The Department of Health and Human Services’ (HHS’) Office of Civil Rights (OCR) proposed modifications to the Health Insurance Portability and Accountability Act privacy rule. The proposals support HHS’ regulatory sprint to coordinated care, and come in response to OCR’s December 2018 request for information on ways to reform the privacy law and further promote coordinated care.
Proposals include modifications to standards that might impede the transition to value-based care by limiting or discouraging care coordination and case management communication among individuals and covered entities (including hospitals, physicians, payers, and insurers).
In addition to adding definitions for the terms electronic health record (EHR) and personal health application, the rule includes access rights proposals to:
- strengthen individuals’ rights to access their personal health information (PHI), including the ability to take notes or use other resources to capture images of their PHI;
- shorten covered entities’ required response time from 30 to 15 calendar days for individuals’ requests for their PHI;
- reduce the identity verification burden on individuals exercising their access rights;
- create a pathway for individuals to direct the sharing of PHI in an EHR among health care providers and health plans; and
- require that health care providers and health plans respond to record requests received from other covered entities, when directed by individuals.
Proposals to improve care coordination and case management, include:
- clarifying the scope of covered entities’ abilities to disclose PHI to certain third parties for individual-level care coordination and case management that constitute treatment or health care operations;
- creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures; and
- clarifying that the scope of covered entities’ abilities to disclose PHI includes disclosure to social services agencies, community-based organization, and other wraparound service providers.
The rule also encourages disclosures of PHI to family and other caregivers to help individuals experiencing substance use disorder (including opioid use disorder), serious mental illness, and in emergency circumstances by:
- replacing the “professional judgment” privacy standard with a standard permitting uses or disclosures based on a covered entity’s “good faith belief” that the use or disclosure is in the best interests of the individual; and
- expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current, stricter standard which requires a “serious and imminent” threat to health or safety.
Additionally, OCR proposes to eliminate the requirement to obtain an individual’s written acknowledgement of receipt of a direct treatment provider’s notice of privacy practices (NPP), as well as modifications to the content requirements of the NPP.
OCR proposes to begin enforcement of the new and revised standards 240 days after publication of the final rule.
Comments to OCR are due 60 days after the rule is published in the Federal Register.
Contact Senior Director of Policy Erin O’Malley at firstname.lastname@example.org or 202.585.0127 with questions.