The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the agency that enforces the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is the latest federal agency to jump on the HHS rulemaking bandwagon, issuing a Notice of Proposed Rulemaking (NPRM) on December 10, 2020. The NPRM proposes pivotal changes to key standards, definitions, and patient rights under the HIPAA Privacy Rule, which are geared toward promoting care coordination and value-based care and empowering patients with greater access to their health information.

As we recently flagged, even amidst the chaos of a global pandemic, multiple HHS agencies, including the Office of the National Coordinator for Health Information Technology (ONC), the Centers for Medicare & Medicaid Services (CMS), and most recently, CMS and OIG, have focused their attention in 2020 on facilitating and enforcing patients’ rights to access their health information, encouraging interoperability among health information technology (IT) systems, prohibiting information blocking by key health industry stakeholders such as health care providers and health IT developers, and promoting value-based care. OCR’s NPRM is no different.

Most notably, the NPRM –

  • Shortens response time for patient health record requests from 30 days to 15 days (with a 15-day extension under limited circumstances).
  • Reduces identity verification burdens on patients (or their personal representatives) exercising a right under the Privacy Rule.
  • Amends the definition of health care operations to permit disclosure of patient information for care coordination and case management activities, whether population-based or focused on particular individuals.
  • Clarifies the minimum necessary standard with respect to care coordination and case management activities.
  • Removes antiquated elements of Notice of Privacy Practices (NPP) requirements.
  • Amends the permissible fee structure for responding to patient health record requests and requires covered entities to post estimated fees on their website for access and for disclosures with a patient’s authorization.
  • Clarifies and facilitates family and caregiver involvement in the care of individuals experiencing emergencies or health crises.

If finalized, these proposals will require HIPAA-regulated entities to update their policies and procedures that impact daily business operations, train workforce members on updated processes, revise their Notice of Privacy Practices, renegotiate business associate agreements (BAAs) to comply with the new requirements, and coordinate compliance with the conglomerate of overlapping privacy, interoperability, information blocking, patient access, and value-based regulatory frameworks – each of which is actively transforming the way in which the health care industry shares patient information.

Further Reed Smith analysis on the NPRM is forthcoming, particularly with respect to the implications of the proposed changes on the value-based rulemakings and the new interoperability, information blocking, and patient access rules.