HHS Proposes to Modernize HIPAA to Facilitate Care Coordination and Case Management

Last week, the United States Department of Health and Human Services (HHS) released a proposed rule (Proposed Rule) that would amend privacy regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) to remove barriers to care coordination and case management. The Proposed Rule, whose changes are intended to support HHS’s Regulatory Sprint to Coordinated Care, is based in part on the more than 1,300 comments HHS received in response to a December 2018 Request for Information, which we covered here.

HHS’s proposals generally focus on promoting greater access to and availability of protected health information (PHI), in alignment with recent HHS interoperability rules. Specifically, the Proposed Rule proposes to strengthen the individual right of access to PHI; enable greater permissible disclosures of PHI for care coordination, including with social service and community-based organizations; and expand permissible disclosures related to mental health and substance use disorder (SUD) treatment.

Comments are due 60 days after the Proposed Rule is published in the Federal Register. While this will occur after the change of administration, and therefore it is unclear how comments will be handled, we would encourage organizations impacted by the HIPAA rules to comment as the input could be used in continued or future rulemaking efforts by HHS.

Strengthening the Right of Access

Under HIPAA, individuals generally have a right to access their own PHI.¹ As a critical component in care coordination, the ability of individuals to access their own PHI has been a focus of recent HIPAA enforcement efforts and at the forefront on recent interoperability rules. It is therefore no surprise that it is also a focus of the Proposed Rule, which proposes numerous changes to HIPAA’s right of access provisions. Most notably, these include:

• Strengthening the access right to inspect and obtain copies of PHI by expressly including the right to view, take notes, take photographs, and use other personal resources to capture the information;
• Expressly prohibiting a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier or unreasonable delay;
• Requiring that access be provided “as soon as practicable” and reducing the time limits from the current limit of 30 calendar days to 15 calendar days;
• Providing that if other federal or state law requires an entity to provide access in a particular electronic form and format, the PHI is deemed “readily producible” in such form and format;
• Expressly providing the right of an individual to direct a covered health care provider to transmit an electronic copy of PHI in an EHR (see below) directly to a third party designated by the individual;
• Adjusting permitted fees for access to PHI, including requiring that access be free of charge where it is in the form of an in-person inspection or an internet-based method of requesting and obtaining copies of PHI;
• Requiring covered entities to provide advance notice of approximate fees for copies of PHI; and
• Clarifying that a business associate generally must provide PHI to the covered entity for the covered entity to meet its access obligations unless the business associate agreement provides otherwise.

For purposes of these provisions, HHS proposes to create new defined terms “electronic health record” (EHR)² and “personal health application”³ in order to more clearly define the scope of certain access provisions.

Given recent enforcement efforts and the HIPAA Right of Access Initiative, it is no surprise that many of the changes in the Proposed Rule are aimed at expanding individuals’ right to timely access their PHI. HHS invites comment on these proposals as well as its proposed definitions of EHR and personal health application. As entities are implementing the final interoperability and price transparency rules that support individual access to data through application programming interfaces (APIs), it will be important to consider the implications of these changes on those compliance efforts.

Supporting Care Coordination and Case Management

HHS has proposed three changes in the Proposed Rule to support the ability to disclose PHI for care coordination and case management, including to address recent issues regarding disclosure of PHI to support social services.

First, to address confusion regarding the definition of health care operations and what activities are included, HHS proposes to amend the definition of health care operations to clarify that it includes all care coordination and case management by health plans, whether individual-level or population-based. HHS requests comments on the benefits and costs of this clarification, including how the clarification might affect covered entities’ decision-making.

Second, HHS proposes to add an exception to the minimum necessary standard for disclosures to or requests by a health plan or covered health care provider for care coordination and case management, so that the covered entity or business associate need not consider minimum necessary requirements in making such disclosures. This exception would only apply to individual-level care coordination and case management activities.

Third, HHS proposes to expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based services (HCBS) providers, and other similar third parties that provide health or human services to specific individuals for individual-level care coordination and case management. Such disclosures would be permissible as a treatment activity of a covered health care provider or as a health care operations activity of a covered health care provider or health plan. Furthermore, under the Proposed Rule, a covered health care provider or health plan may disclose PHI to one of these third parties for the care coordination and case management activities of another health care provider or health plan.

Fourth, HIPAA currently permits a covered entity to use or disclose PHI of Armed Forces personnel for certain activities deemed necessary by appropriate military command authorities to assure the proper execution of a military mission.⁴ To facilitate care coordination and case management for all individuals serving in the Uniformed Services, HHS proposes to expand the provision to cover all Uniformed Services personnel, not just Armed Forces.

Expanding Permissible Disclosures of PHI to Help Individuals with a SUD or Serious Mental Illness and in Emergency Circumstances

HHS proposes to expand the permissibility of disclosures of PHI to an individual’s family members, friends, and caregivers that are helping individuals with a SUD or serious mental illness. Several HIPAA provisions permit disclosures in “the exercise of professional judgment.” To further encourage covered entities to share information where such sharing is in the individual’s best interests, HHS proposes to amend these provisions to replace the “professional judgment” standard with a standard permitting disclosures based on a “good faith belief” about an individual’s best interests. HHS also proposes to amend the HIPAA provision allowing a covered entity to use or disclose an individual’s PHI if the covered entity believes in good faith that the use or disclosure is necessary to prevent or lessen a “serious and imminent threat” to the health or safety of a person or the public. HHS proposes to replace the “serious and imminent threat” standard with a “serious and reasonably foreseeable threat” standard. This change would permit covered entities to use or disclose PHI without having to determine whether the threatened harm is imminent, which may be difficult or impossible in many cases.

Modifying Requirements Regarding Notices of Privacy Practices (NPPs)

HHS proposes a number of changes to the requirements regarding the NPP. First, HHS proposes to eliminate the requirement to obtain a written acknowledgement of receipt of the NPP, as well as the requirement that if the provider is unable to obtain such an acknowledgement, it must document any good faith efforts and the reason for not obtaining the acknowledgement. HHS also proposes to use the NPP to better highlight individual rights with regard to their PHI, including requiring language in the required header to specify that the NPP provides information on (1) how individuals may access their health information, (2) how to file a HIPAA complaint, (3) individuals’ right to receive a copy of the notice and discuss its contents with a designated contact person, and (4) how to contact the designated contact person. HHS also proposes to require more specificity in NPPs to describe individuals’ rights to access their own PHI.

Permitting Disclosures to Telecommunications Relay Service (TRS) Providers

HHS proposes to expressly permit covered entities and their business associates to disclose PHI to TRS communications assistants to conduct covered functions. TRS is a federally mandated service that federally regulated common carriers are required to provide individuals to facilitate calls with those who are deaf, hard of hearing, or deaf-blind, who have a speech disability, and others. HHS also proposes to revise the definition of business associate to expressly exclude TRS providers from the definition. These proposals are intended to help ensure that workforce members and individuals who are deaf, hard of hearing, or deaf-blind, or who have a speech disability are able to communicate using TRS for care coordination and other activities.

Effective and Compliance Dates

The Proposed Rule proposes that final regulations would take effect 60 days after publication and compliance would be required 180 days after the effective date. HHS seeks comment on whether this is sufficient time for compliance, which would include revising existing policies and procedures, training workforce, and implementing the changes.

Next Steps

Comments on the Proposed Rule are due 60 days after publication in the Federal Register. Stakeholders should analyze the potential impact of the Proposed Rule and submit comments for consideration. Crowell & Moring has significant experience with HIPAA regulations and can advise you on understanding the implications of these potential changes and on considering responses to HHS. For further assistance, please contact Jodi Daniel.