The AAMC submitted comments to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on May 6 in response to proposed changes to the privacy standards for individually identifiable health information under the Health Insurance Portability and Accountability Act (HIPAA, P.L. 104-191), commonly referred to as the HIPAA Privacy Rule [refer to Washington Highlights, Dec. 11, 2020].
The AAMC’s letter notes the association’s strong support for efforts to remove barriers to the exchange of health information in order to improve patient engagement by enabling patients to have greater access to and control of their health records. However, the association’s comments express concerns about the increasing role of non-HIPAA entities, such as application developers and vendors, in accessing and using sensitive information about patients’ health. Until such entities are subject to privacy and security standards commensurate with HIPAA rules, there is a real threat that the lack of appropriate patient privacy protections will erode any gains in patient engagement. Additionally, proposals seeking to improve care coordination through improved information sharing between providers, payers, and others involved in meeting patients’ health-related needs will positively impact patient care and health outcomes. The AAMC’s comments commend the OCR for its efforts to reduce regulatory burden, such as the proposed elimination of the written acknowledgement of the Notice of Privacy Practices.
AAMC comments on the OCR proposals include:
- Individual Right of Access Definitions for Electronic Health Records (EHR) and Personal Health Applications (PHA or Apps): The definition of EHR should be harmonized with the Health Information Technology for Economic and Clinical Health Act (HITECH, as part of the American Recovery and Reinvestment Act of 2009, P.L. 111-5), limiting it to clinical records created and maintained by health care providers, to prevent an overwhelming record-keeping burden on providers. PHA should be defined as an application created for individual use for health care purposes.
- Individual Right of Access and Privacy of Information in Apps: Protected health information (PHI) transferred through a PHA should only be permitted when the PHA vendor has been certified by an independent organization as meeting minimum privacy and security standards.
- Individual Right of Access and Right to Inspect: The individual right to capture PHI in person should be balanced with reasonable provider parameters.
- Individual Right of Access and Timelines for Response: Timeliness requirements should reflect the current guidance of “as soon as practicable,” but the OCR should maintain the existing 30-day maximum time frame for outlier requests and extensions.
- Individual Right of Access to Direct Copies to Third Parties: Providers should be given discretion to fulfill requests to direct PHI to third parties and to institute a requirement that such requests be made in writing. In addition, the disclosers should be permitted to rely on the requestor’s verification of the identity of the individual making the request.
- Individual Right of Access Fees: Permitted fees for third-party requests for physical copies of health records for non-health care purposes should include labor and other related costs.
- Proposals to Support Care Coordination and Case Management: Proposals that improve patient care coordination should be finalized, but the HHS should specify in greater detail how it plans to balance patient privacy and care coordination regarding disclosures to social service agencies and community-based organizations.
- Disclosures to Support Patients With Substance Use Disorder (SUD), With Serious Mental Illness, and in Emergency Circumstances: The “good faith belief” and “serious and reasonably foreseeable” standards should be adopted to facilitate disclosures in the best interests of patients and communities. The HHS should also work to harmonize SUD disclosure standards under HIPAA and 42 CFR Part 2 regulations.
- Notice of Privacy Practices Requirements: The proposal to eliminate the written acknowledgement requirement should be finalized in recognition of the lack of patient benefit and the significant paperwork burden on covered entities.