Buckle Up for Big Regulatory Shifts for HIPAA, HITECH, OCR, & CMS
Published On December 18, 2020
Blog Post by Brian Selfridge, Partner at Meditology Services
New regulations and enforcement have healthcare organizations scrambling to maintain compliance
The era of highly digitized healthcare is upon us. However, there remain multiple obstacles on the patient information superhighway that have been preventing health information transmission from reaching top speeds. That is all about to change due to a fleet of new regulations introduced for HIPAA, HITECH, OCR, and CMS that are scheduled to go into effect in 2021.
Recent regulatory updates have been announced that are designed to side-step and remove several obstacles that have been impeding the sharing of patient information across the continuum of care. One obstacle is competing healthcare delivery organizations and competing vendors that service the healthcare industry (e.g. EHR vendors) that have been reluctant to share patient information with one another. Another obstacle has been HIPAA and CMS regulatory red tape and disincentives, real or sometimes perceived, that have stifled the sharing of patient records.
We saw this trend of increased interoperability begin in earnest with the 21st Century Cures Act (see our related blog post and webinar replay) and we now see it continuing with big changes for HIPAA, HITECH, OCR enforcement, and CMS requirements. This blog summarizes each of the new regulations and enforcement updates and the potential impact to healthcare security and privacy programs.
HIPAA Privacy & OCR Proposed Rule Changes
OCR announced proposed modifications to the HIPAA Privacy Rule on December 10, 2020. The changes are designed to strengthen individuals right to access their own information, improve care coordination and case management, facilitate family and caregiver access during emergencies, and provide more flexibility for disclosures during emergencies.
The Secretary of Health and Human Services was quoted in the proposed rule saying, “These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination.”
Specifically, the rule changes proposed the following adjustments (note: this is a summary only, the full proposed rule is available on OCR’s website in its complete 357-page format).
- Modifying provisions on the individuals’ right of access to PHI. Specifically through:
- Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI
- Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days)
- Clarifying the form and format required for responding to individuals’ requests for their PHI
- Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy
- Reducing the identity verification burden on individuals exercising their access rights
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR
- Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access
- Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR
- Specifying when electronic PHI (ePHI) must be provided to the individual at no charge
- Amending the permissible fee structure for responding to requests to direct records to a third party
- Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests
- Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations
- Creating an exception to the “minimum necessary” standard for individual level care coordination and case management uses and disclosures
- Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers
- Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual
- Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety
- Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP)
- Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights
- Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deafblind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers
- Expanding the Armed Forces permission to use or disclose PHI to all uniformed services
Analysis of the Proposed Privacy Rule Changes
The implementation of the new rule and discussion of the proposed changes is still very much in flux. Here are some initial impressions of the impact of these new requirements on the privacy and security programs for healthcare entities:
- There is a 60-day review and comment period that started on December 10, 2020; healthcare privacy and security leaders will need to dig though the regulation and submit feedback to OCR early in the new year
- Compliance with the new rules is required within 180 days, so expect a busy second quarter into the summer as healthcare entities need to be poised to implement policies and procedures in alignment with the new changes in the first half of 2021
- OCR enforcement activity begins 240 days after the rules are finalized; there is little margin of error in time to wait to start updating related processes and policies
- The removal of the requirement to have patients sign a written acknowledgement of the NPP is a change that has been rumored for some time. We believe this is a welcome adjustment, as the requirement for patients to sign the NPP has been perceived to add administrative burden with only marginal benefit to the patient
- The exception for sharing information “during emergencies” may introduce too broad a “loophole” and could adversely impact patient privacy if not properly handled. The examples the cite are COVID-19 and the opioid crisis; this is a very large segment of the population that may fall into such an exception. However, OCR has historically been good at threading the needle with exceptions and making sure they are narrow enough to avoid abuse. We also need to be careful about making permanent rule changes that are designed to address a pandemic that is a point-in-time event.
- Reducing the time to provide patients with their records from 30 to 15 days is also a welcome change. We still see some organizations struggling and getting fined over the timing of patient access to records, including the recent case where the University of Cincinnati Medical Center took over 6 months plus legal discovery before a patient was able to get a copy of their record.
- Reducing the identify verification requirements prior to providing access to records is designed to ease access to records, however, we need to watch closely that this doesn’t apply too widely into electronic formats and requests, which could enable fraud and unauthorized access to electronic records if not implemented properly
CMS Proposed Rule Changes
CMS has also proposed a rule change designed to improve interoperability and the exchange of patient information. According to CMS, the rule “emphasizes improving health information exchange and achieving appropriate and necessary access to complete health records for patients, providers, and payers, while simultaneously reducing payer, provider, and patient burden by improving prior authorization processes, and helping to ensure that patients remain at the center of their own care.”
The rule applies to Medicaid and CHIP managed care plans and includes the following high-level components (note: this is a summary only and the full 347-page proposed rule change is available on the CMS website):
- Patient Access API – requires payers to implement patient API’s that are aligned with HL7’s FHIR standard including related security controls (see our webinar replay from our joint presentation with HHS to learn more about this model). The API would also have to support sharing patients’ prior authorizations and require payers to maintain an attestation from third-party privacy protections.
- Provider Access API – providers will also be required to maintain APIs for communication of patient information with providers to share claims data, USCDI data, and authorization details.
- Documentation and Prior Authorization – the proposed change notes the unintended consequences of additional administrative burden for payers, providers, and patients associated with managing authorization requirements. The changes are designed to alleviate much of these administrative burdens through the implementation of technology automation to track and share authorizations.
- Payer to Payer Data Exchange (Using FHIR Standards) – CMS is augmenting its existing requirements for payer to payer data exchange to include requirements for aligning with HL7’s FHIR standard and protocols.
- Adoption of Health IT Standards – recommended implementation specifications are being proposed in support of a nationwide health information technology infrastructure.
Comments on the proposed rule are being accepted through January 4, 2021.
HITECH Proposed Changes for Adoption of Security Standards (e.g. HITRUST, NIST)
A proposed bill in the House (HR 7898) would require the Department of Health and Human Services to recognize and promote best practice security for meeting HIPAA requirements. Specifically, the bill is designed “To amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes.”
In more plain terms, the law would incentivize business associates to adopt industry best practices like HITRUST CSF certifications and NIST CSF standards. This would shift incentives for third parties to adopt certifications and best practices primarily to address contractual requirements and risk management objectives; organizations would also now have regulatory enforcement relief and potentially some degree of safe harbor from fines if they adopt these practices.
We will continue to monitor each of the momentous rule changes as they unfold. We are available to help support your team in interpreting these requirements and implementing policies and procedures to maintain compliance in the new year.