HIPAA Privacy Rule revisions in 2021
In December 2020, the Department of Health and Human Services (HHS) announced proposed major revisions to the HIPAA Privacy Rule, which would be the first significant changes to the Privacy Rule since the 2013 Omnibus Rule. The proposed revisions essentially serve three main principles:
- To enhance an individual’s right of access to their protected health information
- To facilitate value-based health care by modifying provisions that currently limit care coordination and case management communications
- To encourage disclosures of protected health information (PHI) when needed to help individuals experiencing substance use disorder (including opioid use disorder) and serious mental illness, as well as in emergency circumstances.
Right of Access. The individual’s right of access to their PHI has become an area of focus for HHS. In 2019, the Office of Civil Rights (OCR) launched the Right of Access Initiative to enforce the rights of patients to receive copies of their medical records. In the proposed rule, along the same lines, HHS states that the revisions serve to address the barriers individuals frequently face to obtaining timely access to their PHI, in the form and format requested and at a reasonable, cost-based fee.
The proposed revisions to the right of access regulation (45 CFR 164.524) would, among other things:
- Enhance an individual’s right to inspect and capture (e.g., take photos of) PHI in person
- Decrease the time to respond to an access request from the existing 30 days to as soon as practicable (but no later than 15 calendar days)
- Give individuals the right to direct an electronic copy of PHI be transmitted to a third party under the individual’s right of access
- Require health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an electronic health record
- Make changes to limit the fees permitted for electronic copies of PHI and require covered entities to post estimated fee schedules on their websites
- Allow for new technology, such as a secure, standards-based API, to be used as a method for fulfilling requests for electronic access
Care coordination and case management. The proposed revisions are also part of HHS’ Regulatory Sprint to Coordinated Care, a project intended to promote value-based health care by examining federal regulations that impede efforts among health care providers and health plans to better coordinate care for patients. In the proposed rule, HHS notes that it “… intends for this proposed rule to support the full scope of care coordination and case management activities to further the Department’s goal of achieving value-based health care.” To this end, the proposed revisions would:
- Change the definition of “health care operations” to allow use and disclosure of PHI for individual-level care coordination and case management as health care operations
- Create an exception to the minimum necessary rule for individual-level care coordination and case management uses and disclosures
- Permit disclosure of PHI to social services agencies, community-based organizations, home and community-based service providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals
Disclosures to help individuals. The standard for when covered entities could disclose PHI to avert a threat to health or safety would be relaxed to when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety in various provisions of the Privacy Rule. These proposed revisions are intended to encourage covered entities to share information in individuals’ best interests, without fear of HIPAA penalties.
Notably absent from the proposed revisions are changes to the HIPAA accounting of disclosures rule (45 CFR 164.528), which have been long delayed. HHS indicated that those will be the subject of future rulemaking.
The proposed revisions were published on January 21, 2021, as a Notice of Proposed Rulemaking (NPRM) with a notice and comment period. Comments are due on March 22, 2021, or 60 days from the date of publication. Based on the comments received, some of the proposed revisions could change, although it is likely that most revisions will remain largely as proposed. The revisions will become effective 180 days after publication of the Final Rule. It would normally be expected that the revisions would be finalized and effective by the end of the year, although it is unclear if the changes to the administrative branch with the new presidency will impact this schedule.
Once finalized, many of the revisions will have a substantial impact on the day-to-day operations of HIPAA covered entities and will require action by covered entities, including revisions to policies, creation of new policies, revisions to the Notice of Privacy Practices, changes to procedures used, and workforce training. Accordingly, expect 2021 to be a year of significant changes to your HIPAA privacy program.