Deadline to file comments to the HIPAA NPRM is fast approaching – Privacy Matters

Deadline to file comments to the HIPAA NPRM is fast approaching – Privacy Matters


Authors: Emily Maus and Anna Spencer

HIPAA covered entities and business associates should finalize their comments soon, before the comment period for the 2020 Health Insurance Portability and Accountability Act (HIPAA) Notice of Proposed Rulemaking (NPRM) closes on May 6.  The Office for Civil Rights (OCR), which is the federal agency within the US Department of Health and Human Services (HHS) that enforces HIPAA, released the NPRM on December 10, 2020 and later extended the deadline for submission of comments from March 22 to May 6.

The NPRM proposes a number of significant modifications to HIPAA, including changes to the provisions on the right of access to Protected Health Information (PHI), the use and disclosure of PHI for care coordination and case management, and permitted disclosures to assist persons in situations involving Substance Use Disorders (SUDs), Severe Mental Illness (SMI), and emergencies. Key elements of the proposed changes include:

  • Adding a definition of the term “electronic health record” (EHR) to implement the HITECH provision allowing individuals to direct a covered entity to transmit a copy of an EHR directly to the individual’s designee. The NPRM defines an EHR as “an electronic record of health related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.” Consistent with the Ciox Health case, [1] HHS proposes to limit the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR. Prior to the Ciox Health case, HHS took the position that the HIPAA right of access included the right of an individual to direct any PHI in a designated record set to a third party.
  • Adding a definition of the term “personal health application.” HHS proposes to revise the right of access to clarify that one of the mechanisms by which a request for access may be fulfilled is by transmitting an electronic copy of an individual’s PHI to a personal health application used by the individual. The NPRM defines “personal health application” as “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.” Essentially, personal health applications would not be treated as third parties under the NPRM.
  • Multiple proposals to strengthen the right of individuals to access their PHI. These include provisions permitting individuals to take notes, videos, and photographs of their PHI in a designated record set while onsite at a covered entity, shortening the timeframes for responding to access requests from 30 calendar days to 15 calendar days, and prohibiting “unreasonable measures” that create a barrier to or unreasonably delay the individual from obtaining access (eg, requiring notarized requests or making records available only through a patient portal).
  • Modifications to the access fee provisions based on the type of request. A summary of how different types of access and recipients would affect allowable fees is outlined below. Notably, no fees would be permitted where the individuals use an Internet-based method to obtain PHI.
Type of Access Recipient of PHI Allowable Fees
In-person inspection – including viewing and self-recording or -copying

 

 Individual (or personal representative)

 

 Free
Internet-based method of requesting and obtaining copies of PHI (eg, using View-Download-Transmit functionality (VDT), or a personal health application connection via a certified-API technology)

 

 Individual Free
Receiving a non-electronic copy of PHI in response to an access request

 

 Individual Reasonable cost-based fee, limited to labor for making copies, supplies for copying, actual postage and shipping, and costs of preparing a summary or explanation as agreed to by the individual

 
Receiving an electronic copy of PHI through a non-Internet-based method in response to an access request (eg, by sending PHI copied onto electronic media through the US Mail or via certified export functionality)

 

 Individual Reasonable cost-based fee, limited to labor for making copies and costs of preparing a summary or explanation as agreed to by the individual
Electronic copies of PHI in an EHR received in response to an access request to direct such copies to a third party

 

 Third party as directed by the individual through the right of access

 

 Reasonable cost-based fee, limited to labor for making copies and for preparing a summary or explanation agreed to by the individual

 
    • A requirement that covered entities provide advance notice of applicable fees for individuals accessing or directing a copy of their PHI, including posting a fee schedule on the covered entity’s website and providing individuals with an estimate of fees upon request.
  • Clarifying that business associates are required to disclose PHI to the covered entity in response to an individual access request, except in circumstances where the Business Associate Agreement (BAA) provides that the business associate will provide access directly to individuals. It is unclear how this proposal would be interpreted in light of a provision in the 21st Century Cures Act that gives business associates broader authority to provide individuals with access to their PHI.
  • Clarifying that care coordination and case management activities by health plans which are critical to value based purchasing of health care services do not have to be population-based to fit within the definition of health care operations; individual-level activities may also qualify.
  • Creating an exception to the minimum necessary standard to permit disclosures for additional care coordination and case management activities, including population-based care coordination and case management activities, claims management, review of health care services for appropriateness of care, utilization reviews, and formulary development.
  • Adding language permitting covered entities to disclose PHI to social services agencies, community-based organizations, community-based providers and other third parties that provide health related services to the individuals for care coordination and case management.
  • Replacing the “professional judgment” standard for disclosures in situations involving emergencies, SUDs or SMI with language permitting disclosures made pursuant to a “good faith belief” that such disclosure is in the best interest of the individual.
  • Removing the requirement for covered entities to obtain a written acknowledgement of their Notice of Privacy Practices (NPP) and establishment of a right for individuals to discuss the NPP with a designated individual.

 

[1] In Ciox Health, LLC v. Azar, et al., 435 F. Supp. 3d 435 (D.D.C. 2020), the US District Court for the District of Columbia vacated: (1) the Department’s expansion of the HITECH Act’s “third-party directive” (ie, the right of an individual to direct a copy of PHI to a third party) beyond requests for an electronic copy of PHI in an EHR; and (2) the extension of the individual “patient rate” for fees for copies of PHI directed to third parties.

Consistent with the court’s opinion, which HHS did not appeal, HHS seeks public comment on proposals to: (1) narrow the scope of the access right to direct records to a third party to only electronic copies of PHI in an EHR; and (2) apply new fee limitations to the access right to direct such copies to a third party. With these proposed changes, individuals would have to rely on authorizations to request that covered entities send non-electronic copies of PHI, or electronic copies of PHI that are not in an EHR, to third parties. HIPAA covered entities responding to requests based on an authorization would not be subject to the access fee limitations; however, HHS states that the fees would be limited by the Privacy Rule’s provisions on the sale of PHI and by applicable state law. According to statements in the Preamble of the NPRM, if a covered entity (or its business associate) charges a fee for records disclosed pursuant to an authorization, it would have to either (1) satisfy an exception to the provisions on the sale of PHI which permits only a reasonable, cost-based fee or a fee expressly permitted by other law; or (2) include language in the authorization disclosing the fact that the covered entity or business associate received remuneration in exchange for the disclosure of records.

 



Source link

The post Deadline to file comments to the HIPAA NPRM is fast approaching – Privacy Matters appeared first on SecuritNEWS.


http://ifttt.com/images/no_image_card.png
https://securitnews.com/deadline-to-file-comments-to-the-hipaa-nprm-is-fast-approaching-privacy-matters/

Comments

Post a Comment

Popular posts from this blog

Hey Rudy and/or the FBI, Pick Up Your Phone

Hey Rudy and/or the FBI, Pick Up Your Phone Photo: Samuel Corum (Getty Images) On Wednesday, the feds raided the home and office of Rudy Giuliani, noted flask with legs and former personal attorney to ex-President Donald Trump. According to one of Giuliani’s neighbors at his Upper East Side apartment building, the agents in question seized and “were bringing out a lot of stuff.” Search warrants require investigators to provide a judge with sufficient reason to believe a crime may have been committed, and the bar is higher when the target is an attorney, even one of Giuliani’s… stature. Gizmodo called and texted a phone number that Giuliani has used in the past to determine whether or not the search warrants executed on Wednesday were related to, as the New York Times reported, the suspicion that he was picking up a little illegal scratch on the side by working for Ukrainian officials or businesses that shared Trump’s interest in removing U.S. ambassador Marie L. Yovano...
Read more

Understanding Where the Internet Isn’t Good Enough Yet

Image
Understanding Where the Internet Isn’t Good Enough Yet Since March 2020, the Internet has been the trusty sidekick that’s helped us through the pandemic. Or so it seems to those of us lucky enough to have fast, reliable (and often cheap) Internet access. With a good connection you could keep working (if you were fortunate enough to have a job that could be done online), go to school or university, enjoy online entertainment like streaming movies and TV, games, keep up with the latest news, find out vital healthcare information, schedule a vaccination and stay in contact with loved ones and friends with whom you’d normally be spending time in person. Without a good connection though, all those things were hard or impossible. Sadly, access to the Internet is not uniformly distributed. Some have cheap, fast, low latency, reliable connections, others have some combination of expensive, slow, high latency and unreliable connections, still others have no connection at all. Close to 60...
Read more

Migrating to hosted Exchange: Do’s and don’ts

Migrating to hosted Exchange: Do’s and don’ts Make no mistake: moving from an on-premises Microsoft Exchange deployment to Exchange in the cloud is a gargantuan undertaking. Earlier this year, I explored the major issues you’ll need to consider and decisions you’ll need to make when moving to hosted Exchange. But for most folks, further guidance is necessary. What are some of the gotchas to watch out for? What are some best practices to factor into your planning? Here, I’ll take a look at several important do’s and don’ts when it comes to getting your organization into Exchange Online. Note: This story focuses on migrating from Exchange Server on-premises to some version of Microsoft’s hosted Exchange service (under an Exchange Online , Office 365 , or Microsoft 365 subscription), or to a hybrid configuration with the “365” apps in the cloud and Exchange remaining in some fashion on-premises in production. It is not intended to apply to migrations to other providers’ services. ...
Read more