On December 10, 2020, the Department of Health and Human Services (HHS) issued a proposed rule that would make certain changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The proposed changes are intended to:
- support individuals’ engagement in their care,
- remove barriers to coordinated care, and
- reduce regulatory burdens on the healthcare industry.
While many of the proposals primarily impact healthcare providers and their patients, a number of proposed provisions will also have an impact on employer-sponsored health plans. As a reminder, the HIPAA Privacy Rule establishes national standards to protect individuals’ protected health information (PHI). The Privacy Rule applies to covered entities—health plans, healthcare clearinghouses and most healthcare providers—and their business associates.
The Privacy Rule applies to both self-funded and fully insured health plans. However, employers that sponsor fully insured plans and do not have access to PHI (other than certain limited types) have minimal compliance obligations.
The Proposed Rule
The proposed changes to the HIPAA Privacy Rule affecting employer-sponsored plans include:
- Amending the definition of “healthcare operations” to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute healthcare operations.
- Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by a health plan or covered healthcare provider for care coordination and case management activities with respect to an individual, regardless of whether those activities constitute treatment or healthcare operations.
- Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
- Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting uses or disclosures based on a covered entity’s good faith belief that it is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith. The proposed rule would also expand the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard, which requires a “serious and imminent” threat to health or safety.
- Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices and modifying the content requirements of the Notice of Privacy Practices to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
- Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI, and shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
- Adding a definition for the term “electronic health record” (EHR), as well as requirements for EHRs. The proposed rule would create a pathway for individuals to direct the sharing of PHI in an EHR among covered healthcare providers and health plans, by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.
- Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
These proposed rules have not been finalized and may not be relied upon. HHS is requesting comments on the provisions in the proposed rules. Public comments on the proposals are due 60 days after the proposed rule is published in the Federal Register.
If finalized, the provisions in the final rule would take effect 60 days after publication. Covered entities would generally have 180 days from the effective date to comply.
The above information does not constitute advice. Always contact your employee benefits broker or trusted adviser for insurance-related questions.