OCR Issues Proposed Modifications to HIPAA Privacy Rule

OCR Issues Proposed Modifications to HIPAA Privacy Rule to Remove Barriers to Coordination of Care and Reduce Regulatory Burden

Overview


On December 10, 2020, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) with proposed modifications to the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) adopted under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (collectively, HIPAA). The proposed modifications support individuals’ engagement in their care, remove barriers to coordinated care and reduce regulatory burdens in the health care industry under HHS’s Regulatory Sprint to Coordinated Care.

In Depth


On December 10, 2020, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) with proposed modifications to the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) adopted under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (collectively, HIPAA).

The proposed modifications respond to comments that OCR received to its December 14, 2018, Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (2018 RFI) and are intended to support individuals’ engagement in their care, remove barriers to coordinated care and reduce regulatory burdens in the health care industry under HHS’s Regulatory Sprint to Coordinated Care. According to HHS Secretary Alex Azar, “Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long. As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.” However, the modifications would also add burdens, including new content requirements for HIPAA covered entities’ notices of privacy practices (NPPs), shorter timeframes for responding to individuals’ access requests and a new access fee notice regarding fees for individuals’ requests for copies of medical records and other records in a designated record set. For more information on the 2018 RFI, please see our On the Subject. For more information regarding the Regulatory Sprint to Coordinated Care, visit our Regulatory Sprint Resource Center.

The NPRM solicits comments on OCR’s proposals, which are due 60 days after publication of the NPRM in the Federal Register.

Individual Right of Access

The NPRM would make several changes to individuals’ Privacy Rule right to inspect and obtain copies of their protected health information (PHI) maintained in a designated record set. The proposed changes would:

  • Expand the methods that individuals may use when inspecting their health information to include the ability to take notes, videos and photographs.
  • Require covered entity health care providers to allow patients to review PHI upon request that is readily available at the point of care in conjunction with a health care appointment.
  • Reduce the time limit for covered entities to provide access from 30 to 15 calendar days.
  • Clarify that PHI is “readily producible” in a requested electronic form or format if another state or federal law requires the covered entity to provide access in the form or format requested.
  • Require patients to sign a valid HIPAA authorization (and not rely on the HIPAA right of access) before sending certain non-electronic PHI or electronic PHI outside of an electronic health record directly to a third party.
  • Require health care providers to transmit an electronic copy of PHI in an electronic health record (EHR) directly to a health care provider or health plan designated by the individual.
  • Limit and clarify the fees that covered entities may charge for providing access to individuals.

We discuss these proposed changes and their implications below.

Right to Inspect and Obtain Copies of PHI

OCR proposes to expand the individual right to inspect PHI by requiring covered entities to allow individuals to take notes, videos, and photographs, and use other personal resources to view and capture PHI in the individual’s medical record, billing records or other designated record set after arranging a mutually convenient time and place with the individual. Additionally, the NPRM would require covered entity health care providers to allow individuals to, upon request, inspect PHI readily available at the point of care in conjunction with a health care appointment. In these circumstances, a covered entity health care provider would not be permitted to delay the individual’s right to inspect the PHI.

The NPRM does not define when PHI is “readily available” for purposes of inspection in conjunction with an individual’s appointment, and instead requests comment on this point. OCR also clarifies that the NPRM would not require covered entities to allow an individual to connect a personal device, such as a thumb drive, to the covered entity’s information systems in order to inspect the individual’s PHI, as doing so would pose an unacceptable security risk.

Modifying the Requirements for Requests for Access

OCR seeks in the NPRM to prevent covered entities from establishing “unreasonable measures” that prevent or unreasonably delay an individual from obtaining access to PHI. OCR has proposed examples of reasonable and unreasonable preconditions for obtaining access in the regulatory text itself. It would be permissible, for example, for a covered entity to require individuals to complete a standard form containing the information the covered entity needs to process the request. It would be unreasonable under the NPRM, however, to require an individual to obtain notarization of his or her signature on the request form, or to submit the request only in paper form, only in person at the entity’s facility, or only through the covered entity’s online portal. OCR notes that the examples it has provided in the regulatory text are non-exhaustive, leaving the door open for OCR to deem additional practices unreasonable through additional guidance or enforcement.

Timely Action in Response to Requests for Access

Currently, covered entities have 30 days to provide access to individuals after receipt of a request and may extend this time period by up to an additional 30 days by providing the individual a written statement of the reason for the delay and the expected completion date. In the NPRM, OCR proposes to shorten this period of time by half—requiring covered entities to provide access to individuals “as soon as practicable” but in no case later than 15 calendar days after receipt of the request. A covered entity may avail itself of one 15-calendar-day extension to provide access if it has established a policy to address urgent or high-priority requests. OCR further proposes to deem “practicable” any time period shorter than 15 calendar days established by other federal or state laws—meaning OCR could enforce as a HIPAA violation a covered entity’s failure to provide access within time periods established under these other laws. OCR does not define “urgent or high-priority requests” but notes that they would include situations where an individual voluntarily reveals to the covered entity that the PHI is needed in preparation for urgent medical treatment, or that the individual needs documentation in order to be able to bring and take a medication to school.

Under the Medicare Promoting Interoperability Program (f/k/a meaningful use), participating clinicians and hospitals are required to provide patients with timely access to electronic health information through a patient portal or application programming interface (API) within four business days in order to receive a positive numerator score on the applicable measure. The NPRM does not specifically reference the Promoting Interoperability Program, or indicate whether the “Provide Patients With Electronic Access to Their Health Information” measure constitutes a federal access “requirement.” However, Medicare does not require clinicians and hospitals eligible for the Promoting Interoperability Program to participate in the program. Instead, they must participate to avoid Medicare reimbursement reductions. Covered entity health care providers participating in Medicare should look for guidance from OCR in the final rule on whether the Promoting Interoperability Program “timely access” guideline will inform enforcement of the provision of electronic access under HIPAA.

Addressing the Form of Access

Currently, covered entities must provide individuals with access to PHI in the form or format requested by the individuals if “readily producible” in that form or format. The NPRM would clarify that if other federal or state law requires a covered entity or its business associate to implement a technology or policy that would have the effect of providing an individual with his or her PHI in a particular electronic form and format, such form or format would be deemed “readily producible” for purposes of compliance in fulfilling requests for such PHI. OCR notes in the NPRM preamble, for example, that covered entities that have implemented an API certified under the Health IT Certification Program of the HHS Office of the National Coordinator for Health Information Technology (ONC) would be required to make PHI available through the API to an individual’s personal health application.

The NPRM would also require covered entities that provide patients with a summary in lieu of access to PHI to inform the individual that the individual retains the right to obtain a copy of the requested PHI if the individual does not agree to receive the summary. OCR notes that this requirement does not apply if the covered entity is providing the summary because it is lawfully denying a request for a copy of the PHI (e.g., electing to provide a summary in lieu of psychotherapy notes).

Addressing the Individual Access Right to Direct Copies of PHI to Third Parties

OCR notes in the NPRM preamble that in light of the recent Ciox v. Azar decision, OCR believes it only has the authority to require directed access under the HIPAA right of access (i.e., direct disclosure to a third party identified by the individual) in situations where the requested PHI is contained in an EHR. As a result, OCR has included a three-part proposal to provide more definition to individuals’ right to instruct covered entity health care providers to disclose electronic copies of PHI to third parties.

First, the NPRM would limit requests under the right of access to provide copies of PHI directly to a third party to requests for electronic copies of PHI in an EHR. OCR proposes to define EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and their staff….” OCR clarifies that the term “health care clinician” includes all health care providers that have direct treatment relationships with individuals, and that the term “health-related information on an individual” includes all PHI.

Second, the NPRM would require a covered health care provider to respond to an individual’s request to direct an electronic copy of PHI in an EHR to a third party designated by the individual when the request is “clear, conspicuous, and specific” (orally or in writing). The proposed requirement would replace the current requirement that a request to direct an electronic copy of PHI in an EHR be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of the PHI.

Third, the NPRM would create a new required disclosure pathway under which covered entity health care providers (Disclosers) must, at the direction of an individual, disclose electronic copies of PHI stored in an EHR to covered entity health care providers or health plans identified by the individual (Requestor-Recipients). Under this pathway, the Requestor-Recipient would be required to make the request to obtain PHI on behalf of the individual as soon as practicable and within 15 days of receiving the individual’s direction and any information needed to submit the access request to the disclosing health care provider. The Discloser would be required to disclose the PHI to the Requestor-Recipient as soon as practicable, but not later than 15 calendar days after receiving the request.

Adjusting Permitted Fees for Access to PHI and ePHI

The NPRM would further modify the access provision under the Privacy Rule by establishing two types of access to PHI that the covered entity must make available to the individual for free:

  • In-person inspections of PHI, which may include recording or copying PHI in a designated record set with the individual’s own devices or resources
  • Use of an internet-based method (e.g., a patient portal or a standards-based API) to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity.

The second proposed free method of access would solidify a policy expressed by HHS in the preamble to the Cures Act Final Rule—that health care providers should make electronic health information available through APIs free of charge to patients as well as personal health application developers seeking access through the API on behalf of the patient. The Cures Act Final Rule prohibits developers of certified APIs from charging fees to personal health application developers to access the certified API.

For other types of access, covered entities would still be permitted to charge a reasonable, cost-based fee, provided that the fee includes only the following costs:

| Type of Access | Recipient of PHI | Allowable Fees |
| --- | --- | --- |
| In-person inspection, including viewing and self-recording or copying | Individual (or personal representative) | Free |
| Internet-based method of requesting and obtaining copies of PHI (e.g., using View-Download-Transmit (VDT) functionality, or a personal health application connection via certified API technology) | Individual | Free |
| Receiving a non-electronic copy of PHI in response to an access request | Individual | Reasonable cost-based fee, limited to labor for making copies, supplies for copying, actual postage and shipping, and costs of preparing a summary or explanation as agreed to by the individual |
| Receiving an electronic copy of PHI through a non-internet-based method in response to an access request (e.g., by sending PHI copied onto electronic media through the US Postal Service, or via certified export functionality) | Individual | Reasonable cost-based fee, limited to labor for making copies and costs of preparing a summary or explanation as agreed to by the individual |
| Electronic copies of PHI in an EHR received in response to an access request to direct such copies to a third party | Third party as directed by the individual through the right of access | Reasonable cost-based fee, limited to labor for making copies and for preparing a summary or explanation as agreed to by the individual |

Notice of Access Fees

The NPRM would add a new section requiring covered entities to provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual’s authorization. The Privacy Rule does not presently require the posting or provision of estimated fees, except in the limited case where an individual agrees in advance to receive a summary or explanation of PHI in lieu of receiving access to the underlying PHI. In the NPRM preamble, OCR states that the goals of this proposed change are to “increase an individual’s awareness of the cost of copies of PHI,” “make the access fee requirements more uniform” and “promote compliance . . . with fee limitations.”

Fee Schedule

The NPRM would require covered entities to post a fee schedule online if they have a website and to make the fee schedule available to individuals upon request at the point of service. With respect to fee schedule availability at the point of service, the NPRM preamble states that OCR would expect that a covered health care provider make the fee schedule available upon request, in paper or electronic form, at the point of care or at an office that is responsible for releasing medical records as well as orally (e.g., over the phone), as applicable. For covered health care providers and health plans, the point of service also could include a customer service call center that handles requests for records, or any location at which PHI is made available for individuals to inspect.

The notice must identify all types of PHI access available free of charge and, for access that requires payment of a fee, include a fee schedule for copies of PHI:

  • Provided to individuals, with respect to all readily producible electronic and non-electronic forms and formats for such copies.
  • In an EHR and directed to third parties designated by the individual, with respect to all readily producible electronic forms and formats for such copies.
  • Sent to third parties with the individual’s authorization, with respect to all available forms and formats for such copies.

Individualized Estimate

The NPRM would require covered entities to provide an “individualized” estimate of the approximate fees to be charged for requested copies of PHI, upon request. According to the NPRM preamble, OCR would expect the covered entity to provide the individualized estimate upon request and within the initial time (or in many cases sooner) in which the covered entity must fulfill the access request (prior to any extension of time that may be allowed for providing the copies) and prior to providing the requested PHI, to allow for a meaningful decision by the individual regarding the scope of the request or the form and format requested. If more time is needed to provide the requested copies after providing an individualized estimate, the covered entity may notify the individual of its need for a 15-day extension.

The NPRM would also require that covered entities provide, upon request, an itemization of the charges for labor for copying, supplies and postage, as applicable, which constitute the total fee charged to the individual for copies of PHI.

Timing of Payment

The Privacy Rule does not expressly prohibit a covered entity from requiring individuals to pay a fee for copies of PHI “upfront” before receiving such copies, and the NPRM does not propose to amend the Privacy Rule to require that covered entities fulfill access requests before fees are paid. However, the NPRM preamble provides that OCR “continues to encourage covered entities that charge fees for copies of PHI to waive fees or provide flexibility in payment (such as delaying charges or accepting payment in installments, without delaying the provision of copies) for individuals who are unable to pay upfront due to an emergency or a lack of resources.” OCR also encourages covered entities to waive access fees in cases where the individual cannot pay the fee due to a demonstrated financial hardship, including when the requesting individual is a Medicaid beneficiary, homeless, otherwise financially disadvantaged, or experiencing financial strain due to some other type of emergency situation.

Further, an individual’s request for a fee estimate under the NPRM would not automatically extend the time permitted for covered entities to provide copies of PHI under the right of access; however, a covered entity would have the ability to inform the individual if one 15-day extension is needed.

Business Associate Agreements

The NPRM would modify the Privacy Rule to clarify when a business associate must disclose PHI and to whom to accommodate an individual’s right to access. Specifically, the NPRM would specify that a business associate must disclose PHI to the covered entity so the covered entity can meet its access obligations to individuals. However, if the business associate agreement provides that the business associate will provide access to PHI in an EHR directly to the individual or the individual’s designee, then the business associate must provide such direct access. The NPRM preamble states that this proposed clarification is intended to be consistent with the preamble discussion on this topic in its 2013 omnibus final rule implementing the HITECH Act’s amendments to the Privacy Rule and subsequent OCR guidance.

Disclosures to Social Services Agency and Community-Based Organizations

The NPRM proposes to expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based services providers, and similar third parties that provide or coordinate health-related services needed for care coordination and case management. OCR noted that such disclosures may currently be permissible as treatment or health care operations activities, but that an express permission would provide clarity. The modification would clarify that the third party must provide health-related services but need not be a health care provider. Rather, the third party may provide supportive services such as food or shelter, which would reduce health risks. According to the NPRM preamble, OCR “believes this change would facilitate and encourage greater wraparound support and more targeted care for individuals, particularly where it would be difficult to obtain an individual’s authorization or consent in advance, because the individual cannot easily be contacted (e.g., where an individual is homeless).”

Care Coordination and Case Management

OCR proposes various modifications to the Privacy Rule to remove barriers to the transition to value-based health care, including to remove impediments to care coordination and case management communications among individuals, covered entities and others involved in individuals’ care. We discuss these proposals below.

Amendment to Definition of Health Care Operations to Clarify Scope of Care Coordination and Case Management

The NPRM proposes to modify the definition of “health care operations” to make clear that it includes “individual-focused care coordination and case management activities” in addition to “population-based care coordination and case management.” OCR noted that some covered entities have interpreted the definition of “health care operations” to include only population-based case management and care coordination, excluding individual-focused case management and care coordination by health plans. Because health plans do not perform “treatment” activities within the meaning of HIPAA, and therefore, cannot avail themselves of the “treatment” exception in performing these activities, this interpretation has created a barrier to a health plan’s ability to perform these activities in compliance with the Privacy Rule.

Exception to Minimum Necessary for Care Coordination and Case Management

In the 2018 RFI, OCR sought feedback on whether it should relax or change the existing exceptions to the Privacy Rule’s minimum necessary standard to include certain uses and disclosures of PHI in connection with care coordination and case management. Under the existing minimum necessary standard, covered entities and business associates may only use and disclose the minimum necessary PHI for a particular purpose, unless an exception applies. Though there is an exception to the minimum necessary standard for treatment, including care coordination and case management activities undertaken by health care providers as part of treatment, there is no broad exception for such activities when they fall outside of treatment.

Against this backdrop, the NPRM would add a new exception to the minimum necessary standard for “disclosures to, or requests by, a health plan or a covered health care provider for care coordination and case management” only when such data exchange is in furtherance of the care coordination or case management of a specific individual, rather than broad-based population level activities.

Health plans and other covered entities would be required to continue to comply with the minimum necessary standard with respect to:

  • PHI disclosures for non-individual level care coordination and case management.
  • PHI disclosures to entities other than health care providers and health plans (for example, to social service agencies or transitional supporting housing authorities).
  • Uses of PHI for care management.
  • Uses, requests and disclosures of PHI for any other activities, including population health activities.

OCR believes that this approach would enable health care providers and health plans to better coordinate their shared care of particular individuals. Although not expressly discussed, enabling health care providers and health plans to feel comfortable sharing information to coordinate the care of an individual might have immediate application as the health care system continues to struggle to address COVID-related needs and tracking and begins the wartime-like effort of inoculating the general population using multiple two-dose vaccine options, with attendant unparalleled information and data-gathering challenges. This approach may also facilitate value-based care models and enable health plans to take a greater role in improving care while controlling costs under a range of innovative risk-sharing models currently being explored, which typically have a heavy reliance on digital health tools and information sharing.

Proposed Changes to Encourage Disclosures of PHI to Help Individuals Experiencing Substance Use Disorder, Serious Mental Illness and in Emergency Circumstances

Context

OCR proposes to provide covered entities with more regulatory flexibility to disclose PHI regarding individuals who are experiencing a substance use disorder (SUD) or serious mental illness (SMI) or in the context of other emergencies. According to the NPRM preamble, these proposals are intended to respond to the US opioid crisis, increasing incidents of mass violence and, as noted in the 21st Century Cures Act, “a sense of Congress” that the Privacy Rule lacks clarity regarding when covered entities may use and disclose PHI about individuals with SMI to support their treatment. At the center of these proposals is a proposed shift to a “good faith belief” standard that covered entities would use in lieu of the current “exercise of professional judgment” standard applicable to certain permitted disclosures of PHI without a Privacy Rule-compliant authorization signed by the patient. We discuss the new “good faith belief” standard below.

While OCR has issued guidance over the past few years to help clarify when a covered entity may disclose PHI to families, caregivers and other recipients when treating a patient experiencing SUD or SMI, OCR recognizes that some covered entities remain “reluctant to disclose information to persons involved in the care of individuals experiencing these health issues, even when the Privacy Rule permits such disclosures.” The NPRM intends to address the reluctance through the proposed changes discussed below.

Good Faith Belief Standard and Presumption of Compliance

OCR proposes to amend five provisions of the Privacy Rule to replace “the exercise of professional judgment” standard and instead require a “good faith belief” standard for certain situations when a covered entity is deciding whether to make certain permitted, non-mandatory disclosures of PHI without an authorization signed by the patient. The new standard is intended to encourage covered entities to use and disclose PHI more broadly in circumstances that involve individuals experiencing SUD, SMI and emergencies without fear of HIPAA penalties. As part of the shift to the good faith belief standard, OCR proposes to add a new presumption that a covered entity complied with the good faith requirement when covered entities make a disclosure based upon a belief that the disclosure is in the best interests of the individual with regard to these five provisions, absent evidence that the covered entity acted in bad faith.

OCR notes in the preamble discussion that the proposed “good faith belief” standard is more permissive than the current “professional judgment” standard because it would allow workforce members of a covered entity other than professionals to make decisions in a patient’s best interest, and the proposed revisions to the Privacy Rule would presume a covered entity’s “good faith.”

We discuss the five proposed amendments to the Privacy Rule replacing “the exercise of professional judgment” standard with a “good faith belief” standard below.

  1. Personal Representative Standard
    • OCR’s proposed shift to a “good faith belief” standard would amend the Privacy Rule provisions regarding unemancipated minors. The Privacy Rule currently defines a personal representative to be a person authorized under state and other applicable law to act on behalf of an individual with respect to health care decisions. For parents, guardians or other persons acting in loco parentis but who are not considered a personal representative of an unemancipated minor under applicable law, covered entities currently may, but are not required to, disclose PHI to the parent, guardian or other person acting in loco parentis if the disclosure is consistent with applicable law and is based on the “professional judgment” of a licensed health care professional.
    • OCR would permit a covered entity to disclose PHI of an unemancipated minor to a parent or guardian who is not the individual’s personal representative if consistent with applicable law and a licensed health care professional has a good faith belief that the disclosure is in the individual’s best interests.
    • The proposal would provide more flexibility to a covered entity in disclosing PHI to the parent or guardian of an unemancipated minor experiencing SUD or SMI where the parent or guardian is not the minor’s personal representative. However, OCR emphasizes that the proposed change would not preempt state law prohibiting the disclosure of sensitive information, and that the provision permits, but does not mandate, such disclosures of PHI. Therefore, covered entities would need to continue to be mindful of more stringent state laws regarding disclosures of sensitive information in addition to requirements under the federal SUD confidentiality regulations promulgated by HHS’s Substance Abuse and Mental Health Services Administration regarding the disclosure of SUD or SMI information. For more information regarding the federal SUD confidentiality regulations, see our On the Subject regarding amendment to the regulations included in the CARES Act.
  2. Facility Directories
    • The Privacy Rule requires covered entities to provide an opportunity for an individual to agree or object to the individual’s inclusion in the facility directory. The NPRM would allow a covered entity to include in its facility directory the name, facility location and general condition of an individual who is incapacitated or in an emergency treatment circumstance if doing so is based on a good faith belief that the disclosure is in the best interests of the individual and is consistent with any prior expressed preference of the individual that is known to the covered entity. This change would facilitate a hospital’s disclosure of directory information about an individual who is incapacitated and unable to identify family members or other caregivers involved in his or her care who are trying to locate the individual.
  3. Uses and Disclosures with the Individual Present or Otherwise Available
    • The Privacy Rule requires covered entities to provide an opportunity for an individual who is present or otherwise available to agree or object to the disclosure of PHI to a person involved in the individual’s care or payment for care. The NPRM proposes to allow the disclosure of PHI to a person involved in an individual’s health care or payment of care if the covered entity “[r]easonably infers from the circumstances, based on a good faith belief, that the individual does not object to the disclosure,” even in circumstances where the individual is available but the covered entity has not obtained the individual’s agreement to the disclosure or provided the individual an opportunity to object. Currently, such disclosures are permitted if based on the covered entity’s “exercise of professional judgment.”
  4. Uses and Disclosures When an Individual Cannot Agree or Object (Emergencies or an Incapacity)
    • The Privacy Rule currently permits a covered entity to disclose PHI that is “directly relevant” to a person involved in an individual’s health care or payment for care when the individual is not present or cannot agree or object to the use or disclosure because of incapacity or an emergency circumstance, if the covered entity determines the disclosure is in the best interest of the patient based on professional judgment. The NPRM would replace the “professional judgment” standard and instead allow such disclosures if the covered entity has a “good faith belief that the disclosure is in the best interests of the individual ….”
  5. Verifying Requestor’s Identity
    • The NPRM proposes to modify the Privacy Rule’s requirement that a covered entity verify the identity of a person involved in the individual’s care before disclosing PHI to the person by allowing the covered entity to make a disclosure based on a good faith belief rather than the exercise of professional judgment. In the NPRM preamble, OCR states that “this proposal would, for example, improve the ability of a covered hospital to disclose PHI of an individual experiencing an emergency to a person who represents that he or she is a family member or caregiver of the individual, without requiring the family member or caregiver to present documentation of the relationship with the individual, if the hospital has a good faith basis for believing the requestor and the requestor’s identity.”

Unreasonable Verification Measures

The NPRM would prohibit unreasonable measures to verify an individual that would impede the individual from exercising the individual’s right to access PHI or other rights under the Privacy Rule. The NPRM would define an unreasonable measure as one that causes an individual to expend unnecessary effort or resources when a less burdensome verification measure is practicable for the covered entity. Practicability considerations would include a covered entity’s technical capabilities, its obligations to adopt reasonable safeguards to protect the privacy of PHI, its obligations to protect the security of electronic PHI under the HIPAA Security Rule and the costs of implementing measures that are more convenient for individuals. OCR provides the following examples of unreasonable measures: requiring an individual to provide proof of identity in person when a method for remote verification is practicable for the covered entity and more convenient for the individual, or requiring an individual to obtain notarization of the individual’s signature on a written request to exercise the individual right.

Unreasonable verification methods that do not comply with the Privacy Rule or Security Rule would also potentially be prohibited information blocking if the covered entity is a regulated actor under the Cures Act Final Rule.

Uses and Disclosures to Avert a Threat to Health or Safety

The NPRM would modify the Privacy Rule’s current disclosure exception for disclosures to avert a threat to health or safety to require the disclosure to be necessary to prevent a serious and reasonably foreseeable harm, or lessen a serious and reasonably foreseeable threat, to the health or safety of a person or the public. The reasonably foreseeable standard would replace the current requirement that a threat to health or safety be “imminent.” OCR would define “reasonably foreseeable” to mean “that an ordinary person could conclude that a threat to health or safety exists and that harm to health or safety is reasonably likely to occur if a use or disclosure is not made, based on facts and circumstances known at the time of the disclosure.”

The NPRM would also provide that when a covered entity health care provider (or a member of its workforce) that has specialized training, expertise or experience in assessing an individual’s risk to health or safety—such as a licensed mental or behavioral health professional—determines that it is appropriate to use or disclose PHI under the exception, the determination will be entitled to heightened deference if the determination is related to facts and circumstances about which the covered entity (or workforce member) has such training, expertise or experience.

Elimination of Requirement to Obtain Acknowledgment of Notice of Privacy Practices and Content Requirements

The NPRM proposes eliminating the requirement that a covered entity provider with a direct treatment relationship obtain a written acknowledgment of receipt of the NPP. The Privacy Rule currently requires such covered health care providers to make a good faith effort to obtain a written acknowledgment of receipt of the provider’s NPP and, in the event that acknowledgment cannot be obtained, to document the provider’s good faith efforts and the reason for not obtaining such acknowledgment. The NPRM proposes eliminating the acknowledgment requirement and replacing it with a right to discuss the NPP with a person designated by the covered entity (Designated Person).

The NPRM further proposes modifying the NPP content requirements to provide information about:

  • How to access one’s health information.
  • How to file a HIPAA Privacy Rule complaint.
  • The right to receive a copy of the NPP and discuss the contents with the Designated Person.

Areas for Comment

Covered entities, business associates and other interested stakeholders should note that OCR requested comments on a number of issues, including, but not limited to, the following:

  • Whether the proposed standard change from “professional judgment” to “good faith belief” would discourage individuals from seeking care and whether the standard should apply to some or all nine provisions that currently call for the exercise of “professional judgment”
  • Whether the Privacy Rule should permit a covered entity to disclose the PHI of an individual who has decision making capacity to the individual’s family member, friend or other person involved in care, in a manner inconsistent with the individual’s known privacy preferences based on the covered entity’s good faith belief that the use or disclosure is in the individual’s best interests, in any situations outside of an emergency circumstance
  • The circumstances under which overriding an individual’s prior expressed preferences should constitute bad faith on the part of the covered entity
  • Whether the proposed “serious and reasonably foreseeable threat” standard would discourage individuals from seeking care
  • Whether the proposed change to improve a covered entity’s ability to prevent potential harm outweighs the risks
  • Whether there are unintended consequences related to granting extra deference to a covered health care provider based on specialized risk assessment training, expertise or experience when determining that a serious threat exists or that serious harm is reasonably foreseeable
  • Whether OCR should establish a specific permission for mental and behavioral health professionals to disclose PHI when, in the view of the professional, the disclosure could prevent serious and reasonably foreseeable harm or lessen a serious and reasonably foreseeable threat
  • Whether OCR should establish a separate required timeframe for covered entities to respond to individuals’ requests for access fee estimates or an itemized list of charges, and what timeframe(s) would be appropriate
  • Whether there should be a legal consequence to covered entities for the bad faith provision of an incorrect estimate of fees for access and authorization requests, and if so, what actions should be considered evidence of bad faith
  • The experiences of covered entities and individuals with records requests