The past several months have seen a flurry of activity surrounding the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Since HIPAA’s last significant update in 2013, advancements in technology and in the health care industry have left covered entities and business associates in need of more specific guidance. In response to these calls for action, the federal government has used the past several months to enact reforms, including proposing substantial changes to HIPAA’s Privacy Rule and amending the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
Proposed Changes to the Privacy Rule
On December 10, 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights released proposed regulations updating HIPAA’s Privacy Rule. The final regulations will be effective 60 days after publication, and covered entities will have 180 days after the effective date to comply with the new requirements. The proposed regulations have been placed on hold pending further review by President Biden’s administration. We will keep you updated on their status as more information becomes available, but covered entities and business associates may wish to begin planning now for implementation. While the proposed regulations affect the entire health care industry, some of the items specifically impacting health plan covered entities and their business associates are described below.
1. Individual’s Right to Access PHI. The proposed regulations are intended to increase an individual’s ability to access his or her protected health information (PHI) held in a designated record set. Health plans, and business associates if so delegated, will need to:
- Permit individuals to personally inspect and take notes or pictures of their PHI, free of charge;
- Respond to an individual’s request to access his or her PHI within 15 calendar days (reduced from the current 30 days), with an option for a 15-day extension (reduced from the current 30-day extension);
- Permit individuals to receive electronic PHI free of charge;
- Post estimated fee schedules for PHI access on the health plan’s website; and
- Not impose unreasonable identity verification measures on an individual requesting access to his or her PHI (e.g., by requiring notarization or in-person visits).
2. Health Records. The proposed regulations define the scope of a subset of health information, Electronic Health Records (EHR), and state how EHR are to be used, disclosed and documented. An individual will also have the right to have his or her health plan direct a request to a health care provider for electronic copies of PHI within an EHR.
3. Notice of Privacy Practices. The proposed regulations require new statements in a health plan’s Notice of Privacy Practices (aka Privacy Notice) describing an individual’s rights with respect to his or her PHI.
4. Care Coordination and Case Management. As the culmination of HHS’s Regulatory Sprint to Coordinated Care, the proposed regulations also represent an administrative effort to decrease regulatory impediments to care coordination and case management communications. Accordingly, the proposed regulations clarify that a health plan’s uses and disclosures of PHI for care coordination and case management activities are not limited to population-based activities, but also extend to individual-level care coordination and case management activities. The proposed regulations also add an exception to the Privacy Rule’s “minimum necessary” standard for disclosures and requests of PHI for care coordination and case management activities.
While the proposed regulations have not been finalized, health plans will need to work with their business associates and legal counsel to update their Notices of Privacy Practices, business associate agreements and HIPAA policies and procedures to incorporate the above requirements.
HITECH Act Amendment
Initially passed in 2009, with many provisions taking effect between 2010 and 2013, the HITECH Act modified and expanded many of HIPAA’s Privacy and Security Rule requirements. On January 5, 2021, President Trump signed into law an amendment to the HITECH Act requiring HHS to consider whether a covered entity or business associate has adopted “recognized security practices” when assessing penalties or taking other enforcement action under HIPAA. Unlike the Privacy Rule changes, which are still in the proposal stage, the HITECH Act amendment is effective immediately.
Specifically, the amendment directs HHS to reduce fines, decrease the length of audits, and mitigate settlement remedies for covered entities and business associates that have adopted existing cybersecurity frameworks developed under the National Institute of Standards and Technology (NIST), the approaches under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that are developed, recognized, or promulgated through regulations under other statutory authorities.
With the passage of this amendment, health plans and business associates should re-examine their cybersecurity and risk management processes, policies and procedures to ensure they conform to “recognized security practices.” Many of HIPAA’s Security Rule requirements align closely with NIST’s publications (see, e.g., NIST Special Publication 800-66 rev. 1), so health plans and business associates should already have some familiarity with the NIST framework and may have policies and procedures that were informed by these publications.