HHS Proposes Loosening Some of HIPAA’s Privacy Provisions

WASHINGTON — Those privacy notice acknowledgements that physicians must get patients to sign would become a thing of the past under a proposed rule to modify the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) released Thursday by the Department of Health and Human Services (HHS).

“Anybody who has gone to a doctor’s office has been asked to sign a form acknowledging the receipt of a notice of privacy practices,” Roger Severino, JD, director of HHS’s Office for Civil Rights, said on a phone call with reporters. “This has been a tremendous waste of time and effort and has caused massive confusion, and has not fulfilled the original intended goal. People have wondered whether or not they were waiving their right to privacy by signing the form, or entering a new contractual relationship. Some medical providers actually insisted that if people didn’t sign the acknowledgement, they would not receive medical care … The signature requirement has been an additional, unnecessary burden where providers had to keep paper copies for 6 years of these signed forms.”

“We’re proposing to eliminate the signature requirement while retaining the requirement that the notice of privacy practices be provided and readily be available. In fact, we’re improving the requirement so it’s in much plainer English with the most important rights put up front, and if they want more information, how they could get more information,” said Severino. “I think it’s a very clear cost-saver and a reduction of unnecessary burden without sacrificing privacy.”

Another provision of the proposed rule addresses the length of time physicians have to provide patients with their requested medical records. “Currently if patients request their records, providers have 30 days to respond,” he said. “We think this is a relic of a pre-Internet age that should be dispensed with; we’re proposing to reduce that time period to 15 days.”

The rule also addresses the amount providers can charge to provide medical records to patients. “We’re clarifying that providers must have their fee schedule posted and publicly available so people know what it costs to get their own records,” he said. In addition, if there is already a patient portal with “view/download/transmit” functionality and it doesn’t add labor costs for providers to send the patients their records via the portal, “they cannot be charging fees for it. We do not believe a patient’s personal medical records should be profit centers for providers.”

The rule would also:

• Strengthen individuals’ rights to inspect their protected health information (PHI) in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI. “If a patient wants a picture of a sonogram of their child, and if it doesn’t interfere with the provision of medical care, providers must allow that real-time provision of medical information,” said Severino. “If the patient wants a record right on the spot, we’re saying they should be provided if it doesn’t interfere with provision of care.”

• Clarify the scope of providers’ abilities to disclose PHI to social service agencies, community-based organizations, home- and community-based service providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management.
• Replace the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s “good faith belief” that the use or disclosure is in the best interests of the individual. For example, a provider would not need to second-guess “whether or not they need to have specific training in substance use disorder before they make full information available to people who are in a position to help. We think this would go a long way toward allowing doctors to act in good faith to help people … in life-or-death circumstances.”
• Expand the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard that requires a “serious and imminent” threat to a patient’s health or safety. “We don’t want medical providers who know there’s a threat to an individual or others to second-guess themselves as to whether or not to share that information with people who could possibly save lives … We don’t want doctors saying, ‘Is it really imminent? Is it not imminent enough?’ If it’s reasonably foreseeable, you don’t have to worry about violating HIPAA to get people the help they need.”

HHS Deputy Secretary Eric Hargan said he hoped the new administration would go forward with the proposed rule after the comment period ends in February. “These are very bipartisan and very common-sense reforms and don’t particularly have any partisan leaning,” he said. “I hope that given that this represented a lot of thoughtful consideration on the part of the public responding to our request for information and the formulation by the staff here of these reforms … that this will be viewed as something they could carry on and make part of their own reforms and legacy.” HHS has estimated that the rule would save $3.2 billion over 5 years through deregulation.

Physician groups have so far been quiet about the proposal, with one group — the Medical Group Management Association (MGMA) — posing questions instead of making a comment. “Will the rule facilitate convenient and timely patient access to healthcare information? Will it support medical practices in their duty to safeguard patient privacy? And will the rule impose reasonable requirements on medical practices that avoid costly administrative burdens?” asked Anders Gilberg, MGMA’s senior vice president for government affairs, in a statement Thursday. “Medical practices take seriously their responsibility to care for patients while protecting their privacy. We look forward to the opportunity to provide detailed feedback on today’s important proposal.”

The Healthcare Leadership Council said the proposed changes “appear to provide some much-needed improvements and modernization to patient privacy regulations,” although more time is needed to review them.