American Association for Justice Issues Public Comment on HHS Proposed Rule

WASHINGTON, June 28 -- Tobias L. Millrood, president of the American Association for Justice, has issued a public comment on the Department of Health and Human Services proposed rule entitled "Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement". The comment was written on May 6, 2021, and posted on June 24, 2021:

* * *

The American Association for Justice (AAJ), formerly the Association of Trial Lawyers of America (ATLA), submits its response to the Department of Health and Human Services, Office of Civil Rights (OCR) January 21, 2021 notice of proposed rulemaking (NPRM) to increase patient privacy and access rights for protected healthcare information (PHI)./1

AAJ, with members in the United States, Canada, and abroad, is the world's largest trial bar. It was established in 1946 to safeguard victims' rights and strengthen the civil justice system. AAJ members represent patients that rely upon prompt access to accurate and complete medical records to make informed healthcare choices and seek accountability for medical harms.

AAJ commends OCR's efforts to strengthen patient access rights and increase quality of care. Many of the proposals in the NPRM will achieve this goal to promote effective delivery of coordinated, value-based treatment. Still, there are some NPRM proposals that deter from that stated goal. More specifically, the NPRM should not allow covered entities to limit access to certain types of PHI with an added assumption of good faith compliance with federal access and privacy laws. Clarifications should also be made to covered entity requirements to "act" following a PHI request, as well as set policies and procedures surrounding oral requests by the patient or their designee. With these recommended additions to the NPRM, AAJ supports moving forward to finalize this rulemaking.

I. Positive Proposals that Increase Patient Access to PHI and Promote Privacy.

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule), under the umbrella of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), are rules that protect the privacy and security of individuals' medical records and other PHI. OCR's NPRM contains numerous modifications to the Privacy Rule that would increase privacy rights for patients and limit burdens on access to PHI. Specifically, the following provisions are important additions that AAJ supports:

* Strengthened right of access, inspection, and ability to obtain PHI in the form and format designated by the individual;/2

* Requiring access to PHI requests "as soon as practicable," but no later than 15 calendar days after receipt of request with the possibility of one 15 calendar-day extension;/3

* Prohibiting unreasonable identity verification measures for PHI requests;/4 and

* Requiring transparent online price notices and fee schedules for all PHI requests at the point of service, including individualized cost estimates upon request.

Finalizing these standards will increase quality of care. It will also provide patients with enhanced access rights to medical records that can help determine theories of liability when injuries or death occur due to medical negligence.

II. Negative Proposals that Limit Access Rights and Increase Regulatory Burdens.

The Privacy Rule, incorporated within HIPAA, the HITECH Act, and the 21st Century Cures Act, are a set of laws that increase obligations on covered entities to utilize technologies that promote patient access to medical records, while also emphasizing privacy and interoperability. The Privacy Rule encourages covered entity compliance and prioritization of patient medical record access with enforceable standards that increase quality of care. These obligations flow not only to patient access rights, but also to patient third party designations to individuals such as their attorney of record. To that end, provisions of the NPRM that are not patient-focused should be amended to adequately reflect the spirit of the Privacy Rule.

A. OCR Should Include Indirect Treatment Relationship Information in its Definition of an "Electronic Health Record."

The Privacy Rule does not define the term "electronic health record" for purposes of access rights and covered entity duties. OCR therefore proposes to define an "electronic health record" as: An electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff. Such clinicians shall include, but are not limited to, health care providers that have a direct treatment relationship with individuals, as defined at Sec. 164.501, such as physicians, nurses, pharmacists, and other allied health professionals. For purposes of this paragraph, "health-related information on an individual" covers the same scope of information as the term "individually identifiable health information" as defined at Sec. 160.103./5

(Emphasis Added.)

A "direct treatment relationship" is a "treatment relationship between an individual and a health care provider that is not an indirect treatment relationship."/6

(Emphasis added.) An "indirect treatment relationship" is health care provided treatment "based on the orders of another health care provider" that typically "provides services or products, or reports the diagnosis or results associated with healthcare."/7

Put altogether, OCR proposes to limit the definition of an electronic health record to exclude treatment records that a patient's provider recommends outside and in addition to current treatment, regardless of whether the patient's provider has direct access to such records. If finalized, this change would exclude important and relevant records from third-party pathologists, lab testing, therapists, and many others. For example, often a treating provider will require a patient to undergo physical therapy from an outpatient facility while still under the care of the treating provider. Records that are compiled by the physical therapist would be considered "indirect treatment records" and outside the scope of an electronic health record, even if the treating provider regularly receives access to those records for purposes of evaluating further treatment.

Excluding relevant records that are in the control of a provider, whether directly or indirectly, would be contrary to the Privacy Rule and would increase regulatory burdens on covered entities. For example, OCR purposes to define an electronic health record as one that "covers the same scope of information as the term 'individually identifiable health information' as defined in 160.103."/8

Individually identifiable health information (IIHI) is a "subset of information," created or received by the provider, that includes, and is related to, the physical OR mental health of the individual; OR the provision of healthcare; OR the payment for provision of healthcare./9

(Emphasis added.) In summary, if the record is electronic and is created by a health care provider, it is part of the electronic health record under the definition of IIHI.

Confusingly, OCR's proposed definition would both include and exclude this information from electronic health records. Despite being equivocal for purposes of the definition, an "electronic health record," which only requires direct treatment relationships, and "health-related information on an individual," which would include indirect treatment relationships, causes a direct conflict in interpretation. This conflation would lead to increased regulatory burdens on covered entities and patients.

Major issues arise from incomplete and inaccurate medical records, potentially leading to significant medical errors. Maintaining a record with integrity is essential to providing safe patient care, assuring accurate billing, and increasing quality assurance reviews. It is also essential to patients to better understand medical treatment choices and any intervening factors which led to care decisions. Since OCR is attempting to limit regulatory burdens on covered entities and patients, clarifications should be made to ensure that all relevant direct and indirect treatment records are inclusive within the definition of an electronic health record. Without this critical information, records will be incomplete and inaccurate.

B. OCR Should Not Assume Good Faith Compliance with HIPAA Access Rights.

OCR proposes to apply a presumption of compliance when a covered entity makes a disclosure based upon a good faith belief that the disclosure is in the best interest of the patient./10

The presumption of compliance could only be overcome by a showing by a patient that the covered entity acted in bad faith./11

OCR believes that this change will improve treatment and recovery outcomes, especially in those who are suffering from substance use disorders.

While attempting to improve outcomes for substance use disorders is a laudable goal, broadly providing covered entities with a presumption of good faith compliance for all access rules would place unnecessary burdens on patients that access their PHI. This assumption would allow covered entities to avoid compliance by placing burdens on patients to prove on a case-by-case basis that an entity is acting in bad faith. Indeed, covered facilities already engage in bad faith by denying patient requests for records or by charging exorbitant fees when a patient exercises their right to send PHI to a third-party designee./12

By codifying a provision that assumes good faith, covered entities will use new carve-outs or attempt to employ ambiguous interpretations of the Privacy Rule to limit patient access or to charge excessive fees for record requests.

An assumption of good faith will also limit enforcement by requiring an entirely new analysis of what constitutes bad faith. Although OCR's purpose is to encourage better care coordination for substance-abuse disorder and other similar treatments, the current language could make enforcement of the Privacy Rule difficult when covered entities provide incorrect estimates for access fees or authorization requests, especially to other designated third parties./13

For these reasons, OCR should not finalize the NPRM with this assumption because it will conflict with the agency's intent to "broaden the circumstances in which covered entities will use or disclose PHI in order to help address the needs of individuals."/14

C. Only Requiring an "Act" Within 15 Days for Access Requests is Inadequate.

OCR argues and concludes that covered entities must "provide copies" of PHI to a patient or the patient's designee within 15-calendar days following a request./15

OCR further clarifies that any discussions between the covered entity and the individual during that 15-day window will not extend the time limit for providing access./16

While AAJ supports OCR's intention to provide quicker access to PHI, its proposed regulatory language will not reflect the Department's goal.

Specifically, OCR would amend current law to require that a "covered entity must act on a request for access as soon as practicable, but no later than 15 calendar days after receipt of the request."/17

(Emphasis added.) The proposed regulatory language does not fix existing access issues because covered entities currently interpret the word "act" to only require initial review of the request or beginning to assemble patient records within the 15-day period. Put another way, the current proposed language would not be interpreted to align with OCR's clear intention to require actual delivery of PHI within the 15-calendar day period.

To fix this issue, and the broader issue with access to records, OCR should amend 45 CFR Sec. 164.524(b)(2)(i) to clarify OCR's clear intention for an actual transfer of accurate and complete PHI within the 15-calendar day period, with the possibility of one extension if a covered entity can demonstrate a reasonable need. AAJ additionally recommends that OCR require covered entities to submit relevant PHI no later than five business days before any scheduled court hearing or other similar legal event. These changes will better align with current state and federal access requirements and will avoid mischaracterization of covered entity's Privacy Rule access duties./18

D. OCR Should Require Covered Entities to Properly Document PHI Oral Requests.

OCR proposes to permit patient record requests to direct an electronic copy of PHI to a designated third party either orally or in writing./19

This proposal would replace current burdensome requirements that mandate strict writing and signature standards for all patient requests./20

While removing some of the burdens associated with requesting PHI is admirable, special care must be taken to ensure that oral record requests are adequately noted in a patient record by covered entities, or their representatives, who respond to such requests. Without adequate notation, there may be incomplete information regarding whether oral requests met "clear and conspicuous" PHI access standards, that patients arbitrarily missed a request deadline, or that a full and complete request was never officially made.

To fix this issue, OCR should require all oral requests to be entered into a patient's medical record with indications of the date, time, and nature of each request. Also included should be the title of the representative acting on behalf of the covered entity to certify that all information notated is accurate. This will ensure that both covered entities and patients understand exactly what was requested and when, limiting burdens on covered entity duties and patient access rights.

III. Conclusion.

In its NPRM, OCR seeks to empower patients to receive increased access rights to their full and complete PHI. With AAJ's recommendations, the NPRM will increase quality of patient care and promote effective delivery of coordinated, value-based health care. If you have any other questions or comments, please contact Susan Steinman at [email protected] or Brian McMillan at [email protected].

Sincerely,

Tobias L. Millrood

President

American Association for Justice

* * *

Footnotes:

1/ 86 FR 6446

2/ While AAJ agrees and supports this policy, it also believes that copies of medical records requested by a patient to a third-party designee should include both electronic and paper records in the form and format requested by the patient. OCR proposed fee schedules should also accurately reflect that covered entities may only charge a reasonable, cost-based fee for electronic or paper copies. Finally, requests for copies of medical records where the individual is unable to pay should never lead to a denial simply because the patient is indigent.

3/ While AAJ agrees and supports this policy, edits to regulatory text should ensure access to PHI is acquired within the 15-day period, consistent with OCR's stated goals.

4/ While AAJ agrees and supports this policy, requirements to repeatedly and frequently update identity verification measures should also be added to the scope of "unreasonable verification measures."

5/ 86 FR at 6456

6/ 45 CFR Sec. 164.501

7/ Id.

8/ 86 FR at 6456

9/ 45 CFR Sec. 160.103

10/ 86 FR at 6502

11/ Id.

12/ See, e.g., Webber v. Bactes Imagine Solutions, Inc, Case No.: 2D18--2964; 2D18--4813 (Fla. 2d DCA, January 15, 2020)

13/ For example, under interpretation of the proposed rule, a covered entity may prevent reasonable access, both in administration of records and cost, to PHI to a family member legal guardian of an incapacitated individual.

14/ 86 FR at 6526

15/ 86 FR at 6460; Included in this requirement would be the possibility of one 15 calendar-day extension.

16/ Id.

17/ 86 FR at 6535; see also 45 CFR Sec. 164.524

18/ At least eight states require health care entities to provide records within 15 days or less. Three states require access within 10 days or less.

19/ 86 FR at 6463

20/ See 45 CFR Sec. 164.524(c)(3)(ii)

* * *

The proposed rule can be viewed at: https://www.regulations.gov/document/HHS-OCR-2021-0006-0001

TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact MYRON STRUCK, editor, [email protected], Springfield, Virginia; 703/304-1897; https://targetednews.com