By Dawn Morgenstern, Chief Privacy Officer and Senior Principal Consultant, and Wes Morris, Managing Principal Consultant
In December 2020, the U.S. Department of Health and Human Services (HHS) announced potential changes for the HIPAA Privacy Rule, the first major HIPAA update since the Omnibus Final Rule in 2013. HHS officially published these proposed changes on January 21, 2021, and began accepting public comments through March 22, 2021.
If the proposed changes become the final rule, the effective date will be 60 days from publication of the final rule. All covered entities and business associates are expected to comply with the changes no later than 180 days from that effective date, unless comments submitted and accepted are to the contrary.
The Health Insurance Portability and Accountability Act became law back in 1996, with periodic updates and changes. The two most recent changes of note are from 2009 with Breach Notification Rule implementation, which requires covered entities and business associates to provide notification of breaches of all unsecured protected health information (PHI), and then again in 2013 with the addition of the Omnibus Final Rule, which enacted a range of provisions to strengthen privacy and security requirements.
With no major changes since 2013, the industry has undergone a range of transformations, including the proliferation of technologies related to patient care, service delivery, and other administrative functions.
HHS indicates these proposed changes should remove barriers to coordinated care and individual engagement across the industry, including hospitals, physicians, payors, insurers, and other healthcare providers. The goal is to relieve some unnecessary burdens that limit access to PHI, while continuing to protect privacy and security rights.
If implemented, the changes will require covered entities and business associates to adjust some policies, procedures and practices, and also educate the workforce on those changes to ensure compliance.
Let’s take a closer look at some of the key proposed changes to the HIPAA Privacy Rule and what they could mean for your organization.
Here is a high-level look at some of the core areas of change:
- Improve individuals’ right of access and right to direct PHI to third parties
- Expand care coordination and case management activities (including a modification to the minimum necessary standard for these activities)
- Improve ability to disclose PHI to social services agencies and home-based/community-based organizations for individual-level care coordination and case management
- Require modifications to the Notice of Privacy Practices (NPP)
- Remove the burden to get acknowledgement of receipt of the NPP from the patient
As covered entities and business associates (BA) look at these proposed changes, one of the biggest areas of attention will be on access to PHI. The list of changes includes an adjustment that will mandate provider response to PHI requests, including oral and written requests, and outlines expectations regarding response time and documentation of activities.
For many years, healthcare providers have relied on authorization forms to guide how each individual agency handles and responds to PHI requests. That most commonly takes shape as a form patients are expected to complete and sign. This proposal changes that: PHI requests can now also be accepted as spoken requests or in writing, so the authorization form is no longer going to be the go-to response for all PHI requests.
Something as simple now as, “May I have my records or could you please get them for me?” could be considered a formal records request.
This modification changes where the onus is and who has to move forward to complete the request.
Across the industry, electronic protected health information (ePHI) takes many forms and is handled by a variety of disparate solutions. There’s no set or best-practice format.
When it comes to those oral records requests, some entities and BAs already have a similar process in place when it comes to requesting, for example, immunization records, where there hasn’t necessarily been a written requirement to get those records. This new option for verbal requests for all PHI will require flexibility and additional documentation of the request and steps to take to meet the request.
As for response time, the proposal suggests changing from the original 30 days with a potential for a 30-day extension, to 15 days with one potential 15-day extension. Part of the guiding influence on this change is the assumption that today an increasing number of healthcare entities use at least some form of an electronic health record (EHR), and as a result, they are quicker to process. However, this change is applicable to both paper and electronic records.
In general, there will be a 15-day response time that will cover three key areas:
- Requests to send PHI copies to a third party, which is limited to only ePHI in an EHR
- Provider requirement to direct ePHI in the EHR to a third party when the request is “clear, conspicuous, and specific,” whether made orally or in writing, including electronically executed requests
- Provider or health plan must facilitate a person’s request to direct ePHI in an EHR to a designated third party
If another federal or state law requires less than 15 calendar days for response, the shorter time period would be required.
If the covered entity or BA cannot provide access within the required 15 days, then one 15-calendar-day extension may be used under these circumstances:
- The organization notifies the requestor in writing of the reasons for the delay and the date the records will be ready
- The organization has a policy to deal with urgent and high-priority requests
While providers can discuss the request with the individual before meeting fulfillment obligations, that discussion cannot push fulfillment beyond the 15-day response requirement.
Organizations are expected to meet these requirements regardless of the format of the PHI, i.e., paper or electronic.
Another key change relates to how patients can inspect and get copies of their PHI. The proposed changes open the door for patients to take notes, record videos, take photos, or use other resources to view and capture PHI within a designated record set when requesting in-person access.
This change is likely to bring about a number of challenges for organizations, especially when it comes to protecting staff and other patients from a range of possible privacy and other rights violations. Essentially, it comes down to providing a mutually convenient time and place to review these records.
It also raises questions about when to provide that access:
- Will it be your policy to stop mid-care and provide access or will you arrange a different time and place for that inspection?
- As a provider, it’s worth noting that you may not be permitted to delay the right to inspection. Will you need to move the individual to a different environment?
- Will you have to establish a rule set for the requestor denoting what is and what is not acceptable?
- How will you ensure other people’s privacy is not compromised?
As HHS solicits feedback on all proposed changes, this may be a good point on which to speak up:
- Does this have the potential to cause unreasonable workflow disruptions?
- Are there unintended consequences that arise from making PHI readily available in conjunction with a healthcare appointment?
- What does “readily available” mean for your organization?
- What is a convenient time and place, in light of OCR’s statement that “the time and place where an individual obtains health care treatment generally would be considered a convenient time and place for the individual to inspect the PHI that is immediately available in the treatment area”?
For years, many organizations relied on authorization forms for simplicity when completing these requests, whether they’re for an individual directly or for a third party. But if these forms are going to become a thing of the past, and since verbal requests are now acceptable, how do you verify identity?
In the past, providers often required proof of ID in various forms, including a driver’s license, notarization, or other approved methods. HIPAA authorization outlines core elements, but those elements aren’t necessarily related to the right of access. Also, with our changing digital environments, there are now more ways to verify identity remotely than just filling out a form. These are some of the reasons that forms today may likely be considered unreasonable under the new proposed standards.
This proposed change, if approved, would require entities to take a close look at the mechanisms they’re going to put in place to capture access requests and verify identity. There will need to be a set of policies and procedures that guide this, including team training to ensure your employees understand those policies and procedures, know how to verify information accordingly, and understand what to do with the information captured. You’ll need to demonstrate that you have a policy that’s reasonable and appropriate.
The new proposal to eliminate identity verification burdens also:
- Expressly prohibits imposing unreasonable identity verification measures on an individual (or their representative)
- Removes unreasonable verification measures that require an individual to expend unnecessary effort or expense when a less burdensome verification measure is practicable, including:
  - Providing proof of identity in person when a method for remote verification is practicable
  - Obtaining a notarization of a signature on a written request
  - Requiring individuals to fill out a form with the extensive information contained in a HIPAA authorization form
  - Only accepting written requests in paper form, only in person at the facility, or only through an online portal
Entities may require requests for access in writing (in electronic or paper form) as long as it doesn’t impose unreasonable measures.
The proposed HIPAA Privacy Rule changes also address permitted fees for PHI and ePHI access. These changes create separate fee structures based on the type of access request: individual access (including personal representatives) and third-party requests.
The changes outline two areas where no fees are permitted at all: in-person reviews and the use of online methods to view or obtain PHI. Other request types, like transferring PHI to an electronic device for mailing or some third-party requests, can be subject to reasonable cost-based fees.
Here’s a quick look at the proposed fee structure:
In addition to outlining what the structure might look like, the proposal also includes requirements to:
- Post a fee schedule online for all readily producible electronic and non-electronic forms and formats for copies if the covered entity has a website
- Provide fee notice to individuals upon request
- Provide an individualized estimate of access and authorization fees upon request
The challenge here may be determining what “reasonable” fees are. While the proposal outlines what can be included in calculating those charges, it doesn’t specify what those charges should be.
You may find some state guidance on your fee schedules and should adjust appropriately. For example, if your state has a mandate that says you can charge 30 cents per printed page, and the HIPAA rule says “reasonable cost,” then you will need to demonstrate how you set the 30-cent-per-page fee. What labor was involved? What did the supplies for the copies cost? Postage? Shipping? Etc.
The proposed changes also include an amendment to the definition of a health care operation for clarification. This now will include all care coordination and case management by health plans, whether individual-level or population-based. Currently, the definition doesn’t clearly cover individual-level activities by health plans in some cases, so this brings some clarity to that.
For example, a nurse in a doctor’s office calls a patient to discuss follow-up care: this is a treatment activity. But the same activity performed by a nurse working for a health plan would be a health care operation.
The proposal also includes an exception to the minimum necessary standard for disclosures to, or requests by, health plans or providers when conducting care coordination or case management related to an individual.
The proposed changes are also focused on creating more opportunities for care coordination and case management. It now includes social and community services. The change would mean that covered entities could now disclose PHI to those agencies, as well as home- and community-based services or similar third parties that provide coordinated health services.
This change would align disclosures for care coordination with disclosures for treatment, which individuals expect to occur without providing additional authorization or consent.
This change amends areas of the Privacy Rule that currently say “exercise of professional judgment” to say “good faith belief” as related to uses and disclosures in the best interest of the individual. Previously, “professional judgment” implied a standard that the healthcare decision was made by a licensed practitioner, but “good faith” expands this to include other team members who know HIPAA policies and act within the scope of their authority.
This amends five provisions of the Privacy Rule to replace the “exercise of professional judgment” with “good faith belief” when making uses and disclosures in the best interests of the individual. Areas of impact:
- Parent or guardian who is not the individual’s personal representative
- Facility Directories
- Emergency Contacts
- Emergencies and incapacity
- Verifying Requestor’s Identity
Another big, proposed change is related to the Notice of Privacy Practices (NPP) and the potential elimination of the written acknowledgement requirement.
The change would remove the requirement for providers to get a written acknowledgment of NPP receipt, and it also removes the requirement to retain copies of that documentation for six years. Instead, individuals will have the right to discuss an NPP with a designated person at the covered entity.
Other NPP modifications under consideration include:
- Modifying the required NPP header to specify:
  - How to access health information
  - How to file a HIPAA complaint
  - The individual’s right to receive a copy of the notice and to discuss its contents with a designated person, including whether the designated contact person is available onsite. It must include a phone number and email address the individual can use to reach the designated person.
  - This would apply to all covered entities, not just providers with a direct treatment relationship with individuals
- Describing how an individual can get a copy of their records at limited cost or, in some cases, free of charge
- The right to direct a covered healthcare provider to transmit an electronic copy of PHI in an EHR to a third party
There are two areas of note regarding other uses and disclosures in the changes.
- Expanding the use of telecommunications services for people who are deaf or hard of hearing so that the relationship can be established at the time of need
- Expanding the permission to use and disclose the PHI of Armed Forces personnel to cover all uniformed services personnel such as the U.S. Public Health Service (USPHS) Commissioned Corps and National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps
The 60-day window for comments has been extended, so now is the time to dive into the proposed changes and submit feedback on how they may impact your organization. There is still time to speak out before these become the final rule.
In the interim, a few tips to help you prepare for what’s coming next:
- Stay informed of final rule publication
- Understand there could be substantial changes based on comments received
- Develop a plan of action to update your policies, procedures, and required documentation
  - Note: You cannot implement changes to policies or procedures prior to the effective date of the revised NPP
- Make a plan to educate your workforce on the final changes in a timely manner after they go into effect
Don’t put off preparation for these changes. Planning now can help you understand compliance expectations and set a plan of action so you’re ready when the changes go into effect.