HHS’ proposed changes to HIPAA will require hospitals to revamp how they respond to record requests, as the proposed rule gives both patients and providers more decision-making power over when and how to disclose health data.
HHS’ Office for Civil Rights last week proposed a slew of changes to the Health Insurance Portability and Accountability Act designed to give patients more control over their health data and make it easier for clinicians to share patient data with other providers, insurers and social service agencies for coordinating patient care.
It follows a request for information on possible changes to HIPAA that OCR released in 2018.
Early responses to the 357-page proposed rule have been positive.
“I give OCR a lot of credit for trying to come up with some proposals to really thread the needle in some difficult disclosure situations,” said Deven McGraw, chief regulatory officer at data-sharing startup Ciitizen and a former deputy director for health information privacy at OCR.
Under the proposed rule, providers would be able to disclose patient data, such as to family members, if they believe that it’s in the patient’s best interest. It’s designed to allow more data-sharing than the current rules, which only allow providers to base decisions on “professional judgment.”
The new standard would be more permissive, since it “presume(s) a covered entity’s good faith,” according to the proposed rule.
But it could be tough for providers to put the new standard into practice because “it’s not always clear what that means … it’s a little fuzzy,” said Michelle De Mooy, a data privacy and ethics consultant.
The changes would also make it easier for providers to disclose patient data to third parties like law enforcement when they believe a threat to health or safety is “serious and reasonably foreseeable,” rather than under the current, stricter standard, which only allows disclosures when there’s a “serious and imminent” threat to health or safety.
“These are not easy judgment calls to make,” McGraw said.
“You don’t really want regulators making the call on this one,” she added. “Ideally, you want medical professions to be sharing when they should share and not sharing when they shouldn’t—but it’s very hard to get the legal standard right.”
The proposed HIPAA changes are in line with the Trump administration’s focus on ensuring regulations don’t stand in the way of patients being able to access their own health information, with updates like shortening the period in which covered entities are required to respond to patients’ record requests from 30 to 15 days.
It builds on the “Right of Access Initiative” that OCR announced last year and HHS Deputy Secretary Eric Hargan’s push to eliminate barriers to coordinated care, as well as aligning with the Office of the National Coordinator for Health Information Technology’s recent rule regulating interoperability and information blocking.
“It’s clear that there should not be barriers to individuals getting their own information into their own hands. It’s long overdue (and) feet are going to be held to the fire,” said Matthew Fisher, partner and chair of the health law group at Mirick O’Connell.
But it’s unlikely that there will be an immediate sea change, he said. Many providers may start with complaints or readily accessible information rather than releasing a slew of information that could spark privacy complaints.
De Mooy supported HHS’ proposal to stop requiring patient signatures for privacy notices because “it’s basically useless for everybody involved.” She said it’s smart to keep HIPAA notices “short and sweet” so that patients can easily understand their rights and how to exercise them.
“It seems like it’s shifting the burden … off of individuals and on to doctor’s offices,” De Mooy said.
She’s less sure about the Trump administration’s proposal to restrict the identity verification measures that providers can use to safeguard patient health information—like requiring a notary for access—because HHS hasn’t sufficiently described what identity verification measures it would consider “reasonable.”
De Mooy also questioned the agency’s plan to create an exception to the “minimum necessary standard” that covered entities are expected to follow for individual care coordination and management activities. She worried the exception would threaten patient privacy by allowing providers to collect and share more data than necessary.
HHS should narrow the exception and give providers clearer guidance about what’s allowed to protect privacy, she said.
The agency has been remarkably consistent in its promotion of value-based care during the Obama and Trump administrations.
Experts expect President-elect Joe Biden’s administration to carry on that legacy.
Industry watchers expect a Biden administration to pick up the proposed rule and continue work on a final version after the public comment period closes, particularly since data-sharing and patient privacy are largely bipartisan issues that have also been touted by Biden.
“I would anticipate that this (proposed rule) keeps moving forward,” said Tom Leary, senior vice president of government relations at the Healthcare Information and Management Systems Society.
But many of the proposed changes—like requiring providers to respond to patients’ record requests in 15 days and restructuring how to verify patient identities—will require hospitals to revisit procedures for sharing records and maybe even hire new staffers to avoid creating more burden for those workers.
“There’s a lot of process changes,” said Randi Seigel, an attorney and partner in Manatt Health.
Robert Tennant, director of health information technology policy at the Medical Group Management Association, said that providers usually give patients access to their health information as quickly as possible. But it can be challenging to do that when patient data is stored in multiple locations.
For example, paper records might be stored across multiple practice locations or “in storage lockers across town,” Tennant said.
“We like the option of having a little more time,” he said.
That’s partly why group practices balked at HHS’ proposal to force providers to post their fees for processing requests for patient health information, since such requests are often handled on a case-by-case basis, which could make it difficult to create a fee schedule. Tennant said HHS needs to give patients access to their data without creating more burden for providers.
To prepare for the final regulations, Seigel suggested hospitals ensure that health information management or medical records departments have enough staff to review and respond to patient requests within the required 15-day window and that IT systems are up to date so they can hook up to third-party apps, as well as educate staff on possible changes.
“This recent shift … to thinking more about sharing (data) and not erring on the side of protecting is a very significant shift in the mindset of a provider,” she said.
The public comment period for the HIPAA proposed rule closes in February.