A Closer Look at OCR’s Proposed Modifications to the HIPAA Privacy Rule
December 23, 2020
On Thursday, December 10, 2020, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) proposed modifications to the HIPAA Privacy Rule [1] as part of HHS’s “Regulatory Sprint to Coordinated Care”. The proposed rule follows OCR’s Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (“RFI”), issued more than two years ago in 2018 [2]. Among the most important proposed changes to the HIPAA Privacy Rule are the modifications to an individual’s right of access, which come on the heels of HHS’s interoperability and information blocking rules [3]. Taken together, the changes aim to strengthen an individual’s access to health information, remove obstacles to efficient care coordination and case management, and reduce administrative burdens on covered entities.
In this article we take a closer look at the proposed modifications to the HIPAA Privacy Rule and highlight key takeaways for covered entities and their business associates.
I. Expanding Patients’ Access and Control Over PHI
In 2019, OCR announced that it would be focusing its compliance and enforcement attention on individuals’ right to access their protected health information (“PHI”) [4]. Consistent with that effort, the proposed rule bolsters individuals’ access rights in the following ways:
- Creates a new pathway for individuals to direct the sharing of their PHI in an electronic health record among covered health care providers and health plans.
The modifications would give individuals the right to direct a covered entity to submit a request for the individual’s electronic health record PHI to other health care providers and to receive the requested copies on the individual’s behalf. They would also require covered health care providers to disclose any PHI in an electronic health record to a third party at an individual’s request. Supporting this new right is a new definition of “electronic health record” that would be added at 45 CFR 164.501, in line with the HITECH Act’s definition of the same term. OCR’s proposed definition would include electronic billing and scheduling records because they contain health-related information. A covered entity would be required to document uses and disclosures of these electronic health records in the same way that it currently documents its designated record sets.
- Right to Direct PHI to a Patient App
OCR’s proposal also creates a definition of “personal health application”, to be added at 45 CFR 164.501, to facilitate an individual’s right to request transmission of PHI to a health app to the extent the information is “readily producible to or through such an application”. Importantly, OCR also clarifies that the health app would not automatically be considered a business associate.
Whether a covered entity may deny an individual’s request to have PHI transmitted to an app because of concerns about how the app will use or disclose the PHI it receives was addressed in April 2019 by an OCR FAQ. The FAQ indicated that a covered entity must comply with an individual’s request to send PHI to a health app regardless of the perceived risks of the disclosure, and that the disclosing covered entity would not face liability for fulfilling the request unless the app was developed by the covered entity or was acting on its behalf. Consistent with that FAQ, the NPRM reiterates OCR’s position that a personal health application unrelated to the covered entity is not acting on behalf of, or at the direction of, the covered entity and therefore is not subject to the privacy and security obligations of the HIPAA Rules.
- Reduces the timeframe for covered entities to respond to individuals exercising their right to access their PHI from 30 days to 15 days.
Covered entities must respond to requests from individuals “as soon as practicable,” but no later than 15 days, with the possibility of one 15-day extension. Where another applicable state or federal law prescribes a shorter period, that shorter period will be deemed “practicable”. Covered entities will also need to develop a policy governing the processing of higher-priority or urgent requests so that extensions are limited to the requests that genuinely need them.
- Clarifies the right to inspect and obtain PHI by taking notes, video or photographs and the right to inspect PHI at the point of care.
A significant portion of the NPRM outlines improvements to strengthen the right to inspect and obtain copies of PHI. Most of these changes, however, essentially codify existing guidance, in particular guidance the agency issued in 2016 [5].
The addition of a new right at 45 CFR 164.524(a)(1)(ii) would specifically enable an individual to inspect and capture PHI in a designated record set, including by taking notes, videos, and photographs and by using other personal resources to view and capture the PHI. Further, when PHI is readily available in a designated record set at the point of care in conjunction with a health care appointment, a covered health care provider would not be permitted to delay the individual’s right to inspect it. Accordingly, covered entities will need to be ready to accommodate patient requests to view and capture their PHI at essentially every appointment. However, OCR does not appear to require a covered entity to provide data transfer mechanisms that would create an unacceptable security risk to the covered entity. Specifically, the proposal does not require a covered entity to allow an individual to connect a personal device, such as a thumb drive, to the covered entity’s information systems.
Takeaway: Covered entities will need to consider the impact of these inspection rights on day-to-day operations as well as on the security of systems and confidential information. Also, one issue not considered in the proposed modifications is the lack of any right by the covered entity to deny in-person inspection of PHI due to concerns over the spread of infectious disease during the pandemic.
- Expressly articulates the verification standards related to a covered entity’s obligation to respond to requests to access PHI - a covered entity may not impose unreasonable identity verification measures on an individual.
45 CFR 164.514(h) requires a covered entity to take reasonable steps to verify the identity of a person requesting access to his or her PHI. OCR previously issued guidance clarifying that a covered entity may not impose unreasonable verification measures on an individual requesting access that create a barrier to, or unreasonably delay, the individual obtaining access, and it now proposes to modify paragraph (2)(v) of 45 CFR 164.514(h) to codify that clarification. An unreasonable measure is defined as “one that causes an individual to expend unnecessary effort or resources when a less burdensome verification measure is practicable for the covered entity” [6]. “Practicability” considerations include a covered entity’s technical capabilities and the cost of implementing measures that are more convenient for individuals. They also include, by reference to 45 CFR 164.306 and 45 CFR 164.530(c), a covered entity’s general obligations to implement appropriate administrative, technical, and physical safeguards.
Takeaway: This modification essentially calls on covered entities to consider the overall spirit of the HIPAA Rules when determining what verification safeguards and procedures they should apply to requests for PHI. The obligation cuts both ways: verification must still be strong enough to satisfy the safeguards requirements of 45 CFR 164.306 and 164.530(c), but not so burdensome that it impedes or delays access. OCR’s commentary provides quite a few examples of safeguards the agency would consider unreasonable, which may form the basis of future guidance.
II. Clarifying Scope of Care Coordination and Case Management
The Privacy Rule contains a complex architecture governing what disclosure of PHI can be made, for what purposes, and by whom. The proposed rule facilitates greater flexibility on the part of covered entities with respect to disclosure of PHI to further the agency’s core priority of advancing coordinated care.
- Clarifies the definition of health care operations to facilitate uses and disclosures of PHI to advance coordinated care.
OCR proposes to expand on and clarify the definition of health care operations in 45 CFR 164.501 to make clear that the term covers individual care coordination and case management activities undertaken by health plans as well as by providers. At present, the definition of health care operations at 45 CFR 164.501(1) can be read such that the references to “case management” and “care coordination” are limited to population-based activities. As a result, OCR received feedback that some health plans believed it necessary to obtain an individual authorization to conduct patient-specific care coordination and case management involving the use or disclosure of PHI, whereas the same activity could be conducted by a provider without authorization because it would constitute treatment (e.g., a call to a patient by a nurse to discuss follow-up care would be a treatment activity, while the same call made by a health plan would be a health care operation).
By simply separating the activities that follow the term “population-based activities” at 45 CFR 164.501 with semicolons rather than commas, OCR believes it will be clear that health care operations includes both population-based and patient-specific activities.
- Expands the ability to disclose PHI to social service agencies, community-based organizations, and others.
Subject to the Privacy Rule’s “minimum necessary” standard, health care providers are permitted under the existing rules to disclose PHI to certain social service organizations and home and community-based services (“HCBS”) without individual authorization if they determine that the disclosure is necessary for, or may help further, the individual’s health or mental health care. However, OCR determined that many covered entities make disclosures to social service entities only after obtaining an authorization from the individual while others never disclose PHI, even when a treating provider specifies the service as part of a treatment plan.
OCR’s proposal to include a new subsection (6) at 45 CFR 164.506(c) would expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, HCBS providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management, as either (a) a health care provider’s treatment activity or (b) a health care provider’s or health plan’s health care operations activity, i.e., without the requirement of obtaining an authorization [7]. However, prior to making such a disclosure, a covered entity must consider whether the third party to whom PHI is being disclosed is acting for or on behalf of the covered entity, in which case it would be a business associate of the covered entity and a business associate agreement would be required before the disclosure could be made.
Takeaway: This proposal is likely to allow for more common-sense disclosures that facilitate comprehensive support and more targeted care for individuals (e.g., housing, living assistance) and that are otherwise complicated by the existing rules. However, the kinds of third-party entities receiving PHI under this proposal might not be covered entities or business associates, which means the HIPAA Rules would not protect PHI once disclosed to them. Covered entities need to undertake an analysis, or maintain a policy, to determine whether a given disclosure requires a business associate agreement and, if not, to ensure that the disclosure does not create undue risk for patients with respect to their PHI.
III. Disclosures to Telecommunications Relay Services
The proposed rule expressly permits disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifies the definition of business associate to exclude TRS providers.
TRS is a federally mandated service offered by federally regulated common carriers to hearing-impaired and other individuals who need assistance communicating by telephone. Consistent with its previous guidance, OCR proposes to specifically permit covered entities and their business associates to disclose PHI to TRS communications assistants without an authorization or a business associate agreement, because the individual has an opportunity to agree or object to disclosures of protected health information to the communications assistant [8].
IV. Modifying Standards for the Disclosure of PHI in Emergencies and Health Crises
Although the context for these proposed modifications when the RFI was issued was primarily the opioid crisis, the Covid-19 pandemic provided an additional test case for how well the HIPAA Rules perform under serious emergency conditions [9]. OCR’s proposal would create flexibility for covered entities to address emergencies in the following ways:
- Replaces the “professional judgment” standard with a “good faith” standard in determining whether a covered entity may disclose PHI to family and friends in emergency situations
Notwithstanding the important role family members, friends, and other caregivers (“FMFCs”) play in supporting the care of individuals with substance use disorder and serious mental illness, a number of provisions in the Privacy Rule act as barriers to disclosures to FMFCs. The modifications reflect OCR’s intent to facilitate the disclosure of PHI by health care providers to FMFCs who are attempting to assist the individual. Such assistance may occur in the context of health-related emergencies and other circumstances in which the individual may be incapacitated or otherwise unable to express a privacy preference.
Currently, 45 CFR 164.502(g) grants a personal representative of a patient the same PHI access rights as the patient himself or herself [10]. 45 CFR 164.502(g)(3)(ii)(C) permits, but does not require, covered entities to provide access to PHI to a parent, guardian, or other person acting in loco parentis, if that person is not a personal representative under applicable law.
Per 45 CFR 164.510, before using or disclosing PHI in certain circumstances that do not require an authorization, covered entities must provide the individual an opportunity to agree or object to the use or disclosure. But in an emergency, patients are not always able to agree or object. In that case, 45 CFR 164.510(a)(3) permits a covered health care provider to disclose facility directory information to FMFCs and others (e.g., clergy) only if (1) the disclosure is consistent with a prior expressed preference of the patient that is known to the covered health care provider, and (2) the disclosure is in the patient’s best interests as determined by the health care provider’s “professional judgment.”
Finally, 45 CFR 164.514(h)(2)(iv) requires the covered entity to verify the identity and authority of the person requesting PHI, whether an FMFC or otherwise. This obligation is met when the covered entity verifies identity and authority through the exercise of “professional judgment.”
Under the proposed modifications, covered entities would be required to determine whether to disclose an individual’s PHI to FMFCs in “good faith,” rather than pursuant to their “professional judgment.” The professional judgment standard presupposes that a decision is made by a health care professional (e.g., a licensed practitioner). The proposed good faith standard may be satisfied by a decision of not only licensed health professionals, but also other workforce members who are trained on the covered entity’s HIPAA policies and procedures, and acting appropriately within the scope of their authority.
Accordingly, the “professional judgment” standard is replaced by the “good faith” standard in five (5) places under OCR’s proposal [11]:
- 45 CFR 164.502(g)(3)(ii)(C), applying to a parent or guardian who is not the individual’s personal representative under applicable law;
- 164.510(a)(3), pertaining to disclosure of an individual’s name in a facility directory and disclosure of the individual’s location and general condition when the individual is incapable of agreeing or objecting to the disclosure;
- 164.510(b)(2)(iii), relating to disclosures where the covered entity reasonably believes that the individual does not object;
- 164.510(b)(3), relating to disclosures in emergency situations; and
- 164.514(h)(2)(iv), relating to procedural barriers by requiring covered entities to verify the requestor’s identity.
Takeaway: The shift to a “good faith” standard will facilitate uses and disclosures in a wide range of situations where obtaining patient authorization is difficult or impossible. Additionally, the flexibility for other members of the covered entity’s workforce to make the determination can support policies and processes that put the decision-making power in the hands of the right person, whether a social worker or a physician. Even though OCR expressly states in the NPRM that it would not second-guess a covered entity’s decision to disclose an individual’s PHI in “good faith”, covered entities should review their HIPAA privacy policies and the training of their workforce members [12].
- Disclosure of PHI to Avert a Threat to Health or Safety – “Serious and Reasonably Foreseeable standard”
Under 45 CFR 164.512(j), covered entities may use or disclose an individual’s PHI to prevent or lessen harm to the individual or the public. Such uses and disclosures are permitted only where the covered entity believes in good faith that they are necessary to prevent or lessen a “serious and imminent threat” to the health or safety of a person or the public. Additionally, the covered entity must be able to determine that the recipient of the PHI is reasonably able to prevent the harm or lessen the threat, or the use or disclosure must be necessary for a legitimate law enforcement activity such as the identification or apprehension of an individual.
OCR proposes to replace the “imminent threat” standard with a more flexible “serious and reasonably foreseeable threat” standard. With this modification, covered entities would be permitted to use or disclose PHI without having to determine whether the threatened harm is imminent, an analysis that risks delaying or impeding a covered entity’s response if it cannot reach a conclusion on the facts presented.
The proposed modifications define “reasonably foreseeable” using the reasonable person standard under a new subparagraph, 45 CFR 164.512(j)(5). The new standard is based on the standard set forth in the Restatement of Torts [13].
Takeaway: This modification would enable health care providers to timely notify a family member about an individual’s risk of suicide, for example, even if the provider cannot predict that a suicide attempt is likely to occur “imminently.” However, covered entity providers will still need to weigh this new standard against state laws, which in some cases impose an “imminent harm” standard. This dichotomy may be particularly important in the mental health context in which a state law “imminent harm/imminent threat” standard could be considered more stringent and protective of the patient in certain circumstances such as when determining if the patient poses a risk of imminent harm to others prior to deciding whether to disclose PHI.
- Create an exception to the “minimum necessary” standard for individual level care coordination and case management uses and disclosures under 45 CFR 164.502(b)(2)
Except for disclosures related to treatment by a provider, the Privacy Rule requires covered entities to limit uses and disclosures of PHI to the minimum necessary to accomplish the purpose of each use or disclosure. The proposed rule would extend this exception to health plans engaged in care coordination and case management, such that the minimum necessary standard would not apply to a health plan’s uses and disclosures for these activities concerning an individual, even though for a health plan they are health care operations rather than treatment activities.
Takeaway: This modification relieves covered entities, in particular health plans, of the need to decide whether a disclosure of PHI meets the minimum necessary standard when the use or disclosure supports individual-level care coordination and case management activities. However, health plans may wish to maintain policies that functionally limit what PHI is disclosed in order to manage risk.
V. Easing Administrative Burdens With Respect to Notice of Privacy Practices (“NPP”) and Providing Ease of Access for Individuals to Their PHI
- Eliminates requirements for signed notice of privacy practice acknowledgement of receipt and record retention requirement.
45 CFR 164.520(c)(2)(ii) currently requires a covered health care provider with a direct treatment relationship with an individual to make a good faith effort to obtain a written acknowledgment of receipt of the provider’s NPP; if it is unable to obtain the written acknowledgment, the provider must document its good faith effort and the reason the acknowledgment was not obtained, and retain that documentation for six years. The proposed rule replaces the signature requirement with an individual’s right to discuss the NPP with a person designated by the covered entity [14]. Additionally, it proposes to eliminate the six-year record-keeping requirement.
- Modifies content requirements for the NPPs to include an informative header.
The proposed rule adds a description of, and instructions on, how individuals can exercise their access rights, and mandates a new, more detailed and instructive header specifying that the notice provides information about (1) how to access their health information; (2) how to file a HIPAA complaint; and (3) an individual’s right to receive a copy of the notice and to discuss its contents with a designated person.
The Department proposes to add an optional element that covered health care providers may add to their NPPs that would address individuals’ requests to direct copies of PHI to a third party that are not in an EHR or that are not electronic copies of PHI by informing them of the ability to request the copies of PHI directly and how to use a valid authorization to request the disclosure of the requested copies to a third party.
Takeaway: These proposed modifications will alleviate paperwork and administrative burdens, while potentially improving the ability of patients to understand their rights and how to exercise them, including what they can do if they suspect a violation of the Privacy Rule, and who to contact with specific questions.
VI. Amending the Permissible Fee Structure & Notice of Access Fee
OCR proposes to require covered entities to provide advance notice of the approximate fees for copies of PHI, to post a fee schedule online if they have a website, and to make the fee schedule available to individuals upon request at the point of service, both for copies requested under the access right and for copies requested with an individual’s authorization. The Privacy Rule does not presently require the posting or provision of estimated fees, except in the limited case where an individual agrees in advance to receive a summary or explanation of PHI in lieu of access to the underlying PHI. The point of service could include a customer service call center that handles requests for records, or any location at which PHI is made available for individuals to inspect. The advance notice must identify all types of PHI access available free of charge and, for access that requires payment, include a fee schedule for copies of PHI.
* * *
If finalized, the provisions of the proposed rule would bring about important changes to the HIPAA Privacy Rule by facilitating access to PHI and reducing barriers to coordinated care. However, these changes are not without risk, and we anticipate that OCR will receive, and have to work through, a substantial number of comments during the notice and comment period. Covered entities should begin to assess their operations in light of the proposed modifications and prepare, to the extent possible, for the release of final modifications by reviewing existing policies, state laws for purposes of possible preemption, and arrangements with vendors such as mobile app developers.
 U.S. Dep’t of Health and Human Services, HHS Proposes Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens (Dec. 10, 2020), https://www.hhs.gov/about/news/2020/12/10/hhs-proposes-modifications-hipaa-privacy-rule-empower-patients-improve-coordinated-care-reduce-regulatory-burdens.html.
 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, 83 FR 64302 (Dec. 14, 2018), https://www.federalregister.gov/documents/2018/12/14/2018-27162/request-for-information-on-modifying-hipaa-rules-to-improve-coordinated-care.
 See U.S. Dep’t of Health and Human Services, HHS Finalizes Historic Rules to Provide Patients More Control of Their Health Data (March 9, 2020), https://www.hhs.gov/about/news/2020/03/09/hhs-finalizes-historic-rules-to-provide-patients-more-control-of-their-health-data.html.
 See Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
U.S. Dep’t of Health and Human Services, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, RIN 4153-01-P (Dec. 10, 2020), at 344, https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf.
 See 45 CFR 164.501(1).
 U.S. Dep’t of Health and Human Services FAQ 500, https://www.hhs.gov/hipaa/for-professionals/faq/500/is-a-relay-service-a-business-associate-of-a-doctor/index.html.
 See U.S. Dep’t of Health and Human Services, Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency (March, 2020) https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.
 See 45 CFR 164.502(g)(1); 45 CFR 164.502(g)(3)(i).
 For illustrations of permissive disclosure in “good faith” belief under each of the five sections above, please see HIPAA Privacy Rule NPRM 2020, at 147–51.
For example, as stated in the NPRM, “‘good faith’ would permit a licensed health care professional to draw on experience to make a good faith determination that it is in the best interests of a young adult patient, who has overdosed on opioids, to disclose information to a parent who is involved in the patient’s treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient’s recovery from the overdose. In this circumstance, the professional’s good faith belief should be informed by professional judgment, but the professional would be assured that the Department would not second-guess the decision made for the patient’s best interests by, for example, requiring the professional to prove that the decision was consistent with his or her professional training.” See U.S. Dep’t of Health and Human Services, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, RIN 4153-01-P (Dec. 10, 2020), at 146, https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf.
Restatement (Second) of Torts § 283.
 45 CFR 164.520(b)(1)(iv)(G).