On December 10, 2020, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) issued a proposed rule to modify the Standards for the Privacy of Individually Identifiable Health Information (the “Privacy Rule”) promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”). According to HHS’s announcement, the proposed rule would amend the Privacy Rule to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.” Public comments on the proposed rule are currently being accepted through February 12, 2021.
The proposed rule is part of HHS’s Regulatory Sprint to Coordinated Care, initiated pursuant to Secretary Alex Azar’s value-based transformation agenda, which seeks to “promote value-based care by examining federal regulations that impede efforts among health care providers and health plans to better coordinate care for patients.” Throughout the Privacy Rule, HHS sought to protect health information while also permitting information sharing for certain beneficial purposes. However, stakeholders have questioned whether the Privacy Rule strikes the appropriate balance in certain situations.
Proposed modifications to the HIPAA Privacy Rule include strengthening individuals’ right to access their protected health information (“PHI”), including electronic PHI; facilitating greater family involvement in care for individuals dealing with health crises or emergencies; and allowing providers more flexibility to disclose PHI when harm to a patient is “serious and reasonably foreseeable,” such as during the opioid crisis or COVID-19 public health emergency. Importantly, multiple provisions of the proposed rule, discussed in greater detail below, address electronic health records (“EHRs”) and personal health applications.
Electronic Health Records
Several of the proposed amendments regarding individual access to PHI address sharing information with EHRs.
First, the proposed rule would define the term “electronic health record” as:
an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals, as defined at [45 C.F.R.] § 164.501, such as physicians, nurses, pharmacists, and other allied health professionals. For purposes of this paragraph, ‘health-related information on an individual’ covers the same scope of information as the term ‘individually identifiable health information’ as defined at § 160.103.
This definition expands on the HITECH Act’s definition of “electronic health record” and clarifies some of its terms, such as “health-related information on an individual.” HHS noted that “health-related information” would be construed broadly and not merely be limited to clinical data, but would also include billing records. HHS also proposed to broadly interpret “authorized health care clinicians and staff” consistent with definitions found in the HITECH Act and offered by the Centers for Medicare & Medicaid Services.
Second, the proposed rule would narrow the right of individuals to direct the transmission of electronic PHI to a third party by codifying the interpretation of the HITECH Act from Ciox v. Azar into regulation. Thus, under the proposed rule, an individual may direct the transmission of electronic PHI to a third party only if the electronic PHI is maintained in an EHR. As a result, requests to direct the transmission of non-electronic copies of PHI or electronic copies of PHI not maintained in an EHR to a third party would no longer fall within the right of access. However, individuals may still obtain PHI that is not maintained in an EHR directly from a covered health care provider or health plan. In addition, individuals may also request that a copy of their PHI not maintained in an EHR be sent to a third party by submitting a valid HIPAA authorization.
Third, the proposed rule would create a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities. Under the proposed rule, covered health care providers and health plans would be required, at the direction of the individual, to submit the individual’s access request for electronic PHI to another health care provider. This request may specify that the disclosing provider transmit the requested PHI to the original provider or health plan via its EHR. This new right would be included in the individual’s right to direct transmission of electronic PHI maintained in an EHR to a third party, discussed above.
Personal Health Applications
In response to the growing number of individuals using personal health applications to access and view their PHI, HHS proposed to revise the right to access to clarify that one of the mechanisms by which a request for access can be fulfilled is by transmitting an electronic copy of an individual’s PHI to a personal health application used by the individual.
Under the proposed rule, a “personal health application” would be defined as:
an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.
In constructing this definition, HHS drew on the definition of “personal health record” in the HITECH Act, and HHS stated that the proposed definition is meant to be consistent with the definition of personal health record. HHS noted, however, that the proposed definition is intended to specifically address health applications, which may or may not be personal health records.
HHS clarified that, where a personal health application is used to fulfill an individual’s access request, the covered entity does not manage, share, or control the information on a personal health application; nor does the application developer manage the information on behalf of or at the direction of a health care provider or health plan. Instead, individuals (or their personal representatives) use a personal health application for the individuals’ own purposes, such as to monitor their own health status and access their own PHI using the application. Thus, a personal health application would not be subject to the privacy and security obligations of the HIPAA Rules as a business associate since it does not create, receive, maintain, or transmit PHI on behalf of a covered entity.
Other Proposed Changes
Finally, the proposed rule includes additional modifications to the Privacy Rule, such as:
- Amending the definition of “health care operations” to clarify and broaden the scope of care coordination and case management that constitute health care operations.
- Modifying provisions on the individuals’ right to access their PHI, including:
  - Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
  - Shortening covered entities’ response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
  - Clarifying the form and format required for responding to requests for PHI;
  - Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered instead of a copy;
  - Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
  - Specifying when electronic PHI must be provided to the individual at no charge;
  - Modifying the access fee provisions to establish a fee structure based on the type of access request: (1) individuals can inspect and obtain copies of PHI for free when inspecting their PHI in person or requesting electronic copies through the internet, or (2) individuals can be charged a reasonable cost-based fee when receiving a non-electronic copy of PHI, receiving electronic PHI through a non-internet based method, or directing an electronic copy of PHI in an EHR to a third party; and
  - Requiring covered entities to post estimated fee schedules on their websites for access and disclosure with an individual’s valid authorization and provide individualized estimates of fees to an individual’s request for copies of PHI, upon request.
- Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures, regardless of whether such activities constitute treatment or health care operations.
- Allowing covered entities to make certain uses and disclosures of PHI based on their good faith belief that the use or disclosure is in the best interests of the individual.
- Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable” instead of “serious and imminent.”
- Eliminating the requirement to obtain an individual’s written acknowledgement or receipt of a direct treatment provider’s Notice of Privacy Practices.
- Expanding the Armed Forces permission to use or disclose PHI to all uniformed services.
Given that a new administration takes office next month (before comments are due), the proposed rule may ultimately undergo significant changes.
Those seeking to submit comments can do so here.