Unpacking the proposed HIPAA Privacy Rule modifications

Only a month into 2021, and U.S. privacy professionals are already trying to keep up with fast-moving legislative developments and other privacy initiatives. The whirlwind of action spans the privacy space, including some potential movement in the health care industry on the Health Insurance Portability and Accountability Act.

The U.S. Department of Health and Human Services' Office for Civil Rights announced Dec. 10, 2020, that a Notice of Proposed Rulemaking had been drafted to modify provisions of the HIPAA Privacy Rule. The status of those proposals, which focus on patients' right of access and enhanced information sharing, was largely unknown while the NPRM remained unpublished in the Federal Register during the final weeks of former President Donald Trump's administration. The proposals were finally published in the register Jan. 21, but President Joe Biden had ordered a regulatory freeze the day prior, bringing further uncertainty about whether the proposals will remain.

"I assume at some level it's just a case of 'We did the work so we may as well take the next step,'" WilmerHale Partner Kirk Nahra, CIPP/US, said. "It was clear to me that (OCR) knew what the problem was, but had no idea how to fix it. They've worked to figure out what to do about it, but it just took them too long. There's still no downside to getting your message out."

Some aspects of the reform process will proceed despite the lack of clarity on the proposals' fate under the Biden administration. The Federal Register indicates the 60-day public comment period for the proposals is ongoing through March 22.

Early reactions from health care privacy pros vary, but many agree the proposals were hardly the final product of some quick judgments and analysis from Trump's OCR team.

"A lot of what's in here reflects the thinking of the office over a number of years," said Ciitizen Chief Regulatory Officer Deven McGraw, who served as OCR Deputy Director of Health Information Privacy from July 2015 to October 2017. "It's not necessarily an attempt at a last-ditch effort to make a major law change for political reasons."


Right of access
Streamlining patients' access to their health records has been a goal of OCR for some time. Shortening the timeline to obtain access to records from 30 days to 15, prohibiting "unreasonable identity verification measures" as a condition of access and simplifying the facilitation of requests to share records with third parties are the big changes on access outlined in the proposal.

"They're designed to facilitate patient access and they seem to be useful. I'm sure some industry folks object to some of them, but I don’t think it’s going to be a heavy lift," Nahra said. "They're not particularly controversial. I don’t know that the next administration would object to anything at all."

Boosting patient rights looks simple enough on paper, but actually enabling better access won't be an easy process. Potentially the most challenging of the changes is the reduced timeframe to supply access, which applies to both paper and digital health records.

"We've got this kind of disconnect where OCR is hanging on to this concept of the HIPAA Privacy Rule as applying equally regardless of the information's format," McGraw said.

Johns Hopkins Health System Regional Deputy Privacy Officer Joyce Yeager, CIPP/US, CIPM, CIPT, FIP, is skeptical about new rules on how providers are expected to act on patient requests to disclose data to other entities or third parties. Per the proposed rule, the provider has 15 days to process requests and then another 15 to fetch the requested records. However, Yeager said patients "often don't have the correct name of their former provider or know where they are located, or they remember the name incorrectly," which may result in processing delays. Additionally, the proposals on these requests don't make clear the obligations of the provider as far as distributing and holding records.

"Patients may expect all their providers to play this role with every provider holding every record," Yeager said. "This customer service process is not really contemplated in the current regulations. In fact, other provisions of the proposed regulation focus on the fact that the covered entity should use minimum necessary information except when providing treatment or coordinating care. It is unclear how collecting personal health information for someone who may not become a patient is consistent with the current standard or the proposed revisions to the minimum necessary standard."


Beyond timeframes, McGraw noted the tangled nature of the approach to third-party disclosures within the proposal could be problematic.

"What do they do with the ability for individuals to get their information using an app or a service versus when that app is really a third party?" McGraw said. "There are big differences within the HIPAA provisions, especially with a response to patients being mandatory while responding to a third party is discretionary. The rule gets complicated as they try to wind through this maze of circumstances."

Information sharing
While moves on the right of access are aimed to empower patients, OCR's proposed information sharing may compromise its balance between patient privacy interests and a functional health system.

When the modifications were unveiled, HHS Deputy Secretary Eric Hargan noted the proposed sharing rules "reduce the burden on providers and support new ways for them to innovate and coordinate care on behalf of patients." This initiative includes, among other things, new permissions for providers to supply personal health information without patient consent for services related to care coordination and case management, as well as further empowering providers to share data under "good faith belief" rather than an "exercise of professional judgment."

"They're all perfectly legitimate goals, but whether impediments within the HIPAA rules are in fact relevant to the inhibiting achievement of those goals is very much an open question," Nahra said. "They believe that health care providers, in particular, don't share enough because they’re nervous about HIPAA penalties. I don't know if that's true really. For example, I'm not sure a doctor not sharing information in connection with the opioid crisis is a fear of penalties as much as it is that they just don’t think they should share."

The disclosures potentially create a new tension between providers and their patients. Despite the benefits that may stem from this sharing, patients may ultimately prefer to have the information kept private. The scenario raises the question: Does a patient get to decide what's in their best interest or does the provider?

"I’m anticipating patients and patient advocates won't be on board with some of these," Hintze Law Partner Sheila Sokolowski said, noting OCR has already acknowledged potential discrepancies. "There's potential for more changes there, but the question I think is whether they've gone beyond what patients deem appropriate. Is it necessary to take away what’s essentially a patient’s right to object to allow these disclosures to happen?"

Springboard to expanded reform?
Regardless of what the Biden administration does with the proposals, the drafting resurfaces the question of whether HIPAA needs an overhaul. With this particular effort, though, McGraw expected more in terms of what was addressed and what could have been looked at.

"You don't get very many opportunities as a regulator to do a re-think and update your regulations to meet the demands of a modern era and I feel like OCR missed its chance here," McGraw said. "They took care of some stuff in this proposal, but there are so many other ways they could’ve modernized HIPAA and they just didn’t do it."

Then there's the question of whether HIPAA needs to be updated at all. Nahra is of the mind that the law continues to work as currently constituted when it remains focused on its intended scope.

"The problems that people talk about are things that aren't covered by HIPAA. We’re talking about Fitbits, a mobile app and things like that, and there's nothing a regulator can do to fix that," Nahra said. "These proposals are modest tweaks to the existing system, so I’m not sure there’s a next step."

Sokolowski also leans toward the current version of HIPAA remaining workable so long as it's applied to its original targets.

"It was enacted in a world where the classic business associate was a billing company and now we're in a world of laptops that store millions and millions of records, apps and all sorts of data. This is a world HIPAA did not foresee," Sokolowski said. "For all that, I think it works OK. You recognize certain limitations, but it works decent enough, so I don't see this massive overhaul as an option."
