
Proposed Changes to Privacy Regulations Would Clarify Individual Access Rights and Make Other Targeted Changes


· 5 minute read



Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 45 CFR Parts 160 and 164, 86 Fed. Reg. 6446 (Jan. 21, 2021)

Available at

HHS has announced proposed regulations that would make significant changes to targeted aspects of the HIPAA privacy rule, focused primarily on clarifying individual access rights. Highlights of interest to health plans include:

  • Individual access right. Key provisions, many of which incorporate guidance issued in 2016 (see our Checkpoint article), include—

    • Scope. The proposal would clarify that individuals’ right to inspect their PHI includes the right to view, take notes or photographs, and use other personal resources to capture their PHI free of charge, except that covered entities need not allow individuals to connect personal devices to electronic information systems and may impose safeguards to ensure that individuals see only their own PHI. An individual invoking the access right could instruct a covered entity to transmit PHI to the individual’s designated personal health application, a newly defined term.
    • Requests for Access. Although covered entities may require individuals to submit written access requests electronically or on paper, they may not impose measures that unreasonably impede access (such as requiring extensive information not necessary to fulfill the request; notarization of the individual’s signature; or paper-only, electronic-only, or in-person-only requests).
    • Action on Request. The proposal would require covered entities to act on access requests “as soon as practicable” and would shorten the deadline for action from 30 to 15 days. Extensions would continue to be permitted but would be 15 (instead of 30) days and would be available only if the covered entity has implemented a policy to prioritize urgent or other high-priority requests. Other federal or state laws requiring faster action would take precedence.
    • Third Parties. An individual’s right to direct transmission of PHI to a third party would apply only to electronic health records (EHRs) maintained by covered health care providers; it would not apply to other types of PHI or to health plans. Health plan participants could, however, instruct their health plan to request EHRs from covered health care providers, which would then be required to disclose the requested EHRs directly to the plan. Also, individuals could still exercise their access right to obtain their PHI and then provide it to a third party themselves, or ask (but not require) the covered entity to send the PHI to a third party pursuant to an authorization. [EBIA Comment: The proposal responds to a 2020 court decision invalidating aspects of the current regulations (see our Checkpoint article) and would significantly narrow an individual’s ability to require covered entities to transmit PHI to third parties.]
    • Fee Notice and Limitations. A covered entity that charges for copies of PHI would have to post a fee schedule on its website and make the schedule available at the point of service and upon request. The schedule would specify (1) types of access available free of charge; and (2) standard fees in other situations. Individualized fee estimates would have to be provided upon request, as would an itemized list of billed charges. Modifications to the recoverable fees are also proposed.
  • Notice of Privacy Practices. The conspicuous header language would be expanded to emphasize the Notice’s information about the individual access and other rights applicable to PHI. A new optional element would explain how individuals can furnish their PHI to third parties when the direct transmission requirement does not apply.
  • Care coordination and case management. Although the preamble to the original privacy rule indicated that a nurse working for a health plan could use PHI to contact individuals to discuss follow-up care, some covered entities apparently have interpreted the existing definition of health care operations to permit disclosures only for health plans’ population-based activities. The proposal would clarify that health plans’ care coordination and case management activities—whether based on broad populations or particular individuals—are considered health care operations. The proposal also would provide that the “minimum necessary” standard does not apply to disclosures to, or requests by, a health plan for individualized care coordination and case management activities.

Other provisions would facilitate disclosures of PHI to family members and others involved in an individual’s health care and make other technical changes.

EBIA Comment: It is not surprising that the individual access right figures prominently in the proposal, as HHS has made it an enforcement priority. Also, HHS must address the portions of the access rule that were invalidated by the 2020 court decision. Still, the proposal faces an uncertain future given the impending change in administrations, and at least some revisions are likely as the proposal goes through the rulemaking process. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVI.B (“Uses and Disclosures for Treatment, Payment, and Health Care Operations”), XXVII.B (“Right to Access PHI in Designated Record Set”), and XXVII.G (“Right to Receive Notice of Privacy Practices”).

Contributing Editors: EBIA Staff.
