New HIPAA Rule Aims to Promote Access to Medical Records and Care Coordination
As 2020 closes, the Department of Health & Human Services has announced the most significant proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) rules since 2013. These changes to the regulations implementing the 1996 law would affect the privacy, security, and availability of health records and other protected health information (PHI).
The proposed rule, if finalized, will encourage individual access to PHI and increase health care providers’ ability to coordinate care and respond to emergency situations. While some covered entities have raised security and privacy concerns about increasing PHI access, the proposed rule would give providers greater flexibility in how they manage and transmit PHI in connection with appropriate requests and disclosures.
Health care providers already familiar with the current HIPAA rules understand that HIPAA compliance depends largely on the definitions of terms in the HIPAA Rules. The proposed rule would clarify several important definitions.
For example, HHS proposes to add a new definition of “personal health application.” Such electronic applications, used by individuals to access health care information about themselves and controlled by the individual rather than by a covered entity or third party, would not be subject to HIPAA privacy and security obligations. Excluding personal health applications from HIPAA requirements will likely encourage third-party development of consumer-directed health care information devices and software applications.
The Individual Right of Access
In line with recent HIPAA enforcement actions, the proposed rule takes special interest in ensuring that individuals have a right to inspect and obtain copies of their PHI and a separate, but related, right to direct the transmission of electronic copies of their PHI to third parties.
HHS proposes to allow an individual to take notes, videos, and photographs, and use other personal resources to view and capture PHI as part of the right to inspect PHI in person. Such record inspection would take place at a mutually convenient time and place. However, the covered entity would not be required to allow the individual to connect a personal device, such as a thumb drive, to the covered entity’s information systems. HHS invites comments on whether covered entities may provide copies of PHI in lieu of in-person inspections when necessary to protect health and safety, such as during a pandemic.
HHS seeks comment on a proposal to explicitly prohibit a covered entity from imposing unreasonable measures that would impede an individual’s right to access their PHI in a designated record set. Specifically, this proposal would clarify that, while a covered entity may require individuals to make access requests in writing, an entity may not do so in a way that impedes access to the records.
Currently, the Privacy Rule requires covered entities to respond to access requests by individuals within 30 days of receipt of the request, with the possibility for one 30-day extension. HHS proposes to reduce both of these time limits to 15 calendar days. HHS proposes to require covered entities to establish written policies for prioritizing urgent or other high priority access requests to limit the need to use 15-day extensions.
The current Privacy Rule allows a covered entity to provide a summary of PHI in lieu of providing access to the requested PHI if the individual agrees to receive this summary. HHS proposes that, when a covered entity offers a summary in lieu of PHI access, the covered entity must inform the individual that the individual retains a right to obtain a copy of the requested PHI if he does not agree to receive the summary. Under a parallel proposal, if the covered entity offers to provide a summary, the covered entity must also inform the individual about the right to direct a copy of the requested PHI to a designated third party. These new requirements would not apply if the summary is provided by the covered entity because it is denying the request for access on reviewable or unreviewable grounds, as the appropriate denial procedures must be followed instead.
HHS proposes significant changes to the current provision allowing individuals to direct copies of their PHI to third parties. HHS proposes to limit such requests to electronic copies of PHI in an electronic health record (EHR). Further, HHS proposes to require the covered entity to respond to such a request when it is “clear, conspicuous, and specific.” Such requests may be made orally or in writing. This would replace the current requirement that such requests be in writing, signed by the requesting individual, and clearly identify the designated person and where to send the PHI.
HHS further proposes that if an individual makes a “clear, conspicuous, and specific” request that his provider or plan (“Recipient”) obtain an electronic copy of PHI in an EHR from one or more covered health care providers (“Discloser”), then the Recipient would be required to submit the request to the Discloser on the individual’s behalf. The Recipient could direct that these records be sent only to the Recipient itself. The Recipient must submit such a request no later than 15 days after receiving all information needed to send the request. The Discloser would then have 15 days to respond to the request. Currently, health care providers seeking records from another provider have few tools to compel disclosure of records. The proposed rule would help facilitate the timely exchange of records between health care providers when requested by a patient.
Requests to send non-electronic copies of PHI in an EHR and electronic copies of PHI that is not in an EHR would no longer be within the right of access. Therefore, if a covered entity decided to honor such a request, the fee schedule requirements described below would not apply.
New Fee Schedule Requirements
In the Ciox v. Azar decision, a Federal court held that HHS had improperly imposed fee limitations in the access right to direct a copy of PHI to a third party without notice and comment rulemaking. In response, HHS proposes to establish a regulatory fee structure in the proposed rule. The proposed fee structure breaks down into two categories: (1) access for which covered entities cannot charge a fee and (2) allowable costs that may be charged when an access fee is permitted. HHS proposes that no fee be permitted when an individual inspects their PHI in person or uses an internet-based method to view or obtain PHI. When an individual requests a non-electronic copy of PHI through other than an internet-based method, HHS proposes that the fee be reasonable and limited to the cost of:
(1) labor for copying the PHI requested,
(2) supplies for making non-electronic copies,
(3) postage and shipping, and
(4) preparing an explanation or summary of PHI when agreed to by the individual.
When an individual requests an electronic copy of PHI through other than an internet-based method or directs a copy of PHI in an EHR to a third party, if the PHI is to be transmitted to a third party through other than an internet-based method, the entity may charge a reasonable fee for labor in copying the PHI requested and preparing an explanation or summary at the individual’s request. These changes largely track current HHS guidance.
HHS also proposes to require covered entities to provide advance notice of approximate fees for PHI requested. Covered entities would have to post a fee schedule on their websites and make the fee schedule available at the point of service upon request. The notice must include all types of access available free of charge and a fee schedule for PHI copies in a designated record set provided to individuals under the access right, PHI copies in an EHR directed to third parties by an individual, and PHI copies sent to third parties under an individual’s valid authorization. Further, upon request, covered entities must provide an individualized, itemized estimate of the approximate fees to be charged for the requested PHI copies. The individualized estimate should be provided within the 15-day access request window, prior to providing the requested PHI, and in sufficient time to allow the individual to consider and make a meaningful decision on the estimate before the PHI must be provided.
Finally, HHS proposes that a business associate (BA) must disclose PHI to a covered entity so the covered entity can meet its access obligations. However, if the BA’s agreement with the covered entity provides that the BA will provide access to PHI in an EHR directly to individuals or their designees, then the BA must do so.
HHS proposes to expressly prohibit a covered entity from imposing unreasonable identity verification measures on individuals exercising their access rights. Unreasonable verification measures would be those that require an individual to expend unnecessary effort or expense when there is a practicable, less burdensome alternative. Requiring individuals to obtain notarization of requests or to provide in-person proof of identity would be explicitly considered unreasonable when there is a more convenient and practicable option for remote verification.
Other Proposed Disclosure Changes
The proposed rule includes additional changes, such as:
HHS’ proposed rule appears to encourage individual access to their PHI and increases the ability of health care providers to coordinate care and respond to emergency situations. While some covered entities have raised legitimate security and privacy concerns about the increased access to PHI these proposals will provide, as a whole these rules will give providers greater flexibility in how they manage and transmit PHI in connection with appropriate requests and disclosures. Covered entities should continue to ensure the privacy and security of PHI remains a top priority.
HHS will accept comments on the proposed rule until 60 days after the proposed rule is published in the Federal Register. If you or your practice have any questions about this guidance, please contact Peter Mellette, Harrison Gibbs, Elizabeth Dahl Coleman, or Scott Daisley at Mellette PC.
This client advisory is for general educational purposes only. It is not intended to provide legal advice specific to any situation you may have and does not cover all the provisions of the proposed rule. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice.
Ciox Health, LLC v. Azar, 435 F. Supp. 3d 30 (D.D.C. 2020).
These changes would occur in 45 CFR 164.502(g)(3)(ii)(C), 164.510(a)(3), 164.510(b)(2)(iii), 164.510(b)(3), and 164.514(h)(2)(iv).