Health Information Compliance Alert

New Notice Aims to Modify Right of Access

See proposed response-time updates.

Last month, the Department of Health and Human Services (HHS) released a policy proposal focused on updating various parts of the HIPAA Privacy Rule — including adjustments to patients’ access to their protected health information (PHI).

Context: On Dec. 10, 2020, HHS issued a notice of proposed rulemaking (NPRM) that centers on aligning HIPAA with patient-centered, value-based care. The NPRM addresses previous proposals outlined under HHS’ Regulatory Sprint to Coordinated Care agenda. According to the notice, “the Department, which delegated the authority to administer HIPAA privacy standards to the Office for Civil Rights (OCR), developed many of the proposals contained in this NPRM after careful consideration of public input received in response to the Department’s December 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (2018 RFI).”

“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” maintains HHS Secretary Alex Azar in a release. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”

Among the agency’s top proposals are several that highlight the importance of patients’ rights to be part of their health journeys and expand on Right of Access policies. Take a look at the following NPRM proposals that address Right of Access:

  • HHS wants to cut covered entities (CEs) response time for records’ requests from 30 calendar days to 15.
  • The NPRM offers a more in-depth definition of what “readily producible” forms and formats would look like for patients’ requests. “The proposed modifications would clarify that ‘readily producible’ includes secure, standards-based APIs using applications chosen by the individuals, such as a ‘personal health application,’” explain attorneys at Foley & Lardner LLP in online legal analysis. “Individuals would also have the right to take notes, videos, and photographs, or use other personal resources to view or capture PHI in person,” the Foley lawyers expound.
  • HHS wants to reorganize the fee rules for Right of Access. Proposal highlights include free access for patients to inspect and obtain their PHI in person or via the internet, amend third-party fee structures for labor and such, post fee schedules online for review, and offer fee estimates when applicable.
  • “The right of an individual to direct the transmission of electronic copies of PHI in an EHR to a third party is established by the HITECH Act and interpreted by the Ciox v. Azar decision to apply only to PHI in an EHR. The proposed rule would codify the Ciox v. Azar limits into regulatory text at 45 CFR 164.524(d),” the NPRM notes.
  • According to the notice, the agency seeks to get rid of “unreasonable barriers” to individuals’ access. The NPRM points to “unreasonable identity verification” such as CEs’ notarization or written form requirements for patients’ to get their health records.

Stay tuned: HHS does not offer a publication date but will accept public comments for 60 days on the NPRM in the Federal Register. Health Information Compliance Alert will delve into other proposals in future issues.

Resources: Read the notice at www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf and review the HHS release at www.hhs.gov/about/news/2020/12/10/hhs-proposes-modifications-hipaa-privacy-rule-empower-patients-improve-coordinated-care-reduce-regulatory-burdens.html.