On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In its news release, OCR noted that the changes “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.”  The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interferences with access, exchange, or use of electronic health information (EHI).   The key proposed changes are discussed below.

Relaxing Requirements. HHS is proposing some changes that would loosen the standards for disclosing PHI in certain instances and for technical compliance with HIPAA. For example, the privacy standard currently permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment.” This standard permits such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual.  The proposed standard is more permissive and would presume a covered entity’s good faith; however, this presumption could be overcome with evidence of bad faith. Another example is the proposal to expand the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety. Finally, HHS is also proposing to eliminate the requirement that covered entities must obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices.

Strengthening Individuals’ Right to Access. Consistent with the underlying objectives of the Information Blocking Rule, the proposed rule seeks to increase the ability of individuals’ access to their PHI. Key proposals include:

  • Requiring Covered Entities to permit individuals to take notes, videos, and photographs using personal resources after arranging a mutually convenient time and place at no cost to the individual. For example, such inspection may occur in conjunction with a health care appointment whereby the individual inspects x-rays or lab results.
  • Decreasing the timeframe allowed for covered entities to respond to requests for access. Presently, covered entities must provide access in no later than 30 days from receipt of the request, which may be extended for an additional 30 days if certain criteria are met. However, the proposed rule would require access be provided “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request, with the possibility of one 15 calendar-day extension.

Payer-to-Payer Data Exchange on Fast Healthcare Interoperability Resources (FHIR).   CMS also set forth three proposals to enhance and expand the payer-to-payer data exchange, which is again, consistent with the Information Blocking Rule :

  1. At a patient’s request, clinical data as defined in the USCDI version 1 (“Clinical Data”), claims and encounter data, and information regarding pending and active prior authorization decisions will be exchanged via a FHIR-based Payer-to-Payer API;
  2. The payer-to-payer data exchange is extended to state Medicaid and CHIP FFS programs; and
  3. A patient can opt-in to data sharing during enrollment requiring the payors to share Clinical Data, claims and encounter data, and information about pending and active prior authorization decisions at enrollment.

Disclosures to Social Service Organizations. The proposed rule would modify 45 CFR 164.506(c) and add a new subsection 164.506(c)(6), which would expressly permit covered entities to disclose PHI for certain social services.  Specifically, it would allow covered entities to disclose PHI to social services agencies, community based organizations, home and community based service providers, and other similar third parties that” provide health-related services to specific individuals for individual-level care coordination and case management, either as a treatment activity of a covered healthcare provider or as a healthcare operations activity of a covered healthcare provider or health plan.”

The proposed changes along with the Information Blocking Rule, signals the government’s direction related to sharing, coordination, and accessibility of electronic health records.  If you need help submitting comments (within 60 days from the date the proposed changes were published), have any questions about your HIPAA policies, implementation issues related to information blocking or these proposed rules, please contact any of the authors of this blog.