American Academy of Dermatology Association Issues Public Comment on HHS Proposed Rule
* * *
Dermatologists diagnose and treat more than 3,000 diseases, including skin cancer, psoriasis, immunologic diseases and many genetic disorders./1
One in four Americans suffers or will suffer from a skin disease. As dermatologists at the forefront of the fight against skin cancer and treating numerous skin diseases, the Academy recognizes the importance of ensuring the exchange of patients' protected health information (PHI) between and among patients, hospitals, physicians, payers, and other legitimate third parties while reducing unnecessary burdens.
The Academy's health information technology (HIT) policy aligns with the principles and objective of this proposed rule, supporting the need for privacy and security of patients' PHI./2
While we believe the OCR's proposed rule is well intentioned--aiming to expand and enhance patients' access to their PHI, increase the flow of information between and among physicians, health plans, and other legitimate entities as well as reduce administrative burdens on physicians and their patients--we have some general concerns and specific recommendations about the need for proposing these policy changes at the present time.
General Recommendations
While the objectives of this proposed rule are commendable, the Academy remains concerned about some of the proposed provisions that would be challenging for smaller practices to implement and comply with by the proposed deadline. The public health emergency (PHE) caused by novel coronavirus (COVID-19) has had a significant and uneven impact on smaller medical practices. Many are still struggling to survive and overcome economic hardship and disruption; and even then, these smaller medical practices will lag in their recovery given their limited resources and budget. Mindful of these sobering realities, the Academy recommends that the OCR consider:
1. Modifying certain sections of this proposed rule that add technical and administrative complexities as well as cost increases and regulatory burdens on smaller medical practices.
2. As part of any future compliance deadline, delay implementation of (or at least prioritize) proposed provisions so that deadlines are feasible for smaller practices.
3. The timing of this proposed rule comes in the wake of physicians adapting to the compliance demands brought on by the information blocking regulations finalized by the
Therefore, we question the need at this time for another significant regulatory change that would create new unintended consequences and impose additional burdens on physicians and their medical practice despite the best policy intentions of this proposed rule. Any proposal to expand access to information should also include greater compliance flexibility that affords physicians administrative latitude in managing and exchanging PHI while ensuring data privacy.
4. Historically, both the HIPAA Privacy and Security Rules have resulted in widespread misunderstanding and confusion, especially about the use and exchange of PHI. To remedy this, we request that any future final rule provides physicians and their patients with more meaningful guidance based on frequent and real-world scenarios. The Academy calls on the OCR to develop an educational campaign that includes a range of practical resources to assist smaller medical practices in preparing to meet future compliance requirements.
Smaller medical practices are willing to contribute to advancing patient access to health data and improving care coordination. However, this proposed rule, as currently written, will make it more costly and difficult for them to achieve.
Effective and Compliance Dates
The proposed rule, revising the Privacy Rule standards, would require the OCR to finalize and implement a compliance date of 180 days after the effective date of a final rule, with a 240-day follow-on enforcement after the final rule is published.
Before finalizing a compliance deadline, the Academy urges the OCR to carefully factor in when a final implementation deadline would be feasible, especially for smaller medical practices impacted by the COVID-19 PHE and the resultant uncertainty and devastating economic hardship. Assuming this proposed rule is finalized, small and medium-sized medical practices would need additional time to recover from the economic pressures and uncertainties caused by the current public health crisis. We urge the OCR to delay all implementation and enforcement deadlines for these most critically vulnerable medical practices. Small and medium-sized medical practices should be afforded an additional two years to assess cost factors, technology preparedness needs, compliance policies and procedures to help patients with understanding their access rights to their protected health information. Facing such uncertainties, small and medium-sized medical practices are vulnerable to additional administrative and regulatory burdens when treating patients. Any premature deadline will likely harm the physician-patient relationship.
Tangential to this proposed rule is the OIG's proposed enforcement of information blocking by health IT software developers and EHR vendors, and a future rulemaking that would apply to physicians and hospitals./3
Pursuant to this NPRM and in anticipation of a subsequent rule proposal, the OIG indicated that to address the blocking of patient information, it would coordinate and refer such complaints to the appropriate agency (e.g., CMS, ONC, OCR), depending on the nature, details and scope of the investigation for enforcement action and impose appropriate disincentives and fines. For example, the OIG indicated instances where it would conduct interagency consultations when needed to assess any bearing the HIPAA Privacy and Security Rules may have on resolving information blocking claims. Before finalizing any or all provisions of this proposed rule, we urge the OCR to delay this further until the COVID-19 PHE is declared over by the Secretary of the
Strengthening the Access Right To Inspect and Obtain Copies of PHI
The OCR proposes to expand patients' access rights by permitting them to inspect their PHI. Dermatology practices would be required to allow patients to take notes, videos, and photographs, and use other personal resources to view and capture PHI in their medical records, billing records or other designated record sets after arranging a mutually convenient time--including, during a patient's office visit when the PHI is "readily available," (which remains undefined). Dermatology practices would not be permitted to delay the patient's right to inspect their PHI. Dermatology practices, however, would not be required to allow a patient to connect a personal device--such as a thumb drive--to the practice's information systems for patient's PHI inspection to mitigate security risk.
The Academy understands the OCR's intent and goal by proposing to expand the rights of patients to include taking notes, video recordings, taking photos or through other personal means to capture and view their full medical records. As proposed, this requirement represents an impractical overreach and a potential intrusion to the daily workflow of a medical practice. Administrative and clinical staff would struggle to meet any final requirement because of the disruption to clinical space, by trying to accommodate patient inspection compliance obligations. Compliance would result in added operational costs for smaller practices seeking to accommodate patient inspection rights. We urge the OCR to withdraw this proposed expansion of patients' right of inspection for the time being as medical practices in general, and smaller groups in particular, still are coping with the hardships caused by the COVID-19 PHE.
We recommend that the OCR consider the 2017 GAO report on the underutilization of patient portals and the need to optimize this opportunity for patient access./4 Concerns about the underuse, unrecognized value and lingering socio-economic barriers to patient portals serving as a means to access PHI and communicate with physicians need to be addressed./5 Patients' interest in and access to their PHI are better served by promoting optimal use of patient portals rather than requiring practices to overhaul daily clinical and administrative workflows to meet this proposed inspection requirement.
In addition to making a more robust educational push, encouraging patients to adopt, use and optimize their patient portals, the OCR should consider issuing subregulatory guidance in the event this proposed expansion is finalized. In such an event, educational and preparedness guidance should include technical instructions and practical recommendations on how smaller practices would, facing restrictive physical space constraints, limited fiscal budgets, and reduced medical staff personnel, address this new regulatory mandate. In addition and under certain circumstances, the OCR should provide an exemption or waiver to physicians and their small medical practices that do not consent to potentially intrusive and disruptive requests to inspect records. Patients taking pictures of or video recording PHI may create breaches of confidentiality in a busy medical practice where clinical and administrative staff are either scheduling, conducting confidential discussions with other patients about their PHI, or managing functions related to treatment, payment or other healthcare operations. In a small practice with limited space and staffing resources, this potential scenario could result in accidental or incidental breaches that pose an unfair violation risk for small, covered entities. We are concerned that this expanded right would lead to unintended consequences that may undermine the physician-patient relationship, producing harm to the reputation of the medical practice, or worse, resulting in an unfair patient complaint to OCR.
Modifying the Implementation Requirements for Requests for Access and Timely Action in Response to Requests for Access
The OCR proposes to expressly prohibit a dermatology practice from imposing unreasonable measures that would impede a patient's exercise of their right of access. The response time dermatology practices would have under this proposal would be no later than 15 calendar days (less than the current 30 days) with the opportunity for an extension of no more than 15 calendar days (less than the current 30-day extension). Dermatology practices would be required to establish written policies for prioritizing urgent or other high priority access requests (especially those related to health and safety) to help limit the need to use 15 calendar-day extensions for such requests. Regardless of whether the information sought by either the patient or the designated representative is stored on paper or electronically, the 15 calendar days response time would apply.
The Academy broadly supports this proposed provision and urges the OCR not to shorten it under the 15 calendar days response time. While patients should be able to obtain their copies of their medical records in a timely manner, it is also important to factor in that medical practices vary by size and specialty, technical means, as well as human resources. This proposed shortened response time may create additional compliance burdens on smaller medical practices, and we urge the OCR to factor this potential unintended consequence when finalizing this rule.
The Academy recommends that the OCR develop and publish a model urgent request policy for voluntary compliance. In the event of a potential HIPAA investigation related to access of PHI and brought on a patient's complaint, we urge the OCR to account for a medical practice's written urgent request policy as a mitigating factor during an audit.
Addressing the Form of Access
Under the current HIPAA Privacy Rule, patients have the right to request electronic access to their PHI and a dermatology practice must produce a response to a patient's request in the appropriate readable, electronic form and format. This proposed rule seeks to clarify the form and format required for responding to a patient's request for their PHI and would require dermatology practices to inform patients of their rights to obtain or direct copies of their PHI to a third party when a summary of their PHI is offered in lieu of a complete copy.
The Academy appreciates the policy objective of these proposed changes and is a steadfast advocate of patient access to Board-certified dermatologists in treating, managing and diagnosing skin conditions. Moreover, we believe that access to dermatologic care is facilitated through patient access to their PHI, data privacy and information transparency. However, physicians in general should not be placed in a position to inform or educate patients about data privacy and security risks that may result from third-party apps created and made available by software developers or any other entity outside the sanctity of the physician-patient relationship. Rather, the OCR should coordinate its policy goals closely with other HHS agencies, including the ONC, CMS and the OIG to address how patients need to be educated about using third-party software that carries certain data integrity or technical exposure risks. Equally, health IT software developers should be encouraged and incentivized on how to promote trust through their respective patient data sharing technologies. Finally, physicians, especially those in smaller medical practices using EHRs, should not be required to shoulder the burden and cost of implementing API software, especially when patients now have a choice of options to access their medical records. While API technology would benefit the use and exchange of health information, this proposed rule presumes that costs would be both affordable and absorbable without distinguishing between medical practice size and specialties, as well as without carefully assessing potential software upgrades and add-ons that smaller practices would face in actuality.
Addressing the Individual Access Right To Direct Copies of PHI to Third Parties
The OCR proposes to expand a patient's right to request that their physicians transmit an electronic copy of their PHI in an EHR to a third party. The proposed requirement clarifies that requests for PHI to third parties will be limited to electronic copies of PHI (e-PHI), specifically applying to physicians, medical practices and hospitals with EHRs. Dermatology practices would be required to transmit e-PHI to a patient's designated third party when such requests are "clear, conspicuous, and specific"--either orally or in writing (including electronically executed requests). The OCR is proposing to create a pathway for patients to permit and direct the sharing of their e-PHI with other physicians, clinicians and health plans, which would mean that a dermatology practice and health plans would need to comply with this electronic exchange of patient information when requested.
The Academy appreciates the intent of this proposed provision. Nonetheless, we believe this proposal ignores certain real-world realities and risks. Dermatologists and their practice depend on their respective EHR vendors when managing, sharing or communicating PHI to patients and their designated third parties. This technological dependence can sometimes result in situations where a medical practice may incur response delays and unforeseen or unbudgeted costs associated with the EHR vendor needing to update their proprietary software or data format to meet the request to export PHI to third parties. We urge the OCR not to adopt requirements that would unfairly impose financial costs or create risks of breach on physicians for things beyond their control. For example, physicians and their medical practices should not be held accountable or penalized for instances that result from either their own or the patient's third-party health IT vendor where e-PHI is non-transmissible, unreadable, unviewable or inaccessible for reasons that may include but are not limited to: technical disruption or connectivity difficulties through no fault of their own, or either because of the limited capabilities of the practice's EHR vendor that lead to or cause e-PHI submission via an unsecure channel to meet a patient's access request or care coordination timeframe, or where technical problems arise with a patient portal or even a future API. Due to health IT barriers and complexities that may arise from time to time, we urge the OCR not to extend waivers to small medical practices, based on a case-by-case basis and subject to their good faith efforts.
Adjusting Permitted Fees for Access to PHI and ePHI
The proposed rule would further modify the access provision under the Privacy Rule by establishing two types of access to PHI that the dermatology practice must make available to the individual for free: a.) in-person inspections of PHI, which may include recording or copying PHI in a designated record set with the individual's own devices or resources; b.) use of an internet-based method (e.g., a patient portal or a standards-based API) to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity. The second proposed free method of access would align with the Cures Act Final Rule--that health care providers should make electronic health information available through APIs free of charge to patients as well as personal health application developers seeking access through the API on behalf of the patient. The Cures Act Final Rule prohibits developers of certified APIs from charging fees to personal health application developers to access the certified API.
While the AAD/A appreciates the intent of this proposed provision--specifying when PHI must be provided to patients at no charge and revising the fee structure governing permissible charges when responding to third party request for patient's PHI--we generally oppose mandating that dermatology practices be required to charge specific fees for copies of medical records under specific scenarios or, alternatively, prohibit any medical practices from charging for the cost of producing copies of medical records. Moreover, the OCR should recognize the difference between facilitating access to a patient's particular health information as distinguished from charging a third party any applicable and permissible fees for covering medical record production costs.
We agree, however, that part of the physician-patient relationship includes the imperative of ensuring that patients have timely access to care and are able to obtain, share and exchange their PHI with their physician(s) as needed. Notwithstanding, physicians not only have a care responsibility to their patients, they also must be able to address and balance the daily pressures incurred from the business demands of running a medical practice, without which patient access to care would be curtailed.
Notice of Access and Authorization Fees
The OCR proposes to require dermatology practices to provide advance notice of approximate fees for copies of PHI requested under the access right and with a patient's valid authorization. Dermatology practices would be required to post a fee schedule on their website and make the fee schedule available to individuals at the point of service; upon a patient's request, a dermatology practice would also be required to provide individualized fee estimates for any patient's request for copies of PHI, along with itemized bills for completed requests. Patients' request for a fee estimate would not automatically extend the time permitted for the covered entity to provide copies of PHI under the right of access.
While on the surface this proposed disclosure and cost estimate requirement would appear reasonable for medical practices to meet, nevertheless it raises concerns about potential unintended pitfalls. This "notice of access and authorization fees" proposed revision would represent another administrative obligation for medical practices to comply with, and since it is often difficult or impossible to have advance knowledge of what fulfilling a patient's record request would involve, we believe that it would be premature to create compliance consequences with respect to failing to fully estimate the final and actual fees associated with producing and sharing PHI copies with patients. We urge OCR to adopt a more flexible approach that would give medical practices the option to inform the patient, their representative or other requestors, of a potential and justifiable higher cost of producing and sharing PHI regardless of the original, good faith estimate and within the legally allowable fee charges. We recommend that OCR withdraw this proposal as currently written, and instead adopt a more flexible course for compliance that would better minimize penalty risks for medical practices.
Reducing Identity Verification Burden for Individuals Exercising the Right of Access
The OCR proposes to prohibit dermatology practices from imposing "unreasonable measures" when verifying a patient's rights to access PHI or other rights under the Privacy Rule. Such measures would involve causing a patient to expend unnecessary effort or resources when a less burdensome verification measure is practicable for the dermatology practice. "Unreasonable measure" is defined as one causing a patient to expend unnecessary effort or resources when a less burdensome verification measure is practicable for the dermatology practice. A dermatology practice, for example, would be permitted to require patients to complete a standard form containing the information the practice needs to process the request (a.) requiring a patient to provide proof of identity in person when a method for remote verification is practicable for the dermatology practice and more convenient for the patient, or b.) requiring a patient to obtain notarization of their signature on a written request).
The Academy also supports this proposed provision and agrees that verifying patients' identification should not involve unreasonable hurdles for patients accessing their health information. We also agree that any method of patient verification should be deferred to the medical practice's judgement and discretion (for example, any form of valid government ID) rather than requiring any particular method of verification, provided that patients do not incur barriers or unreasonable delay when seeking to obtain access to their PHI. If finalized, this provision would represent a meaningful and practical opportunity for OCR to educate both medical practices and patients about this right of access under the Privacy Rule.
Eliminating Notice of Privacy Practices Requirements Related to Obtaining Written Acknowledgment of Receipt, Establishing an Individual Right To Discuss the NPP With a Designated Person, Modifying the NPP Content Requirements, and Adding an Optional Element
Under the current Privacy Rule, dermatology practices are required to provide patients with a Notice of Privacy Practices (NPP) during their first office visit, with a good faith effort to obtain the patient's written acknowledgment of receipt of the NPP and documentation of this requirement being retained for six years. The proposed rule would eliminate the current written acknowledgement requirement, along with the associated six-year record retention obligation, replacing it through proposed changes to the actual content of the NPP form and clarifying new patient's rights of access to their health information through additional protocol methods and administrative processes.
The Academy welcomes and supports this proposal to eliminate the compliance requirement for patients to acknowledge and sign a receipt, from their dermatologists, of the Notice of Privacy Practices (NPP), and for removing the recordkeeping compliance obligation for medical practices to retain said, signed acknowledgment form and retain it in the patient's records for six years. We are encouraged that this proposed alleviation from routine compliance requirements will deliver further administrative burden relief, leading to cost savings and staff time in other opportunity costs consistent with of dermatologic care delivery.
Based on and consistent with past patient misunderstanding of the NPP compliance procedure, we recommend that the OCR adopt more meaningful and practical ways to educate patients and medical practices with respect to the proposed changes to the NPP compliance procedure. On the one hand, any future NPP revisions should be made readily available to patients online; however, patients should be expected to be educated and understand their full rights and responsibilities with accessing, using, or sharing their PHI, and equally know the nexus of other covered entities when conducting treatment, payment or other health care operations, especially as health care, value-based delivery models evolve. To improve patient education and understanding of their "HIPAA rights", it would be beneficial to revise, streamline and simplify the model NPP form to a one-page resource that would better explain the privacy rights and compliance practices.
Permitting Disclosures for Telecommunications Relay Services for People Who are Deaf, Hard of Hearing, or Deaf-Blind, or Who Have a Speech Disability
The rule proposes to exclude Telecommunications Relay Service (TRS) from being included as a "Business Associate", eliminating the need for dermatology practices to formalize such agreements with third-party companies that provide translations/interpretive services between hearing-impaired/other patients needing assistance by telephone with their physicians to relay care needs. The proposed changes would mean that TRS assistants would be privileged and have access to patients' PHI to then facilitate physician-patient communications. For dermatologists using TRS companies, this means one less BA compliance arrangement to formalize.
The Academy recognizes and appreciates the critical, auxiliary role that communications assistants play across the health care spectrum by providing patients access to their clinicians. We welcome this proposal and support the goal of expressly permitting disclosures to Telecommunications Relay Service (TRS) facilitators and agree with the proposed modification of the definition of business associate that would exclude these intermediaries as business associates. This welcomed proposed change would, if finalized, represent another administrative burden that would be removed from the physician-patient relationship, and that would ease and enhance patient access to smaller dermatology practices.
The Academy welcomes due consideration of its recommendations and appreciates the OCR's efforts to attempt to balance the complexities of this proposed rule while avoiding unintentional harm to the physician-patient relationship and allowing patients to continue to access their PHI. We look forward to additional opportunities to provide feedback that may help guide policy development. Please contact
Sincerely,
President
CC:
* * *
Footnotes:
1/ The Academy's Burden of Skin Disease briefs are a set of informational resources that capture the scope and importance of various skin conditions and can be accessed at https://www.aad.org/about/burden-of-skin-disease/burden-of-skin-disease-briefs.
2/ Position Statement on Health Information Technology.
4/ GAO-17-305: Health Information Technology: HHS Should Assess the Effectiveness of Its Efforts to Enhance Patient Access to and Use of Electronic Health Information, Published:
5/ Anthony, Denise, Campos-Castillo, Celeste, Lim, Paulina. Who Isn't Using Patient Portals And Why? Evidence And Implications From A National Sample Of US Adults. Health Affairs. 2018. https://pubmed.ncbi.nlm.nih.gov/30633673/
* * *
The proposed rule can be viewed at: https://www.regulations.gov/document/HHS-OCR-2021-0006-0001
TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact