OCR Requests Information from Stakeholders on Significant Changes to the HIPAA Rules

On December 14, 2018, the US Department of Health and Human Services, Office for Civil Rights (OCR) published a long-awaited Request for Information (RFI) that seeks feedback on whether and how the HIPAA Privacy and Security Rules (HIPAA Rules) should be revised to better promote coordinated care. In a press release, OCR indicated that its primary goal in issuing the RFI is to identify whether certain HIPAA provisions unnecessarily “limit or discourage information sharing needed for coordinated care or to facilitate the transformation to value-based health care.” The RFI is broad in scope and suggests that OCR is considering making the first significant changes to the HIPAA Rules since its January 2013 HIPAA Omnibus Rulemaking. Stakeholders have until February 12, 2019 to submit comments to OCR electronically through www.regulations.gov or by mail.

OCR specifically requests stakeholders to comment on the following proposals for potential modifications to the HIPAA Rules:

1. Create an express requirement for Covered Entities to timely respond to requests for protected health information (PHI) from other Covered Entities (and non-covered health care providers) for the purposes of treatment, payment and health care operations, including care coordination and case management
2. Except disclosures of PHI to Covered Entities and non-covered health care providers for care coordination and case management from the HIPAA Privacy Rule’s minimum necessary standard
3. Establish an express regulatory permission for Covered Entities to disclose PHI to social service agencies or community-based support programs
4. No longer consider health care clearinghouses as Business Associates of Covered Entity health care providers when processing claims and/or require health care clearinghouses to be directly subject to requirements to provide individuals with access to PHI
5. Establish new permissions for Covered Entities to disclose PHI to family members, caregivers, and others in a position to avert threats of harm to health and safety, or when necessary to promote the health and recovery of individuals with substance use disorders or serious mental illness, as well as reduce potential barriers to caregiver involvement in individuals’ health care that are presented by the “personal representative” concept under the HIPAA Privacy Rule
6. Implement the HITECH Act’s mandate to expand the HIPAA Privacy Rule’s accounting of disclosures requirement to include disclosures through an Electronic Health Record (EHR) over the previous three years for treatment, payment and health care operations (and withdraw OCR’s May 2011 Notice of Proposed Rulemaking, in which OCR proposed to establish a new patient right to an “access report” listing each time the individual’s information in an electronic designated record set was accessed for either a “use” or a “disclosure”)
7. Establish a safe harbor for Covered Entities that use OCR’s Model Notice of Privacy Practices and eliminate or modify the obligation for covered health care providers with direct treatment relationships with individuals to make a good faith effort to obtain a written acknowledgment of an individual’s receipt of the provider’s Notice of Privacy Practices

We provide more details below regarding the foregoing proposed modifications to the HIPAA Rules and the significance of OCR’s corresponding requests for information.

Requiring Covered Entities to Timely Disclose PHI to Other Covered Entities and Health Care Providers for Treatment, Payment, and Health Care Operations Purposes

The HIPAA Privacy Rule currently permits Covered Entities to disclose PHI to other Covered Entities and non-covered health care providers without individual authorization for certain treatment, payment and health care operations purposes. OCR is considering amending the HIPAA Rules to generally require—and not merely permit—Covered Entities to disclose PHI to other Covered Entities (and non-covered health care providers) upon receiving a request for access to PHI from such providers for treatment purposes. To that end, OCR solicits public comment on whether such a requirement would effectively reduce any barriers health care providers experience when seeking to obtain medical records or other forms of PHI directly from Covered Entities for treatment purposes. In addition, OCR requests comment on whether Covered Entities should also be required to disclose PHI to requesting Covered Entities or non-covered health care providers for the purposes of payment and health care operations, including care coordination and case management.

OCR seemingly recognizes that the contemplated mandatory disclosure requirement would have sweeping implications for both HIPAA-regulated entities and health care consumers, and the agency seeks input on whether it should narrow the scope of any such requirement. With consumers’ privacy interests in mind, OCR raises the possibility of limiting any mandatory disclosure requirement in the following ways:

• Applying the requirement to only a subset of Covered Entities
• Applying the requirement only to disclosures between Covered Entities, rather than disclosures from Covered Entities to health care providers who are not also covered by HIPAA
• Limiting the requirement to only certain categories of disclosures (for example, only treatment and payment disclosures)
• Limiting the requirement to only certain categories of PHI (for example, PHI maintained in a designated record set) or excepting specific types of PHI from the requirement (such as psychotherapy notes)
• Allowing an individual to “opt-out” of certain categories of required disclosures (such as disclosures for health care operations purposes)
• Requiring a Covered Entity to obtain the individual’s authorization before requesting PHI for an acceptable purpose from another Covered Entity

OCR also requests feedback on whether any more restrictive state or federal laws or regulations, including the Confidentiality of Substance Use Disorder Patient Records regulations (42 C.F.R. Part 2), would limit the potential application of the suggested mandatory disclosure requirement.

Relatedly, OCR seeks comment on whether it should impose a timeliness requirement for any mandatory disclosures from a Covered Entity to a requesting Covered Entity or non-covered health care provider. OCR requests input on whether certain categories of disclosures (such as treatment disclosures) should be subject to stricter deadlines than other ones. Further, OCR is considering whether PHI stored in particular media formats, such as electronic records, should be furnished to the requesting entity more rapidly than PHI in other forms, such as paper. OCR also appears to be simultaneously exploring whether the HIPAA Privacy Rule’s access provisions should be modified to incorporate stricter timeliness requirements for responding to individuals’ requests to access certain types of PHI, such as electronic PHI.

An update to the HIPAA Privacy Rule that imposes a mandatory disclosure requirement is likely to impact the daily operations of both Covered Entities and non-covered health care providers alike. Covered Entities, health care providers, and other interested stakeholders should consider sending OCR comments that weigh the potential benefits and costs of such a requirement.

Eliminating the Minimum Necessary Requirement for Care Coordination and Case Management Disclosures

Generally, the HIPAA Privacy Rule requires a Covered Entity to reasonably limit its uses and disclosures of PHI to the minimum amount of PHI necessary to achieve the intended purpose of the use or disclosure. The minimum necessary standard, however, does not apply to disclosures that a Covered Entity makes to a health care provider for treatment purposes.

OCR solicits comment on whether the minimum necessary standard should continue to apply to disclosures made by Covered Entities for certain health care operations purposes. Specifically, OCR requests public input on whether the exceptions to the minimum necessary standard should also include “population-based case management and care coordination activities, claims management, review of health care services for appropriateness of care, utilization reviews, or formulary development.” OCR is also interested in identifying other potential exceptions to the minimum necessary standard that would promote the goals of care coordination and case management.

Covered Entities that participate in an organized health care arrangement (OHCA) or other clinically integrated settings that are not commonly owned or controlled should consider submitting comments to OCR on this topic. Because these Covered Entities share PHI with one another for joint health care operations activities, they are especially likely to benefit from the suggested additional exceptions to the HIPAA Privacy Rule’s minimum necessary standard.

Disclosures of PHI to Social Service Agencies or Community-Based Support Programs

Currently, the HIPAA Privacy Rule permits Covered Entities to disclose PHI to social service agencies or community-based support programs (Agencies and Programs) for treatment purposes, which includes the coordination or management of health care by a health care provider with a third party. OCR recognizes, however, that Covered Entities are nonetheless currently hesitant to share PHI with these Agencies and Programs without a written authorization or Business Associate Agreement (BAA) because these recipients are not directly subject to HIPAA.

OCR is exploring whether to amend the HIPAA Privacy Rule to more explicitly permit such disclosures without authorization or a BAA or, alternatively, require these Agencies and Programs to agree to protect PHI in a similar manner to a Business Associate before the Covered Entity can disclose PHI to them.

A more explicit HIPAA pathway for disclosures between Covered Entities and Agencies and Programs may facilitate treatment disclosures in instances where Covered Entities are currently hesitant to share PHI without a written authorization due to the recipient Agency or Program not being a Covered Entity or Business Associate under HIPAA. In other instances, however, requiring Covered Entity health care providers and Agencies and Programs to enter into agreements similar to BAAs could create additional burdens for the Agencies and Programs, as well as the Covered Entity health care providers that refer patients to them. The RFI discusses situations where multidisciplinary teams could include law enforcement officials, such as drug courts, and suggests that an alternative process may be needed to account for the presence of law enforcement officials. But 42 C.F.R. Part 2 typically dictates the procedure for disclosing PHI to and from drug court multidisciplinary teams because 42 C.F.R. Part 2 contains more stringent protections than HIPAA. Creating a BAA-like pathway for disclosures between drug courts and Covered Entities could potentially require drug court teams (e.g., judges, court staff and social workers) to both obtain 42 C.F.R. Part 2-compliant consents and enter into an agreement with special HIPAA-compliant terms with the Covered Entities.

Covered Entity health care providers that currently use the existing treatment pathway to disclose PHI to Agencies and Programs should consider providing feedback to OCR on this proposal given the significant changes that OCR appears to be contemplating to these disclosures.

Health Care Clearinghouses

Under the current HIPAA Rules, health care clearinghouses are Covered Entities that function as Business Associates of Covered Entity health care providers when they assist them with engaging in standard transactions with health plans. Given the large volume of PHI held by a health care clearinghouse, OCR posits in the RFI that individuals could potentially access their full treatment histories from health care clearinghouses without having to separately request PHI from each of their health care providers. OCR further queries whether the status of a health care clearinghouse as a Business Associate, which is often subject to BAA provisions restricting its ability to respond directly to individuals’ access requests, may be a barrier to improving individuals’ ability to receive timely access to PHI.

Accordingly, OCR is considering whether the health care clearinghouse should be directly subject to individual access requirements. OCR is also examining whether the health care clearinghouse should be solely classified as Covered Entities, eliminating the need for a BAA to be in place between the clearinghouse and Covered Entity health care providers. OCR recognizes potential concerns with the latter approach, particularly if Covered Entity health care providers would not be able to impose other contractual limitations on how health care clearinghouses can use and disclose PHI, such as by limiting clearinghouses’ uses and disclosures of PHI received from providers to those necessary to process claims.

The majority of patients and beneficiaries may not be aware that a health care clearinghouse processes their data, let alone the particular clearinghouse from which they can request access to their PHI. Given the access fee limitations imposed by both the HIPAA Privacy Rule and certain state laws, it is unclear whether a health care clearinghouse would have financial or other incentives to advertise its PHI access fulfillment services to patients and other individuals. Classifying clearinghouses as Covered Entities may not be the only way to improve and facilitate patient access to PHI. Covered Entities (including health care clearinghouses), patients and their advocates, and other industry stakeholders should consider sending comments to OCR regarding the value of imposing access obligations on health care clearinghouses and the extent to which individuals’ access rights under the HIPAA Privacy Rule would be enhanced.

Family Members, Caregivers, and Others’ Role in Promoting the Health and Recovery of Individuals with Substance Use Disorders or Serious Mental Illness

The HIPAA Privacy Rule generally permits Covered Entity health care providers to share an individual’s PHI with family members, friends and caregivers, so long as the individual has been given the opportunity to object to the disclosure when feasible. Covered Entities are also allowed to disclose PHI to prevent or lessen a serious and imminent threat to an individual’s safety (including to the individual’s family members, friends, caregivers and others in a position to alleviate the threat). In October 2017, OCR issued guidance clarifying when HIPAA permits Covered Entities to discuss an individual’s PHI with his or her family, friends and others during crisis situations, such as the opioid crisis. Later that year, OCR issued guidance regarding when HIPAA permits Covered Entities to share mental health information with third parties.

In the RFI, OCR acknowledges that misunderstandings continue to persist around when HIPAA allows Covered Entities to share PHI with an individual’s caregivers and other third parties. Such confusion, OCR finds, “may hinder effective coordination of care and case management involving caregivers, including family and friends.” Consequently, OCR states that it will consider issuing a separate rulemaking to encourage Covered Entities to disclose PHI to an individual’s family members, caregivers and others, as needed to prevent harm to a person’s health or safety, assist those struggling with substance use disorder (such as opioid use disorder), and promote the health of those with serious mental illness.

OCR also seeks comment on whether the HIPAA Rules frustrate the ability of parents and guardians to obtain critical information about their unemancipated minor children, including PHI about their mental health and substance use disorders. Similarly, OCR solicits feedback on whether the HIPAA Rules’ provisions permitting disclosures to an individual’s legal personal representative need to be amended to accommodate various treatment coordination scenarios, such as when adult children who need to readily access treatment information about their elderly parent for whom they are caregivers. OCR’s questions on this topic signal that the agency is seeking a solution that will balance the potential detriment to a patient’s health if a Covered Entity cannot easily share PHI with his or her caregivers against the patient’s interests in privacy and autonomy.

Accounting of Disclosures for Treatment, Payment and Health Care Operations

Section 13405(c) of the HITECH Act dramatically expanded the original accounting of disclosures requirement to newly require the inclusion of very routine disclosures. Specifically, Congress directed OCR to promulgate regulations to give individuals the right to receive an accounting of treatment, payment and healthcare operations disclosures through an EHR for the previous three years, but only in a manner that balances the interests of individuals in learning the circumstances under which their PHI is being disclosed and the administrative burden of accounting for such disclosures.

In May 2011, OCR released a Notice of Proposed Rulemaking that would have required Covered Entities that had implemented an EHR to make available to individuals, upon request, an “access report” detailing each access of PHI in the electronic designated record set made during a three-year period (whether the access resulted in a “use” or “disclosure” of PHI). OCR never finalized the rule due to significant negative feedback in public comments to the rulemaking, including concerns about the technological feasibility of producing an access report, the prohibitive cost of adding access report functionality, and the lack of information that would be meaningful or useful to individuals in an access report.

The RFI announces OCR’s intention to withdraw the May 2011 proposed rule and seeks input on alternative approaches to making an accounting available that includes treatment, payment and health care operations disclosures. Specifically, OCR seeks granular information about the number of treatment, payment and health care operations disclosures made by Covered Entities and by Business Associates on their behalf and about the experience of Covered Entities with accounting of disclosures requests under current law, such as the frequency of such requests, the length of time needed to respond to such requests, and information about whether compiling an accounting is done manually and/or automatically through the EHR.

While the RFI states that the access report requirement proposed in May 2011 would create “undue burden for covered entities without providing meaningful information to individuals,” OCR includes questions relating to the ability of EHRs to distinguish “uses” from “disclosures” and the type of information recorded for each access event. OCR seemingly seeks to confirm the technological infeasibility that commenters described in 2011.

In other RFI questions, OCR requests comments on whether it would be sufficient for OCR to require Covered Entities to conduct and document “a diligent investigation into disclosures of PHI upon receiving an individual’s request for an accounting of disclosures” for treatment, payment and health care operations. OCR wonders whether this requirement could apply not just to disclosures made through EHRs, but disclosures made orally or using paper records as well.

The ideas contemplated in the accounting of disclosures queries could create significant administrative and technological burdens for Covered Entities, and it will be important for Covered Entities to respond fully to these questions to convey the difficulties in developing these accountings. Indeed, throughout this RFI section on accountings, OCR seeks detailed information about current practices and technological capacity, as well as predictions about future capacity, including cost estimates of adding certain functionalities.

Notice of Privacy Practices

Currently, a Covered Entity health care provider is required to provide its Notice of Privacy Practices (NPP) to individuals by the date of first service delivery and upon an individual’s request. In addition, Covered Entity health care providers that have a direct treatment relationship with an individual must make a good faith effort to obtain a written acknowledgment that the individual has received the health care provider’s NPP. OCR is seeking input on whether to eliminate the written acknowledgment requirement and is requesting specifics on the administrative burdens currently created by the requirement. Covered Entity health care providers would likely welcome the elimination of the NPP acknowledgment requirement because it would remove a recordkeeping requirement that arguably does not lead to more patients reading the NPP itself.

OCR is also considering creating a safe harbor that would deem Covered Entity health care providers in compliance with the HIPAA Privacy Rule’s NPP requirement if they implement one of OCR’s model NPPs, which are available on OCR’s website. These model notices, which are more concise and easier to read than the typical NPP, may become more widely adopted if OCR elects to provide a compliance safe harbor for their use.

Conclusion

Overall, OCR appears to be signaling significant rulemaking in 2019 relating to HIPAA. While some of the proposals discussed above might potentially reduce burden on Covered Entities, others could result in new requirements that Covered Entities would need to invest time and resources in addressing in their HIPAA compliance policies, procedures, and forms.

The RFI provides Covered Entities, Business Associates and other stakeholders an important opportunity to express support of or opposition to these proposals before they are introduced in proposed rulemaking. In addition, HIPAA-regulated entities may want to consider putting forth additional ideas to assist OCR with reconciling HIPAA with current health care industry priorities, such as modernizing preparatory to research rules to keep pace with precision medicine, creating enforcement safe harbors for certain types of cyber-attacks, and facilitating data-sharing between health plans and providers engaging in value-based pricing arrangements.

Please contact your regular McDermott attorney or any of the authors of this On the Subject for more information on the RFI or if you are interested in assistance with drafting a responsive comment. McDermott is hosting a breakfast on January 17, 2019 in our Washington, DC. office, where we will discuss the RFI and reactions from industry stakeholders. To RSVP, please contact Jennifer Randles at jrandles@mcdermottplus.com.