The U.S. Department of Health and Human Services (HHS) Office for Civil Rights released a proposed rule on Dec. 11 to modify the Standards for the Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act (HIPAA, P.L. 104-191), commonly referred to as the HIPAA Privacy Rule, to better support coordinated care and reduce burden.
The proposed rule builds off of the feedback received from the agency’s 2018 Request for Information [see Washington Highlights, Dec. 13, 2018] seeking input on how to modernize the HIPAA Privacy Rule as part of HHS’ Regulatory Sprint to Coordinated Care.
In a statement, the HHS Secretary Alex Azar said, “Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long. As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”
- Modifying the rules under the individual right of access (45 CFR 164.524):
- Adding definitions for the terms “electronic health record (EHR)” and “personal health application.”
- Reducing covered entities’ required response time to no later than 15 calendar days (from 30 days).
- Creating a pathway for individuals to direct the sharing of protected health information (PHI) in an EHR among covered health care providers and health plans by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.
- Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access.
- Amending the definition of “health care operations” to clarify the scope of permitted uses and disclosures for individual care coordination and case management that constitute health care operations (45 CFR 160.103).
- Creating an exception to the “minimum necessary” standard for disclosures for individual-level care coordination and case management, regardless of whether such activities constitute treatment or health care operations (45 CFR 164.502(b)).
- Encouraging disclosures of PHI when needed to help individuals experiencing substance use disorder, serious mental illness, and emergency circumstances by (1) replacing the “professional judgment” privacy standard with a standard based on the covered entity’s good faith belief that the use or disclosure is in the best interests of the individual and (2) expanding the ability to disclose PHI to avert a threat to health or safety when the harm is “serious and reasonably foreseeable” (45 CFR 164.502 and 164.510-514).
Eliminating the requirement to obtain written acknowledgement of receipt of the Notice of Privacy Practices (NPP) and modifying NPP content requirements (45 CFR 164.520).
Comments are due 60 days from the forthcoming publication in the Federal Register.