
Relaxing Privacy Requirements? Department of Health and Human Services Proposes Changes to HIPAA

By Wakaba Tessier, Kelsey Anderson, Erica M. Ash & Tracey Toll on December 17, 2020

On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In its news release, OCR noted that the proposed rule “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.” The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interference with access, exchange, or use of electronic health information (EHI). The key proposed changes are discussed below.

Relaxing Requirements. HHS is proposing some changes that would loosen the standards for disclosing PHI in certain instances and for technical compliance with HIPAA. For example, the privacy standard currently permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment.” This standard permits such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive and would presume a covered entity’s good faith; however, this presumption could be overcome with evidence of bad faith. Another example is the proposal to expand the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety. Finally, HHS is also proposing to eliminate the requirement that covered entities must obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices.

Strengthening Individuals’ Right to Access. Consistent with the underlying objectives of the Information Blocking Rule, the proposed rule seeks to increase individuals’ ability to access their PHI. Key proposals include:

  • Requiring Covered Entities to permit individuals to take notes, videos, and photographs using personal resources after arranging a mutually convenient time and place at no cost to the individual. For example, such inspection may occur in conjunction with a health care appointment whereby the individual inspects x-rays or lab results.
  • Decreasing the timeframe allowed for covered entities to respond to requests for access. Presently, covered entities must provide access no later than 30 days from receipt of the request, which may be extended for an additional 30 days if certain criteria are met. However, the proposed rule would require that access be provided “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request, with the possibility of one 15 calendar-day extension.

Payer-to-Payer Data Exchange on Fast Healthcare Interoperability Resources (FHIR). CMS also set forth three proposals to enhance and expand the payer-to-payer data exchange, which is, again, consistent with the Information Blocking Rule:

  1. At a patient’s request, clinical data as defined in the USCDI version 1 (“Clinical Data”), claims and encounter data, and information regarding pending and active prior authorization decisions will be exchanged via a FHIR-based Payer-to-Payer API;
  2. The payer-to-payer data exchange is extended to state Medicaid and CHIP FFS programs; and
  3. A patient can opt in to data sharing during enrollment, requiring the payers to share Clinical Data, claims and encounter data, and information about pending and active prior authorization decisions at enrollment.

Disclosures to Social Service Organizations. The proposed rule would modify 45 CFR 164.506(c) and add a new subsection 164.506(c)(6), which would expressly permit covered entities to disclose PHI for certain social services. Specifically, it would allow covered entities to disclose PHI to social services agencies, community-based organizations, home and community-based service providers, and other similar third parties that “provide health-related services to specific individuals for individual-level care coordination and case management, either as a treatment activity of a covered healthcare provider or as a healthcare operations activity of a covered healthcare provider or health plan.”

The proposed changes, along with the Information Blocking Rule, signal the government’s direction related to sharing, coordination, and accessibility of electronic health records.

Wakaba Tessier

Wakaba’s work requires mastery not just of the law but also the rapidly changing healthcare marketplace and its many regulations. She focuses on the unique issues faced by specialty pharmacies, such as licensing and other compliance challenges.

Kelsey Anderson

Kelsey works closely with hospitals, health systems, cooperatives, health care associations, physician specialty groups, assisted living facilities, clinical laboratories, and durable medical equipment, prosthetics, orthotics and supplies (DMEPOS) suppliers on a wide range of healthcare compliance issues including:

  • False Claims Act (FCA)
  • Anti-Kickback Statute (AKS)
  • Physician Self-Referral Law (Stark Law)
  • Licensing
  • Medicare and Medicaid enrollment and payment
  • Health Insurance Portability and Accountability Act (HIPAA)

Erica M. Ash

Erica helps healthcare clients navigate regulatory matters so they can get back to the business of patient care. She assists clients with compliance, transactional and licensure matters, including Health Insurance Portability and Accountability Act (HIPAA) compliance, Medicare and Medicaid reimbursement procedures, Stark Law compliance, and fraud, waste and abuse issues.

Tracey Toll

Tracey focuses her practice on healthcare and regulatory compliance and works with a wide range of clients, including pharmacies, durable medical equipment suppliers, home health agencies, and hospitals. She advises clients on state and federal regulatory and compliance issues, transactional matters, licensure issues, and Medicare and Medicaid reimbursement procedures.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Byte Back
  • Organization:
    Husch Blackwell LLP