By Nadine E. Roddy, J.D.
The department believes such modifications are necessary to facilitate its planned transition to a value-based health care system.
HHS has proposed modifications to the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The proposed modifications address standards that HHS believes may impede the transition to value-based health care by limiting or discouraging care-related communications among individuals and covered entities (Proposed rule, 86 FR 6446, January 21, 2021).
The Privacy Rule is one of several rules that protect the privacy and security of individuals' medical records and other protected health information (PHI). Such information consists of individually identifiable health information that is maintained or transmitted by covered entities, such as health care providers conducting health care transactions electronically, health plans, and health care clearinghouses. The proposed rule would amend provisions of the Privacy Rule that HHS believes have the potential to (1) create barriers to coordinated care and case management, or (2) impose other regulatory burdens without sufficiently compensating for them through privacy protections. These regulatory barriers and burdens could impede the department’s planned transformation of the health care system from one that pays for procedures and services to one of value-based health care that pays for quality care.
Some of the ways in which the Privacy Rule would be amended in order to improve care coordination and case management include:
- modifying provisions on the individuals' right of access to PHI in 11 different ways;
- increasing permissible disclosures of PHI in several ways, including:
  - creating an exception to the "minimum necessary" standard for individual-level care coordination and case management uses and disclosures. The proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider concerning an individual, regardless of whether such activities constituted treatment or health care operations;
  - replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their "professional judgment" with a standard permitting such uses or disclosures based on a covered entity's good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity's good faith, but this presumption could be overcome with evidence of bad faith;
  - expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is "serious and reasonably foreseeable," instead of the current stricter standard which requires a "serious and imminent" threat to health or safety; and
- eliminating the requirement for a direct treatment provider to obtain an individual's written acknowledgment of receipt of a Notice of Privacy Practices.
The department, which delegated the authority to administer HIPAA privacy standards to the Office for Civil Rights, developed many of these proposals after consideration of public responses to its December 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care.