
Proposed Changes to the HIPAA Privacy Rule

Last updated April 22, 2021

High-level Summary

On January 21, 2021, the Department of Health and Human Services (HHS) officially released a proposed rule to revise the HIPAA Privacy Rule. While none of these changes can be finalized until after the public comment period has ended and HHS has reviewed the comments and written a final rule, the proposed changes are staggering.

Here we will present a high-level summary of the proposed changes to the HIPAA Privacy Rule and deep dives on the proposed changes to Patient Right of Access, Fees, and Disclosures.

For a background on current HIPAA policies, see HIPAA and MIPS: Explained as easily as humanly possible.

 

Background on This Proposed Rule

Over the past several years, there has been a coordinated push to increase patient access to and ability to use their health information. In this Proposed Rule, HHS moves to expand and strengthen the patient Right of Access, align HIPAA with Information Blocking rules, and modernize HIPAA rules in the age of digital health. HHS Secretary, Alex Azar, predicts that the "proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long".

 

When Would These Changes Need to Be Implemented?

HHS is proposing to require compliance with any finalized policies by 240 days after the publication of the Final Rule. As the Proposed Rule was just published, it would likely be more than a year from now.

 

Overview of Proposed Changes

Expanding the Individual (Patient) Right of Access
  • Identity Verification: In this Proposed Rule, HHS proposes to expressly prohibit covered entities from imposing unreasonable verification measures on an individual exercising a right under the Privacy Rule. An unreasonable measure is one that causes an individual to expend unnecessary effort or resources when a less burdensome verification measure is practicable for the covered entity.

  • Personal health application: This new proposed term under HIPAA refers to direct-to-consumer applications used for the patient’s own purposes, such as to monitor their own health status and access their own PHI using the app. These are not and will not be subject to HIPAA privacy and security policies.

  • Right to Inspect PHI: HHS proposes to expand the individual’s Right of Access to their PHI to include the right to view, take notes, take photographs, and use other personal resources to capture the information. 

  • Response Timeliness: HHS proposes to shorten the amount of time a covered entity has to fulfill a request for access to 15 calendar days with one potential additional 15-day extension (currently, covered entities have 30 calendar days with one 30-day extension permitted).

  • Third Party Directives: The Proposed Rule expressly provides individuals with the right to direct a covered health care provider to transmit an electronic copy of PHI in an EHR directly to a third party designated by the individual.

 
Fees
  • Fee Limitations: The Proposed Rule describes categories of access for which covered entities cannot charge a fee. No fee can be charged when an individual inspects their PHI in person or uses an internet-based method to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity. Regarding an access request to direct an electronic copy of PHI in an EHR to a third party, the Proposed Rule specifies that covered entities can only charge a fee for the labor for copying the PHI and for preparing an explanation or summary of the PHI if the individual has agreed to such summary.

  • Notice of Access and Authorization Fees: The Proposed Rule adds a requirement that covered entities provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual’s valid authorization. 

 
Notice of Privacy Practices
  • Notice of Privacy Practices: The Proposed Rule eliminates the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP). The Proposed Rule also modifies the content requirements of the NPP to clarify individual rights with respect to their PHI and how to exercise those rights.

 
Disclosures
  • Health Care Operations: The Proposed Rule amends the definition of “health care operations” to clarify that the scope of permitted uses and disclosures extends to individual-level care coordination and case management that constitute health care operations.

  • Minimum Necessary Standard: Proposes an express exception to the “minimum necessary” standard for disclosures to or requests by a health plan or covered health care provider for care coordination and case management. (Applies for individual-level, not population-level).

  • Telecommunications Relay Services: HHS proposed to expressly allow covered entities to disclose PHI to TRS communications assistants relating to any covered functions performed by, for, or on behalf of covered entities and clarify for covered entities that a business associate agreement is not needed with a TRS communications assistant.

  • Mental Health and Substance Use Disorder: This Proposed Rule contains several provisions that would weaken privacy requirements around the care of patients with substance use disorder and encourage disclosure to family by any member of a care team (including a scheduler). It also proposes to permit covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable” (replacing the current “serious and imminent” harm threshold for such disclosures).

  • Care Coordination: HHS proposes clarifications permitting the ability of covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and similar third parties that provide health-related services, in furtherance of the coordination and management of individuals’ care.

Deep Dive into Proposed Changes to Expand the Individual (Patient) Right of Access

 

Response Timeliness

HHS is proposing to halve the amount of time you have to complete an Individual Right of Access request.

 

Current Requirement
You have up to 30 calendar days to provide access to records requested by a patient. If you are unable to supply access within this time frame – for example, where the information is archived offsite and not readily accessible – you may use one 30-day extension. To do so, you must inform the individual in writing of the reasons for the delay and the date by which you will provide access.

 

Proposed New Requirement

If finalized, you would have to fulfill the request “as soon as practicable” and no later than 15 calendar days after you receive the request. If you are unable to meet this deadline, you may use one 15-day extension. As is currently the case, if you require the extension, you must inform the individual in writing of the reasons for the delay and the date by which you will provide access.

This new requirement would apply both to requests by an individual patient for direct access and to patients' requests that an electronic copy of PHI in an EHR be directed to a third party.

HHS is also proposing to require all covered entities to create written policies for prioritizing urgent or other high priority access requests. While HHS does not define “urgent or high-priority requests,” they provide examples such as “when an individual voluntarily reveals that the PHI is needed in preparation for urgent medical treatment, or that the individual needs documentation of a diagnosis of severe asthma to be allowed to bring medication to school.” These policies would limit the need to use 15 calendar-day extensions for such requests.

 

How to Prepare

It is highly likely that HHS will finalize this requirement. Several states, including California, Colorado, Hawaii, Louisiana, Montana, Tennessee, Texas, and Washington, currently have deadlines to respond to Individual Right of Access requests of less than or equal to 15 days. We recommend testing out 15 days to identify any workflow changes that may need to be made. Doing so will not only prepare you to comply with this shortened timeframe when it is finalized, but also improve patient satisfaction at your practice.

 

Identity Verification

HHS proposes to expressly prohibit covered entities from imposing unreasonable verification measures on an individual exercising a right under the Privacy Rule.

Current Requirement

Despite currently having an intended prohibition on requiring unreasonable and burdensome identification measures, HHS routinely receives complaints from patients about covered entities creating barriers to exercising their individual right of access.

Proposed New Requirement

HHS will expressly prohibit you from imposing unreasonable identity verification measures on an individual (or their personal representative) exercising a right under the Privacy Rule. Unreasonable verification measures are those that require an individual to expend unnecessary effort or expense when a less burdensome verification measure is practicable for you or your practice. This modification is not intended to prevent you from taking reasonable measures to verify the identity and authority of the individual or entity making the request.

HHS provides the following as examples of unreasonable measures:

  • Requiring individuals to obtain notarization of requests to exercise their Privacy Rule rights

  • Requiring individuals to provide proof of identity in person when a more convenient method for remote verification is practicable for the physician or practice

  • Requiring individuals to fill out a form with the extensive information contained in a HIPAA authorization form, which may impose an unreasonable burden on individuals

  • Requiring individuals to submit access requests through online portals

  • Absent Security Rule concerns, denying patient-requested third-party applications the ability to register with your EHR’s application programming interface (API)

    • Ex: you may not deny an app from registering solely because it does not have a business associate relationship and agreement with you or because the app offers another service to patients that competes with a service that you offer.

 

How to Prepare

This proposal is also very likely to be finalized. HHS stated that this was the intended current state for the HIPAA Privacy Rule’s Individual Right of Access identity verification.

A good first step is to go through the bulleted list above to ensure that you and your practice do not currently employ any of the prohibited verification practice examples. We also recommend asking patients if they have any feedback after going through your identity verification process. Using this feedback will help you improve patient experience and satisfaction.

 

Personal Health Application (PHA)

This is a new proposed term under HIPAA.

 

Current Requirement

There is no current PHA definition under HIPAA. This proposed definition is to align with the Information Blocking Rule requirements which take effect on April 5, 2021.

 

Proposed New Requirement

HHS proposes to define PHAs as direct-to-consumer applications used for the patient’s own purposes, such as to monitor their own health status and access their own PHI using the app. By adding this definition under the HIPAA Individual Right of Access, HHS is adding the transmission of PHI to PHAs as a form of access that a patient can request.

 

How to Prepare

As stated above, for providers who do not have significant barriers to implementing a secure API through their EHR, providing patients access to their electronic health information via PHAs will be a requirement beginning April 5, 2021 under the Information Blocking Rule. We recommend reaching out to your EHR vendor to ask for a status update on API implementation and whether a fee will be charged by your vendor for access to and use of the API.

It is important to note that PHAs are not and will not be subject to HIPAA privacy and security obligations since they do not work on behalf of or at the direction of a covered entity. You are allowed to have a disclaimer stating this as part of a third-party app authorization process as long as the disclaimer is applied uniformly.

 

Right to Inspect and Record PHI

HHS proposes to expand the individual’s Right of Access to their PHI to include the right to view, take notes, take photographs, and use other personal resources to capture the information. 

 

Current Requirement

Patients are currently allowed to request access in the manner of in-person inspection. No fees may be charged for this.

 

Proposed New Requirement

HHS proposes to explicitly require providers to allow individuals to take notes, videos, and photographs, and use other personal resources to view and capture PHI in a designated record set as part of the right to inspect PHI in person. This does not include allowing the individual to connect a personal device, such as a thumb drive, to your information systems as this could pose a security risk.

HHS also proposes to prohibit providers from delaying the right to inspect when PHI is readily available at the point of care in conjunction with a health care appointment.

 

How to Prepare

Many providers already allow patients to take notes, videos, and photographs, and use other personal resources to view and capture their PHI when the individual inspects it. If your practice does not do this, you may want to evaluate and address any barriers you have in your workflow. We also recommend that you establish clear policies prohibiting the connection of personal devices to your information systems (e.g., your computers and devices) and educate all staff on these policies.

 

Third Party Directives

HHS proposes to expressly provide individuals with the right to direct providers to transmit an electronic copy of PHI stored in an EHR directly to a third party designated by the individual.

 

Current Requirement

Patients must request access for a third party in writing. The individual’s request must be in writing, signed by the individual, and clearly identify the designated person or entity and where to send the PHI. Providers may accept an electronic copy of a signed request (e.g., PDF or scanned image), an electronically executed request (e.g., via a secure web portal) that includes an electronic signature, or a faxed or mailed copy of a signed request.

 

Proposed New Requirements

HHS proposes to permit individuals (patients and their designated representatives) to direct copies of PHI stored in an EHR to a third party and submit such requests via oral, electronic, or written means. The only requirement is that it be clear, conspicuous, and specific.

HHS also proposes to create a separate set of provisions to require covered health care providers to facilitate an individual’s request for PHI stored in an EHR to be transmitted to a third party. The provider to whom the individual submits the request is the “Requester-Recipient”. The provider who maintains the PHI in their EHR is the “Discloser”.

  • This proposal creates a second mechanism, in addition to the permitted TPO disclosures, for a covered health care provider or health plan to obtain an electronic copy of PHI in an EHR from another covered health care provider through a required disclosure initiated by an individual’s exercise of the right of access.

    • Proposal would not require the requesting CE to determine if the Discloser is a covered health care provider before submitting the individual’s request.

  • The individual (or their designated representative) can submit a request via oral, electronic, or written means.

  • Would require the Requester-Recipient to submit the request to the Discloser on behalf of the individual within 15 calendar days of receiving the individual’s direction and any information needed to submit the request to the Discloser

    • There are no 15-day extensions allowed for the Requester-Recipient to submit request to the Discloser.

  • Applies only to electronic copies of PHI in an EHR

    • Formats for receipt include PDF, .doc, .docx, FHIR, etc…

 

How to Prepare

This proposal conflicts with current HIPAA policies and it is unclear if this provision will be finalized as proposed. As such, we believe that this proposal is important to be aware of but not to prepare for at this time.

Deep Dive into Proposed Changes to Permitted Fees for Access to PHI and ePHI

 


Permitted Fees

The Proposed Rule describes categories for which covered entities cannot charge a fee.

Current Requirement
You can charge a reasonable, cost-based fee to fulfill access requests from individuals for copies of their PHI. Allowable fees are limited to:

  • The costs of labor for copying the PHI requested by the individual, whether in paper or electronic form; 

  • The costs of supplies for creating the paper copy or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy be provided on portable media;

  • Postage, when the individual requests that the copy, or the summary or explanation, be mailed; and

  • Costs for preparing an explanation or summary of the PHI, if agreed to by the individual.

You may not charge any fee or include in fee calculations the costs associated with verification; documentation; searching for and retrieving the PHI; maintaining systems; recouping capital for data access, storage, or infrastructure; or other costs not listed above.

 

Proposed New Requirement

HHS is categorizing the proposed permitted fees based on the method of PHI access and who the recipient of the PHI is (either the individual/personal representative or a third party to which the patient directs you to send their PHI).

HHS published the table below to summarize the proposed changes.

 

[Image: permitted fees table, 2021]

 

Important notes:

  • Internet-based method: this refers to portals, APIs and any similar technology used to request and obtain PHI through the individual right of access.

  • HHS states that it does not intend free access to apply to situations in which the patient is using an online portal to submit a request for copies of PHI to be sent to them in a manner that would require you to incur allowable costs for supplies, postage, or labor for copying. If the internet-based method were used for requesting and obtaining the PHI, it would need to be free.

 

Notice of Access and Authorization Fees

HHS proposes to require you to provide advance notice of approximate fees for copies of PHI requested under the Individual Right of Access.

Current Requirement
You must currently provide advance notice of fees under HIPAA. However, since the fee a covered entity is permitted to charge will vary based on the form and format and manner of access requested or agreed to by the individual, covered entities must, at the time such details are being negotiated or arranged, inform the individual of any associated fees that may impact the form and format and manner in which the individual requests or agrees to receive a copy of their PHI.

 

Proposed New Requirement

In addition to the current requirement, HHS proposes to require you to do the following:

  • Post the fee schedule online (if you have a website)

  • Make the fee schedule available to individuals at the point of service upon the individual's request

    • In paper or electronic form

    • Location: at the point of care or at an office that is responsible for releasing medical records, as well as orally (e.g., over the phone) as applicable. Point of care could also include a customer service call center that handles requests for records, or any location at which PHI is made available for individuals to inspect.

 

HHS proposes that the notice must include:

  • All types of access available free of charge, and

  • The fee schedule for:

    • Copies provided to individuals (with respect to all readily producible electronic and non-electronic forms and formats for such copies)

    • Copies of PHI in an EHR directed to third parties designated by the individual (with respect to all readily producible electronic forms and formats for such copies)

    • Copies of PHI sent to third parties with the individual's valid authorization (with respect to all forms and formats for such copies).

 

In addition to the above requirements, HHS proposes to require you to provide, upon an individual's request, the following:

  • An individualized estimate of the approximate fees you will charge for the requested copies of PHI.

    • This must be completed within 15 calendar days and prior to any extension of time that may be allowed for providing the copies.

  • An itemization of the charges for labor for copying, supplies, and postage, as applicable, which constitute the total fee you charge the individual for PHI copies.

    • Importantly, there is no proposal to amend the current lack of prohibition on allowing you to require individuals to pay a fee for copies of PHI upfront, before receiving such copies.

Deep Dive into Proposed Changes to HIPAA Disclosures

 

Minimum Necessary Standard

HHS proposes an express exception to the “minimum necessary” standard for individual-patient-level disclosures to or requests by a health plan or covered health care provider for care coordination and case management. 

 

Current Requirement
You are required to use, disclose, or request only the minimum PHI necessary to meet the purpose of the use, disclosure, or request. Current exclusions from the minimum necessary standard include:

  • Disclosures to, or requests by, a health care provider for treatment purposes are excluded from the minimum necessary standard.

    • While this exception applies to disclosures, it does not apply to the use of the information by the recipient. In short, if you received PHI for treatment purposes, you may only use the minimum necessary information.

  • Disclosures to the patient of their own information.

  • Uses and disclosures made pursuant to an individual's authorization.

  • Disclosures to HHS when disclosure of information is required under the Privacy Rule for enforcement purposes.

  • Uses or disclosures that are required by other law.

 

Proposed New Requirement

HHS is proposing an express exception from the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management. 

HHS provides the following examples of the impact of this proposal:

  • When a health plan requests a disclosure for care coordination or case management to facilitate an individual's participation in the plan's new wellness program. In this case, you would no longer have to assess whether you can rely on the health plan's determination of the minimum necessary amount of PHI for the purpose.

  • When a covered health care provider contacts a health plan to coordinate potential treatment referrals for a patient, you would not need to consider what information is the minimum necessary to disclose to the health plan for this purpose.

 

Important note: You would still be able to honor an individual's (patient's) request not to use or disclose information for these purposes.

  

How to Prepare

Only if finalized would the exception to the minimum necessary standard be allowed. Therefore, we do not recommend any preparation at this time. 

Of note, if this exception is finalized, the ONC Information Blocking Final Rule would prohibit you from limiting a permissible disclosure to what you believe to be the minimum necessary information when the Privacy Rule specifically excepts the disclosure from the minimum necessary standard. Thus, if finalized, you would be required to apply the exception unless the patient specifically requests that you not use or disclose the information for the applicable purpose(s).

 

Health Care Operations

The Proposed Rule amends the definition of “health care operations” to clarify that the scope of permitted uses and disclosures extends to individual-level care coordination and case management that constitute health care operations.

 

Current Requirement

HIPAA allows uses and disclosures of PHI for treatment, payment, and health care operations (TPO) without an individual's valid authorization. The "health care operations" definition does not currently mention individual-level care. As such, many providers interpret this to mean that patient authorization is required to disclose individual patient data for individual-level care coordination and case management activities.

 

Proposed New Requirement

This proposed change to the definition of "health care operations" does not change the requirements, but clarifies that you are allowed to disclose individual patient PHI for individual-level care coordination and case management activities without the individual's valid authorization.

 

How to Prepare

This proposal is highly likely to be finalized. HHS stated that this was the intended current state for the HIPAA Privacy Rule’s allowed TPO disclosures. As such, if you currently subscribe to the interpretation that individual patient level care coordination and case management activities require patient authorization, this clarification shows that you do not need a patient authorization for these specific activities. 

 

Care Coordination

HHS proposes clarifications permitting the ability of covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and similar third parties that provide health-related services.

 

Current Requirement

Currently, you are permitted, but not required, to obtain an individual's consent to use or disclose their PHI for TPO purposes, including to public or private-sector entities that provide health-related social and community-based services as part of your treatment activities. This is subject to the minimum necessary standard if the disclosure is made to a third party entity that is not a health care provider.

For example, you are allowed to make a disclosure for the treatment purposes of an elderly or disabled patient by disclosing PHI to a home and community-based services (HCBS) provider if it is for the coordination or management of your treatment or necessary health-related services for the patient. This could be for things such as arranging for a home aide to help the elderly or disabled patient with their prescribed at-home or post-discharge treatment protocol. 

Although guidance from HHS established that this was allowable, many doctors believe that they have to obtain valid authorization from the patient first. 

 

Proposed New Requirement

HHS proposes to expressly permit you to disclose PHI to social services agencies, community-based organizations, HCBS providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management. This can be either as a treatment activity or as a health care operations activity.

This proposal allows the disclosure of PHI to an entity that provides health-related services to individuals, but these entities do not have to be health care providers; the third parties do not have to be covered by HIPAA. Instead, the third party may be providing health-related social services or supportive services -- e.g., food or sheltered housing needed to address health risks. 

 

Important notes:

  • Any disclosures to business associates still require that business associate agreements (BAAs) be in place.

  • This is limited to individual-level disclosures.

 

How to Prepare

This proposal is simply a clarification of current policy. It remains up to you to determine how to release information for treatment purposes. We recommend that you continue to offer your patients the opportunity to request that you not disclose information in this way, but you are not required to get written authorization for these releases.

 

Mental Health and Substance Use Disorder

This Proposed Rule contains several provisions that would weaken privacy requirements around the care of patients with substance use disorder (SUD) and serious mental illness (SMI) and encourage disclosure to family by any member of a care team (including a scheduler). It also proposes to permit covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable” (replacing the current “serious and imminent” harm threshold for such disclosures).

 

Current Requirements

  • Disclosures to Personal Representatives

    • A personal representative is treated, under HIPAA, in the same way as the individual.

    • In many circumstances, the parent or guardian of an unemancipated minor child is treated as the minor's personal representative under applicable law. In instances in which state or other applicable law does not treat a parent as an unemancipated minor's personal representative, HIPAA permits, but does not require, covered entities to provide access to a parent or guardian. The decision to disclose is based on the professional judgement of a licensed health care professional.

  • Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object

    • You are required to provide an opportunity for an individual who is present or otherwise available to agree or object to the disclosure of PHI to a person involved in the individual's care or payment for care.

    • You are also required to provide an opportunity for an individual to agree or object to their inclusion in the facility directory.

  • Identity Verification

    • Covered entities are required to verify the identity of a person involved in an individual's care before disclosing PHI to the person.

  • Relevant Guidance Encouraging Disclosures of PHI to Help Individuals Experiencing Opioid Use Disorder or Mental Illness

    • A provider may use professional judgment to talk to the parents of someone incapacitated by an opioid overdose about the overdose and related medical information, but generally could not share medical information unrelated to the overdose without permission.

    • The same condition applies to SMI when the patient is incapacitated or in an emergency situation.

  • Uses and Disclosures to Avert a Serious Threat to Safety

    • Requires you to have a good faith belief that the use or disclosure "is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public," if the recipient is "reasonably able to prevent or lessen the threat."

 

Proposed New Requirements

HHS proposes to replace the "exercise of professional judgement" with "good faith belief". In practice, this means that the covered entity that decides to disclose the PHI does not have to be a health care professional as long as they are acting within the scope of their authority (e.g., a scheduler disclosing schedule-related information). The proposed standard is meant to encourage covered entities to use and disclose PHI more broadly in circumstances involving SUD and SMI without written authorization. This has several important implications as outlined below.

  • Parent or guardian who is not the individual's personal representative

    • A covered entity would be allowed to, but not required to, disclose the PHI of an unemancipated minor to a parent or guardian who is not the personal representative of the individual under HIPAA, if consistent with state or other applicable law and a licensed health care professional has a good faith belief that disclosing PHI is in the best interests of the individual.

  • Facility Directories

    • A covered entity would be allowed to include in its facility directory the name, facility location, and general condition of an individual who is incapacitated or in an emergency treatment circumstance if doing so is based on a good faith belief that the disclosure is in the best interests of the individual and is consistent with any prior expressed preference of the individual that is known to the covered entity.

  • Emergency Contacts

    • Covered entities would be allowed to disclose relevant information to a person involved in the individual's care or payment for care when the covered entity reasonably infers, based on a good faith belief, that the individual does not object.

  • Emergencies and Incapacity

    • Covered entities would be allowed to disclose relevant information to family members and other caregivers who are involved with the individual's care or payment for care, or who require notification related to the individual when the individual cannot agree to the disclosure due to absence, incapacity, or emergency circumstances. The covered entity must have a good faith belief the disclosure is in the best interests of the patient.

  • Verifying Requestor's Identity

    • A covered entity would be considered to have satisfied its obligations to verify a requestor's identity if the covered entity acts on a good faith belief in making a disclosure of relevant PHI. In short, you would not be required to collect documentation of the relationship with the patient.

 

HHS is also proposing to change the "serious and imminent" harm threshold to "serious and reasonably foreseeable" for uses and disclosures to avert a serious threat to health or safety. HHS would:

  • Allow providers to use or disclose PHI without having to determine whether the threatened harm is imminent.

  • Define "reasonably foreseeable" to mean "that an ordinary person could conclude that a threat to health or safety exists and that harm to health or safety is reasonably likely to occur if a use or disclosure is not made, based on facts and circumstances known at the time of the disclosure."

 

How to Prepare

There is significant opposition from the medical community and patient rights advocates to the proposals that would weaken privacy protections for individuals with SUD or SMI. Therefore, we do not recommend preparing for those proposals at this time.

The proposal regarding disclosures to avert a serious threat to health or safety has fairly widespread support and is likely to be finalized. As the loosening of restrictions on these disclosures would not be permitted under law until the proposal is finalized and effective, there is no need to prepare at this time. If the proposal is finalized, we will provide additional guidance.

 

Telecommunications Relay Services

HHS proposes to expressly allow you to disclose PHI to TRS communications assistants relating to any covered functions performed by, for, or on behalf of you and clarify for covered entities that a business associate agreement is not needed with a TRS communications assistant. 

 

Current Requirement
HHS currently permits the disclosure of PHI to TRS providers in the case that the patient is clearly aware that a TRS assistant is involved in transliterating text or interpreting ASL to voice and vice versa. In these cases, the patient has the opportunity to agree or object to disclosures of PHI to a TRS communications assistant at the beginning of a call.

Since this policy was created, advances in technology have made it possible for people to communicate with the help of a TRS communications assistant in a seamless manner, such that they may not know that they are using a TRS communications assistant. In addition, TRS is also used to assist communications between workforce members of covered entities and business associates. Therefore, the current policy needs to be updated; otherwise, a written authorization from the patient would be needed.

 

Proposed New Requirement

HHS proposes to expressly permit you (and business associates acting on your behalf) to disclose PHI to TRS communications assistants to conduct TPO activities. This change in policy accounts for the advances in technology mentioned in the current requirements section above.

Important Note: TRS providers are federally regulated and mandated to protect the confidentiality of their information.

 

How to Prepare

This proposal creates administrative simplifications. As such, you do not need to prepare for this proposal. If the proposal is finalized, we will provide you with additional guidance.

 


Notice of Privacy Practices

HHS proposes to eliminate the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP). HHS also proposes to modify NPP content requirements to clarify individual rights with respect to their PHI and how to exercise said rights.

 

Current Requirement
You must currently obtain a written acknowledgement of receipt of the NPP. You must retain copies of this documentation for six years. 

 

Proposed New Requirement

This proposal eliminates both of the above current requirements and replaces the written acknowledgement requirement with an individual right to discuss the NPP with you or a person you designate.

Also proposed in this section are several modifications to NPP content. Most of these modifications revolve around informing individuals about how to access and control their information.

 

How to Prepare

Keep abiding by the current NPP requirements as they are mandatory until and unless these proposals are finalized. If this proposal is finalized, we will provide more detailed guidance on how to comply with the new rules around NPPs.

More Information on the Related ONC Information Blocking Requirements (Compliance Date April 5, 2021)

 

Recently, we wrote a blog on the upcoming Information Blocking requirements: Get Ready! Information Blocking Deadline April 5.

On April 5, we posted a webinar on the upcoming information blocking requirements. If you want hands-on, personalized assistance, contact us and we will have your back. 

 

Written by Jessica Peterson

Jessica Peterson, MD, MPH is the Vice President of Health Policy at the consulting firm MarsdenAdvisors.
