Here's what you need to know.
By Gregory J. Myers, David W. Asp, and Develyn J. Mistriotti
In January 2021, the U.S. Department of Health and Human Services (HHS) proposed revisions and additions to HIPAA and HITECH’s protected health information (PHI) and privacy regulations.1 Because the final rule is expected to be published soon, and most provisions likely will be effective six months thereafter,2 health information professionals should expect some or all of the below-noted regulatory changes in 2022. Compliance will be necessary to avoid the risk of sanctions from the Office of Civil Rights.3 It thus behooves covered entities (as used in this article, “covered entities” is the statutory term that includes health care providers, health plans, and health care clearinghouses) and, to a lesser degree, their business associates (as used in this article, “business associates” is the statutory term that includes entities that provide services or perform functions that involve use or disclosure of PHI to a covered entity) to prepare for a mandatory overhaul of PHI management and processing systems in the coming months. This article details the proposed rule’s alterations to the HIPAA landscape and the major implications for health care entities and patients.
Clearer, stronger individual rights to access PHI; stricter regulation of covered entities
Two new definitions clarify the scope of electronic PHI (ePHI) requests. First, to clarify the scope of information within the purview of individuals’ rights to access ePHI, HHS proposes to expand on HITECH’s definition of “electronic health record” (EHR).4 The proposed rule provides:
Electronic health record means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians… include, but are not limited to, health care providers that have a direct treatment relationship with individuals, as defined at §164.501, such as physicians, nurses, pharmacists, and other allied health professionals. For purposes of this paragraph, ‘health-related information on an individual’ covers the same scope of information as the term ‘individually identifiable health information’ as defined at §160.103.[5]
As HIPAA’s definition of “individually identifiable health information” includes non-clinical records,6 such as billing records, so too would the new definition of EHR. As such, the scope of records covered entities must produce in response to ePHI requests could be broader under the new rule.
Second, to clarify that use of “personal health applications” (PHA) is a recognized method for individuals to request access to ePHI under HIPAA, the proposed rule gives PHA an overdue definition.7 Under the rule, PHA would mean:
[A]n electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.[8]
New and modified rights and regulations make accessing PHI easier for patients and make delivering PHI potentially more burdensome for covered entities. Current regulations require that covered entities give individuals the right to inspect or obtain copies of their PHI.9 HHS seeks to strengthen the right of access in several ways under the proposed rule.
First, under the proposed rule, a covered entity would be prohibited from establishing policies and safeguards that impose “unjustified” or “unreasonable” barriers to individual access.10 The proposed rule does not define unjustified or unreasonable, but does clarify that while an entity could continue requiring individuals to provide written access requests, it may not do so in a way that impedes access “when a measure that is less burdensome for the individual is practicable.”11
Second, HHS seeks to strengthen the right to in-person inspection by permitting individuals to take notes, videos, and photographs, and to use other personal resources to view and capture PHI.12 This would include instances when PHI “is readily available at the point of care in conjunction with a health care appointment.”13 (Covered entities would not be required to allow an individual to connect a personal device, such as a thumb drive, to the entity’s electronic systems.14) Covered entities would need to provide access without imposing a fee,15 and this could include making space available for in-person inspection. Many covered entities may find it more practicable to simply produce the full record set, rather than allow in-person inspection.
Third, HHS proposes to cut the timeline for responding to access requests in half.16 Currently, covered entities must respond to requests within 30 days of receiving the request,17 and if an entity cannot provide access or a written denial within 30 days, it may extend the timeline by another 30 days.18 The proposed rule requires entities to provide PHI “as soon as practicable” but no later than 15 days after receiving the request19 and gives entities a single, optional 15-day extension.20
Fourth, HHS seeks to minimize financial barriers to access by implementing scenario-specific fee allowances and narrowing the scope of permissible fees.21 Current rules allow entities to charge a “reasonable, cost-based fee” for processing paper or electronic requests.22 Under the proposed rule, permissible fees would differ by scenario in the following manner.
Reasonable, cost-based fees would be permitted if:
(1) The individual requests a non-electronic copy of their PHI or agrees to receive a summary or explanation23
(2) The individual requests an electronic copy of their PHI through a non-Internet-based method24
(3) The individual requests an electronic copy of their PHI be delivered to a third-party through a non-Internet-based method25
Access would need to be free of charge if:
(1) The individual inspects their PHI in-person26
(2) The individual uses an Internet-based method to view or obtain a copy of their ePHI, and the domain is maintained by or on behalf of a covered entity27
What constitutes a “reasonable, cost-based fee” would also change under the proposed rule. At the moment, HIPAA limits reasonable, cost-based fees to costs for: (i) the labor of copying, whether in paper or electronic form; (ii) supplies for creating paper copies or electronic media, if the individual specifically requests portable media; (iii) postage, when individuals request delivery by mail; and (iv) preparing an explanation or summary of PHI, if agreed to by the individual.28 Under the proposed rule, when entities engage in non-internet-based processing of ePHI requests, a reasonable, cost-based fee would only include the costs of labor for copying and preparing an explanation or summary; it would exclude supply and postage costs.29
Fifth, HHS seeks to clarify form and format requirements for responses.30 Currently, covered entities must provide access in the form and format chosen by the requesting individual, if readily producible in that form and format. If not so producible, entities must provide either a readable hard copy or a different form and format to which the individual agrees.31 Under the proposed rule, if other “law requires the provision of access in a particular electronic form and format [e.g., access via secure, standards-based API], the [PHI] is deemed readily producible in such form and format….”32
Other proposed changes to the individual right of access include requiring covered entities to post approximate access fee schedules online, to provide individualized estimates of fees upon request, and to provide itemized bills for completed requests;33 limiting the scope of requests directing PHI to third-party designees to only electronic copies of PHI, and expanding that right to allow oral, electronic, or written requests;34 reducing identity verification burdens on individuals exercising access rights;35 requiring entities to inform individuals they retain the right to obtain or direct copies of PHI to third parties when a summary of PHI is offered in lieu of a copy;36 and requiring providers and health plans to respond to certain records requests received from other covered entities when directed by individuals.37
New rules for using and disclosing PHI without patient authorization
Unless otherwise specified in its provisions, HIPAA prohibits covered entities from using or disclosing PHI without a patient’s express authorization.38 There are many exceptions that permit or even require entities to use or disclose PHI in the absence of patient consent.39 The proposed rule would add to and broaden the scope of such exceptions.
First, HIPAA currently permits certain non-patient-authorized uses and disclosures of PHI for purposes of certain “health care operations” (HCO).40 The current definition of HCO expressly includes population-based activities related to improving health or reducing health care costs; it does not expressly include individual-level care coordination and case management.41 As such, “some covered entities [have interpreted this definition] to include only population-based care coordination and case management,”42 and HHS proposes to clarify that disclosures related to individual-level care coordination and case management are included in the definition of HCO and, therefore, the HCO exception.43
Second, HHS proposes a new exception to the “minimum necessary” requirement.44 Under the minimum necessary requirement, covered entities are required to use, disclose, or request only the minimum PHI necessary to meet the purpose of said use, disclosure, or request.45 The proposed rule creates an exception to this requirement for disclosures to, or requests by, a health plan or covered healthcare provider for care coordination and case management purposes at the individual level.46
Third, HHS seeks to streamline PHI disclosure to, and use by, social services agencies and community-based organizations.47 The current rule permits, but does not require, covered entities to obtain patient consent before using PHI or disclosing it to entities for health-related social and community-based services as part of treatment activities.48 The proposed rule would categorically allow disclosures to social services agencies, community-based organizations, home- and community-based service (HCBS) providers, and similar third parties that provide health services to individuals.49 The purpose of said disclosure would need to be individual-level care coordination or case management, but entities to whom the disclosure is made would not need to be healthcare providers covered by HIPAA.50
Fourth, many HIPAA provisions allow providers to use or disclose PHI pursuant to “the exercise of [their] professional judgment.”51 Encouraging providers to liberally use or disclose PHI to assist individuals experiencing substance use disorder, mental illness, or in emergency circumstances, HHS proposes to replace the “exercise of professional judgment” standard with a more lenient “good faith” standard.52 Under the new rule, good faith uses or disclosures would be permitted: (1) to the individual’s personal representatives; (2) when the patient is unable to agree or object to the use or disclosure; and (3) to avert serious threats to health or safety.53 Notably, whereas the current rule permits PHI use or disclosure to address a “serious and imminent threat” to health or safety,54 the proposed rule would allow such use or disclosure when the threat is merely “serious and reasonably foreseeable.”55 HHS proposes a presumption that providers comply with good faith requirements absent any evidence of bad faith.56
Other proposed changes to rules governing non-patient-authorized PHI use and disclosure include permitting PHI disclosures for Telecommunications Relay Services for individuals who are deaf, hard of hearing, or deaf-blind and for people with a speech disability;57 and permitting PHI use or disclosure for all Uniformed Services personnel when deemed necessary to the proper execution of the Uniformed Services mission by the appropriate command personnel.58
Eliminating the required notice of privacy practices (NPP) to patients; creating related rights and requirements
Currently, providers must obtain a patient’s written acknowledgment of receipt of the provider’s NPP.59 Providers who cannot obtain written acknowledgment are required to document reasons for the failure to do so and maintain that document for six years.60
Under the proposed rule, there would be no need to obtain written acknowledgment or to retain documentation in the absence of such acknowledgment.61 Instead, the rule would require that the NPP’s header discuss how to access PHI, how to file a HIPAA complaint, and the patient’s right to receive a copy of the NPP.62 The NPP would also need to include the email address and phone number of a person designated to discuss the entity’s privacy practices.63
Conclusion
These changes are coming. Health care providers, health plans, and their business associates should begin planning, in consultation with legal counsel, to update policies, procedures, contracts, and staff training programs related to handling and processing PHI.
NOTES
1 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (1/12/2021) (to be codified at 45 C.F.R. pts. 160, 164) (Proposed Rule). See also Health Insurance Portability and Accountability Act of 1996 (HIPAA); Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
2 Proposed Rule, 6448 (“Effective and Compliance Dates”).
3 Id.
4 Id. at 6455; see 42 U.S.C. §19721(5) (HITECH defining EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”).
5 Id. at 6532 (to be codified at 45 C.F.R. §164.501); see id. at 6455 (explaining the addition).
6 45 C.F.R. §160.103.
7 Proposed Rule, 6533 (to be codified at 45 C.F.R. §164.501); see id. at 6456 (explaining the addition).
8 Id.
9 45 C.F.R. §164.524(a)(1).
10 Proposed Rule, 6535 (to be codified at 45 C.F.R. §164.524(b)(1)(ii)); see id. at 6458 (explaining the addition).
11 Id. at 6459.
12 Id. at 6535 (to be codified at 45 C.F.R. §164.524(a)(1)(ii); see id. at 6457 (explaining the addition).
13 Id. at 6457.
14 Id. at 6458.
15 Id. at 6457.
16 Id. at 45 C.F.R. §164.524(b)(2)(i); see id. at 6459 (explaining the reduction).
17 45 C.F.R. §164.524(b)(2)(i).
18 45 C.F.R. §164.524(b)(2)(ii)(A)–(B). An extending entity must, in the initial 30-day window, provide the requestor with a written statement of the reason for delay and expected completion date. Id.
19 Where other federal or state law requires an entity to provide access sooner, that shorter period will be deemed “practicable.” Proposed Rule, 6459–60. By statute, at least eight states require access provision in less than 30 days, and at least five states give individuals the right to view or inspect the record in fewer than 30 days. See id. (CA, CO, HI, LA, MT, TN, TX, and WA).
20 Id. at 6535 (to be codified at 45 C.F.R. §164.524(b)(2)(ii), with subsection 164.524(b)(2)(ii)(A)–(C) listing preconditions to exercising the optional extension, such as preestablishing expedited procedures for handling “urgent” or “high priority” requests).
21 See id. at 6464–67 (explaining permissible fees by scenario).
22 45 C.F.R. §164.524(c)(4).
23 Proposed Rule, 6536 (to be codified at 45 C.F.R. § 164.524(c)(4)); see again id. at 6464–67 (explaining the modification).
24 See id. at 6466.
25 Id. at 6536 (to be codified at 45 C.F.R. §164.524(d)(6)).
26 Id. (to be codified at 45 C.F.R. §164.524(c)(4)).
27 Id. In this scenario, HHS “intends that such access would be provided without charging a fee to the individual or the personal health application developer.” Id. at 6465 (emphasis added).
28 45 C.F.R. §164.524(c)(4).
29 Proposed Rule, 6536 (to be codified at 45 C.F.R. §164.524(c)(4)(i)(B)–(C)); see id. at 6466 (explaining the modified definition). This would also be the case when the recipient is a third party. Id. at 6536 (to be codified at 45 C.F.R. § 164.524(d)(6)).
30 See id. at 6461 (“Addressing the Form of Access”).
31 45 C.F.R. §164.524(c)(2)(i).
32 Proposed Rule, 6535 (to be codified at 45 C.F.R. §164.524(c)(2)(iii)).
33 Id. at 6538 (to be codified at 45 C.F.R. §164.525); see id. at 6467–68 (explaining the additions).
34 Id. at 6536 (to be codified at 45 C.F.R. §164.514(d)(1)); see id. at 6492–93 (explaining this modification is a codification of the decision in Ciox v. Azar, 435 F. Supp. 3d 30 (D.D.C. 1/23/2020)).
Gregory J. Myers (William Mitchell College of Law, 1998, magna cum laude) is a partner at Lockridge Grindal Nauen P.L.L.P. (LGN) in Minneapolis, where he has practiced health care law for 24 years.
David W. Asp (University of Minnesota Law School, 2004, cum laude) is a partner at LGN, where he has practiced health care law for 16 years.
Develyn J. Mistriotti (University of Minnesota Law School, 2022) is a third-year law student and law clerk at LGN.