HHS Proposed Rule: Proposed Modifications to Health Insurance Portability & Accountability Act Privacy Rule to Support, Remove Barriers To, Coordinated Care, Individual Engagement

WASHINGTON, Jan. 22 -- The U.S. Department of Health and Human Services' has issued a proposed rule (45 CFR Part 160 and 45 CFR Part 164), published in the Federal Register, entitled: "Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement".

The proposed rule was issued by Alex M. Azar II, Secretary, Department of Health and Human Services.

DATES: Comments due on or before March 22, 2021.

ADDRESSES:

You may submit comments to this proposed rule, identified by RIN 0945-AA00 by any of the following methods:

* Federal eRulemaking Portal. You may submit electronic comments at http://www.regulations.gov by searching for the Docket ID number HHS-OCR-0945-AA00. Follow the instructions http://www.regulations.gov online for submitting comments through this method.

* Regular, Express, or Overnight Mail: You may mail comments to U.S. Department of Health and Human Services, Office for Civil Rights, Attention: Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM, RIN 0945-AA00, Hubert H. Humphrey Building, Room 509F, 200 Independence Avenue SW, Washington, DC 20201.

All comments received by the methods and due date specified above will be posted without change to content to http://www.regulations.gov, including any personal information provided about the commenter, and such posting may occur before or after the closing of the comment period.

The Department will consider all comments received by the date and time specified in the DATES section above, but, because of the large number of public comments normally received on Federal Register documents, the Department is not able to provide individual acknowledgments of receipt.

Please allow sufficient time for mailed comments to be timely received in the event of delivery or security delays. Electronic comments with attachments should be in Microsoft Word or Portable Document Format (PDF).

Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted.

Docket: For complete access to background documents or posted comments, go to http://www.regulations.gov and search for Docket ID number HHS-OCR-0945-AA00.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (800) 368-1019 or (800) 537-7697 (TDD).

* * *

The United States Department of Health and Human Services (HHS or "the Department") is issuing this Notice of Proposed Rulemaking (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).

These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens.

The proposals in this NPRM address these burdens while continuing to protect the privacy and security of individuals' protected health information.

SUPPLEMENTARY INFORMATION:

The discussion below includes an executive summary, a description of the statutory and regulatory background of the proposed rule, a section-by-section discussion of the need for the proposed rule, a description of the proposed modifications, and a regulatory impact statement and other required regulatory analyses. The Department solicits public comment on all aspects of the proposed rule. The Department requests that persons commenting on the provisions of the proposed rule precede their discussion of any particular provision or topic with a citation to the section of the proposed rule being discussed.

Table of Contents

I. Executive Summary

A. Overview

B. Summary of Major Provisions

C. Effective and Compliance Dates

D. Care Coordination and Case Management Described

II. Statutory Authority and Regulatory History

A. Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Rules

B. The Health Information Technology for Economic and Clinical Health (HITECH) Act and the 2013 Omnibus Rule

C. 21st Century Cures Act

III. Need for the Proposed Rule and Proposed Modifications

A. Individual Right of Access (45 CFR 164.524)

1. Adding Definitions for "Electronic Health Record" or EHR and "Personal Health Application" (45 CFR 164.501)

2. Strengthening the Access Right To Inspect and Obtain Copies of PHI

3. Modifying the Implementation Requirements for Requests for Access and Timely Action in Response to Requests for Access

4. Addressing the Form of Access

5. Addressing the Individual Access Right To Direct Copies of PHI to Third Parties

6. Adjusting Permitted Fees for Access to PHI and ePHI

7. Notice of Access and Authorization Fees

8. Technical Change to General Rules for Required Business Associate Disclosures of PHI

9. Request for Comments

B. Reducing Identity Verification Burden for Individuals Exercising the Right of Access (45 CFR 164.514(h))

1. Current Provision and Issues To Address

2. Proposal

3. Request for Comments

C. Amending the Definition of Health Care Operations To Clarify the Scope of Care Coordination and Case Management (45 CFR 160.103)

1. Current Provision and Issues To Address

2. Proposal

3. Request for Comments

D. Creating an Exception to the Minimum Necessary Standard for Disclosures for Individual-Level Care Coordination and Case Management (45 CFR 164.502(b))

1. Current Provision and Issues To Address

2. Proposal

3. Request for Comments

E. Clarifying the Scope of Covered Entities' Abilities to Disclose PHI to Certain Third Parties for Individual-Level Care Coordination and Case Management That Constitutes Treatment or Health Care Operations (45 CFR 164.506)

1. Current Provisions and Issues To Address

2. Proposal

3. Request for Comments

F. Encouraging Disclosures of PHI when Needed to Help Individuals Experiencing Substance Use Disorder (Including Opioid Use Disorder), Serious Mental Illness, and in Emergency Circumstances (45 CFR 164.502 and 164.510-514)

1. Current Provisions and Issues To Address

2. Proposals

3. Request for Comments

G. Eliminating Notice of Privacy Practices Requirements Related to Obtaining Written Acknowledgment of Receipt, Establishing an Individual Right To Discuss the NPP With a Designated Person, Modifying the NPP Content Requirements, and Adding an Optional Element (45 CFR 164.520)

1. Current Provision and Issues To Address

2. Proposal

3. Request for Comments

H. Permitting Disclosures for Telecommunications Relay Services for People Who are Deaf, Hard of Hearing, or Deaf-Blind, or Who Have a Speech Disability (45 CFR 164.512)

1. Current Provisions and Issues To Address

2. Proposal

3. Request for Comments

I. Expanding the Permission To Use and Disclose the PHI of Armed Forces Personnel To Cover All Uniformed Services Personnel (45 CFR 164.512(k))

1. Current Provision and Issues To Address

2. Proposal

3. Request for Comments

IV. Public Participation

V. Regulatory Impact Analysis

A. Executive Orders 12866 and 13563 and Related Executive Orders on Regulatory Review

1. Summary of the Proposed Rule

2. Need for the Proposed Rule

3. Cost-Benefit Analysis

4. Consideration of Regulatory Alternatives

5. Request for Comments on Costs and Benefits

B. Executive Order 13771

C. Regulatory Flexibility Act

D. Unfunded Mandates Reform Act

E. Executive Order 13132--Federalism

F. Assessment of Federal Regulation and Policies on Families

G. Paperwork Reduction Act of 1995

1. Explanation of Estimated Annualized Burden Hours

2. Tables Demonstrating Estimated Burden Hours

I. Executive Summary

A. Overview

In this notice of proposed rulemaking (NPRM), the Department proposes modifications to the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), issued pursuant to section 264 of the Administrative Simplification provisions of title II, subtitle F, of HIPAA.[1] The Privacy Rule is one of several rules, collectively known as the HIPAA Rules,[2] that protect the privacy and security of individuals' medical records and other protected health information (PHI), i.e., individually identifiable health information maintained or transmitted by or on behalf of HIPAA covered entities (i.e., health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses).

The proposals in this NPRM support the Department's Regulatory Sprint to Coordinated Care (Regulatory Sprint), described in detail below. Specifically, the proposals in this NPRM would amend provisions of the Privacy Rule that could present barriers to coordinated care and case management--or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections. These regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care.

The Department, which delegated the authority to administer HIPAA privacy standards to the Office for Civil Rights (OCR), developed many of the proposals contained in this NPRM after careful consideration of public input received in response to the Department's December 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (2018 RFI).[3]

B. Summary of Major Provisions

The Department proposes to modify the Privacy Rule to increase permissible disclosures of PHI and to improve care coordination and case management by:

* Adding definitions for the terms electronic health record (EHR) and personal health application.

* Modifying provisions on the individuals' right[4] of access to PHI by:

* Strengthening individuals' rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;

* shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);

* clarifying the form and format required for responding to individuals' requests for their PHI;

* requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;

* reducing the identity verification burden on individuals exercising their access rights;

* creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual's access request to another health care provider and to receive back the requested electronic copies of the individual's PHI in an EHR;

* requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;

* limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;[5]

* specifying when electronic PHI (ePHI) must be provided to the individual at no charge;

* amending the permissible fee structure for responding to requests to direct records to a third party; and

* requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual's valid authorization[6] and, upon request, provide individualized estimates of fees for an individual's request for copies of PHI, and itemized bills for completed requests.

* Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.

* Creating an exception to the "minimum necessary" standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.

* Clarifying the scope of covered entities' abilities to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers,[7] and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.

* Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their "professional judgment" with a standard permitting such uses or disclosures based on a covered entity's good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity's good faith, but this presumption could be overcome with evidence of bad faith.

* Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is "serious and reasonably foreseeable," instead of the current stricter standard which requires a "serious and imminent" threat to health or safety.

* Eliminating the requirement to obtain an individual's written acknowledgment of receipt of a direct treatment provider's Notice of Privacy Practices (NPP).

* Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.

* Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.

* Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.

The Department carefully considered the extent to which each proposed modification would impact privacy protections compared to the likely benefit of making PHI more available for coordination of care or case management. These and other considerations are fully described for each proposal below.

C. Effective and Compliance Dates

The effective date of a final rule would be 60 days after publication. Covered entities and their business associates would have until the "compliance date" to establish and implement policies and practices to achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 provides that covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. The Department previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.[8]

The Department believes that compliance with the proposed modifications should require no longer than the standard 180-day period provided in 45 CFR 160.105, and thus propose a compliance date of 180 days after the effective date of a final rule.[9] Accordingly, OCR would begin enforcement of the new and revised standards 240 days after publication of a final rule.

The Department requests comment on whether the 180-day compliance period is sufficient for covered entities and business associates to revise existing policies and practices and complete training and implementation. For proposed modifications that would be difficult to accomplish within the 180-day timeframe, the Department requests information about the types of entities and proposed modifications that would necessitate a longer compliance period, how much longer such compliance period would need to be to address such issues, as well as the complexity and scope of changes and the impact on entities and individuals of a longer compliance period.

D. Care Coordination and Case Management Described

On January 30, 2017, President Donald Trump issued Executive Order (E.O.) 13771, "Presidential Executive Order on Reducing Regulation and Controlling Regulatory Costs,"[10] followed by E.O. 13777, "Enforcing the Regulatory Reform Agenda." These executive orders make clear "the policy of the United States to alleviate unnecessary regulatory burdens placed on the American people . . ."[11] In several public speeches, Secretary of Health and Human Services Alex M. Azar II identified the value-based transformation of the Nation's healthcare system as one of his top priorities for the Department, and described how it relates to a reduction of regulatory burden. In a 2018 speech to the Federation of American Hospitals, Secretary Azar committed to addressing "government burdens that may be getting in the way of integrated, collaborative, and holistic care for the patient, and of structures that may create new value more generally."[12] Secretary Azar also explained the need for regulatory reform in his remarks to the Better Medicare Alliance: "The barriers to effective coordination among providers are much steeper than just excessive paperwork. . . . Addressing these regulations that impede care coordination are part of a much broader regulatory reform effort at HHS."[13]

In support of this priority, HHS Deputy Secretary Eric D. Hargan explained, before the Joint Commission on May 29, 2019, that care coordination is a necessary component of achieving value-based care:

It's about coordination, above all--we're focused on understanding how regulations are impeding coordination among providers that can provide better, lower cost patient care, and then reforming these regulations consistent with the laws and their intents. And, finally, it's about care. Regulating health care means regulating some of the most intimate decisions and relationships in our lives--deciding where and when to seek health care, how to make decisions with our doctors and family members, and more.[14]

More recently, the Secretary praised the advancement of coordinated care with the publication of final rules on interoperability, access to health information, and certification of electronic health record technology. The Secretary stated, "These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination."[15] And, when announcing the publication of a final rule modifying regulations on the confidentiality of substance use disorder treatment records, the Secretary stated, "This reform will help make it easier for Americans to discuss substance use disorders with their doctors, seek treatment, and find the road to recovery."[16]

The Department intends for this proposed rule to support the full scope of care coordination and case management activities to further the Department's goal of achieving value-based health care. Although neither care coordination nor case management has a precise, commonly agreed upon definition, both refer broadly to a set of activities aimed at promoting cooperation among members of an individual's health care delivery team, including family members, caregivers, and community based organizations. To encompass these broad categories of activities, the Department offers a non-exhaustive list of examples for understanding care coordination and case management in the context of this NPRM, rather than proposing limited definitions. The Department welcomes comment on the examples and descriptions herein and on any additional definitions, examples, or scenarios that would be helpful for regulated entities and the public to understand what constitutes care coordination and case management.

For example, the Department's Office of Inspector General (OIG), in conjunction with the Department, issued a proposed rule as part of the Department's Regulatory Sprint to Coordinated Care. Under proposed safe harbors for the anti-kickback statute, OIG proposes to define "coordination and management of care" as the "deliberate organization of patient care activities and sharing of information between two or more value-based enterprise (VBE) participants or VBE participants and patients, tailored to improving the health outcomes of the target patient population, in order to achieve safer and more effective care for the target population."[17]

Additionally, as noted by the Centers for Medicare & Medicaid Services (CMS) in a recent RFI, "care coordination is a key aspect of systems that deliver value."[18] As CMS describes in guidance on the Medicaid benefit for children and adolescents, "care coordination" includes a range of activities that link individuals to services and improve communication flow. The guidance states that the various definitions of this term share three key concepts: Comprehensive coordination (involving coordination of all services, including those delivered by systems other than the health system), patient-centered coordination (designed to meet the needs of the patient), and access and follow-up (described as ensuring the delivery of appropriate services and information flow among providers and back to the primary care provider).[19] In 2019 CMS issued a fact sheet associated with the Medicaid health home benefit, which includes six mandatory core elements for access to and coordination of care: Comprehensive care management, care coordination, health promotion, comprehensive transitional care and follow-up, individual and family support, and referral to community and social services. The term "case management" is defined in the Medicaid context for state plans as "services furnished to assist individuals, eligible under the (Medicaid) State plan who reside in a community setting or are transitioning to a community setting, in gaining access to needed medical, social, educational, and other services."[20] In the context of HCBS waivers, case management "usually entails (but is not limited to) conducting the following functions: Evaluation and/or re-evaluation of level of care, assessment and/or reassessment of the need for waiver services, development and/or review of the service plan, coordination of multiple services and/or among multiple providers, linking waiver participants to other federal, state and local programs, monitoring the implementation of the service plan and participant health and welfare, addressing problems in service provision, and responding to participant crises."[21]

The Department's Agency for Healthcare Research and Quality (AHRQ) describes care coordination as "the deliberate organization of patient care activities between two or more participants (including the patient) involved in a patient's care to facilitate the appropriate delivery of health care services."[22] AHRQ describes a broad approach to care coordination as involving commonly used practices to improve health care delivery, including teamwork, care management, medication management, health information technology, and patient-centered medical homes. AHRQ also describes a "specific care coordination" approach that closely aligns with individual patient needs. Examples include creating a proactive care plan, patient monitoring and follow-up, supporting patient self-management goals, and linking to community resources.[23]

Another frequently cited definition comes from the National Quality Forum (NQF), the consensus-based entity recognized by the Department, which defines "care coordination" as "a multidimensional concept that includes effective communication among healthcare providers, patients, families, and caregivers; safe care transitions; a longitudinal view of care that considers the past, while monitoring present delivery of care and anticipating future needs; and the facilitation of linkages between communities and the healthcare system to address medical, social, educational, and other support needs that align with patient goals."[24]

Definitions of "case management" are equally varied. The Case Management Society of America (CMSA) defines case management as "a collaborative process of assessment, planning, facilitation, care coordination, evaluation and advocacy for options and services to meet an individual's and family's comprehensive health needs through communication and available resources to promote patient safety, quality of care, and cost effective outcomes."[25] The American Case Management Association (ACMA) describes case management in hospital and health care systems as "a collaborative practice model including patients, nurses, social workers, physicians, other practitioners, caregivers and the community." The ACMA's approach to case management encompasses communication and seeks to facilitate care along a continuum through effective resource coordination. The goals of case management include the achievement of "optimal health, access to care and appropriate utilization of resources, balanced with the patient's right to self-determination."[26]

Alex M. Azar II,

Secretary, Department of Health and Human Services.

[FR Doc. 2020-27157 Filed 1-19-21; 8:45 am]

BILLING CODE 4153-01-P

The document is published in the Federal Register: https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care

TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact MYRON STRUCK, editor, [email protected], Springfield, Virginia; 703/304-1897; https://targetednews.com