The Tortoise and the Hare? HIPAA Joins the Regulatory Sprint to Coordinated Care
On 10 December 2020, the Office of Civil Rights (OCR) for the federal Department of Health and Human Services (the Department) issued Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement (the Proposed Rule).1 The Proposed Rule comes nearly two years after OCR issued a Request for Information from stakeholders regarding the ways that HIPAA could be modernized to support coordinated, value-based care.2 OCR includes numerous proposed changes to the HIPAA Privacy Rule intended to eliminate regulatory barriers for purposes of fostering care coordination and the shift to value-based care models, including clarifying the scope of care coordination for disclosures of protected health information (PHI) under the health care operations and treatment exceptions, and creating an exception to the minimum necessary standard for disclosures related to care coordination and case management.
This rulemaking development is on the heels of other Department agencies finalizing similarly oriented companion rules through the Centers for Medicare and Medicaid Services (CMS) final rule updating the physician self-referral law (or Stark Law),3 and the Office of Inspector General (OIG) final rule creating new safe harbors under the federal Anti-Kickback Statute,4 each of which created new regulatory protection for value-based arrangements in which entities can come together to care for a target population. With proposed changes to an individual’s right of access to their PHI, the Proposed Rule also appears timed with companion rules from CMS and the Department’s Office of the National Coordinator for Health Information Technology (ONC) that promote electronic medical record interoperability, prevent information blocking, and expand patient access to information.5 Lastly, these proposed regulatory changes would advance OCR’s views expressed through a recent series of investigations and enforcement actions under the agency’s “right of access initiative.”6
Promoting Care Coordination
Key proposed changes to the HIPAA Privacy Rule to drive care coordination include the following:
- Clarifying the definition of “health care operations” to more clearly state that it permits all care coordination and case management efforts by health plans, including where such efforts are individual-based, such as following up with an individual patient regarding his or her treatment plan;
- Creating a new exception to the “minimum necessary” standard for disclosures of PHI pursuant to individual-based care coordination and case management efforts between health plans and health care providers; and
- Clarifying that covered entities may disclose PHI to third parties for individual-based care coordination and case management purposes without first obtaining an express authorization from the patient.
Expanded Right of Access
Key proposed changes in line with OCR’s recent enforcement priorities include the following:
- Allowing patients to inspect and even take notes and photographs of their PHI;
- Requiring covered entities to respond to patient requests within 15 days as opposed to 30;
- Reducing covered entities’ burden of identity verification with respect to patients requesting access to their health records;
- Clarifying parameters around the costs covered entities are permitted to charge for providing access to health records, and rquire the disclosure of such fee schedule information;
- Clarifying an individual’s right to direct copies of their PHI to third parties, and limit that right to electronic copies of PHI; and
- Clarifying the responsibilities of business associates in providing patient access to health records.
Finally, key proposed changes to permit additional flexibility in the non-care coordination setting include:
Encouraging Disclosure to Avert a Health or Safety Threat
- To facilitate disclosures in emergency circumstances, which OCR states include the opioid and COVID-19 public health emergencies, the Proposed Rule would relax the standard for disclosure of PHI to avert a threat to health or safety from when there is a “serious and imminent threat” to when harm is “serious and reasonably foreseeable.”
Notice of Privacy Practices
- OCR proposes to eliminate the requirement to obtain an individual’s written acknowledgement of receipt of a provider’s Notice of Privacy Practices (NPP) and to add new required elements for inclusion in the NPP.
These changes are anticipated to have a significant impact on health care providers and other stakeholders that may have been hesitant to engage in certain care coordination arrangements because of concerns that the requisite information sharing may not be permitted under HIPAA, and introduce new requirements that will require resources to implement. Interested parties will have sixty (60) days from the date the Proposed Rule is formally published in the Federal Register to comment, with comments due likely in late February 2021 depending on the date of formal publication.
K&L Gates’ Health Care practice routinely assists health systems, hospitals, and other providers and supplier HIPAA covered entities, as well as health-related IT companies and other HIPAA business associates with preparing and submitting comments to proposed rules, and with legal advice regarding HIPAA compliance.
1 OCR Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, (11 Dec. 2020), formal publication pending in the Federal Register.
2 See OCR Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, 83 Fed. Reg. 64302 (14 Dec. 2018).
3 CMS Medicare Program; Modernizing and Clarifying the Physician Self-Referral Regulations, 85 Fed. Reg. 77492 (2 Dec. 2020).
4 OIG Medicare and State Health Care Programs: Fraud and Abuse; Revisions to Safe Harbors Under the Anti-Kickback Statute, and Civil Monetary Penalty Rules Regarding Beneficiary Inducements, 85 Fed. Reg. 77684 (2 Dec. 2020).
5 See CMS Medicare and Medicaid Programs; Patient Protection and Affordable Care Act; Interoperability and Patient Access for Medicare Advantage Organization and Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, Issuers of Qualified Health Plans on the Federally-Facilitated Exchanges, and Health Care Providers, 85 Fed. Reg. 25510 (1 May 2020); and ONC 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, 85 Fed. Reg. 25642 (1 May 2020).
6 See OCR Press Release OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative, (19 Nov. 2020).
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.