This week's post is the last installment in our series on the HIPAA Privacy Proposed Rule. Here we inspect the significant proposed changes to disclosures under HIPAA and how they may impact your practice.
For a background on current HIPAA policies, see HIPAA and MIPS: Explained as easily as humanly possible. Links to our previous blogs on the HIPAA Privacy Proposed Rule are at the bottom of this page.
When Would These Changes Need to Be Implemented?
HHS is proposing to require compliance with any finalized policies by 240 days after the publication of the Final Rule. As the Proposed Rule was just published, it would likely be more than a year from now.
Proposed Changes to HIPAA Disclosures
HHS proposes an express exception to the “minimum necessary” standard for individual-patient-level disclosures to or requests by a health plan or covered health care provider for care coordination and case management.
Current Requirement
You are required to use, disclose, or request only the minimum PHI necessary to meet the purpose of the use, disclosure, or request. Current exclusions from the minimum necessary standard include:
Proposed New Requirement
HHS is proposing an express exception from the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management.
HHS provides the following examples of the impact of this proposal:
Important note: You would still be able to honor an individual's (patient's) request not to use or disclose information for these purposes.
How to Prepare
Only if finalized would the exception to the minimum necessary standard be allowed. Therefore, we do not recommend any preparation at this time.
Of note, if this exception is finalized, the ONC Information Blocking Final Rule would prohibit you from limiting a permissible disclosure to what you believe to be the minimum necessary information when the Privacy Rule specifically excepts the disclosure from the minimum necessary standard. Thus, if finalized, you would be required to apply the exception unless the patient specifically requests that you not use or disclose the information for the applicable purpose(s).
The Proposed Rule amends the definition of “health care operations” to clarify that the scope of permitted uses and disclosures extend to individual-level care coordination and case management that constitute health care operations.
Current Requirement
HIPAA allows uses and disclosures of PHI for treatment, payment, and health care operations (TPO) without an individual's valid authorization. The "health care operations" definition does not currently mention individual-level care. As such, many providers interpret this to mean that patient authorization is required to disclose individual patient data for individual-level care coordination and case management activities.
Proposed New Requirement
This proposed change to the definition of "health care operations" does not change the requirements, but clarifies that you are allowed to disclose individual patient PHI for individual-level care coordination and case management activities without the individual's valid authorization.
How to Prepare
This proposal is highly likely to be finalized. HHS stated that this was the intended current state for the HIPAA Privacy Rule’s allowed TPO disclosures. As such, if you currently subscribe to the interpretation that individual patient level care coordination and case management activities require patient authorization, this clarification shows that you do not need a patient authorization for these specific activities.
HHS proposes clarifications permitting the ability of covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and similar third parties that provide health-related services.
Current Requirement
Currently, you are permitted, but not required, to obtain an individual's consent to use or disclose their PHI for TPO purposes, including to public or private-sector entities that provide health-related social and community based services as part of your treatment activities. This is subject to the minimum necessary standard if the disclosure is made to a third party entity that is not a health care provider.
For example, you are allowed to make a disclosure for the treatment purposes of an elderly or disabled patient by disclosing PHI to a home and community based services (HCBS) provider if it is for the coordination or management of your treatment or necessary health-related services for the patient. This could be for things such as arranging for a home aide to help the elderly or disabled patient with their prescribed at-home or post-discharge treatment protocol.
Although guidance from HHS established that this was allowable, many doctors believe that they have to obtain valid authorization from the patient first.
Proposed New Requirement
HHS proposes to expressly permit you to disclose PHI to social services agencies, community-based organizations, HCBS providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management. This can be either as a treatment activity or as a health care operations activity.
This proposal allows the disclosure of PHI to an entity that provides health-related services to individuals, but these entities do not have to be health care providers; the third parties do not have to be covered by HIPAA. Instead, the third party may be providing health-related social services or other supportive services -- e.g., food or sheltered housing needed to address health risks.
Important notes:
How to Prepare
This proposal is simply a clarification of current policy. It remains up to you to determine how to release information for treatment purposes. We recommend that you continue to offer your patients the opportunity to request that you not disclose information in this way, but you are not required to get written authorization for these releases.
This Proposed Rule contains several provisions that would weaken privacy requirements around the care of patients with substance use disorder (SUD) and serious mental illness (SMI) and encourage disclosure to family by any member of a care team (including a scheduler). It also proposes to permit covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable” (replacing the current “serious and imminent” harm threshold for such disclosures).
Current Requirements
Proposed New Requirements
HHS proposes to replace the "exercise of professional judgement" with "good faith belief". In practice, this means that the covered entity that decides to disclose the PHI does not have to be a health care professional as long as they are acting within the scope of their authority (e.g., a scheduler disclosing schedule-related information). The proposed standard is meant to encourage covered entities to use and disclose PHI more broadly in circumstances involving SUD and SMI without written authorization. This has several important implications as outlined below.HHS is also proposing to change the "serious and imminent" harm threshold to "serious and reasonably foreseeable" for uses and disclosures to avert a serious threat to health or safety. HHS would:
How to Prepare
There is significant opposition from the medical community and patient rights advocates to the proposals that would weaken privacy protections for individuals with SUD or SMI. Therefore, we do not recommend preparing for those proposals at this time.
The proposal regarding disclosures to avert a serious threat to health or safety has fairly widespread support and is likely to be finalized. As the loosening of restrictions on these disclosures would not be permitted under law until the proposal is finalized and effective, there is no need to prepare at this time. If the proposal is finalized, we will provide additional guidance.
HHS proposes to expressly allow you to disclose PHI to TRS communications assistants relating to any covered functions performed by, for, or on behalf of you and clarify for covered entities that a business associate agreement is not needed with a TRS communications assistant.
Current Requirement
HHS currently permits the disclosure of PHI to TRS providers in the case that the patient is clearly aware that a TRS assistant is involved in transliterating text or interpreting ASL to voice and vice versa. In these cases, the patient has the opportunity to agree or object to disclosures of PHI to a TRS communications assistant at the beginning of a call.
Since this policy was created, advances in technology now allow people to communicate with the help of a TRS communications assistant in a seamless manner, such that they may not know that they are using a TRS communications assistant. In addition, TRS is also used to assist communications between workforce members of covered entities and business associates. Therefore, updates to the current policy are needed or a written authorization from the patient would be needed.
Proposed New Requirement
HHS proposes to expressly permit you (and business associates acting on your behalf) to disclose PHI to TRS communications assistants to conduct TPO activities. This change in policy accounts for the advances in technology mentioned in the current requirements section above.
Important Note: TRS providers are federally regulated and mandated to protect the confidentiality of their information.
How to Prepare
This proposal creates administrative simplifications. As such, you do not need to prepare for this proposal. If the proposal is finalized, we will provide you with additional guidance.
HHS proposes to eliminate the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP). HHS also proposes to modify NPP content requirements to clarify individual rights with respect to their PHI and how to exercise said rights.
Current Requirement
You must currently obtain a written acknowledgement of receipt of the NPP. You must retain copies of this documentation for six years.
Proposed New Requirement
This proposal eliminates both of the above current requirements, and replaces the written acknowledgement requirement with an individual right to discuss the NPP with you or a person you designate.
Also proposed in this section are several modifications to NPP content. Most of these modifications revolve around informing individuals on how to access and control their information.
How to Prepare
Keep abiding by the current NPP requirements as they are mandatory until and unless these proposals are finalized. If this proposal is finalized, we will provide more detailed guidance on how to comply with the new rules around NPPs.
More Blogs on the HIPAA Privacy Proposed Rule
Part 2: Individual Right of Access Deep Dive
Part 3: Permitted Fees, Explained
More Information on the Related ONC Information Blocking Requirements (Compliance Date April 5, 2021)
Recently, we wrote a blog on the upcoming Information Blocking requirements: Get Ready! Information Blocking Deadline April 5.
On April 5, we will post a webinar on the upcoming information blocking requirements. If you want hands-on, personalized assistance, contact us and we will have your back.