By MICHAEL R. LOWE, BRIAN C. EVANDER, AND SARA D. MCLAUGHLIN
On December 10, 2020, the Department of Health and Human Services (HHS) announced proposed changes/modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health and Information Technology for Economic and Clinical Health Act of 2009 (HITECH). That announcement stated that these proposed changes/modifications will “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.” On January 21, 2021, HHS published those proposed modifications/changes. This article looks at the key elements of those proposed modifications/changes and what those changes mean for all HIPAA covered entities.
“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” said former HHS Secretary Alex Azar. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”
Key proposed changes are:
- Extensive changes to enhance individuals’ rights of access to protected health information (PHI) (including allowing individuals to take notes or photos of their PHI as part of the right of inspection, prohibiting a covered health care provider from delaying the right to inspect if PHI is readily available at the point of care in conjunction with a health care appointment, shortening response time for providing access from 30 to 15 days, reducing identity verification burdens, limiting individuals’ rights to direct a copy of PHI to a third party to a right to direct an electronic copy of PHI in an electronic health record (EHR) to a third party, creating a pathway for a covered health care provider or health plan to obtain an electronic copy of PHI in an EHR from a covered health care provider through a required disclosure initiated under the individual’s right of access, adjusting the permitted fees for copies of PHI, and requiring advance notice of approximate fees);
- The proposed rule would eliminate the requirement to obtain an individual’s written acknowledgement of receipt of the notice of privacy practices (NPP), by replacing this requirement with an individual’s right to discuss the NPP with a person designated at the covered entity;
- Modifying the content of the NPP to clarify the individuals’ rights and how to exercise them, including provisions on how patients can access their health information, file a HIPAA complaint and contact a designated individual to ask questions;
- Easing the standard that permits covered entities to make certain uses and disclosures of PHI based on their professional judgment;
- Clarifying covered entities’ abilities to disclose PHI to social service agencies, community-based organizations, home- and community-based services providers and others that provide health-related services to facilitate care coordination and case management for individuals;
- Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety;
- Clarifying that “health care operations” encompasses all care coordination and case management by health plans, whether individual-level or population-based;
- Broadening the allowed disclosure of PHI for the care and treatment of individuals experiencing substance abuse or disorders, serious mental health issues and other health emergencies, if there is a “serious and imminent threat”, and would replace “exercise of professional judgement” with “good faith belief” as the standard for when covered entities need to disclose PHI in the best interest of the individual;
- Creating an exception to the minimum necessary standard for individual-level care coordination and case management uses and disclosures;
- Adding definitions for “Electronic Health Record” (EHR) and “Personal Health Application” (PHA), which may impact how HIPAA applies to EHRs and applications patients share their data; and
- Permitting disclosure to Telecommunications Relay Services communications assistance without a business associate agreement and expanding the permission to use and disclose PHI of armed forces personnel to cover all uniformed services personnel.
The proposed changes to the rule would give providers more flexibility in disclosing protected health information which would in turn encourage providers to engage in more extensive care coordination with other providers and case management. Covered entities interested in providing comments to the proposed rule changes must submit them to HHS on or before March 22, 2021. If these proposed changes/modifications are approved and finalized, all HIPAA covered entities (including hospitals, physicians and other healthcare providers, payors and insurers) and business associates will be required to update their policies, procedures, security standards, notices of privacy, authorization and disclosure forms, and business associate agreements to reflect those changes/modifications.
Using our experience and expertise, Lowe & Evander, P.A., navigates the obstacles our clients face, serving not only as their attorneys, but also as their legal strategists, trusted advisors and protectors of their rights and interest against government investigations and lawsuits when necessary, and we help chart a course through the maze of state and federal health care laws, rules and regulations.
Be on the lookout for how our newest service line Halos4Health can help you and your practice. We plan to introduce it together with our strategic partners CompliancePro Solutions, L.L.C. (Kelly McLendon), Alliance Health Partners, L.L.C. (Larry Jones) and Cheryl Modica later this year.
Michael R. Lowe, Esquire is a Florida board-certified health law attorney at Lowe & Evander, P.A. Mr. Lowe regularly represents providers, physicians and other licensed health care professionals, and facilities in a wide variety of health care law matters.
For more information regarding those health care law and such matters please visit www.lowehealthlaw.com
The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information and content in this article are intended to convey general informational only and may not constitute the most up-to-date legal or other information. Readers of this article should contact their attorney to obtain advice with respect to any particular legal matter. No reader of this article should act or refrain from acting on the basis of information in this article without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.