HHS Proposes Significant Value-Based Care Changes to HIPAA Privacy Rule

January 28, 2021

As its days dwindle down, the administration is mobilizing for one final push to reduce what it perceives to be unnecessarily burdensome regulation, including on the medical privacy front. On December 10, the HHS Office for Civil Rights (OCR) issued a notice of proposed rulemaking (NPRM) to modify the HIPAA and HITECH Act Privacy Rule.

The Proposed Privacy Act Changes 

As with the recent kickback regulations, the OCR Privacy Rule initiative is designed to clear the path for value-based health care. Specifically, the NPRM proposes to modify the Privacy Rule to expand the scope of permissible disclosures of protected health information (PHI), i.e., PHI disclosures permitted without the individual’s consent, to include disclosures that will promote care coordination and case management communications among individuals and labs, hospitals and other HIPAA covered entities. Key changes proposed:

  • Clarifying the definitions of the key terms “electronic health record” and “personal health application”; 
  • Shortening the response time for patient health record requests from 30 days to 15 days (with a 15-day extension under limited circumstances);
  • Making it easier for patients or their personal representatives to verify their identity when requesting access to their PHI or exercising another Privacy Rule right; 
  • Creating an exception to the “minimum necessary” standard for individual level care coordination and case management uses and disclosures; 
  • Clarifying the minimum necessary standard with respect to care coordination and case management activities;
  • Removing obsolete parts of the Notice of Privacy Practices (NPP) requirements;
  • Amending the permissible fee structure for responding to patient health record requests and requiring covered entities to post estimated fees on their website for access and for disclosures with a patient’s authorization;
  • Making it easier for family and caregivers to be involved in the care of individuals experiencing emergencies or health crises; and
  • Modifying provisions on individuals’ rights of access to PHI.

Takeaway

The deadline to comment on the NPRM is March 11, 60 days after its publication in the Federal Register. If it’s finalized—and that’s a big “if” considering that a new administration will be in control—the final rule would take effect 60 days after it’s published. Labs and other covered entities and their business associates would have until the “compliance date” to establish and implement policies and practices to achieve compliance with any new or modified standards. Among other things, you’d then have to:

  • Update your information privacy policies and procedures and train lab employees on the changes; 
  • Revise your Notice of Privacy Practices; and
  • Renegotiate business associate agreements to comply with the new requirements.

NIR will keep an eye on things and explain how to do each of the above when and if it appears that the changes are really going to happen.

**************

This article originally appeared in G2 Intelligence, National Intelligence Report, January 2021.


For more information regarding ASCP's advocacy initiatives and policy positions, please contact ASCP's Center for Public Policy at (202) 408-1110.

 ASCP ePolicy News is supported by an unrestricted grant from Hologic.
