HHS Issues Proposed Changes to the HIPAA Privacy Rule

On Dec. 10, 2020, the Department of Health and Human Services (HHS) issued a proposed rule that would make certain changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposed changes are intended to:

• Support individuals’ engagement in their care;
• Remove barriers to coordinated care; and
• Reduce regulatory burdens on the health care industry.

While many of the proposals primarily impact health care providers and their patients, a number of proposed provisions will also have an impact on employer-sponsored health plans.

This Compliance Bulletin provides an overview of the changes affecting employer-sponsored plans included in the proposed rule.

Action Steps

These proposed rules have not been finalized and may not be relied upon. HHS is requesting comments on the provisions in the proposed rules. Public comments on the proposals are due 60 days after the proposed rule is published in the Federal Register.

If finalized, the provisions in the final rule would take effect 60 days after publication. Covered entities would generally have 180 days from the effective date to comply.

The Proposed Rule

The proposed changes to the HIPAA Privacy Rule affecting employer-sponsored plans include:

• Amending the definition of “health care operations” to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
• Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether those activities constitute treatment or health care operations.
• Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
• Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting uses or disclosures based on a covered entity’s good faith belief that it is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith. The proposed rule would also expand the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard, which requires a “serious and imminent” threat to health or safety.
• Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and modifying the content requirements of the Notice of Privacy Practices to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
• Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI, and shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
• Adding a definition for the term “electronic health record” (EHR), as well as requirements for EHRs. The proposed rule would create a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.
• Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

If finalized, the provisions in the final rule would take effect 60 days after publication. Covered entities would generally have 180 days from the effective date to comply.

This Bulletin is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. Design ©2020 Zywave, Inc. All rights reserved.