Health Information Compliance Alert

Published on Wed Apr 07, 2021 PDF

Tip: Add your 2 cents before it’s too late.

If you’re concerned about the feds’ rumblings to reconstruct the HIPAA Privacy Rule, you’ve got more time to review the proposed changes — and to offer your opinion on the policies.

Details: In December 2020, the HHS Office for Civil Rights (OCR) quietly released a revamp of the HIPAA Privacy Rule. Published in the Federal Register on Jan. 21, the notice of proposed rulemaking (NPRM) “contains nearly 100 requests for comment [and] would make significant and far-reaching changes to the HIPAA privacy regime,” say attorneys Jo-Ellyn Sakowitz Klein and Caroline D. Kessler with law firm Akin, Gump, Strauss, Hauer & Feld LLP in a blog post.

In March, OCR extended the comment period to give stakeholders more time to review the proposals before solidifying any changes. The agency is giving the public until May 6 to weigh in on the proposals, due to the substantial modifications to the HIPAA Privacy Rule suggested in the notice, an OCR release explains. Originally the comment period was slated to end on March 22, but a regulatory freeze was announced on Jan. 20 and may account for the change, Sakowitz Klein and Kessler indicate.

“OCR anticipates a high degree of public interest in providing input on the proposals because the HIPAA Privacy Rule affects nearly anyone who interacts with the health care system,” said Robinsue Frohboese, acting OCR director, in a release. “The extension of the comment period to May 6, 2021, will give the public a full opportunity to consider the proposals and submit comments to inform future policy.”

Find Out What OCR Wants to Change

The twin pillars of federal healthcare, quality and cost, continue to reshape policies and regulations. The latest OCR proposals are infused with MACRA, 21st Century Cures Act, and HITECH Act ideologies with the aim of putting a more modern spin on HIPAA.

For example, “the proposed rule would change current HIPAA and HITECH Act protections in order to reduce barriers to the implementation of value-based care models,” notes attorney David Tassa with law firm King & Spalding LLP in online legal analysis.

Among the burden-reducing updates are several that address HIPAA Right of Access, which has become a major focus for OCR over the past 18 months (see story, p.3). The NPRM suggests not only changing the fee structures for records requests by both patients and third parties, but also updating the response time for delivering the protected health information (PHI) from the current 30-day turnaround to 15 days.

Plus, as part of the records’ inspection process, individuals would be able “to take notes or use other personal resources to view and capture images of their PHI,” the proposed rule says. Additionally on the Right of Access front, the NPRM outlines form-and-format requirements for PHI requests, reduces ID verification burdens, updates policies for electronic PHI (ePHI) files, and sets up future website and patient portal requirements for CEs on records request fee schedules.

Right of Access isn’t the only HIPAA topic that OCR wants to modify and modernize. Here’s a short checklist of other proposals on the table:

• Definitions: OCR wants to update the definitions for EHRs and personal health applications (PHAs) to align with HITECH Act definitions.
• Care coordination: The proposal suggests “creating an exception to the ‘minimum necessary’ standard for individual care coordination and case management uses and disclosures,” relates law firm Wachler & Associates in a blog post on the NPRM.
• Good faith vs. professional judgment: OCR proposes to drop the professional judgment standard in the Privacy Rule and replace it with CEs’ “good faith belief” when sharing an individual’s PHI is in the patient’s best interest. “The proposed rule would effectuate this change through updates to five separate regulatory provisions,” explains law firm Akin, Gump, Strauss, Hauer & Feld LLP in online legal analysis.
• NPP rules: OCR aims to roll back some of the administrative burdens associated with written notices of privacy practices (NPPs). The NPRM uses data garnered from a 2018 request for information (RFI) on NPPs, which factors into OCR proposing to nix the requirement for patients to acknowledge in writing they received the NPP; cut the NPP content standards; and require CEs to offer verbal education on NPPs instead.
• TRS changes: The proposed rule offers new guidance on telecommunications relay services (TRS). OCR hopes to ease restrictions for CEs and their business associates to “disclose PHI to TRS communications assistants” on individuals who are deaf, hard of hearing, or deaf-blind, or who have a speech disability” and make it easier for these patients, the NPRM suggests.
• Emergencies: Lessons learned from COVID-19 also contribute to OCR’s proposals. The NPRM hopes to modify existing requirements on sharing data when public safety is impacted.

Review the OCR notice and comment by May 6 at www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care.