Revisiting the HIPAA Proposed Rule: What Group Health Plan Sponsors Need to Know

SARAH BOWEN, May 26, 2022 

In late 2020, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) proposed significant changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, aimed primarily at improving care coordination and data sharing. As the final rule on these changes is expected to be published this year, it’s a good time for HIPAA-covered group health plans to revisit the proposed changes and consider their potential impact. While the Proposed Rule generally applies to all HIPAA-covered entities, this article focuses on the proposed changes applicable to covered group health plans. We note that the final rule may deviate from the Proposed Rule described in this article.

The OCR first issued an initial request for information in December 2018 seeking feedback on how certain HIPAA rules and procedures could be streamlined to improve cooperation and data sharing among members of an individual’s health care delivery team, including family members, caregivers, and community-based organizations. The OCR subsequently released the Notice of Proposed Rulemaking proposing modifications to the HIPAA Privacy Rule on December 10, 2020, and published the Proposed Rule in the Federal Register on January 21, 2021.[1] After receiving a number of comments from stakeholders on the proposed changes, the OCR extended the comment period from its original end date of March 22, 2021, to May 6, 2021. While the final rule is expected to be issued later this year, there have been no further updates from the OCR to date.

Does the Proposed Rule apply to group health plans?

The proposed modifications to the HIPAA Privacy Rule apply to HIPAA-covered entities, which include (but are not limited to) ERISA fully insured and self-funded group health plans.[2] The proposed changes also apply to “business associates” of covered entities, which generally include any person or entity that performs functions or activities involving the use or disclosure of protected health information (PHI) on behalf of the covered entity. For group health plans, common business associates include third-party administrators, claims administrators, or other service providers that respond to PHI requests or otherwise use or disclose PHI on behalf of the plan.

How do the proposed changes impact group health plans?

The Proposed Rule includes several significant changes to the HIPAA Privacy Rule aimed at improving data sharing, expanding individual access to PHI, and removing barriers to care coordination and case management. The major proposed changes which may impact group health plans and their business associates are highlighted below.

1. Notice of Privacy Practices (NPP)

  • Revises NPP content requirements. The Proposed Rule modifies the content requirements of the NPP to help increase group health plan participants’ understanding of the covered entity’s privacy practices and of their rights with respect to their PHI. The proposed modifications require group health plans to modify the header of the NPP that is distributed to plan participants. The header of the NPP is required to state: 1) how a participant may access their health information; 2) how a participant may file a HIPAA complaint; and 3) that the individual has a right to receive a copy of the notice and to discuss its contents with a designated person. The header of the NPP must also specify whether the covered entity’s designated contact person for questions regarding the NPP is available onsite, and include that person’s phone number and email address. Providing this information at the beginning of the NPP is meant to improve plan participants’ awareness of their Privacy Rule rights, explain what they can do if they suspect a HIPAA violation, and describe how the participant may contact a designated person to ask questions. The OCR has released model NPPs in the past and, based on the OCR’s request for comments relating to how the model notice can be improved, it is anticipated that the OCR will provide an updated model NPP if the proposed changes become final.

Currently, group health plans that are HIPAA-covered entities must provide the NPP to new participants with enrollment materials, and upon request. If the proposed changes are approved, plans will need to promptly update their NPP and ensure that a copy of the updated notice is distributed as required.

2. Care Coordination and Case Management

  • Clarifies definition of “Health Care Operations” to include individual care coordination and case management. Under HIPAA, “health care operations” are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment.[3] The Privacy Rule allows for certain uses and disclosures of PHI without individual authorization for health care operations, including for the purpose of care coordination and case management. Guidance published in the preamble of the 2000 Privacy Rule[4] clarified that the existing definition of health care operations contemplates that health plans would, as part of such operations, conduct care coordination and case management activities at both the population level and the individual level. However, despite this guidance, many have interpreted the current definition of health care operations to be limited to population-based care coordination and case management only. Such an interpretation excludes individual-focused care coordination and case management by health plans, limiting a health plan’s ability to perform such individual-level care coordination or case management activities. The Proposed Rule addresses this issue by revising the definition of health care operations to clarify that both population-level and individual-level care coordination and case management are covered.
  • Adds exception to minimum necessary requirement for health plan coordination and case management disclosures. The Privacy Rule generally requires that covered entities use, disclose, or request only the minimum PHI necessary to meet the purpose of the use, disclosure, or request. While there is a current exception from the minimum necessary standard for PHI disclosures and requests relating to care coordination and case management, it does not apply to group health plans. Because group health plans generally do not perform treatment functions, any care coordination or case management activity conducted by a health plan is considered a health care operation subject to the minimum necessary standard. As a result, a health plan is required to determine what information constitutes the minimum necessary each time it discloses or requests PHI for an individual’s care coordination or case management, which takes time and administrative resources. Additionally, plans may be disincentivized from requesting or disclosing PHI if there is any uncertainty as to whether the information meets the minimum necessary standard, for fear of triggering an impermissible use or disclosure of PHI under the Privacy Act and incurring associated penalties. The Proposed Rule changes this by adding an express exception from the minimum necessary standard for disclosures to, or requests by, a health plan for care coordination and case management at the individual level.

If finalized, this change would promote more efficient and effective individual care coordination and case management by saving health plans the time and resources currently required to comply with the minimum necessary requirement for such PHI disclosures and requests. Additionally, by expressly excepting such PHI disclosures and requests, the change eliminates any potential fear plans may have of triggering an impermissible use or disclosure of PHI and incurring a penalty when requesting or disclosing PHI for an individual’s care coordination or case management.

  • Expressly permits disclosures to facilitate care with social and community services. The Proposed Rule expressly permits covered entities, including group health plans, to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS, which are services supported by, among other payors, state Medicaid programs) providers, or similar third parties that provide or coordinate health-related services which are needed for care coordination and case management at the individual level. 

3. Individuals’ Right to Access PHI

  • Access to PHI. The Proposed Rule allows individuals greater access to their PHI, including allowing individuals to take notes, videos and photographs and to use other personal resources to view and record PHI in person, barring unacceptable security risks. Additionally, under the proposed changes, covered entities would be prohibited from imposing unreasonable measures on an individual’s right to access PHI (for example, requesting extensive or unnecessary information, requiring notarization, or accepting written requests in paper form only). If approved, group health plans should consider reviewing their policies relating to individual PHI requests to ensure they do not contain procedures that could be construed as unreasonable measures.
  • Form of PHI. The Privacy Rule requires that covered entities provide individuals access to PHI in the form or format requested by the individual, if “readily producible.” The Proposed Rule clarifies that “readily producible” copies of PHI include copies of electronic PHI (ePHI) requested through secure, standards-based application programming interfaces (APIs) using applications chosen by individuals, and any form or format required by applicable state or other laws. If approved, group health plans should confirm that they, or their business associates, have the ability to produce ePHI through standards-based APIs.
  • Time period to provide PHI. Covered entities are currently required to provide individuals with access to their PHI upon request within 30 days, with one 30-day extension. The Proposed Rule shortens this period to 15 days, with one 15-day extension. The proposal to shorten the time for covered entities to provide individuals with access to their PHI would improve care coordination by allowing plan participants to share their records more rapidly with health care providers, informal caregivers, community-based support services, and family members — which could lead to improved health care communications and health outcomes. If approved, group health plans should ensure their written policies and operational procedures relating to PHI requests, and applicable contract language with business associates, are appropriately updated.
  • Right to direct PHI to third parties. Currently, the Privacy Rule requires covered entities to transmit PHI to a third party (i.e., a family member, healthcare provider, researcher, or any other person) designated by the individual when directed by the individual. The individual’s direction must be in writing, signed, and clearly identify the designated person and where to send the PHI. Among the Proposed Rule’s changes relating to individual access rights, covered entities would be required to facilitate an individual’s request to direct ePHI in an electronic health record (EHR) to a third party upon the individual’s written request or clear, conspicuous and specific oral request, within 15 calendar days. While group health plans generally do not maintain EHRs, this proposed change would still require health plans to facilitate such a request if the individual requests that the health plan, as “Requester-Recipient,” obtain ePHI in an EHR from one or more covered health care providers, the “Disclosers,” on the individual’s behalf. In such a case, the health plan would be required to submit the individual’s request to the Discloser. If approved, group health plans will need to review and update their policies and procedures for responding to PHI requests, determining when to respond to oral requests and how to record such requests. If such requests are handled by business associates, plans should ensure business associate agreements are appropriately updated to address these changes.
  • Clarifies fees and adds fee disclosure requirements. The Proposed Rule clarifies when PHI must be provided to individuals at no charge and when a covered entity is permitted to charge fees, with certain limitations, when responding to PHI access requests. The proposed changes also require covered entities to post a notice of access and authorization including a fee schedule on their website (if they maintain a website), as well as make the notice available at “point of service” and upon request. The notice must include all types of access available free of charge and a fee schedule for copies of PHI provided to individuals, copies of PHI in an EHR directed to third parties designated by the individual, and copies of PHI sent to third parties with the individual’s valid authorization. For health plans, the “point of service” could include a customer service call center that handles requests for records, or any location at which PHI is made available for individuals to inspect. The Proposed Rule also requires that, upon an individual’s request, covered entities provide an individualized estimate with the approximate fees to be charged for requested copies of PHI and, if also requested, an itemization of charges constituting the total fee. 

What does this mean for group health plans?

Once the proposed changes are finalized, HIPAA-covered group health plans should, at a minimum, review their HIPAA policies and procedures, Notice of Privacy Practices, and contract language in business associate agreements and other potentially impacted contracts, to determine what changes, if any, are needed. Health plans’ HIPAA training programs will also need to be updated to reflect any changes.

[1] 86 Fed. Reg. 6446 (proposed January 21, 2021) (to be codified at 45 C.F.R. pts. 160 and 164).

[2] 45 C.F.R. § 160.103. The definition of “group health plan” under HIPAA excludes self-administered group health plans with fewer than 50 participants.

[3] 45 C.F.R. § 164.501.

[4] 65 Fed. Reg. 82462, 82627 (December 28, 2000).