HHS Reveals Proposed Changes to HIPAA Privacy RuleModifications Aim to Improve Care Coordination
Among the changes proposed are:
- Dropping the requirement for healthcare entities to obtain and retain for six years patients' signed acknowledgements of notices of privacy practices;
- Reducing the time from 30 days to 15 days for covered entities to fulfill patient requests for receiving copies of their health information;
- Allowing more flexibility to healthcare providers in making decisions to share patient information - such as about opioid abuse or COVID-19 treatment - with family members in situations involving "serious and foreseeable" threats, rather than the current "serious and imminent" threat standard.
The 357-page proposal - part of HHS' "regulatory sprint to coordinated care" - aims to support individuals' engagement in their care, remove barriers to coordinated care and reduce regulatory burdens on the healthcare industry, HHS' Office for Civil Rights says in a statement.
"Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long," said HHS Secretary Alex Azar. "As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health."
HHS says the proposed changes to the HIPAA Privacy Rule:
- Strengthen individuals' rights to access their own health information, including electronic information;
- Improve information sharing for care coordination and case management;
- Facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises;
- Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies;
- Reduce administrative burdens on HIPAA-covered healthcare providers and health plans while continuing to protect individuals' health information privacy.
"These are comprehensive reforms to the HIPAA regulations that were a long time coming," HHS OCR Director Roger Severino said at a Thursday news media briefing.
Encouraging Data Sharing
Privacy attorney Kirk Nahra of the law firm WilmerHale notes that the HHS proposed rule "seems to continue the idea of expanding the opportunities for covered entities to share patient information for 'desirable' purposes, including coordinated care."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says he "greatly appreciates the proposed change to allow uses and disclosures to prevent serious and 'reasonably foreseeable' harm, rather than serious and 'imminent' harm. Many healthcare providers are seeking to do the right thing and prevent harm, but are concerned that a harm is not necessarily 'imminent.'"
Greene says he also welcomes the proposed removal of the requirement to obtain acknowledgment of receipt of the notice of privacy practices. "The acknowledgment of receipt was an idea with good intentions, but often does not work well in practice," he says.
Some covered entities, however, could face challenges in meeting the new requirement of providing patients with copies of their health records within 15 days of receiving a request. "It seems reasonable, in theory, but I know that it is easy to underestimate how much is involved in health information management," he says.
In fact, the proposal with the biggest potential immediate impact on data security and privacy teams at healthcare entities will be the "tightening up of right of access obligations," says healthcare attorney Matt Fisher of the law firm Mirick O'Connell.
"Shortening the response time to 15 days will push organizations to be very prompt with responses," he says. "The proposed rule also seeks to introduce more flexibility in the initial request process. The change to the request process appears to target what can be perceived as artificial barriers and complications being thrown up by organizations to hinder access. Taking the proposed changes, together with many recent HIPAA settlements focused on right of access, it is clear that information must be made accessible and not held up."
Nahra notes that the Biden administration could make modifications before the rule is finalized.
But during the briefing with reporters, Eric Hargan, HHS deputy secretary, noted that the changes proposed are "bipartisan, commonsense reforms" and that he hoped "changes in administrations won't impact them."
HHS is seeking public comment on its notice of proposed rulemaking for 60 days.
The proposed modifications to HIPAA come nearly two years after OCR issued a request for public input on potential changes to HIPAA (see: HHS Seeks Feedback on Potential HIPAA Changes).
In an August video interview with Information Security Media Group, Timothy Noonan, HHS OCR's deputy director of health information privacy, noted that many of the questions OCR posed in its RFI revolved around the perceived obstacles to sharing patient information among healthcare providers as well as the burdens often put on patients and their families to have that information exchanged.
Also complicating those issues are the challenges involved in sharing mental health and opioid addiction information, including balancing better care coordination with patient privacy concerns, he noted.
"We got really great feedback - 1,300 comments and close to 4,000 pages of responses," Noonan said. "And we read every comment and try to balance the interests of everyone [regarding] the privacy and security of the health information vs. the desire to have flexibility to share it where the circumstances are warranted."
The proposed changes could save healthcare organizations, health plans and other HIPAA-covered entities as much as $3.2 billion over five years, Noonan said.