
HIPAA Proposed Rule Part 2: Patient Right of Access


Last week, we presented a high-level summary of the Department of Health and Human Services’ (HHS) recently released proposed rule to revise the HIPAA Privacy Rule.

This week's post delves more deeply into what the proposed changes to expand the Individual Right of Access mean in practice. 

For a background on current HIPAA policies, see HIPAA and MIPS: Explained as easily as humanly possible.

When Would These Changes Need to Be Implemented?

HHS is proposing to require compliance with any finalized policies by 240 days after the publication of the Final Rule. As the Proposed Rule was just published, it would likely be more than a year from now.


Proposed Changes to Expand the Individual (Patient) Right of Access

Response Timeliness

HHS is proposing to halve the amount of time you have to complete an Individual Right of Access request.

Current Requirement

You have up to 30 calendar days to provide access to records requested by a patient. If you are unable to supply access within this time frame – for example, where the information is archived offsite and not readily accessible – you may use one 30-day extension. To do so, you must inform the individual in writing of the reasons for the delay and the date by which you will provide access.

Proposed New Requirement

If finalized, you would have to fulfill the request “as soon as practicable” and no later than 15 calendar days after you receive the request. If you are unable to meet this deadline, you may use one 15-day extension. As is currently the case, if you require the extension, you must inform the individual in writing of the reasons for the delay and the date by which you will provide access.

This new requirement would apply both to requests by an individual patient for direct access and to patients’ requests that an electronic copy of PHI in an EHR be directed to a third party.

HHS is also proposing to require all covered entities to create written policies for prioritizing urgent or other high priority access requests. While HHS does not define “urgent or high-priority requests,” they provide examples such as “when an individual voluntarily reveals that the PHI is needed in preparation for urgent medical treatment, or that the individual needs documentation of a diagnosis of severe asthma to be allowed to bring medication to school.” These policies would limit the need to use 15 calendar-day extensions for such requests.

How to Prepare

It is highly likely that HHS will finalize this requirement. Several states, including California, Colorado, Hawaii, Louisiana, Montana, Tennessee, Texas, and Washington currently have deadlines to respond to Individual Right of Access requests of less than or equal to 15 days.

We recommend testing out 15 days to identify any workflow changes that may need to be made. Doing so will not only prepare you to comply with this shortened timeframe when it is finalized, but also improve patient satisfaction at your practice.

Identity Verification

HHS proposes to expressly prohibit covered entities from imposing unreasonable verification measures on an individual exercising a right under the Privacy Rule.

Current Requirement

Despite currently having an intended prohibition on requiring unreasonable and burdensome identification measures, HHS routinely receives complaints from patients about covered entities creating barriers to exercising their individual right of access.

Proposed New Requirement

HHS will expressly prohibit you from imposing unreasonable identity verification measures on an individual (or their personal representative) exercising a right under the Privacy Rule. Unreasonable verification measures are those that require an individual to expend unnecessary effort or expense when a less burdensome verification measure is practicable for you or your practice. This modification is not intended to prevent you from taking reasonable measures to verify the identity and authority of the individual or entity making the request.

HHS provides the following as examples of unreasonable measures:

  • Requiring individuals to obtain notarization of requests to exercise their Privacy Rule rights
  • Requiring individuals to provide proof of identity in person when a more convenient method for remote verification is practicable for the physician or practice
  • Requiring individuals to fill out a form containing the extensive information found in a HIPAA authorization form, which may impose an unreasonable burden on individuals
  • Requiring individuals to submit access requests through online portals
  • Absent Security Rule concerns, denying patient-requested third-party applications the ability to register with your EHR’s application programming interface (API)
    • Ex: you may not deny an app from registering solely because it does not have a business associate relationship and agreement with you or because the app offers another service to patients that competes with a service that you offer.

How to Prepare

This proposal is also very likely to be finalized. HHS stated that this was the intended current state for the HIPAA Privacy Rule’s Individual Right of Access identity verification.

A good first step is to go through the bulleted list above to ensure that you and your practice do not currently employ any of the prohibited verification practice examples. We also recommend asking patients if they have any feedback after going through your identity verification process. Using this feedback will help you improve patient experience and satisfaction.


Personal Health Application (PHA)

This is a newly proposed term under HIPAA.

Current Requirement

There is no current PHA definition under HIPAA. The proposed definition is intended to align with the Information Blocking Rule requirements, which take effect on April 5, 2021.

Proposed New Requirement

HHS proposes to define PHAs as direct-to-consumer applications used for the patient’s own purposes, such as to monitor their own health status and access their own PHI using the app. By adding this definition under the HIPAA Individual Right of Access, HHS is making the transmission of PHI to a PHA a form of access that a patient can request.

How to Prepare

As stated above, for providers who do not have significant barriers to implementing a secure API through their EHR, providing patients access to their electronic health information via PHAs will be a requirement beginning April 5, 2021 under the Information Blocking Rule. We recommend reaching out to your EHR vendor to ask for a status update on API implementation and whether a fee will be charged by your vendor for access to and use of the API.

It is important to note that PHAs are not and will not be subject to HIPAA privacy and security obligations since they do not work on behalf of or at the direction of a covered entity. You are allowed to have a disclaimer stating this as part of a third-party app authorization process as long as the disclaimer is applied uniformly.


Right to Inspect and Record PHI

HHS proposes to expand the individual’s Right of Access to their PHI to include the right to view, take notes, take photographs, and use other personal resources to capture the information. 

Current Requirement

Patients are currently allowed to request access in the manner of in-person inspection. No fees may be charged for this.

Proposed New Requirement

HHS proposes to explicitly require providers to allow individuals to take notes, videos, and photographs, and use other personal resources to view and capture PHI in a designated record set as part of the right to inspect PHI in person. This does not include allowing the individual to connect a personal device, such as a thumb drive, to your information systems as this could pose a security risk.

HHS also proposes to prohibit providers from delaying the right to inspect when PHI is readily available at the point of care in conjunction with a health care appointment.

How to Prepare

Many providers already allow patients to take notes, videos, and photographs, and use other personal resources to view and capture their PHI when the individual inspects it. If your practice does not do this, you may want to evaluate and address any barriers you have in your workflow. We also recommend that you establish clear policies prohibiting the connection of personal devices to your information systems (e.g., your computers and devices) and educate all staff on these policies.


Third Party Directives

HHS proposes to expressly provide individuals with the right to direct providers to transmit an electronic copy of PHI stored in an EHR directly to a third party designated by the individual.

Current Requirement

Patients must currently request in writing that PHI be sent to a third party. The request must be signed by the individual and clearly identify the designated person or entity and where to send the PHI. Providers may accept an electronic copy of a signed request (e.g., PDF or scanned image), an electronically executed request (e.g., via a secure web portal) that includes an electronic signature, or a faxed or mailed copy of a signed request.

Proposed New Requirements

HHS proposes to permit individuals (patients and their designated representatives) to direct copies of PHI stored in an EHR to a third party and submit such requests via oral, electronic, or written means. The only requirement is that it be clear, conspicuous, and specific.

HHS also proposes to create a separate set of provisions to require covered health care providers to facilitate an individual’s request for PHI stored in an EHR to be transmitted to a third party. The provider to whom the individual submits the request is the “Requester-Recipient”. The provider who maintains the PHI in their EHR is the “Discloser”.

  • This proposal creates a second mechanism, in addition to the permitted TPO disclosures, for a covered health care provider or health plan to obtain an electronic copy of PHI in an EHR from another covered health care provider, through a required disclosure initiated by the individual’s exercise of the right of access.
    • The proposal would not require the requesting CE to determine whether the Discloser is a covered health care provider before submitting the individual’s request.
  • The individual (or their designated representative) can submit a request via oral, electronic, or written means.
  • The Requester-Recipient would be required to submit the request to the Discloser on behalf of the individual within 15 calendar days of receiving the individual’s direction and any information needed to submit the request to the Discloser.
    • No 15-day extensions are allowed for the Requester-Recipient to submit the request to the Discloser.
  • Applies only to electronic copies of PHI in an EHR.
    • Formats for receipt include PDF, .doc, .docx, FHIR, etc.

How to Prepare

This proposal conflicts with current HIPAA policies, and it is unclear whether this provision will be finalized as proposed. As such, we believe this proposal is important to be aware of but not to prepare for at this time.


More Blogs on the HIPAA Privacy Proposed Rule

Part 1: High-Level Summary

Part 3: Permitted Fees

Part 4: Disclosures


More Information on the Related ONC Information Blocking Requirements (Compliance Date April 5, 2021)

Recently, we wrote a blog on the upcoming Information Blocking requirements: Get Ready! Information Blocking Deadline April 5.

On April 5, we will post a webinar on the upcoming information blocking requirements. If you want hands-on, personalized assistance, contact us and we will have your back. 

Written by Jessica Peterson

Jessica Peterson, MD, MPH is the Vice President of Health Policy at the consulting firm MarsdenAdvisors.
