Deadline to file comments to the HIPAA NPRM is fast approaching

Authors: Emily Maus and Anna Spencer

HIPAA covered entities and business associates should finalize their comments soon, before the comment period for the 2020 Health Insurance Portability and Accountability Act (HIPAA) Notice of Proposed Rulemaking (NPRM) closes on May 6. The Office for Civil Rights (OCR), which is the federal agency within the US Department of Health and Human Services (HHS) that enforces HIPAA, released the NPRM on December 10, 2020 and later extended the deadline for submission of comments from March 22 to May 6.

The NPRM proposes a number of significant modifications to HIPAA, including changes to the provisions on the right of access to Protected Health Information (PHI), the use and disclosure of PHI for care coordination and case management, and permitted disclosures to assist persons in situations involving Substance Use Disorders (SUDs), Severe Mental Illness (SMI), and emergencies. Key elements of the proposed changes include:

  • Adding a definition of the term “electronic health record” (EHR) to implement the HITECH provision allowing individuals to direct a covered entity to transmit a copy of an EHR directly to the individual’s designee. The NPRM defines an EHR as “an electronic record of health related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” Consistent with the Ciox Health case, [1] HHS proposes to limit the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR. Prior to the Ciox Health case, HHS took the position that the HIPAA right of access included the right of an individual to direct any PHI in a designated record set to a third party.
  • Adding a definition of the term “personal health application.” HHS proposes to revise the right of access to clarify that one of the mechanisms by which a request for access may be fulfilled is by transmitting an electronic copy of an individual’s PHI to a personal health application used by the individual. The NPRM defines “personal health application” as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.” Essentially, personal health applications would not be treated as third parties under the NPRM.
  • Multiple proposals to strengthen the right of individuals to access their PHI. These include provisions permitting individuals to take notes, videos, and photographs of their PHI in a designated record set while onsite at a covered entity, shortening the timeframes for responding to access requests from 30 calendar days to 15 calendar days, and prohibiting “unreasonable measures” that create a barrier to or unreasonably delay the individual from obtaining access (eg, requiring notarized requests or making records available only through a patient portal).
  • Modifications to the access fee provisions based on the type of request. A summary of how different types of access and recipients would affect allowable fees is outlined below. Notably, no fees would be permitted where the individuals use an Internet-based method to obtain PHI.

| Type of Access | Recipient of PHI | Allowable Fees |
|---|---|---|
| In-person inspection, including viewing and self-recording or self-copying | Individual (or personal representative) | Free |
| Internet-based method of requesting and obtaining copies of PHI (eg, using View-Download-Transmit (VDT) functionality, or a personal health application connection via a certified-API technology) | Individual | Free |
| Receiving a non-electronic copy of PHI in response to an access request | Individual | Reasonable cost-based fee, limited to labor for making copies, supplies for copying, actual postage and shipping, and costs of preparing a summary or explanation as agreed to by the individual |
| Receiving an electronic copy of PHI through a non-Internet-based method in response to an access request (eg, by sending PHI copied onto electronic media through the US Mail or via certified export functionality) | Individual | Reasonable cost-based fee, limited to labor for making copies and costs of preparing a summary or explanation as agreed to by the individual |
| Electronic copies of PHI in an EHR received in response to an access request to direct such copies to a third party | Third party as directed by the individual through the right of access | Reasonable cost-based fee, limited to labor for making copies and for preparing a summary or explanation agreed to by the individual |

  • A requirement that covered entities provide advance notice of applicable fees for individuals accessing or directing a copy of their PHI, including posting a fee schedule on the covered entity’s website and providing individuals with an estimate of fees upon request.
  • Clarifying that business associates are required to disclose PHI to the covered entity in response to an individual access request, except in circumstances where the Business Associate Agreement (BAA) provides that the business associate will provide access directly to individuals. It is unclear how this proposal would be interpreted in light of a provision in the 21st Century Cures Act that gives business associates broader authority to provide individuals with access to their PHI.
  • Clarifying that care coordination and case management activities by health plans that are critical to value-based purchasing of health care services do not have to be population-based to fit within the definition of health care operations; individual-level activities may also qualify.
  • Creating an exception to the minimum necessary standard to permit disclosures for additional care coordination and case management activities, including population-based care coordination and case management activities, claims management, review of health care services for appropriateness of care, utilization reviews, and formulary development.
  • Adding language permitting covered entities to disclose PHI to social services agencies, community-based organizations, community-based providers and other third parties that provide health-related services to individuals for care coordination and case management.
  • Replacing the “professional judgment” standard for disclosures in situations involving emergencies, SUDs or SMI with language permitting disclosures made pursuant to a “good faith belief” that such disclosure is in the best interest of the individual.
  • Removing the requirement for covered entities to obtain a written acknowledgement of their Notice of Privacy Practices (NPP), and establishing a right for individuals to discuss the NPP with a designated individual.


[1] In Ciox Health, LLC v. Azar, et al., 435 F. Supp. 3d 435 (D.D.C. 2020), the US District Court for the District of Columbia vacated: (1) the Department’s expansion of the HITECH Act’s “third-party directive” (ie, the right of an individual to direct a copy of PHI to a third party) beyond requests for an electronic copy of PHI in an EHR; and (2) the extension of the individual “patient rate” for fees for copies of PHI directed to third parties.

Consistent with the court’s opinion, which HHS did not appeal, HHS seeks public comment on proposals to: (1) narrow the scope of the access right to direct records to a third party to only electronic copies of PHI in an EHR; and (2) apply new fee limitations to the access right to direct such copies to a third party. With these proposed changes, individuals would have to rely on authorizations to request that covered entities send non-electronic copies of PHI, or electronic copies of PHI that are not in an EHR, to third parties. HIPAA covered entities responding to requests based on an authorization would not be subject to the access fee limitations; however, HHS states that the fees would be limited by the Privacy Rule’s provisions on the sale of PHI and by applicable state law. According to statements in the Preamble of the NPRM, if a covered entity (or its business associate) charges a fee for records disclosed pursuant to an authorization, it would have to either (1) satisfy an exception to the provisions on the sale of PHI which permits only a reasonable, cost-based fee or a fee expressly permitted by other law; or (2) include language in the authorization disclosing the fact that the covered entity or business associate received remuneration in exchange for the disclosure of records.