COVID-19 PHE Renewed

Originally published in the January 12, 2023, issue of MGMA’s Washington Connection
Reprinted with permission from MGMA

U.S. Department of Health and Human Services (HHS) Secretary Xavier Becerra renewed the COVID-19 public health emergency (PHE) yesterday. This renewal extends the PHE through mid-April 2023 and has implications for Medicare telehealth, COVID-19 testing, and other waivers. HHS has reiterated its promise to give a 60 days’ notice before letting the PHE expire.

While many telehealth flexibilities are tied to the PHE, it is important to note that the recently passed Consolidated Appropriations Act, 2023, does ensure certain ones will remain in effect through Dec. 31, 2024, regardless of PHE status.

More information may be found in MGMA Government Affairs’ newly updated telehealth resource.

Changes Are Coming to the HIPAA Privacy Rule: Are You Prepared?

By Laura M. Cascella, MA, CPHRM

2022 Alliance sponsor article provided courtesy of MedPro Group

With a turn of the calendar year, 2022 will likely usher in the most significant changes to the HIPAA Privacy Rule in almost a decade. These changes will come on the heels of several years of information-gathering, proposals, and public comments, which kicked off December 2018 when the U.S. Department of Health and Human Services (HHS) Office for Civil Rights issued a request for information on HIPAA rules. HHS subsequently released and published the Notice of Proposed Rulemaking (NPRM) in December 2020 and January 2021, respectively. A public comment period on the NPRM followed, which concluded May 6, 2021.¹

The proposed changes to the HIPAA Privacy Rule are targeted at helping fulfill HHS’ Regulatory Sprint to Coordinated Care by breaking down barriers to care coordination, information-sharing, and interoperability (in alignment with the 21st Cures Act and the HITECH Act); supporting value-based care; enhancing patient engagement and right of access; and reducing unnecessary administrative and regulatory burdens.²

Some of the significant provisions of the Proposed Rule include introducing and modifying key definitions, strengthening patients’ rights to access their information, supporting information sharing and care coordination, allowing broader disclosures, and modifying policies and information associated with the Notice of Privacy Practices (NPP).

Key Definitions

As part of the Proposed Rule, HHS seeks to add definitions for two key terms — electronic health record (EHR) and personal health application (PHA). Neither of these terms currently is defined in the HIPAA Privacy Rule, although the HITECH Act does include a definition of EHR.

The Proposed Rule seeks to expand on and clarify the HITECH definition, defining EHR as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”³

Likewise, the Proposed Rule aims to build on HITECH’s definition of personal health record by defining PHA as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual . . .”⁴

The addition of both of these definitions — EHR and PHA — to the Privacy Rule are intended to address the gap in current regulatory definitions as well as clarify and support individuals’ right of access related to electronic protected health information (ePHI).⁵

The Proposed Rule also addresses confusion regarding the term “healthcare operations.” The current Privacy Rule permits uses and disclosures of PHI for treatment, payment, and healthcare operations without patient authorization. The definitions of treatment and healthcare operations overlap to some extent in terms of the type of activity and who is performing it — for example, case management activities performed by a healthcare provider (treatment) vs. a health plan (healthcare operations). However, the definition of healthcare operations specifically mentions population-based activities but not individual-level care. Thus, HHS proposes to clarify that healthcare operations includes both individual-level and population-based care coordination and case management activities.⁶

Right of Access

A predominant focus in healthcare legislation and reform is giving patients more access to and control over their health information. The proposed changes to the HIPAA Privacy Rule reflect this goal and aim to enhance patients’ right of access through various provisions, including:

• Strengthening patients’ right to inspect their PHI in person. The Proposed Rule would allow patients to take notes and use personal resources (e.g., smartphones) to capture images of their PHI, as long as it does not pose unacceptable security risks. However, providers are not required to let patients connect personal devices to their information systems.
• Condensing the current timeline to respond to requests for PHI. Providers currently have 30 days to response to patients’ requests for PHI, with an optional 30-day extension. The Proposed Rule seeks to shorten the timeframe to 15 days with an optional 15-day extension.
• Clarifying patients’ right to receive their PHI in the form and format requested, if it is readily producible. Under the Proposed Rule, “readily producible” copies of PHI would include ePHI requested through secure, standards-based application programming interfaces (APIs), using applications chosen by individuals. Providers also would be required to provide copies of PHI in any form and format required by applicable state and other laws.
• Easing identity verification requirements. Although verifying individuals’ identities is a crucial step when responding to requests for PHI, unreasonable or onerous identity verification requirements can create barriers to patients’ right of access. The Proposed Rule would prohibit covered entities from imposing unreasonable verification measures, such as requiring a notarized signature or showing proof of identification in person (when another credible, more convenient method is available).
• Providing more information about fees associated with obtaining PHI. The Proposed Rule specifies when PHI must be provided free of charge (e.g., during in-person viewing) and amends fees related to responding to requests to send PHI to third-parties. Providers also would be required to (a) post estimated fee schedules on their websites, (b) offer individualized fee estimates, and (c) provide itemized bills for completed requests.⁷

Information Sharing and Care Coordination

Certain aspects of the current HIPAA Privacy Rule can be construed as restrictive or limiting the ability of providers to share information in the pursuit of comprehensive, coordinated care for patients. The Proposed Rule seeks to address this issue and break down some of the barriers to information sharing.

As noted earlier, the more detailed definition of healthcare operations facilitates the sharing of individual patient data to support individual-level care coordination and case management. The Proposed Rule also establishes a pathway for patients to direct sharing of ePHI among providers and health plans by allowing patients to request that a provider or health plan submit an access request for PHI in an EHR to another healthcare provider.⁸ The provider or health plan (the “requester-recipient”) would facilitate requesting the information from the other provider (the “discloser”) and receive an electronic copy of the PHI.

The proposed changes also modify the rules related to “minimum necessary standard.” Under the current Privacy Rule, covered entities must use, disclose, or request only the minimum PHI that is required to accomplish the task at hand. The Proposed Rule makes an exception to the minimum necessary standard for use by, disclosure to, or requests from a covered entity for care coordination and case management.

The Proposed Rule also permits covered entities to disclose PHI to third-party organizations that provide health-related services for the purposes of individual-level care coordination and case management (for treatment or healthcare operations). Examples of such third parties include social service agencies, community-based organizations, home-based and community-based service providers, and other similar organizations. HHS notes that, in some cases, these organizations might not be subject to HIPAA.

Expanded Disclosures

In addition to supporting measures that facilitate sharing information and coordinating care, the Proposed Rule also aims to increase flexibility around the disclosure of PHI to an individual’s family members or other caregivers who are trying to assist the individual with a serious condition or emergency situation. Examples of such conditions and situations include substance use disorders, serious mental illnesses, incapacitation, and health-related emergencies.

To do this, HHS proposes replacing the “exercise of professional judgment” standard with a “good faith belief” standard, which would permit certain uses and disclosures of PHI if they are in the best interests of individuals. HHS also notes that the exercise of professional judgment standard implies disclosure by a licensed healthcare provider, while the good faith belief standard “may be exercised by other workforce members who are trained on the covered entity’s HIPAA policies and procedures and who are acting within the scope of their authority.”⁹

Five areas of the Privacy Rule would be amended based on this proposal. Those areas relate to disclosing information (1) to parents, guardians, or others acting in loco parentis; (2) for facility directories; (3) when the individual is present; (4) when the individual is not present due to incapacitation or an emergency; and (5) in relation to verification requirements.¹⁰

HHS also proposes to increase flexibility in relation to disclosing PHI to family, friends, and caregivers for the purposes of avoiding harm. The current Privacy Rule allows a covered entity to disclose PHI when a threat to health and safety is “serious and imminent.” HHS acknowledges that determining with certainty whether a threat is imminent may be impossible; thus, the Proposed Rule would permit disclosure of PHI when the threat to health and safety is “serious and reasonably foreseeable.” The proposed change would include a definition of “reasonably foreseeable” to help guide decision-making about disclosure.

Notice of Privacy Practices

To help eliminate an administrative burden of the current HIPAA Privacy Rule, the Proposed Rule eliminates the requirement for direct healthcare providers to obtain — or to document their good faith efforts to obtain — patients’ written acknowledgment of receipt of the providers’ NPP. However, to ensure that patients are able to understand and act on information in the NPP, they would have the right to discuss the NPP with a person whom the healthcare provider designates.

Further, HHS proposes modifying the header of the NPP to specify that the notice provides individuals with information about how to access their information, how to file a HIPAA complaint, and their right to receive a copy of the notice. The NPP header also would need to include a phone number and email address for the designated contact person.¹¹

Next Steps

Although the changes detailed in this article are still proposed and not final, healthcare providers (and other covered entities) should be aware of them and their potential implications. These changes will require providers to update their policies, procedures, NPP, authorization and disclosure materials, and contracts.¹² Further, the significance and breadth of these modifications will necessitate retraining staff on the HIPAA Privacy Rule.

The proposed changes will become effective 60 days after the Final Rule is published, and providers will have 180 days following the effective date to comply. With less than a year to implement these modifications, taking a proactive approach before the Proposed Rule is finalized can help providers prepare for the changes and identify any issues with current or future processes that could hinder implementation or compliance.

The following strategies may prove helpful:

• Make sure your current policies and procedures for the HIPAA Privacy, Security, and Breach Notification Rules are complete and up to date. Doing so will make implementing the proposed changes more straightforward and help avoid confusion.
• Review your current processes related to patients’ requests to inspect and obtain copies of their PHI to determine how well they work and what will need to change based on the Proposed Rule.
• Be aware of any state laws related to the release or disclosure of PHI. HHS notes that the Privacy Rule does not preempt other law that is more protective of individuals’ privacy.
• Make sure your identity verification process to access PHI does not impose unreasonable measures on patients, such as requiring a notarized authorization or other burdensome requirements.
• Consider how the shortened timeframe to respond to patients’ requests for PHI (from 30 days to 15 days) will affect workflow processes. Review your current process and ability to comply with 30-day timeframe to identify potential obstacles for future compliance.
• Review your current forms, materials, and contracts affected by the Privacy Rule to consider what changes will need to be made and the best way to approach those changes. Consider also what updates you will need to make to your website information.
• Begin to educate staff members about the changes in the Proposed Rule, and include them in planning efforts and discussions about new processes and workflows.¹³

More Information

For more complete information and details about all of the proposed changes to the HIPAA Privacy Rule, see the Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement published in the Federal Register on January 21, 2021.

Endnotes

1 Linna, A., & Ishee, J. (2021, October 14). Preparing for major HIPAA changes in 2022 [Webinar]. McGuireWoods. Retrieved from http://www.mcguirewoods.com/events/firm-events/2021/10/preparing-for-major-hipaa-changes-in-2022; Sheppard Mullin Richter & Hampton LLP. (2021, May 24). HIPAA Privacy Rule modification – removing barriers and promoting coordinated care at what cost? SheppardMullin Healthcare Law Blog. Retrieved from
http://www.jdsupra.com/legalnews/hipaa-privacy-rule-modification-7104453/
2 Ibid; Hales, M. (2021, June 1). HIPAA changes ahead. The HIPAA E-Tool. Retrieved from
https://thehipaaetool.com/hipaa-changes-ahead/; Allen, A. L. (2021, August 16). HIPAA at 25 remains a work in progress. The Regulatory Review. Retrieved from http://www.theregreview.org/2021/08/16/allen-hipaa-at-25-remains-a-work-in-progress/
3 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (Jan. 21, 2021) (to be codified at 45 CFR pts. 160 & 164).
4 Ibid.
5 Ibid; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
6 Linna, et al., Preparing for major HIPAA changes in 2022. Hales, HIPAA changes ahead; Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
7 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Hales, HIPAA changes ahead; Compliancy Group. (n.d.). Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS. Retrieved from
https://compliancy-group.com/proposed-changes-to-hipaa-privacy-rule/
8 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Linna, et al., Preparing for major HIPAA changes in 2022; Compliancy Group, Proposed changes to HIPAA Privacy Rule for 2021 announced by HHS.
9 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446.
10 Ibid; Linna, et al., Preparing for major HIPAA changes in 2022.
11 Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446; Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
12 Sheppard Mullin Richter & Hampton LLP, HIPAA Privacy Rule modification; Linna, et al., Preparing for major HIPAA changes in 2022.
13 Hales, HIPAA changes ahead; Linna, et al., Preparing for major HIPAA changes in 2022.

The HIPAA Privacy Rule’s Right of Access

2020 Alliance sponsor feature article courtesy of Total Medical Compliance

One of the key goals of The Health Insurance Portability & Accountability Act of 1996 (HIPAA) is to ensure patients have the ability to access their protected health information (PHI) in a timely manner and in the format most convenient for them. Some providers have implemented electronic health record systems that offer patients the ability to view and download their health records at any time. However, patients do not always take advantage of that option. Some rather have a hardcopy of their records, or certain records might not be stored electronically. In these cases, a patient will submit a request for a copy of their health records.

HIPAA requires a provider to respond to a request from a patient for their health records (with some exceptions, like psychotherapy notes) as quickly as possible. The provider has up to 30 days to respond to the request, but The U.S. Department of Health & Human Services (HHS) strongly encourages providers to respond sooner, especially if the information is already in electronic format. An extension of 30 additional days is permitted, but the patient must be provided notice of the extension in writing along with the reason for the extension within the first 30 days. Some state laws require requests to be addressed in a shorter period of time.

A provider cannot refuse a patient’s request to send health records to them via unencrypted email if the patient has been informed of and has accepted the risk associated with the unencrypted transmission of their health record. The provider’s access request form should include an area where the patient can acknowledge that they accept the risk of having their records sent via unencrypted email.

Last year, HHS launched an initiative to “vigorously enforce the rights of patients to get access to their medical records promptly, without being overcharged, and in the readily producible format of their choice.” Since then, the HHS Office for Civil Rights (OCR) has settled 2 cases regarding a patient’s right to access health records. The most recent one was in December 2019. A penalty of $85,000 and a 1-year corrective action plan were imposed by the OCR. The first enforcement action was in September 2019 under the same terms. The decision emphasized, “This right to patient records extends to parents who seek medical information about their minor children.” It is hard to say whether that will be the OCR’s standard enforcement arrangement, but history shows that generally, penalties have been decided on a case by case basis.

A reasonable, cost-based fee can be assessed, but HHS encourages providers to give records (especially if in electronic format) to patients at no cost when possible. It is important to note, though, that a patient does not lose their right to access their health record even if they have an outstanding balance with a provider. The fundamental point is clear: a patient’s access to their health record may not be obstructed or delayed by a provider, so it is important to be diligent and address a patient’s request as soon as possible.

HIPAA Privacy and Coronavirus

2020 Alliance sponsor feature article courtesy of Total Medical Compliance

While preparing and treating patients that have or might have novel coronavirus (2019 nCoV), it is important to remember your patient’s privacy rights. HIPAA permits the sharing of patient’s protected health information (PHI) for public health activities such as this without a patient authorization.

With whom and when can you share PHI for public health activities? Generally, PHI can be shared with:

• entities that are permitted by law to collect and receive health information for the purpose of preventing or controlling disease such as the CDC or a state or local health department,
• organizations such as the American Red Cross,
• others at risk of contracting or spreading a disease or condition if state law authorizes the covered entity to notify others as necessary to prevent or control the spread of the disease, and
• others involved in the patient’s care such as family and friends. Providers should use their professional judgement here and obtain verbal consent from the patient, if possible.

PHI should not be shared with the media or others not involved in a patient’s care without the patient’s authorization.

The HIPAA minimum necessary standard still applies to the use and disclosure of PHI. The U.S. Department of Health and Human Services says that entities may rely on representations from the CDC or other public health department that the PHI requested by them about all patients exposed to or suspected or confirmed to have novel coronavirus (2019-nCoV) is the minimum necessary. In addition, a covered entity should continue to limit access to PHI to only those workforce members who need it to carry out their duties.