This week's post is the last installment in our series on the HIPAA Privacy Proposed Rule. Here we inspect the significant proposed changes to disclosures under HIPAA and how they may impact your practice.
For a background on current HIPAA policies, see HIPAA and MIPS: Explained as easily as humanly possible. Links to our previous blogs on the HIPAA Privacy Proposed Rule are at the bottom of this page.
When Would These Changes Need to Be Implemented?
HHS is proposing to require compliance with any finalized policies by 240 days after the publication of the Final Rule. As the Proposed Rule was just published, that compliance date would likely be more than a year from now.
Proposed Changes to HIPAA Disclosures
Minimum Necessary Standard
HHS proposes an express exception to the “minimum necessary” standard for individual-patient-level disclosures to or requests by a health plan or covered health care provider for care coordination and case management.
You are required to use, disclose, or request only the minimum PHI necessary to meet the purpose of the use, disclosure, or request. Current exclusions from the minimum necessary standard include:
- Disclosures to, or requests by, a health care provider for treatment purposes are excluded from the minimum necessary standard.
  - While this exception applies to disclosures, it does not apply to the use of the information by the recipient. In short, if you received PHI for treatment purposes, you may only use the minimum necessary information.
- Disclosures to the patient of their own information.
- Uses and disclosures made pursuant to an individual's authorization.
- Disclosures to HHS when disclosure of information is required under the Privacy Rule for enforcement purposes.
- Uses or disclosures that are required by other law.
Proposed New Requirement
HHS is proposing an express exception from the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management.
HHS provides the following examples of the impact of this proposal:
- When a health plan requests a disclosure for care coordination or case management to facilitate an individual's participation in the plan's new wellness program. In this case, you would no longer have to assess whether you can rely on the health plan's determination of the minimum necessary amount of PHI for the purpose.
- When a covered health care provider contacts a health plan to coordinate potential treatment referrals for a patient, you would not need to consider what information is the minimum necessary to disclose to the health plan for this purpose.
Important note: You would still be able to honor an individual's (patient's) request not to use or disclose information for these purposes.
How to Prepare
The exception to the minimum necessary standard would be allowed only if it is finalized. Therefore, we do not recommend any preparation at this time.
Of note, if this exception is finalized, the ONC Information Blocking Final Rule would prohibit you from limiting a permissible disclosure to what you believe to be the minimum necessary information when the Privacy Rule specifically excepts the disclosure from the minimum necessary standard. Thus, if finalized, you would be required to apply the exception unless the patient specifically requests that you not use or disclose the information for the applicable purpose(s).
Health Care Operations
The Proposed Rule amends the definition of “health care operations” to clarify that the scope of permitted uses and disclosures extends to individual-level care coordination and case management that constitute health care operations.
HIPAA allows uses and disclosures of PHI for treatment, payment, and health care operations (TPO) without an individual's valid authorization. The "health care operations" definition does not currently mention individual-level care. As such, many providers interpret this to mean that patient authorization is required to disclose individual patient data for individual-level care coordination and case management activities.
Proposed New Requirement
This proposed change to the definition of "health care operations" does not change the requirements, but clarifies that you are allowed to disclose individual patient PHI for individual-level care coordination and case management activities without the individual's valid authorization.
How to Prepare
This proposal is highly likely to be finalized. HHS stated that this was the intended current state for the HIPAA Privacy Rule’s allowed TPO disclosures. As such, if you currently subscribe to the interpretation that individual patient level care coordination and case management activities require patient authorization, this clarification shows that you do not need a patient authorization for these specific activities.
HHS proposes clarifications permitting the ability of covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and similar third parties that provide health-related services.
Currently, you are permitted, but not required, to obtain an individual's consent to use or disclose their PHI for TPO purposes, including to public or private-sector entities that provide health-related social and community based services as part of your treatment activities. This is subject to the minimum necessary standard if the disclosure is made to a third party entity that is not a health care provider.
For example, you are allowed to make a disclosure for the treatment purposes of an elderly or disabled patient by disclosing PHI to a home and community based services (HCBS) provider if it is for the coordination or management of your treatment or necessary health-related services for the patient. This could be for things such as arranging for a home aide to help the elderly or disabled patient with their prescribed at-home or post-discharge treatment protocol.
Although guidance from HHS established that this was allowable, many doctors believe that they have to obtain valid authorization from the patient first.
Proposed New Requirement
HHS proposes to expressly permit you to disclose PHI to social services agencies, community-based organizations, HCBS providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management. This can be either as a treatment activity or as a health care operations activity.
This proposal allows the disclosure of PHI to an entity that provides health-related services to individuals, but these entities do not have to be health care providers; the third parties do not have to be covered by HIPAA. Instead, the third party may be providing health-related social services or other supportive services -- e.g., food or sheltered housing needed to address health risks.
- Any disclosures to business associates still require that business associate agreements (BAAs) be in place.
- This is limited to individual-level disclosures.
How to Prepare
This proposal is simply a clarification of current policy. It remains up to you to determine how to release information for treatment purposes. We recommend that you continue to offer your patients the opportunity to request that you not disclose information in this way, but you are not required to get written authorization for these releases.
Mental Health and Substance Use Disorder
This Proposed Rule contains several provisions that would weaken privacy requirements around the care of patients with substance use disorder (SUD) and serious mental illness (SMI) and encourage disclosure to family by any member of a care team (including a scheduler). It also proposes to permit covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable” (replacing the current “serious and imminent” harm threshold for such disclosures).
- Disclosures to Personal Representatives
  - A personal representative is treated, under HIPAA, in the same way as the individual.
  - In many circumstances, the parent or guardian of an unemancipated minor child is treated as the minor's personal representative under applicable law. In instances in which state or other applicable law does not treat a parent as an unemancipated minor's personal representative, HIPAA permits, but does not require, covered entities to provide access to a parent or guardian. The decision to disclose is based on the professional judgement of a licensed health care professional.
- Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object
  - You are required to provide an opportunity for an individual who is present or otherwise available to agree or object to the disclosure of PHI to a person involved in the individual's care or payment for care.
  - You are also required to provide an opportunity for an individual to agree or object to their inclusion in the facility directory.
- Identity Verification
  - Covered entities are required to verify the identity of a person involved in an individual's care before disclosing PHI to the person.
- Relevant Guidance Encouraging Disclosures of PHI to Help Individuals Experiencing Opioid Use Disorder or Mental Illness
  - A provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.
  - The same condition applies to SMI when the patient is incapacitated or in an emergency situation.
- Uses and Disclosures to Avert a Serious Threat to Safety
  - Requires you to have a good faith belief that the use or disclosure "is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public," if the recipient is "reasonably able to prevent or lessen the threat."
Proposed New Requirements
HHS proposes to replace the "exercise of professional judgement" with "good faith belief". In practice, this means that the covered entity that decides to disclose the PHI does not have to be a health care professional as long as they are acting within the scope of their authority (e.g., a scheduler disclosing schedule-related information). The proposed standard is meant to encourage covered entities to use and disclose PHI more broadly in circumstances involving SUD and SMI without written authorization. This has several important implications as outlined below.
- Parent or guardian who is not the individual's personal representative
  - A covered entity would be allowed to, but not required to, disclose the PHI of an unemancipated minor to a parent or guardian who is not the personal representative of the individual under HIPAA, if consistent with state or other applicable law and a licensed health care professional has a good faith belief that disclosing PHI is in the best interests of the individual.
- Facility Directories
  - A covered entity would be allowed to include in its facility directory the name, facility location, and general condition of an individual who is incapacitated or in an emergency treatment circumstance if doing so is based on a good faith belief that the disclosure is in the best interests of the individual and is consistent with any prior expressed preference of the individual that is known to the covered entity.
- Emergency Contacts
  - Covered entities would be allowed to disclose relevant information to a person involved in the individual's care or payment for care when the covered entity reasonably infers, based on a good faith belief, that the individual does not object.
- Emergencies and Incapacity
  - Covered entities would be allowed to disclose relevant information to family members and other caregivers who are involved with the individual's care or payment for care, or who require notification related to the individual when the individual cannot agree to the disclosure due to absence, incapacity, or emergency circumstances. The covered entity must have a good faith belief the disclosure is in the best interests of the patient.
- Verifying Requestor's Identity
  - A covered entity would be considered to have satisfied its obligations to verify a requestor's identity if the covered entity acts on a good faith belief in making a disclosure of relevant PHI. In short, you would not be required to collect documentation of the relationship with the patient.
HHS is also proposing to change the "serious and imminent" harm threshold to "serious and reasonably foreseeable" for uses and disclosures to avert a serious threat to health or safety. HHS would:
- Allow providers to use or disclose PHI without having to determine whether the threatened harm is imminent.
- Define "reasonably foreseeable" to mean "that an ordinary person could conclude that a threat to health or safety exists and that harm to health or safety is reasonably likely to occur if a use or disclosure is not made, based on facts and circumstances known at the time of the disclosure."
How to Prepare
There is significant opposition from the medical community and patient rights advocates to the proposals that would weaken privacy protections for individuals with SUD or SMI. Therefore, we do not recommend preparing for those proposals at this time.
The proposal regarding disclosures to avert a serious threat to health or safety has fairly widespread support and is likely to be finalized. As the loosening of restrictions on these disclosures would not be permitted under law until the proposal is finalized and effective, there is no need to prepare at this time. If the proposal is finalized, we will provide additional guidance.
Telecommunications Relay Services
HHS proposes to expressly allow you to disclose PHI to TRS communications assistants relating to any covered functions performed by, for, or on behalf of you and clarify for covered entities that a business associate agreement is not needed with a TRS communications assistant.
HHS currently permits the disclosure of PHI to TRS providers in the case that the patient is clearly aware that a TRS assistant is involved in transliterating text or interpreting ASL to voice and vice versa. In these cases, the patient has the opportunity to agree or object to disclosures of PHI to a TRS communications assistant at the beginning of a call.
Since this policy was created, advances in technology now allow people to communicate with the help of a TRS communications assistant in a seamless manner, such that they may not know that they are using a TRS communications assistant. In addition, TRS is also used to assist communications between workforce members of covered entities and business associates. Therefore, the current policy needs to be updated; otherwise, a written authorization from the patient would be needed.
Proposed New Requirement
HHS proposes to expressly permit you (and business associates acting on your behalf) to disclose PHI to TRS communications assistants to conduct TPO activities. This change in policy accounts for the advances in technology mentioned in the current requirements section above.
Important Note: TRS providers are federally regulated and mandated to protect the confidentiality of their information.
How to Prepare
This proposal creates administrative simplifications. As such, you do not need to prepare for this proposal. If the proposal is finalized, we will provide you with additional guidance.
Notice of Privacy Practices
HHS proposes to eliminate the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP). HHS also proposes to modify NPP content requirements to clarify individual rights with respect to their PHI and how to exercise said rights.
You must currently obtain a written acknowledgement of receipt of the NPP. You must retain copies of this documentation for six years.
Proposed New Requirement
This proposal eliminates both of the above current requirements, and replaces the written acknowledgement requirement with an individual right to discuss the NPP with you or a person you designate.
Also proposed in this section are several modifications to NPP content. Most of these modifications revolve around informing individuals on how to access and control their information.
How to Prepare
Keep abiding by the current NPP requirements as they are mandatory until and unless these proposals are finalized. If this proposal is finalized, we will provide more detailed guidance on how to comply with the new rules around NPPs.
More Blogs on the HIPAA Privacy Proposed Rule
Part 2: Individual Right of Access Deep Dive
Part 3: Permitted Fees, Explained
More Information on the Related ONC Information Blocking Requirements (Compliance Date April 5, 2021)
Recently, we wrote a blog on the upcoming Information Blocking requirements: Get Ready! Information Blocking Deadline April 5.
On April 5, we will post a webinar on the upcoming information blocking requirements. If you want hands-on, personalized assistance, contact us and we will have your back.