Changes Are Coming to the HIPAA Privacy Rule: Are You Prepared?

By Laura M. Cascella, MA, CPHRM

2022 Alliance sponsor article provided courtesy of MedPro Group

With a turn of the calendar year, 2022 will likely usher in the most significant changes to the HIPAA Privacy Rule in almost a decade. These changes will come on the heels of several years of information-gathering, proposals, and public comments, which kicked off December 2018 when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a request for information on HIPAA rules. HHS subsequently released and published the Notice of Proposed Rulemaking (NPRM) in December 2020 and January 2021, respectively. A public comment period on the NPRM followed, which concluded May 6, 2021.1

The proposed changes to the HIPAA Privacy Rule are targeted at helping fulfill HHS’ Regulatory Sprint to Coordinated Care by breaking down barriers to care coordination, information-sharing, and interoperability (in alignment with the 21st Century Cures Act and the HITECH Act); supporting value-based care; enhancing patient engagement and right of access; and reducing unnecessary administrative and regulatory burdens.2

Some of the significant provisions of the Proposed Rule include introducing and modifying key definitions, strengthening patients’ rights to access their information, supporting information sharing and care coordination, allowing broader disclosures, and modifying policies and information associated with the Notice of Privacy Practices (NPP).

Key Definitions

As part of the Proposed Rule, HHS seeks to add definitions for two key terms — electronic health record (EHR) and personal health application (PHA). Neither of these terms is currently defined in the HIPAA Privacy Rule, although the HITECH Act does include a definition of EHR.

The Proposed Rule seeks to expand on and clarify the HITECH definition, defining EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”3

Likewise, the Proposed Rule aims to build on HITECH’s definition of personal health record by defining PHA as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual . . .”4

The addition of both of these definitions — EHR and PHA — to the Privacy Rule is intended to address the gap in current regulatory definitions as well as to clarify and support individuals’ right of access related to electronic protected health information (ePHI).5

The Proposed Rule also addresses confusion regarding the term “healthcare operations.” The current Privacy Rule permits uses and disclosures of PHI for treatment, payment, and healthcare operations without patient authorization. The definitions of treatment and healthcare operations overlap to some extent in terms of the type of activity and who is performing it — for example, case management activities performed by a healthcare provider (treatment) vs. a health plan (healthcare operations). However, the definition of healthcare operations specifically mentions population-based activities but not individual-level care. Thus, HHS proposes to clarify that healthcare operations includes both individual-level and population-based care coordination and case management activities.6

Right of Access

A predominant focus in healthcare legislation and reform is giving patients more access to and control over their health information. The proposed changes to the HIPAA Privacy Rule reflect this goal and aim to enhance patients’ right of access through various provisions, including:

  • Strengthening patients’ right to inspect their PHI in person. The Proposed Rule would allow patients to take notes and use personal resources (e.g., smartphones) to capture images of their PHI, as long as it does not pose unacceptable security risks. However, providers are not required to let patients connect personal devices to their information systems.
  • Condensing the current timeline to respond to requests for PHI. Providers currently have 30 days to respond to patients’ requests for PHI, with an optional 30-day extension. The Proposed Rule seeks to shorten the timeframe to 15 days with an optional 15-day extension.
  • Clarifying patients’ right to receive their PHI in the form and format requested, if it is readily producible. Under the Proposed Rule, “readily producible” copies of PHI would include ePHI requested through secure, standards-based application programming interfaces (APIs), using applications chosen by individuals. Providers also would be required to provide copies of PHI in any form and format required by applicable state and other laws.
  • Easing identity verification requirements. Although verifying individuals’ identities is a crucial step when responding to requests for PHI, unreasonable or onerous identity verification requirements can create barriers to patients’ right of access. The Proposed Rule would prohibit covered entities from imposing unreasonable verification measures, such as requiring a notarized signature or showing proof of identification in person (when another credible, more convenient method is available).
  • Providing more information about fees associated with obtaining PHI. The Proposed Rule specifies when PHI must be provided free of charge (e.g., during in-person viewing) and amends fees related to responding to requests to send PHI to third parties. Providers also would be required to (a) post estimated fee schedules on their websites, (b) offer individualized fee estimates, and (c) provide itemized bills for completed requests.7

Information Sharing and Care Coordination

Certain aspects of the current HIPAA Privacy Rule can be construed as restrictive or limiting the ability of providers to share information in the pursuit of comprehensive, coordinated care for patients. The Proposed Rule seeks to address this issue and break down some of the barriers to information sharing.

As noted earlier, the more detailed definition of healthcare operations facilitates the sharing of individual patient data to support individual-level care coordination and case management. The Proposed Rule also establishes a pathway for patients to direct sharing of ePHI among providers and health plans by allowing patients to request that a provider or health plan submit an access request for PHI in an EHR to another healthcare provider.8 The provider or health plan (the “requester-recipient”) would facilitate requesting the information from the other provider (the “discloser”) and receive an electronic copy of the PHI.

The proposed changes also modify the rules related to the “minimum necessary” standard. Under the current Privacy Rule, covered entities must use, disclose, or request only the minimum PHI that is required to accomplish the task at hand. The Proposed Rule makes an exception to the minimum necessary standard for uses by, disclosures to, or requests from a covered entity for care coordination and case management.

The Proposed Rule also permits covered entities to disclose PHI to third-party organizations that provide health-related services for the purposes of individual-level care coordination and case management (for treatment or healthcare operations). Examples of such third parties include social service agencies, community-based organizations, home-based and community-based service providers, and other similar organizations. HHS notes that, in some cases, these organizations might not be subject to HIPAA.

Expanded Disclosures

In addition to supporting measures that facilitate sharing information and coordinating care, the Proposed Rule also aims to increase flexibility around the disclosure of PHI to an individual’s family members or other caregivers who are trying to assist the individual with a serious condition or emergency situation. Examples of such conditions and situations include substance use disorders, serious mental illnesses, incapacitation, and health-related emergencies.

To do this, HHS proposes replacing the “exercise of professional judgment” standard with a “good faith belief” standard, which would permit certain uses and disclosures of PHI if they are in the best interests of individuals. HHS also notes that the exercise of professional judgment standard implies disclosure by a licensed healthcare provider, while the good faith belief standard “may be exercised by other workforce members who are trained on the covered entity’s HIPAA policies and procedures and who are acting within the scope of their authority.”9

Five areas of the Privacy Rule would be amended based on this proposal. Those areas relate to disclosing information (1) to parents, guardians, or others acting in loco parentis; (2) for facility directories; (3) when the individual is present; (4) when the individual is not present due to incapacitation or an emergency; and (5) in relation to verification requirements.10

HHS also proposes to increase flexibility in relation to disclosing PHI to family, friends, and caregivers for the purposes of avoiding harm. The current Privacy Rule allows a covered entity to disclose PHI when a threat to health and safety is “serious and imminent.” HHS acknowledges that determining with certainty whether a threat is imminent may be impossible; thus, the Proposed Rule would permit disclosure of PHI when the threat to health and safety is “serious and reasonably foreseeable.” The proposed change would include a definition of “reasonably foreseeable” to help guide decision-making about disclosure.

Notice of Privacy Practices

To help eliminate an administrative burden of the current HIPAA Privacy Rule, the Proposed Rule eliminates the requirement for direct healthcare providers to obtain — or to document their good faith efforts to obtain — patients’ written acknowledgment of receipt of the providers’ NPP. However, to ensure that patients are able to understand and act on information in the NPP, they would have the right to discuss the NPP with a person whom the healthcare provider designates.

Further, HHS proposes modifying the header of the NPP to specify that the notice provides individuals with information about how to access their information, how to file a HIPAA complaint, and their right to receive a copy of the notice. The NPP header also would need to include a phone number and email address for the designated contact person.11

Next Steps

Although the changes detailed in this article are still proposed and not final, healthcare providers (and other covered entities) should be aware of them and their potential implications. These changes will require providers to update their policies, procedures, NPP, authorization and disclosure materials, and contracts.12 Further, the significance and breadth of these modifications will necessitate retraining staff on the HIPAA Privacy Rule.

The proposed changes will become effective 60 days after the Final Rule is published, and providers will have 180 days following the effective date to comply. With less than a year to implement these modifications, taking a proactive approach before the Proposed Rule is finalized can help providers prepare for the changes and identify any issues with current or future processes that could hinder implementation or compliance.

The following strategies may prove helpful:

  • Make sure your current policies and procedures for the HIPAA Privacy, Security, and Breach Notification Rules are complete and up to date. Doing so will make implementing the proposed changes more straightforward and help avoid confusion.
  • Review your current processes related to patients’ requests to inspect and obtain copies of their PHI to determine how well they work and what will need to change based on the Proposed Rule.
  • Be aware of any state laws related to the release or disclosure of PHI. HHS notes that the Privacy Rule does not preempt other law that is more protective of individuals’ privacy.
  • Make sure your identity verification process to access PHI does not impose unreasonable measures on patients, such as requiring a notarized authorization or other burdensome requirements.
  • Consider how the shortened timeframe to respond to patients’ requests for PHI (from 30 days to 15 days) will affect workflow processes. Review your current process and your ability to comply with the existing 30-day timeframe to identify potential obstacles to future compliance.
  • Review your current forms, materials, and contracts affected by the Privacy Rule to consider what changes will need to be made and the best way to approach those changes. Consider also what updates you will need to make to your website information.
  • Begin to educate staff members about the changes in the Proposed Rule, and include them in planning efforts and discussions about new processes and workflows.13

More Information

For more complete information and details about all of the proposed changes to the HIPAA Privacy Rule, see the Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement published in the Federal Register on January 21, 2021.

Endnotes

1 Linna, A., & Ishee, J. (2021, October 14). Preparing for major HIPAA changes in 2022 [Webinar]. McGuireWoods. Retrieved from http://www.mcguirewoods.com/events/firm-events/2021/10/preparing-for-major-hipaa-changes-in-2022; Sheppard Mullin Richter & Hampton LLP. (2021, May 24). HIPAA Privacy Rule modification – removing barriers and promoting coordinated care at what cost? SheppardMullin Healthcare Law Blog. Retrieved from http://www.jdsupra.com/legalnews/hipaa-privacy-rule-modification-7104453/
2 Ibid; Hales, M. (2021, June 1). HIPAA changes ahead. The HIPAA E-Tool. Retrieved from https://thehipaaetool.com/hipaa-changes-ahead/; Allen, A. L. (2021, August 16). HIPAA at 25 remains a work in progress. The Regulatory Review. Retrieved from http://www.theregreview.org/2021/08/16/allen-hipaa-at-25-remains-a-work-in-progress/
3 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (Jan. 21, 2021) (to be codified at 45 CFR pts. 160 & 164).
4 Ibid.
5 Ibid; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
6 Linna, et al., Preparing for major HIPAA changes in 2022; Hales, HIPAA changes ahead; Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
7 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Hales, HIPAA changes ahead; Compliancy Group. (n.d.). Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS. Retrieved from https://compliancy-group.com/proposed-changes-to-hipaa-privacy-rule/
8 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Compliancy Group, Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS.
9 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
10 Ibid; Linna, et al., Preparing for major HIPAA changes in 2022.
11 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
12 Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
13 Hales, HIPAA changes ahead; Linna, et al., Preparing for major HIPAA changes in 2022.

Avoiding Allegations of Negligent Referral in Medicine

2021 Alliance sponsor feature article courtesy of MedPro Group

Healthcare providers can be accused of “negligent referral” if they refer patients to specialists who mishandle the patients’ cases and cause injuries. This article examines negligent referral and offers strategies for how practitioners should handle referrals. Following is a case example in which a family physician was accused of negligent referral.

Case Example: Referral for Cataract Surgery

Dr. C was a family physician who had a long-term, older male patient who began to complain about diminishing vision. Dr. C did an examination and suspected the patient had cataracts. She recommended that the patient see Dr. H, a local ophthalmologist whom Dr. C had known and referred patients to for many years. The patient saw Dr. H and was diagnosed with cataracts. During cataract surgery, the patient suffered a retina injury (a recognized risk of cataract surgery), which resulted in permanent loss of vision in the affected eye. The patient sued Dr. H for malpractice and Dr. C for negligent referral to Dr. H.

In this case, it appears that Dr. C made an appropriate referral for an appropriate reason. Yet she was sued for negligent referral, even though no negligence occurred in the referral. The fact that a provider refers a patient to a certain specialist, and the patient subsequently suffers a suboptimal outcome as a result of treatment from that specialist, does not by itself provide a basis for an allegation of negligent referral. This is true when the patient suffers a recognized complication of a procedure, or even when the specialist makes a mistake that results in a patient injury.

Negligent referral occurs when the provider does not use appropriate care in determining that a referral is necessary or in referring the patient to a qualified specialist — e.g., if the referring provider knew or should have known that the specialist was not competent to render the needed care. Lack of competency might be the result of various factors. For example, the necessary care might be outside the specialist’s scope of practice, or an impairment might jeopardize the specialist’s ability to provide safe care (e.g., an illness, injury, substance abuse, or advanced age).

Every specialist has cases that result in suboptimal outcomes and occasional cases in which errors are made. That does not — in and of itself — make the specialist an inappropriate referral resource. Again, the allegation of negligent referral only applies when the referring provider has reasonable grounds to believe that a patient will have a suboptimal outcome as a result of the specialist’s treatment.

In the previous case example, the patient might have had grounds for a negligent referral allegation if Dr. C had knowingly referred him to an ophthalmologist who was unable to provide safe patient care as a result of a physical impairment.

Strategies to Avoid Allegations of Negligent Referral

One effective way to avoid allegations of negligent referral is to give patients choices related to their care. Although occasionally a situation might occur in which there is only “one person for the job,” generally more than one specialist is available, even if some travel is involved. If the primary care provider is aware of several competent specialists in the area, then he/she should provide the patient with a list of these specialists.

The primary care provider also might suggest that the patient contact his/her insurance carrier to obtain specialist recommendations (and to verify coverage). The primary care provider also might consider referring the patient to a local medical society to see whether the group recommends any particular specialists. Finally, especially if the case is unusually complicated, it might be appropriate for the primary care provider to refer the patient to a medical school.

If the patient wants to see a specialist with whom the primary care provider is not familiar, the provider should indicate to the patient that he/she simply has no knowledge of the specialist and cannot offer any opinion as to whether this particular specialist would be a good choice.

A more difficult situation occurs if the patient wants to see a specialist who does not inspire the primary care provider’s confidence. One option is for the provider to indicate that he/she has not worked with this specialist to any extent and would feel more comfortable if the patient sees a doctor on the recommended list of specialists from the primary care provider.

Sometimes the patient can be generally resistant to a referral, preferring instead to have the primary care provider treat the condition. Once the provider decides on a referral, he/she should stick with that decision despite any appeals from the patient. The likelihood of a suboptimal outcome increases when providers stretch the boundaries of their expertise or competency.

In Summary

Specialty referral is an integral part of a healthcare practice. From a risk perspective, primary care providers should limit their scopes of practice to procedures for which they are well trained and experienced, and refer difficult cases to qualified specialists. Involving patients in decision-making and offering options for appropriate specialists can support the ultimate goal of high-quality and patient-centered care.
This document should not be construed as medical or legal advice. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.

MedPro Group is the marketing name used to refer to the insurance operations of The Medical Protective Company, Princeton Insurance Company, PLICO, Inc. and MedPro RRG Risk Retention Group. All insurance products are underwritten and administered by these and other Berkshire Hathaway affiliates, including National Fire & Marine Insurance Company. Product availability is based upon business and/or regulatory approval and/or may differ among companies.

© 2020 MedPro Group Inc. All rights reserved.

Preparing Your Healthcare Practice for Environmental Emergencies

By Laura M. Cascella, MA, MedPro Group

2019 NCMGMA Alliance sponsor article provided courtesy of MedPro Group

Laura M. Cascella, MA, of MedPro Group has penned the article “Preparing Your Healthcare Practice for Environmental Emergencies.” In the article, Ms. Cascella explains that “History has shown society’s vulnerability to a myriad of disasters – but it also has shown how preparedness efforts can have a significant impact on disaster outcomes. Despite an element of unpredictability that is inherent in many natural and man-made environmental emergencies, planning and preparation are powerful and effective tools for managing these situations.”

To read the complete article on MedPro Group’s website, please follow this link.