Armed Forces permission to use and disclose PHI to all Uniformed Services (p. 171, 205, 343)
Comment Submission Process
Submit comments to the NPRM by any of the following methods:
- Electronic Comments: You may submit electronic comments at www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA00. Follow the instructions at regulations.govonline for submitting comments through this method.
- Regular, Express, or Overnight Mail: You may mail comments to HHS, Office for Civil Rights, Attention: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM, RIN 0945-AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue, SW, Washington, DC 20201.
Tips for Submitting Effective Public Comments
- Plan Ahead. The comment period closes at 11:59 pm (ET) on the date comments are due. Planning ahead helps to ensure that you submit your comments well before the deadline.
- Contact the Agency. If you have questions or do not understand a part of the regulatory document, reach out to the agency contact person listed on the document before submitting your comment.
- Identify the Issues. In your comment, clearly identify which issues you are commenting on within the regulatory action. Provide the page number, column, and/or paragraph from the Federal Registerif you are commenting on a particular word, phrase, or sentence.
- Selection is Fine. You do not have to comment on every issue in a rule. You may select the issues on which you wish to comment.
- Address Specific Agency Requests. The department often requests comments on specific parts of proposed rules. This may be a helpful place to focus your comments.
- Details, Details. Constructive, detailed comments (whether positive or negative) are most helpful. If you agree with a proposed action, your comments are helpful to show that the public wants or needs the proposed action. If you disagree with a proposed action, suggest an alternative (including not regulating at all) and include an explanation of how the alternative might meet the same objective or be more effective. Evidence-based information is particularly helpful.
For more information about commenting effectively, check out the full list of Tips for Submitting Effective Comments - PDF on Regulations.gov.
HHS Resources
Regulations.gov - Proposed Rule Document
Jaime James (jjames@mrview.com) has over 40 years HIM experience and is currently senior HIM consultant of legislative policy and compliance, MMRA.