Last week, ACEP responded to a proposed regulation released by the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) that would make changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposed reg was released last December under the Trump Administration—but the Biden Administration gets to ultimately decide whether to finalize any of the proposals included in it.
As you all know, HIPAA is tremendously complex— and in many cases, you as physicians are afraid to release any information out of fear of breaching data, violating HIPAA, and receiving a (sizable) penalty. Further, HIPAA is frequently, and inappropriately, cited as a reason to not disclose information to you or to require burdensome paperwork to get vital information about your patients. Understanding and fully complying with HIPAA is now even more of a challenge given the new data sharing regulations instituted by the Office of the National Coordinator for Health Information Technology (ONC). These changes just went into effect in early April 2021 and you and your hospital are likely still trying to figure out what data sharing and exchange of information are permissible and/or required under both HIPAA and the ONC regulations (ACEP has released a poll assessing your initial experience implementing the ONC data sharing requirements. Fill it out here!).
Since there are already a lot of changes around data sharing policies that you have to deal with, we don’t think this is the best time to modify HIPAA. Therefore, one of the points ACEP made up front in our response was that OCR should consider delaying when these HIPAA modifications (if finalized) would become effective.
Besides expressing our overall concern about timing, we did submit comments on specific proposals. Overall, we support a few proposed policies that we believe would reduce administrative burden or enhance your ability to treat patients. However, we also express concerns about proposals that may actually add burden or jeopardize the privacy and security of your patients’ health information. Some key highlights of ACEP’s response include:
1. Strengthening the Access Right to Inspect and Obtain Copies of Personal Health Information (PHI)
Proposal: OCR proposes to add a new right that generally would enable an individual to take notes, videos, and photographs, and use other personal resources to view and capture PHI in a designated record set as part of the right to inspect PHI in person.
ACEP Response: ACEP is very concerned with the proposed relaxed restrictions on personal photos and/or videos taken by patients of their PHI. While OCR states that covered entities can work with patients to arrange a mutually convenient time and place for them to inspect their PHI, in emergency situations and in the emergency department (ED) setting overall, this could be quite challenging or even impossible. Therefore, ACEP requests that OCR NOT finalize this proposal. However, if OCR does decide to finalize it, it should create an exception for care delivered in the ED.
2. Modifying the Implementation Requirements for Requests for Access and Timely Action in Response to Requests for Access
Proposal: OCR proposes to shorten the timeframe for health care providers to respond to PHI access requests from patients to be as “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request, with the possibility of one 15 calendar-day extension.
ACEP Response: ACEP understands OCR’s rationale for proposing to shorten the timeframe for responding to PHI access requests and does not believe that the new requirement is unreasonable. However, we do request that OCR build some exceptions into this policy to account for national disasters or other emergency situations that may cause unavoidable delays in responding to PHI requests. Further, we oppose any effort to establish a time limit shorter than 15 calendar days for a covered entity to submit, or respond to, an individual’s access request.
3. Addressing the Individual Access Right to Direct Copies of PHI to Third Parties
Proposal: OCR is proposing to require a health care provider to respond to an individual’s request to direct an electronic copy of PHI to a third party designated by the individual when the request is “clear, conspicuous, and specific” -- which may be orally or in writing.
ACEP Response: ACEP has several concerns about this proposal. First, we believe that health care providers should be protected in cases where an individual makes a clear, conspicuous, and specific request orally, but then later recants the request (or denies making it in the first place). Second, we believe this proposal, if finalized, may increase the potential for healthcare fraud. Since it would be easier to obtain a patient’s consent to send PHI directly to a third party, entities could develop scams where they convince patients that they are legitimate entities, and they tell patients to make a “clear, conspicuous, and specific” request to their physicians to send their PHI directly to them. Thus, overall, although we support the concept of a “clear, conspicuous, and specific” standard, we do not think that this phrase should include oral communications.
4. Creating an Exception to the Minimum Necessary Standard for Disclosures for Individual-level Care Coordination and Case Management
Proposal: OCR is proposing to add an express exception to the minimum necessary standard for requests by a health plan for individual-level care coordination and case management activities that constitute treatment or health care operations.
ACEP response: ACEP supports the intent of the proposal. However, we are concerned that providing additional information to health plans could lead to selective, discriminatory reimbursement models and intrusion on physician medical decision-making power. Thus, if OCR were to finalize this proposal, it must institute appropriate security or privacy guardrails to protect patients or physicians from PHI data abuse. For example, if health plans request PHI for a patient, they must use the information exclusively for care coordination or case management purposes. If OCR does not add these security measures, restrict how health plans can use PHI, and establish a monitoring mechanism to enforce the requirement, it should not make this change to the minimum necessary standard.
5. Encouraging Disclosures of PHI when Needed to Help Individuals Experiencing Substance Use Disorder (Including Opioid Use Disorder), Serious Mental Illness, and in Emergency Circumstances
Proposal: OCR is proposing to modify specific standards and definitions within HIPAA that currently restrict health care providers’ ability to share information about their patients during emergencies or threatening circumstances. For example, under the proposed changes, a physician could reach out to the family of a patient suffering from opioid use disorder, if, in good faith, the physician thought that reaching out to the family would help the patient.
Response: ACEP overall supports these changes, but specifically in the context of emergency medicine. We believe that the proposals recognize the difficult decisions you as emergency physicians face on a day-to-day basis dealing with patients and their families. They would provide more flexibility for you to do what you believe is in the best interests of your patients, their family, and the broader community. However, we urge OCR to institute guardrails to the policies to ensure that the new standards would still appropriately protect patients and not potentially undermine the fabric of trust between patients and physicians.
6. Notice of Privacy Practices Requirements
Proposal: The HIPAA Privacy Rule currently requires a health care provider who has a direct treatment relationship with an individual to make a good faith effort to obtain a written acknowledgment of receipt of the provider’s Notice of Privacy Practices (NPP). Based on a large amount of negative feedback from stakeholders about the NPP, OCR proposes to eliminate the requirement.
ACEP Response: ACEP supports the elimination of this requirement. We agree with those stakeholders who believe that patients are often confused when presented with the NPP, as they mistakenly believe that their signature or written acknowledgment of the NPP is required to receive treatment. Many other patients simply sign the NPP without actually reading it. Therefore, we do not believe the requirement to sign the NPP is useful and thank OCR for proposing to eliminate it.
It will be interesting to see if OCR chooses to finalize any of the proposals, and if it does, whether it will delay their effective dates. Since comments were just due last week and OCR still needs to go through all of them before making any final decisions, we likely won’t find out for a while!
Until next week, this is Jeffrey saying, enjoy reading regs with your eggs.