Office for Civil Rights, Office of the Secretary, HHS.
Notice of proposed rulemaking.
The United States Department of Health and Human Services (HHS or “the Department”) is issuing this Notice of Proposed Rulemaking (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens. The proposals in this NPRM address these burdens while continuing to protect the privacy and security of individuals' protected health information.
Comments due on or before March 22, 2021.
You may submit comments to this proposed rule, identified by RIN 0945–AA00, by any of the following methods:
The Department will consider all comments received by the date and time specified in the
Please allow sufficient time for mailed comments to be timely received in the event of delivery or security delays. Electronic comments with attachments should be in Microsoft Word or Portable Document Format (PDF).
Please note that comments submitted by fax or email and those submitted after the comment period will not be accepted.
Marissa Gordon-Nguyen at (800) 368–1019 or (800) 537–7697 (TDD).
The discussion below includes an executive summary, a description of the statutory and regulatory background of the proposed rule, a section-by-section discussion of the need for the proposed rule, a description of the proposed modifications, and a regulatory impact statement and other required regulatory analyses. The Department solicits public comment on all aspects of the proposed rule. The Department requests that persons commenting on the provisions of the proposed rule precede their discussion of any particular provision or topic with a citation to the section of the proposed rule being discussed.
In this notice of proposed rulemaking (NPRM), the Department proposes modifications to the Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), issued pursuant to section 264 of the Administrative Simplification provisions of title II, subtitle F, of HIPAA.
The proposals in this NPRM support the Department's Regulatory Sprint to Coordinated Care (Regulatory Sprint), described in detail below. Specifically, the proposals in this NPRM would amend provisions of the Privacy Rule that could present barriers to coordinated care and case management—or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections. These regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care.
The Department, which delegated the authority to administer HIPAA privacy standards to the Office for Civil Rights (OCR), developed many of the proposals contained in this NPRM after careful consideration of public input received in response to the Department's December 2018
The Department proposes to modify the Privacy Rule to increase permissible disclosures of PHI and to improve care coordination and case management by:
• Adding definitions for the terms electronic health record (EHR) and personal health application.
• Modifying provisions on the individuals' right
○ Strengthening individuals' rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
○ shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
○ clarifying the form and format required for responding to individuals' requests for their PHI;
○ requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
○ reducing the identity verification burden on individuals exercising their access rights;
○ creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual's access request to another health care provider and to receive back the requested electronic copies of the individual's PHI in an EHR;
○ requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
○ limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;
○ specifying when electronic PHI (ePHI) must be provided to the individual at no charge;
○ amending the permissible fee structure for responding to requests to direct records to a third party; and
○ requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual's valid authorization.
• Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
• Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities
• Clarifying the scope of covered entities' abilities to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers,
• Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity's good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity's good faith, but this presumption could be overcome with evidence of bad faith.
• Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
• Eliminating the requirement to obtain an individual's written acknowledgment of receipt of a direct treatment provider's Notice of Privacy Practices (NPP).
• Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
• Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
• Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.
The Department carefully considered the extent to which each proposed modification would impact privacy protections compared to the likely benefit of making PHI more available for coordination of care or case management. These and other considerations are fully described for each proposal below.
The effective date of a final rule would be 60 days after publication. Covered entities and their business associates would have until the “compliance date” to establish and implement policies and practices to achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 provides that covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. The Department previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.
The Department believes that compliance with the proposed modifications should require no longer than the standard 180-day period provided in 45 CFR 160.105, and thus proposes a compliance date of 180 days after the effective date of a final rule.
The Department requests comment on whether the 180-day compliance period is sufficient for covered entities and business associates to revise existing policies and practices and complete training and implementation. For proposed modifications that would be difficult to accomplish within the 180-day timeframe, the Department requests information about the types of entities and proposed modifications that would necessitate a longer compliance period, how much longer such compliance period would need to be to address such issues, as well as the complexity and scope of changes and the impact on entities and individuals of a longer compliance period.
On January 30, 2017, President Donald Trump issued Executive Order (E.O.) 13771, “Presidential Executive Order on Reducing Regulation and Controlling Regulatory Costs,”
In support of this priority, HHS Deputy Secretary Eric D. Hargan explained, before the Joint Commission on May 29, 2019, that care coordination is a necessary component of achieving value-based care:
It's about coordination, above all—we're focused on understanding how regulations are impeding coordination among providers
More recently, the Secretary praised the advancement of coordinated care with the publication of final rules on interoperability, access to health information, and certification of electronic health record technology. The Secretary stated, “These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination.”
The Department intends for this proposed rule to support the full scope of care coordination and case management activities to further the Department's goal of achieving value-based health care. Although neither care coordination nor case management has a precise, commonly agreed upon definition, both refer broadly to a set of activities aimed at promoting cooperation among members of an individual's health care delivery team, including family members, caregivers, and community based organizations. To encompass these broad categories of activities, the Department offers a non-exhaustive list of examples for understanding care coordination and case management in the context of this NPRM, rather than proposing limited definitions. The Department welcomes comment on the examples and descriptions herein and on any additional definitions, examples, or scenarios that would be helpful for regulated entities and the public to understand what constitutes care coordination and case management.
For example, the Department's Office of Inspector General (OIG), in conjunction with the Department, issued a proposed rule as part of the Department's Regulatory Sprint to Coordinated Care. Under proposed safe harbors for the anti-kickback statute, OIG proposes to define “coordination and management of care” as the “deliberate organization of patient care activities and sharing of information between two or more value-based enterprise (VBE) participants or VBE participants and patients, tailored to improving the health outcomes of the target patient population, in order to achieve safer and more effective care for the target population.”
Additionally, as noted by the Centers for Medicare & Medicaid Services (CMS) in a recent RFI, “care coordination is a key aspect of systems that deliver value.”
The Department's Agency for Healthcare Research and Quality (AHRQ) describes care coordination as “the deliberate organization of patient care activities between two or more participants (including the patient) involved in a patient's care to facilitate the appropriate delivery of health care services.”
Another frequently cited definition comes from the National Quality Forum (NQF), the consensus-based entity recognized by the Department, which defines “care coordination” as “a multidimensional concept that includes effective communication among healthcare providers, patients, families, and caregivers; safe care transitions; a longitudinal view of care that considers the past, while monitoring present
Definitions of “case management” are equally varied. The Case Management Society of America (CMSA) defines case management as “a collaborative process of assessment, planning, facilitation, care coordination, evaluation and advocacy for options and services to meet an individual's and family's comprehensive health needs through communication and available resources to promote patient safety, quality of care, and cost effective outcomes.”
The Administrative Simplification provisions of HIPAA provide for the establishment of national standards to protect the privacy and security of individuals' health information and established civil money and criminal penalties for violations of the requirements, among other provisions.
The Department issued its first regulation to implement HIPAA, the Privacy Rule, on December 28, 2000.
The Privacy Rule protects individuals' medical records and other individually identifiable health information created, received, maintained, or transmitted by or on behalf of covered entities, which are collectively defined as PHI. The Privacy Rule protects individuals' PHI by regulating the circumstances under which covered entities and their business associates may use or disclose PHI and by requiring covered entities to have safeguards in place to protect the privacy of PHI. As part of these protections, covered entities are required to have contracts or other arrangements in place with business associates that use PHI to perform functions for or on behalf of, or provide services to, the covered entity and that require access to PHI to ensure that these business associates also protect the privacy of PHI. The Privacy Rule also establishes the rights of individuals with respect to their PHI, including the right to receive adequate notice of a covered entity's privacy practices, the right to request restrictions of uses and disclosures, the right to access (
The Department established the right of individuals to access their PHI in the 2000 Privacy Rule,
OCR has delegated authority from the Secretary to make decisions regarding the implementation, interpretation, and enforcement of the Privacy Rule. Under this authority, OCR also administers and enforces the Security Rule, which requires covered entities and their business associates to implement certain administrative, physical, and technical safeguards to protect ePHI; and the Breach Notification Rule, which requires covered entities to provide notification to affected individuals, the Secretary of HHS, and, in some cases, the media, following a breach of unsecured PHI, and requires a covered entity's business associate that experiences a breach of unsecured PHI to notify the covered entity of the breach.
With respect to the HIPAA Enforcement Rule, which contains provisions addressing compliance, investigations, the imposition of civil money penalties for violations of the HIPAA Rules, and procedures for hearings, OCR also acts based on its delegated authority.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009,
Section 13405(e) of the HITECH Act strengthened the Privacy Rule's right of access with respect to covered entities that use or maintain an EHR. Under Subtitle D of Title XIII of the HITECH Act, “The term ‘electronic health record’ means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.”
On July 14, 2010, the Department issued an NPRM to modify the HIPAA Rules consistent with the HITECH Act (2010 NPRM).
As such, the Department proposes to use its authority under section 264(c) of HIPAA to prescribe the rights individuals should have with respect to their individually identifiable health information to strengthen the right of access as provided under section 13405(e) of the HITECH Act more uniformly to all protected health information in one or more designated record sets electronically, regardless of whether the designated record set is an electronic health record.
The 2013 Omnibus Rule finalized 45 CFR 164.524(c)(2)(ii), providing that if the individual's requested PHI is maintained in one or more designated record sets
The 2013 Omnibus Rule also finalized 45 CFR 164.524(c)(3)(ii) providing that covered entities must transmit a copy of an individual's PHI directly to a third party designated by the individual if the individual's request for access directs the covered entity to do so.
With respect to fees for access, the 2000 Privacy Rule permitted a covered entity to impose only a reasonable, cost-based fee for a copy of PHI under the right of access, which was limited to: (1) The costs of supplies and labor for copying; (2) postage to mail the copy; and (3) preparation of a summary or explanation of PHI if agreed to by the individual.
In the 2013 Omnibus Rule, the Department described the labor for copying PHI, whether in paper or electronic form, as one factor that may be included in a reasonable, cost-based fee.
In 2016, to educate the public about the individual right of access and clarify covered entities' obligations to fulfill this right, OCR issued extensive guidance (2016 Access Guidance) on how OCR interprets and implements 45 CFR 164.524. The 2016 Access Guidance comprises a comprehensive fact sheet and a set of frequently asked questions (FAQs) that provide additional detail.
Among other clarifications, the guidance included the Department's interpretation and intention that, as an expansion of the individual right of access, the right to direct a copy of PHI to a third party incorporated the general access right's pre-existing conditions and requirements, including its fee limitations. Accordingly, the guidance expressly stated that the access fee limitation applied, regardless of whether the individual requested that the copy of PHI be sent to the individual, or directed the copy of PHI to a third party designated by the individual.
On January 23, 2020, by memorandum opinion and order in
Consistent with the court's opinion, which the Department did not appeal, the Department takes the opportunity of this NPRM to seek public comment on proposals to: (1) Narrow the scope of the access right to direct records to a third party to only electronic copies of PHI in an EHR; and (2) apply new fee limitations to the access right to direct a copy of PHI to a third party, as described more fully below.
The 21st Century Cures Act (Cures Act)
The Office of the National Coordinator for Health Information Technology (ONC) published a final rule
Based on authority granted to it by the Cures Act, the OIG has proposed a rule that addresses enforcement.
The Cures Act also requires health IT developers participating in the ONC Health IT Certification Program
For example, by requiring developers of certified health IT, including EHR technology, to make secured, standards-based APIs (certified APIs) available, ONC's rule creates mechanisms by which individuals can readily exercise their Privacy Rule right of access, thus empowering individuals to electronically access, share, and use their electronic health information. This approach gives individuals the ability to electronically access and share their health information with mobile applications of the individuals' choice. Likewise, CMS's new interoperability rule contains requirements similar to the ONC Cures Act Final Rule.
Taken together, implementation of the above Cures Act requirements through the ONC and CMS rules will support covered entities (and their business associates) that use health information technology in a manner that enables them to respond more timely to individual requests for access to ePHI. Further, the ONC Cures Act Final Rule requirements for certified health IT to use secure, standards-based APIs will allow individuals to more readily access their ePHI and support disclosures of PHI by covered health care providers and health plans for individual-level care coordination and case management purposes. This regulatory context informs the proposals that follow.
In light of ongoing concerns that regulatory barriers across the Department impede effective delivery of coordinated, value-based health care, in June 2018, the Department launched the Regulatory Sprint to Coordinated Care to promote care coordination and facilitate a nationwide transformation to value-based health care. The Department initiated the Sprint by publishing a series of RFIs to solicit public input on regulatory barriers to coordinated care that it should modify, remove, or clarify through guidance and subsequent proposed regulations. After considering public comment, on August 26, 2019, the Department published an NPRM to modify 42 CFR part 2, the regulatory scheme protecting the confidentiality of substance use disorder (SUD) treatment information held by HHS-funded treatment programs.
This NPRM, proposing modifications to the Privacy Rule, continues the Department's Regulatory Sprint, taking into consideration public comment received on the 2018 RFI published by OCR. The 2018 RFI solicited public input on 53 questions asking whether and how the Department could modify the HIPAA Rules to support care coordination and case management, and promote value-based care, while preserving the privacy and security of PHI. The Department organized the 2018 RFI questions around several key themes for which it sought input and examples of how best to address care coordination through three specific content areas:
In addition to the three major topics described above, the RFI sought information about implementing a requirement of the HITECH Act to include disclosures by a covered entity for treatment, payment, and health care operations through an EHR in an accounting of disclosures.
The Department received over 1,300 comments in response to the 2018 RFI, from many types of individuals and entities, including covered entities, patients, family caregivers, professional associations, privacy advocates, mental health professionals and advocates, business associates, researchers, and government organizations. The Department provides a more complete description of the 2018 RFI topics and responsive comments below.
The ability of individuals to access and direct disclosures of their own health information is key to the coordination of their care. Patients are at the center of each health care encounter. As such, 45 CFR 164.524 of the Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers)
While OCR has issued extensive guidance and performed outreach to the public and regulated entities regarding the individual right of access, OCR continues to hear—through complaints, comments on the 2018 RFI, reports,
The 2018 RFI also requested information about current barriers or delays that health care providers face when attempting to obtain PHI from covered entities for treatment purposes. Specifically, the RFI asked whether the Privacy Rule could be modified to improve care coordination and case management by requiring covered entities and business associates to disclose PHI when requested by another covered entity for treatment purposes, for payment and health care operations purposes generally, or, alternatively, only for specific payment or health care operations purposes. The RFI further requested input on the effects of various potential requirements, including the creation of unintended burdens for covered entities or individuals, how much it would cost covered entities to comply, and whether any limitations should be placed on such disclosure requirements.
After careful review of the responses to the 2018 RFI and the Department's analysis of the current Privacy Rule, the Department proposes to amend the Privacy Rule to strengthen the individual right of access and to remove barriers that may limit or discourage coordinated care or case management among covered entities and individuals, or otherwise impose regulatory burdens. Additionally, consistent with the court's decision in
The Department proposes to amend the individual right of access by incorporating definitions into the Privacy Rule that are necessary to implement key privacy provisions of the HITECH Act. The Department's proposed definitions for electronic health record and personal health application in 45 CFR 164.501 build on language from the HITECH Act definitions of electronic health record
• The individual right to inspect and obtain copies of PHI within the current rule requires covered entities to provide the requested information (with some exceptions) within a specific time limit and for a limited fee. This NPRM proposes to retain this individual right to inspect and obtain copies of PHI at 45 CFR 164.524(c).
• The right of an individual to direct the transmission of electronic copies of PHI in an EHR to a third party is established by the HITECH Act and interpreted by the
• The Department also proposes to create a pathway for individuals to direct the sharing of an electronic copy of PHI in an EHR among covered health care providers and health plans. The NPRM proposes to require a covered health care provider or health plan (the “Requestor-Recipient”), at the individual's direction, to submit the individual's access request regarding his or her own ePHI to another covered health care provider (the “Discloser”), requesting that the Discloser transmit the ePHI maintained by or on behalf of the Discloser in its EHR to the Requestor-Recipient. This new right would be inserted within the right to direct an electronic copy of PHI in an EHR to a third party, at proposed 45 CFR 164.524(d)(7).
Finally, with respect to fees charged by covered entities to individuals exercising the right of access, the Department proposes to adjust and clarify the fees that covered entities may charge for copies of PHI, and require covered entities to provide advance notice of approximate fees for copies of PHI requested under the access right or with an individual's valid authorization. The Department also proposes technical clarifications to the Privacy Rule provision requiring business associates to disclose PHI as needed for the covered entity to fulfill its obligations under the right of access.
The Privacy Rule currently does not define the term “electronic health record.” However, the HITECH Act codifies a definition of EHR that applies to that Act's privacy and security provisions for covered entities and business associates.
The Privacy Rule does not define the term “clinician” and the Department has not identified a uniform statutory or regulatory definition. For example, the term “clinician” is not included among the several definitions of “Health care provider” in the Social Security Act, which includes a long list of health care professionals as well as “any other person furnishing health care services or supplies.”
Consistent with the breadth of these various definitions, the Department proposes to interpret “authorized health care clinicians and staff” to at least include covered health care providers who are able to access, modify, transmit, or otherwise use or disclose PHI in an EHR, and who have direct treatment relationships with individuals; and their workforce members (as workforce is defined at 45 CFR 160.103)
For example, an EHR would include electronic lab test reports created by workforce members of a large health system who are licensed clinical laboratory personnel, and who perform clinical lab tests for patients treated by the health system. Likewise, electronic billing records created, gathered, managed, and consulted by workforce members of a covered health care provider that has a direct treatment relationship with an individual (
In contrast, the term EHR would not include health-related electronic records of covered health care providers that only supply durable medical equipment to other providers, who then provide the equipment to individuals, and thus do not have direct treatment relationships with individuals.
With respect to the types of information in an EHR, the Department proposes to equate “health-related information on an individual” in regulatory text with the scope of the familiar, defined term, individually identifiable health information or IIHI.
Further, the Department interprets “on an individual,” for HIPAA purposes to refer to information that is “individually identifiable.” Health information that is not individually identifiable (
The Department also believes it is necessary to define a new term in the Privacy Rule, “Personal health application” (or “personal health app”), by drawing on the definition of a personal health record in the HITECH Act.
The Department requests comment on the proposed definition of personal health application, including the types of activities encompassed in the terms “managed,” “shared,” and “controlled,” and on the Department's assumptions about the use of such applications by individuals. The proposed definition of personal health application is meant to be consistent with the HITECH Act definition of personal health record (PHR),
Taken together, the proposed definitions for EHR and personal health application would help clarify the proposed modifications to the right of access, including the scope of the modified right of individuals to direct a covered health care provider to transmit an electronic copy of PHI in an EHR to a designated third party.
The individual right of access under the Privacy Rule includes a right to “inspect and obtain a copy of” PHI in a designated record set at 45 CFR 164.524(a)(1).
Under this proposal, covered entities generally would be required to allow individuals to take notes, videos, and photographs using personal resources after arranging a mutually convenient time and place for the individual to inspect their PHI in a designated record set, such as in a medical records office. This would be accomplished by redesignating the first paragraph of 45 CFR 164.524(a)(1) as subsection (i) and creating a new subsection (ii). Covered entities would be required to provide such access without imposing a fee under proposed 45 CFR 164.524(c)(4)(ii). Additionally, the Department proposes to extend the right to inspect to situations where mutually convenient times and places include points of care where PHI in a designated record set is readily available for inspection by the patient, for example, by viewing x-rays, ultrasounds, or lab results in conjunction with a health care appointment with a treating provider. The Department anticipates that the time and place where an individual obtains health care treatment generally would be considered a convenient time and place for the individual to inspect the PHI that is immediately available in the treatment area. This provision would be added to 45 CFR 164.524(c)(3) as part of the implementation specifications regarding the time and manner of access, as follows: “When protected health information is readily available at the point of care in conjunction with a health care appointment, a covered health care provider is not permitted to delay the right to inspect.”
In these circumstances, a covered health care provider would not be permitted to delay the right to inspect. The Department believes that it is common for individuals to take notes during a visit where health care
The Department seeks comment on whether to require covered health care providers to allow individuals to record PHI in this manner as part of the Privacy Rule access right; whether conditions or limitations should apply to ensure that a covered health care provider does not experience unreasonable workflow disruptions (
Under proposed section 164.524(a)(1)(ii), the Department would not require a covered entity to allow the individual to connect a personal device, such as a thumb drive, to the covered entity's information systems. The Department does not expect a covered entity to tolerate unacceptable security risks (which would violate the HIPAA Security Rule) in order to accomplish a non-secure mode of data transfer to the requestor.
The Department believes that the proposed changes would eliminate persistent barriers that individuals face when seeking to inspect or obtain copies of their PHI, as described above in Section III.A. At the same time, a provision at the end of the new subsection (ii) of 45 CFR 164.524(a)(1) would provide, “[A] covered entity is not required to allow an individual to connect a personal device to the covered entity's information systems and may impose requirements to ensure that an individual records only protected health information to which the individual has a right of access.” Consistent with this provision, a covered entity could establish reasonable policies and safeguards to ensure, for example, that an individual's use of personal resources minimizes disruptions to the covered entity's operations, and is used in a way that enables the individual to copy or otherwise memorialize only the PHI in the individual's designated record set to which the individual is entitled pursuant to the right of access. However, a covered entity would not be permitted to establish such policies and safeguards that impose unjustified or unreasonable barriers to individual access. See proposed 45 CFR 164.524(b)(1)(ii).
Section 164.524(b)(1) of title 45 CFR requires a covered entity to permit an individual to inspect or to obtain a copy of PHI about the individual that is maintained in a designated record set, and permits the covered entity to require individuals to make such a request in writing, provided the covered entity informs the individual of the writing requirement. Although the Department did not solicit comment in the 2018 RFI about this section of the Privacy Rule, the Department believes it is appropriate to solicit comment on a proposal to expressly prohibit a covered entity from imposing unreasonable measures that would impede an individual's right of access. The Department believes such a proposal would support the goal of improving coordination of care for individuals, as further discussed below.
Section 164.524(b)(2) of title 45 CFR requires a covered entity to act on an individual's request to exercise their right of access no later than 30 days after receipt of the request, with an option to extend the time to take action by an additional 30 days after providing written explanation and the date by which the entity will complete its action on the request. To assess whether the time limit could be shortened to better serve individuals seeking to exercise their right to access their records, in the 2018 RFI, the Department solicited public comments on this timeframe, the feasibility of covered entities meeting a shorter time limit, recommended time limits, and whether access to PHI maintained by covered entities in electronic format should be subject to different timeliness requirements than non-electronic records (
Many commenters on the 2018 RFI preferred a uniform standard for providing access to PHI regardless of the record format (
Citing these factors, health care providers who commented on this topic generally did not believe that requiring access to electronic records more quickly than non-electronic records would improve the overall speed of providing access to all of an individual's requested PHI, and some commenters expressed concern that doing so may negatively affect timely access to non-electronic records. To support this point, many described how fulfilling a single access request may encompass the production of both electronic and non-electronic records (sometimes referred to as a “hybrid” request or record). Commenters also reported that applying different time requirements for different parts of an individual's record would add complexity, potentially creating additional administrative burdens and barriers to compliance.
Of the commenters who offered specific timeframes concerning current practices, about half reported providing records within 15 days and half stated that they take up to 30 days. Health care entities subject to shorter response times required under state law (including requirements in California and Texas)
Individual commenters described delays in obtaining access, including inconsistent or incomplete uploading of electronic records to health information exchanges, entities that routinely respond to access requests on day 29 with a demand for additional clarifying information in writing in order to process the requests, and entities that only respond when threatened with legal action. They also described the harmful effects on health when the process to access records is too complicated or when the provision of records is delayed or denied.
Examples from consumers included needing to repeat tests and procedures because medical history information was not available, which is both expensive and leads to delays in needed treatment; delayed referrals and inaccurate diagnoses based on incomplete information; and lack of timely information needed for self-care. Sometimes health decisions have to be made quickly, and individuals need access to information in a timely manner to fully participate in their care or obtain an urgent second opinion from another medical professional.
Among commenters that opposed shorter timelines, many stated that covered entities would be burdened if they had to provide access within a shorter period. Several commenters stated that they would have to increase expenditures on staff, diverting resources from treating patients, and at least one mentioned the need to increase investment in information technology. Some commenters expressed particular concern that shorter access time limits would place an undue burden on smaller entities.
To address the barriers to timely access described above, the Department proposes to modify the Privacy Rule as follows.
Section 164.524(b) of title 45 CFR currently requires covered entities to permit individuals exercising their right of access to inspect or to obtain a copy of their PHI that is contained in a designated record set, and permits covered entities to require access requests in writing, provided that the covered entity informs the individual of that requirement. The Department proposes to modify the Privacy Rule to expressly prohibit a covered entity from imposing unreasonable measures on an individual exercising the right of access that create a barrier to or unreasonably delay the individual from obtaining access.
To help define “unreasonable measures” for covered entities, the Department proposes to include and compare, in regulatory text, non-exhaustive specific examples of reasonable and unreasonable measures that some covered entities have imposed (as described in public comments or individuals' complaints submitted to the Department), or may be likely to impose. For example, proposed section 164.524(b)(1)(ii) compares a standard form containing the minimum information that is needed to process a request for access against a form requiring extensive information from the individual that is not necessary to fulfill the request; requiring the use of the form containing unnecessary information is an unreasonable measure. Other examples of unreasonable measures in the proposed regulatory text include requiring the individual to obtain notarization of the individual's signature, or accepting individuals' written requests only in paper form, only in person at the covered entity's facility, or only through the covered entity's online portal. Similarly, the Department proposes below to amend the Privacy Rule by adding section 164.514(h)(2)(v) to prohibit a covered entity from imposing an unreasonable identity verification requirement on an individual attempting to exercise the right of access, and includes examples of such measures.
The Department assumes a prohibition against “unreasonable measures” for requesting access would not result in adverse unintended consequences for individuals, but acknowledges that covered entities may have concerns about potential implementation burdens associated with this proposal. The Department solicits comment on its assumptions, and seeks examples of unreasonable measures that individuals and covered entities believe could reduce an individual's ability to participate in the coordination of his or her own healthcare. The Department also requests comment on burdens that covered entities believe may result from this proposed change.
As noted above, the Privacy Rule generally requires covered entities to respond to requests by individuals to exercise their right of access no later than 30 days after receipt by either providing access or a written denial that meets certain requirements.
The Department believes that entities can provide individuals access to their information within a time limit shorter than 30 days. Therefore, to strengthen the individual's right of access to their PHI in a designated record set, the Department proposes to modify section 164.524(b)(2)(i) and (ii) of the Privacy Rule to require that access be provided “as soon as practicable,” but in no case later than 15 calendar days after receipt of the request, with the possibility of one 15 calendar-day extension. Where another federal or state law (
At least eight states have statutory requirements to provide patients with copies of their health records in less time than the Privacy Rule's current 30-day limits, and at least five states require the opportunity to view or inspect the record in fewer than 30
The Department is strongly persuaded by these examples and by comments from entities operating in states with 10 to 15-day access provisions that, when mandated, covered entities are able to adapt to shorter access time limits. A majority of states do not impose time limits on health care entities that are as short as 15 days, so access to PHI in those states will be markedly improved. Additionally, these shorter timelines would better support the Department's initiatives to improve health care price transparency to empower and assist consumers with making more informed health care decisions. In support of these goals, the Administration has proposed and finalized other rules to require health insurance issuers and plans, as well as hospitals, to make health care prices more readily available to consumers in real-time. For example, in November 2019, CMS, along with the Internal Revenue Service, Department of the Treasury; and the Employee Benefits Security Administration, Department of Labor, proposed rules regarding transparency in coverage to give consumers real-time, personalized access to cost-sharing information. The proposed rules include a proposal for non-grandfathered health insurance plans and issuers in the individual and group markets to provide an estimate of participants', beneficiaries', and enrollees' cost-sharing liability for all covered health care items and services through an online self-service tool, or in paper form, upon request. The rule also would require issuers and plans to disclose in-network provider negotiated rates and historical out-of-network allowed amounts through two machine-readable files posted on an internet website, thereby allowing the public, including personal health application developers (and other application developers that are not providing the application on behalf of or at the direction of a covered entity), to have access to health insurance coverage information.
Therefore, the Department proposes to amend the individual access right provisions to require covered entities to provide copies of PHI as soon as practicable, but no later than 15 calendar days (with the possibility of one 15 calendar-day extension) or where another federal or state law requires a covered entity to provide an individual with access to the PHI requested in less than 15 calendar days, that shorter time period will be deemed practicable under the Privacy Rule. The same timeliness requirements would be applied when an individual requests direct access under proposed 45 CFR 164.524(b)(2) and when an individual requests that an electronic copy of PHI in an EHR be directed to a third party under proposed 45 CFR 164.524(d)(5).
To limit compliance complexity, the Department proposes to uniformly apply this timeliness requirement, regardless of the form or format of the PHI (
The Department also proposes to add a requirement that a covered entity may use one 15-day extension of time for providing access to requested PHI if it has established a policy to address urgent or high-priority requests. This proposal is not intended to limit the use of extensions to urgent or high-priority requests, but to provide flexibility for entities that have this type of policy. The Department does not propose to define what constitutes an urgent or high-priority request, and does not intend with this proposal to encourage covered entities to require individuals to reveal the purposes for their requests for access. However, examples of urgent or high-priority requests could include when an individual voluntarily reveals that the PHI is needed in preparation for urgent medical treatment, or that the individual needs documentation of a diagnosis of severe asthma to be allowed to bring medication to school.
Finally, the Department also proposes at 45 CFR 164.524(c)(3) to expressly provide that, while a covered entity may discuss aspects of the individual's access request with the individual before fulfilling the individual's request, such clarification of the request would not extend the time limit for providing access. This modification would put into regulatory language the Department's interpretation of the access deadlines in the 2016 Access Guidance
Shortening and clarifying the Privacy Rule time limits for access requests would strengthen individuals' rights with respect to their health information, advance the aims of patient-directed
The Privacy Rule requires a covered entity to provide the individual with access to the PHI in the form and format requested, if readily producible in that form and format, or if not, in a readable hard copy form, or other form and format as agreed to by the covered entity and individual.
The Department is examining how best to address individuals' privacy and security interests when they use a personal health application that receives PHI from a covered entity and has outlined several approaches in the request for comment at the end of this section. The Department requests information about the costs and benefits of options for educating individuals in a manner that does not delay or create a barrier to access. The options presented are consistent with the intent expressed in the ONC Cures Act Final Rule: Although “an actor may not prevent an individual from deciding to provide its EHI to a technology developer or application despite any risks noted regarding the application itself or the third party developer,” ONC “strongly encourage[s] actors to educate patients and individuals about the risks of providing other entities or parties access to their EHI.”
In addition, the Department proposes, at 45 CFR 164.524(c)(2)(iii), to provide that if other federal or state law (
The Department seeks comments on related situations: Whether to require a health care provider that has EHR technology that incorporates a secure, standards-based API without extra cost, to implement the API; whether to require a health care provider that could implement such an API at little cost to do so; and how to measure the level of cost that would be considered a reasonable justification for not implementing an API.
Section 164.524(c)(2)(iii) of the current Privacy Rule, which would be redesignated as sections 164.524(c)(2)(iv) and 164.524(d)(4), allows a covered entity to provide a summary in lieu of providing access to the requested PHI, or an explanation of the PHI to which access has been provided, if the individual agrees. To ensure that individuals are able to fully exercise their right of access, the Department proposes to add new sections 164.524(c)(2)(iv)(B) and 164.524(d)(4)(ii) to require that, when a covered entity offers a summary in lieu of access, it must inform the individual that the individual retains the right to obtain a copy of the requested PHI (or direct an electronic copy of PHI in an EHR to a third party) if they do not agree to receive the summary. The proposed requirement would not apply when the covered entity offers a summary because it is denying the request for a copy on unreviewable or reviewable grounds, in which case the covered entity must implement the required procedures for such denial. For example, if a covered physician offered to provide a summary in lieu of an entire medical record requested by an individual (or in lieu of “all PHI about the individual in a designated record set,” if that is the request), the physician would be required to inform the individual of the
The Privacy Rule right of access requires covered entities to transmit a copy of PHI directly to another person designated by the individual when directed by the individual.
The access right to direct a copy of PHI to a third party is distinct from the provision that permits a covered entity to disclose PHI to a third party with an individual's valid authorization in at least four key respects:
The right of access does not specifically address provider-to-provider exchanges of PHI because the Privacy Rule permits such disclosures without the individual's authorization for treatment, payment, and health care operations, among other specified purposes. The Privacy Rule also does not address fees for those disclosures. However, the Department believes that some patients have been using the right to direct PHI to a third party as a means of having one covered health care provider send records to another provider. The proposed changes to the right to direct copies of PHI to third parties, such as limiting the right to electronic copies in an EHR and allowing fees for copying ePHI onto electronic media, may affect those exchanges of PHI, if health care providers choose to charge fees when sending copies of PHI to other providers when previously they did not.
The Department proposes to create a separate set of provisions for the right to direct copies of PHI to a third party at subsection (d) of 45 CFR 164.524. Proposed subsection (d) will better align the Privacy Rule with the HITECH Act right to direct to a third party only electronic copies of PHI in an EHR,
Under the first part of this proposal, at 45 CFR 164.524(d)(1), requests to direct copies of PHI to a third party will be limited to only electronic copies of PHI in an EHR. Therefore, if an individual directs a covered health care provider to transmit an electronic copy of PHI contained in an EHR (as defined in proposed 45 CFR 164.501) to a third party, the covered health care provider must provide a copy of the requested PHI to the person designated by the individual.
The
However, in some cases, ePHI might be exported from legacy health IT systems in a proprietary format that would be unreadable for the average person. Further, many data systems offer the capability to export data in multiple formats for portability, and not all of the formats are equally accessible, usable, and readable. For example, a comma-separated value (CSV) file is a common format for sharing data between databases and spreadsheets. However, if a designated third party received PHI in a CSV file from a covered health care provider, the third party may lack the necessary context to read and use such information. Because the right to direct PHI to a third party is a part of the individual right of access, the Department encourages covered health care providers to respond to such requests in a manner that does not frustrate individuals' efforts to exercise those rights in a meaningful way or potentially require the individual to make a second request to obtain a copy of the requested information directly.
As discussed above in reference to individual access, as new forms of information and communications technologies emerge, the “form and format” and the “manner” of producing or transmitting a copy of electronic PHI may become indistinguishable. For example, if a covered entity has implemented a secure, standards-based API that is capable of providing access to ePHI in the form and format used by an individual's personal health application, that ePHI is considered to be
Under the second part of this proposal, in proposed 45 CFR 164.524(d)(1), a covered health care provider would be required to respond to an individual's request to direct an electronic copy of PHI in an EHR to a third party designated by the individual when the request is “clear, conspicuous, and specific”—which may be orally or in writing (including electronically executed requests).
Under these proposals, a written access request such as that contemplated in the current rule would be one means of exercising this right of access, but an oral request could also be actionable if it is clear, conspicuous, and specific. For example, an oral request that identifies the designated recipient and where to send the PHI could meet this standard. Additionally, this provision would allow an individual to use an internet-based method,
The third part of this proposal, at 45 CFR 164.524(d)(7), would create a requirement within the right of access for a covered health care provider or health plan to facilitate an individual's request to direct an electronic copy of PHI in an EHR to a third party designated by the individual, which in this case would be the covered entity facilitating the request. If an individual makes a clear, conspicuous, and specific request that his or her covered health care provider or health plan (“Requester-Recipient”) obtain an electronic copy of PHI in an EHR from one or more covered health care providers (“Discloser”), Requester-Recipient would be required to submit the individual's request to Discloser, as identified by the individual.
The HITECH Act right of an individual to direct an electronic copy of their PHI in an EHR to a third party does not limit the type of entity that may be designated as a third party recipient. As such, covered entities already are potential third party recipients under the right of access, if designated as such by an individual. Under this proposal, a Requester-Recipient would be required to assist an individual in submitting their request for Discloser to direct PHI in an EHR maintained by or on behalf of the Discloser to Requester-Recipient; however, the Department does not propose to change any obligations of the Requester-Recipient once it receives the PHI. For example, the Privacy Rule does not require that a covered health care provider retain PHI it receives about individuals, and the Department does not propose to change this. While Requester-Recipient might be subject to a records retention requirement under state law, its obligations with respect to PHI it receives as a designated third party would be no different under this proposal than its existing obligations when it receives ePHI from other health care providers,
In summary, the proposed requirement offers a second mechanism (in addition to the permitted disclosure for TPO) for a covered health care provider or health plan to obtain an electronic copy of PHI in an EHR from another covered health care provider through a required disclosure initiated by an individual's exercise of the right of access. This requirement differs from the scenario in which, for example, one provider queries a health information system or health information exchange (HIE) for records from another provider pursuant to an applicable disclosure
The Department's proposal would require that Requester-Recipient submit such access requests to Discloser on behalf of the individual as soon as practicable, but no later than 15 calendar days after receiving the individual's direction and any information the Requester-Recipient needs to submit the access request to Discloser. For example, Discloser may need the name and birthdate of the individual, as well as the name of the Requester-Recipient, a link to a secure electronic document exchange portal, or a physical address where the Discloser may deliver electronic media. The time limit for Requester-Recipient to submit an individual's access request to Discloser would be distinct from covered entities' obligations to provide copies in response to an individual's access request, and a 15 calendar day extension would not be available to Requester-Recipient when submitting the request. Pursuant to the access right to direct an electronic copy of PHI in an EHR to a third party, Discloser would be required to provide the requested electronic copy to Requester-Recipient according to the shorter time proposed for all access requests when the individual directs the information to a third party under 45 CFR 164.524(d)(5) (“as soon as practicable, but not later than 15 calendar days after receiving the request”), provided that the request is clear, conspicuous, and specific. The proposal would permit one 15 calendar day extension under the same conditions described above with respect to the Discloser fulfilling other access requests. Thus, Requester-Recipient would be required to submit an individual's clear, conspicuous, and specific request to Discloser within 15 calendar days of receipt of the request from the individual, and Discloser would then be required to respond by providing the electronic copy to Requester-Recipient, in accordance with proposed 45 CFR 164.524(d)(7).
As explained above with respect to requests to direct electronic copies of PHI in an EHR to a third party, individuals may choose to use an internet-based method, such as a personal health application, to ask Requester-Recipient to submit a request to Discloser to transmit an electronic copy of the individual's PHI in an EHR to Requester-Recipient, so long as it is “clear, conspicuous, and specific.” The Department welcomes comments on whether a Requester-Recipient should be permitted to refuse to submit a request for an individual in some circumstances (
The Department also seeks comments on approaches it may take to clarify that the Privacy Rule permits covered entities to use HIEs to make “broadcast” queries on behalf of an individual to determine which covered entities have PHI about the individual and request copies of that PHI. Section 164.506(c)(1) permits a covered entity to disclose PHI for its own health care operations purposes, including customer service activities, which could include forwarding an access request to other providers using a trusted exchange network. The Department is considering approaches to clarifying this permission to enhance the right of access and seeks comment on how to do so effectively.
The Department's proposal regarding individual-directed disclosures of PHI in an EHR among certain covered entities would strengthen and clarify the individual's ability to direct the sharing of such PHI. The proposed changes are not intended to replace or frustrate prompt transfers of PHI and ePHI that covered health care providers and health plans already make voluntarily for purposes of treatment, payment, and health care operations. Instead, as was urged by commenters on the 2018 RFI, the proposed changes would require covered entities to submit certain requests for PHI and require covered health care providers to make certain disclosures, pursuant to the exercise of the individual's right to access. This mechanism creates a new required disclosure to covered entities, but in a manner that respects individual preferences and control over the disclosure of PHI through his or her exercise of the right of access.
Finally, parallel to the proposal with respect to the individual right to obtain copies of PHI (and discussed in III.a.4), the Department proposes to require covered entities to inform individuals about their right to direct the requested electronic copies of PHI in an EHR to designated third parties when a covered entity offers to provide a summary in lieu of the requested copies of PHI in 45 CFR 164.524(d)(4)(ii). Consistent with the earlier proposal, the new requirement would not apply when the covered entity offers a summary because it is denying the request for a copy on unreviewable or reviewable grounds, in which case the covered entity must implement the required procedures for such denial.
The Privacy Rule allows covered entities to charge a reasonable, cost-based fee to fulfill access requests from individuals for copies of their PHI. Section 45 CFR 164.524(c)(4) limits the allowable fees to the costs of (i) labor for copying (whether the PHI is in paper or electronic form), (ii) supplies for creating the paper copy or electronic media if requested, (iii) postage, and (iv) preparing any agreed-upon summary or explanation of the requested PHI. Section 13405(e) of the HITECH Act expands the individual right of access to include the right to direct an electronic copy of PHI in an EHR to a third party. Because the HITECH Act expressly placed the new right within 45 CFR 164.524, the long established right of access, the Department interpreted the 2013 Omnibus Rule as applying the component parts of the existing access right to the new type of access right. This interpretation applied the limitation on fees that covered entities may charge individuals exercising the access right. However, the Department first explained its interpretation in the 2016 Access Guidance, not the 2013 Omnibus Rule. As a result, the
The Department proposes to modify the access fee provisions to establish a fee structure with two elements based on the type of access request. The first element describes categories of access for which covered entities cannot charge a fee. The second element describes the allowable costs that may be included when an access fee is permitted. The modified fee provisions will be separately located within the enumerated sections for the individual right to inspect and obtain copies of PHI and for the right to direct electronic copies of PHI in an EHR to third parties, as summarized below.
(1) Always free of charge (
(a) an individual inspects PHI about the individual in person, which may include recording or copying PHI in a designated record set with the individual's own device(s) or resource(s).
(b) an individual uses an internet-based method to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity. This includes, for example, access obtained by an individual through the covered entity's certified health IT (
(2) A reasonable, cost-based fee, in proposed 45 CFR 164.524(c)(4)(i), provided that the fee includes only the cost of:
(a) Labor for copying the PHI requested by the individual in electronic or non-electronic (
(b) Supplies for making non-electronic copies;
(c) Actual postage and shipping for mailing non-electronic copies; and
(d) Preparing an explanation or summary of electronic or non-electronic PHI, if agreed to by the individual as provided in paragraph (c)(2)(iii) when an individual requests an electronic or non-electronic copy of PHI about the individual through a means other than an internet-based method.
Under proposed 45 CFR 164.524(d)(6), a reasonable, cost-based fee for an access request to direct a covered health care provider to transmit an electronic copy of PHI in an EHR to a third party through other than an internet-based method, provided that the fee includes only the cost of:
(a) Labor for copying the PHI requested by the individual in electronic form; and
(b) Preparing an explanation or summary of the electronic PHI, if agreed to by the individual as provided in paragraph (d)(4).
This category would apply to requests for a copy of PHI that cannot be fulfilled through an automated process. For example, requests to copy PHI in an EHR onto electronic media and mail it to a physical address would fall within this category.
A summary of how different types of access and recipients of the PHI would affect the proposed allowable access fees is outlined in the chart below.
The proposed approach, described in further detail below, also would allow covered entities to recoup their costs for handling certain requests to send copies of PHI to third parties, while ensuring that covered entities do not profit from disclosures of PHI made at the individual's request.
As noted above, the current Privacy Rule permits a covered entity to impose a reasonable, cost-based fee for providing copies of PHI that may include only the cost of labor for copying the PHI requested; supplies for creating the copy (
Based on its beliefs regarding likely costs, the Department proposes to expressly require that covered entities allow an individual to exercise the access right to inspect their PHI in person without charging a fee.
The Department requests comment on any new costs that covered entities would likely incur when providing individuals with opportunities to
The Department believes that access through an internet-based method likely occurs without involvement of covered entity workforce members, and thus believes that the covered entity likely incurs no allowable labor costs or expenses. The Department requests comment on its view of the costs of providing access through an internet-based method, including any internet-based methods described in the ONC Cures Act Final Rule.
Based on its views regarding costs, and to further the policy goal of removing unnecessary barriers to individuals' exercise of the right of access, the Department proposes to prohibit covered entities from charging a fee to provide access through an internet-based method, as described below. While covered entities currently use patient portals and APIs to provide individuals and/or their designated third party recipients with electronic access, the Department proposes that the term “internet-based method” would apply to portals and APIs, as well as similar successor technologies. The Department does not intend free access to apply to situations where the individual is simply using an online portal to submit a request for copies of PHI to be sent to him or her in a manner that would require the covered entity to incur allowable costs for supplies, postage, or labor for copying.
When providing copies of PHI to an individual, covered entities would remain subject to the current access fee limits.
The Department understands that such methods may require special effort on the part of the covered entity, which may include, for example, copying PHI onto electronic media and mailing it to the individual or, under some circumstances, using the export functionality of certified EHR technology to transmit ePHI.
In response to the
Section 13405(e) of the HITECH Act created a new way for an individual to exercise the right of access by choosing to send a copy of PHI to a third party, and thus changed the assumptions previously expressed in the 2000 Privacy Rule that disclosures at the individual's initiation are made only to the individual, while disclosures to third parties are always initiated by others. For example, the 2000 Privacy Rule preamble contrasted the limited fees to provide PHI “for individuals” based on the individual's request with fees allowed for “the exchange of records not requested by the individual”
Under this proposal, the allowable fees would include, for example, the labor involved in transferring electronic copies of PHI from an EHR onto electronic media when requested by the individual, but would exclude the costs of the electronic media, the labor involved in shipping or mailing the media, and the costs of shipping or postage. Additionally, as under the current rule, a covered entity would be permitted to charge for the costs of preparing a summary or explanation of the requested PHI to be directed to a third party as agreed to by the individual in advance. With these proposed changes, individuals would rely on a valid authorization to send non-electronic copies of PHI in an EHR, or electronic copies of PHI that is not in an EHR, to third parties. Covered entities responding to requests based on an authorization would not be subject to the access fee limitations; however, the fees would remain limited by the Privacy Rule's provisions on the sale of PHI
Although covered entities would be restricted from recouping some costs that are allowed under the current rule, the effect of limiting the right to direct PHI to a third party to only electronic copies of PHI in an EHR would significantly reduce covered entities' burdens by increasing the number of requests based on an authorization. For example, many states have laws permitting health care entities to impose fees for providing copies of medical records that may be higher than the Privacy Rule allows. The states, for example, may permit covered entities to charge for costs other than supplies, labor for copying, and postage, or may establish a per page fee in excess of what the Privacy Rule allows. However, under the current Privacy Rule, when an individual exercises his or her access right, including when directing an electronic or non-electronic copy of PHI to any third party, covered entities are not permitted to impose higher fees for copies of PHI that may be permitted by state law.
The Department anticipates that no fees would be charged when an individual uses an internet-based method to direct an electronic copy of PHI in an EHR to any third party, when an individual uses such a method to direct a covered health care provider or health plan to submit an access request to another covered health care provider, or when an individual submits a request through a health care provider or health plan to other providers and plans using such method. The rationale for this understanding is the same as discussed above in relation to the individual right to access or obtain copies of PHI available via an internet-based method—that there are no associated costs incurred by the covered entity for responding to the specific request. The Department requests comment on whether the assumption that no costs will be incurred to provide access using an internet-based method applies to each of the internet-based access scenarios described in this paragraph.
As a consequence of the proposed limits on the right to direct transmission of electronic copies of PHI in an EHR, covered entities would be permitted to charge less restricted fees when fulfilling requests to send non-electronic copies of PHI in an EHR, or electronic copies of PHI that is not in an EHR, to third parties, because these requests would no longer be within the right of access.
The Department does not propose to change how covered entities currently charge for disclosing records to health plans and providers. It is the Department's understanding that frequently there is no charge for permitted disclosures of PHI to another covered entity for core health care activities such as treatment, payment, or health care operations. This proposal is not intended to cause covered entities to begin charging fees for such disclosures, but to recognize individuals as the center of their own health care and empower individual-initiated transfers of electronic copies of PHI in an EHR.
To increase an individual's awareness of the cost of copies of PHI, and to make the access fee requirements more uniform, the Department proposes to add a new subsection 525 to 45 CFR 164 to require covered entities to provide advance notice of approximate fees for copies of PHI requested under the access right and with an individual's valid authorization. Readily available public information about access fees would also serve to promote compliance with the Privacy Rule because covered entities will want to avoid posting fee schedules that show noncompliance with fee limitations,
With respect to fee schedule availability at the point of service, the Department would expect that a covered health care provider would make the fee schedule available upon request, in paper or electronic form, at the point of care or at an office that is responsible for releasing medical records, as well as orally (
Additionally, the Department proposes to require that covered entities provide an individualized estimate to an individual of the approximate fees to be charged for the requested copies of PHI, upon request. The Department would expect that the covered entity would provide the individualized estimate upon request and within the initial time (or in many cases sooner) in which the covered entity has to fulfill the access
The Department also proposes in 45 CFR 164.525 to require covered entities to provide, upon an individual's request, an itemization of the charges for labor for copying, supplies, and postage, as applicable, which constitute the total fee charged to the individual for copies of PHI.
The Privacy Rule does not prohibit a covered entity from requiring individuals to pay a fee for copies of PHI “upfront” before receiving such copies. The Department does not propose to amend the Privacy Rule to require covered entities to fulfill the requests of individuals (by providing copies of PHI) before fees are paid. However, because the Department believes that providing individuals with access to their health information is an important component of delivering and paying for healthcare, the Department continues to encourage covered entities that charge fees for copies of PHI to waive fees or provide flexibility in payment (such as delaying charges or accepting payment in installments, without delaying the provision of copies) for individuals who are unable to pay upfront due to an emergency or a lack of resources.
Finally, an individual's request for a fee estimate under this proposal would not automatically extend the time permitted for covered entities to provide copies of PHI under the right of access; however, a covered entity would have the ability to inform the individual if one 15-day extension is needed.
The Department proposes to insert clarifying language in 45 CFR 164.502(a)(4)(ii), which currently requires business associates to provide copies of PHI to covered entities, individuals, or individuals' designees, to satisfy the covered entity's obligations under the right of access. To clarify when a business associate must disclose PHI and to whom, the proposal would specify that a business associate is required to disclose PHI to the covered entity so the covered entity can meet its access obligations. However, if the business associate agreement provides that the business associate will provide access to PHI in an EHR directly to the individual or the individual's designee, the business associate must then provide such direct access. This proposed clarification is consistent with the preamble discussion on this topic in the 2013 Omnibus Rule
The Department seeks comment on the foregoing proposals, including any benefits or unintended consequences, and the following considerations in particular:
a. Whether the Department's proposed definition of EHR is too broad, given the context of the HITECH Act, such that the definition should be limited to clinical and demographic information concerning the individual.
b. Whether an electronic record can only be an EHR if it is created or maintained by a health care provider, or whether there are circumstances in which a health plan would create or maintain an EHR.
c. Whether the Department should instead define EHRs to align with the scope of paragraphs (1)(i) and (2) of the definition of designated record set.
d. Whether the proposed definition of EHR includes PHI outside of an electronic designated record set, whether it should, and examples of such PHI.
e. Whether the proposed interpretation of “health care clinicians and staff” as it relates to the proposed EHR definition is appropriate, too broad, or too narrow, and in what respects.
f. Should “health care clinicians and staff” be interpreted to mean all workforce members of a covered health care provider? What are the benefits or adverse consequences of such an interpretation? Does the same interpretation apply regardless of whether the provider has a direct treatment relationship with individuals, and why or why not?
g. Are there other health care industry participants that have access to or maintain EHRs that should be explicitly recognized in the definition of EHR or that OCR should consider when establishing such a definition?
h. Whether EHR should be defined more broadly to include all ePHI in a designated record set, and benefits or drawbacks of doing so.
i. Should the definition of EHR for Privacy Rule purposes be aligned with other Department authorities or programs related to electronic health information? If so, which ones and for what purposes?
j. Any other effects, burdens, or unintended consequences of the proposed definition of EHR or of including a definition for EHR in the Privacy Rule.
k. What types of activities should be encompassed in the terms “managed,” “shared,” and “controlled” in the proposed definition of personal health application, and whether other terms would improve the clarity of the definition.
l. State laws or other known legal restrictions that might affect the ability of individuals to take photos of or otherwise capture copies of their PHI in a designated record set.
m. The frequency with which covered entities currently receive requests to inspect PHI in person, and estimated annual costs to covered health care providers and health plans of fulfilling such requests.
n. Whether a time limit shorter than 15 calendar days for a covered entity to submit, or respond to, an individual's access request would be appropriate. The Department seeks comment on time limits for covered entities to respond to access requests, requests to direct electronic copies of PHI in an EHR to a third party, and requests to submit a request to another provider on behalf of the individual. The Department welcomes data on the burdens and
o. Whether a covered health care provider should be required to inform an individual who requests that PHI be transmitted to the individual's personal health application of the privacy and security risks of transmitting PHI to an entity that is not covered by the HIPAA Rules. What are the benefits or burdens of different approaches? For example: Accepting the individual's judgment without requiring covered entities to provide education, notice, or warning; requiring a covered entity to provide a warning verbally and/or electronically at the time the individual requests transmission of PHI to a personal health application; providing education about the application developer's privacy and security policies and practices through an automated attestation and warning process; or adding information about risks to PHI disclosed to a personal health application in the covered entity's NPP.
p. The Department also invites comment on whether to apply any potential education, notice, or warning requirement to only health care providers or also to health plans. Whether the Department should consider requiring a covered health care provider or health plan to provide any specific educational or advisory language to individuals who may choose to share their PHI with other individuals through applications that are not regulated by the Privacy Rule.
q. Whether the Department should specify in regulatory text that if a Requester-Recipient discusses the request with the individual (
r. Whether any federal or state law time limit shorter than 15 calendar days that applies to disclosures of PHI to a third party (
s. Whether and how a covered entity should be required to implement a policy for prioritizing urgent or otherwise high priority access requests, so as to minimize the use of the 15-calendar-day extension. Would there be unintended adverse consequences of such a requirement—
t. Any benefits or drawbacks of the proposal to require a covered entity to act on an oral access request to either direct an electronic copy of PHI in an EHR to a third party or direct a covered entity to submit such a request, provided the oral communication is clear, conspicuous, and specific.
u. Whether there would be unintended consequences for the covered entity that has received PHI as a result of a request that was made to another covered entity by an individual.
v. “Clear, conspicuous, and specific” is a statutory standard
w. Whether the Department should specify any bases for a Requester-Recipient to deny an individual's request to submit an access request to a Discloser, for example, if the requested disclosure is prohibited by state or other law or if the Requester-Recipient already has the information.
x. Whether there are certain types of individual requests to submit an access request to a Discloser that would place an undue burden on the Requester-Recipient, such as submitting large numbers of requests to multiple Disclosers, or other factors affecting the potential burden on or benefit to a Requester-Recipient.
y. Whether a covered health care provider or health plan that uses an HIE to make a broadcast query to identify other HIE participants that have PHI about that individual, and that requests the PHI on behalf of an individual, should be considered to be making a permissible disclosure of PHI for customer service or other administrative or management activities that are part of the covered health care provider or health plan's health care operations.
z. Information from individuals and covered entities about how covered entities currently respond to “imperfect” requests to send PHI to a third party (
aa. Whether the term “internet-based method” or alternative terms adequately describe online patient portals, mobile applications, APIs, and other related technologies. If there are unintended consequences associated with using such broad terminology, are there ways in which any unintended adverse effects could be minimized?
bb. Should the Privacy Rule prohibit covered entities from charging fees for copies of PHI when requested by certain categories of individuals (
cc. Whether the Privacy Rule should prohibit covered entities from denying requests to exercise the right of access to copies of PHI when the individual is unable to pay the access fee. If so, how should a covered entity determine when an individual is unable to pay?
dd. The fees (if any) that covered entities currently charge when sending records to another provider or covered entity at the request of an individual.
ee. What fees, if any, are charged for disclosures among covered entities made at the request of the entities?
ff. How covered entities currently treat access requests that involve converting non-electronic PHI into an electronic format, the fees that are charged for such requests, and how that compares to fees charged for similar requests for copies of PHI made by a third party with an individual's valid authorization.
gg. How the proposals to narrow the access right to direct PHI to third parties to electronic copies of PHI in an EHR will affect fees for copies of PHI.
hh. How covered entities currently calculate reasonable, cost-based fees for copies of PHI under the right of access. For example, OCR's 2016 Access Guidance offered three illustrative methods for calculating allowable access fees: (1) Actual labor costs for copying, plus supplies and postage; (2) average labor costs for copying, plus supplies and postage; and (3) a flat fee of $6.50 for electronic copies of ePHI, inclusive of labor, supplies, and any
ii. Comment on whether the Department should specify one or more of the three methods listed above, or another method, in the regulatory text as the exclusive acceptable method of calculating access fees. This NPRM does not propose to require any particular method of calculation; however, the Department requests comment on the benefits and burdens of doing so. The Department also requests comment on the reasonableness of the $6.50 flat fee for electronic copies of PHI maintained electronically, and whether another flat rate would be more appropriate. Finally, the Department requests comment on whether other methods of calculating fees should be required in regulation or offered as options in guidance.
jj. Whether the Department should establish in regulation a separate required timeframe for covered entities to respond to individuals' requests for access fee estimates or an itemized list of charges, and what timeframe(s) would be appropriate, and whether the time to respond to a request for access should be tolled pending an individual's confirmation that it desires the requested information given the fee estimate.
kk. Whether there should be a legal consequence to covered entities for the bad faith provision of an incorrect estimate of fees for access and authorization requests, and if so, what actions should be considered evidence of bad faith sufficient to subject a covered entity to potential penalties.
ll. More information from covered entities and individuals about their experiences with records requests (including when made at the direction of the individual or with an individual's valid authorization) and any unintended consequences that may result from the Department's proposals.
mm. What are commonly available electronic forms and formats that covered entities and business associates generally provide to individuals or third parties? How many requests per month for electronic copies of PHI on electronic media do covered entities and business associates receive from individuals? How many requests per month are received for electronic copies provided through internet-based methods? How long does it take to fulfill each type of request?
nn. Do individuals or third parties ever receive requested PHI in unreadable electronic forms and formats? What are those forms and formats, and do covered entities or business associates provide another form and format if they are told the first copy of PHI they provided is unreadable or unusable?
Section 45 CFR 164.514(h) of the Privacy Rule generally requires a covered entity to take reasonable steps to verify the identity of a person requesting PHI before disclosing the PHI to help ensure that unauthorized persons do not obtain an individual's PHI.
As OCR has explained in guidance,
Despite OCR's guidance explaining the Department's interpretation of the verification and individual access provisions in 45 CFR 164.514(h) and 164.524,
To address these ongoing challenges and barriers to an individual's access to their health information, the Department proposes to modify paragraph (2)(v) of 45 CFR 164.514(h) to expressly prohibit a covered entity from imposing unreasonable identity verification measures on an individual (or his or her personal representative) exercising a right under the Privacy Rule. In addition, the Department proposes to clarify within the regulatory text that unreasonable verification measures are those that require an individual to expend unnecessary effort or expense when a less burdensome verification measure is practicable for the particular covered entity. Unreasonable measures would include requiring individuals to obtain notarization of requests to exercise their Privacy Rule rights and requiring individuals to provide proof of identity in person when a more convenient method for remote verification is practicable for the covered entity. The Department would consider the application of the practicability standard for verification measures to encompass considerations related to an entity's fulfillment of its Security Rule obligations including its size, complexity and capabilities; its technical infrastructure, hardware, and software security capabilities; the costs of security measures related to verification and implementing measures that may be more convenient for individuals; and the probability and criticality of potential risks to ePHI in the covered entity's systems.
As explained above, the Department proposes to clarify that a covered entity that implements a requirement for individuals to submit a request for access in writing would not be permitted to do so in a way that imposes unreasonable burdens on individuals. The proposed change to prohibit a covered entity from implementing unreasonable identity verification requirements complements the first proposal to ensure that an individual is afforded as much flexibility as reasonable when accessing his or her own records. In contrast, a covered entity that is responding to an individual's request to direct an electronic copy of ePHI in the covered entity's EHR to a third party must do so if the oral or written request is clear, conspicuous, and specific. The Department assumes that a covered entity holding records of an individual in an EHR has necessarily established a treatment relationship with such individual, and therefore, imposing additional verification requirements is unnecessary. The Department seeks comments on this assumption.
Consistent with the verification provisions described above, unreasonable measures for submitting an access request in writing would be measures that impede the individual from obtaining access when a measure that is less burdensome for individuals is practicable for the particular covered entity. For example, requiring individuals to complete a form with only the limited information needed for the entity to provide access would be considered reasonable because it only requests information necessary for verification and does not require the individual to expend unnecessary effort. In contrast, requiring individuals to fill out a form with the extensive information contained in a HIPAA authorization form may impose an unreasonable burden on individuals. In addition, while covered entities are encouraged to provide individuals with the option to submit access requests through online portals, it generally would be unreasonable for a covered entity to require that requests for access be made only through the covered entity's online portal, depending on factors such as the covered entity's analysis of security risks to ePHI.
The Department's view is that, under the Privacy Rule access requirements, covered entities generally must allow every application that seeks to register with the API in order to provide access for an individual to do so, assuming that it is practicable for the covered entities and absent any Security Rule concerns.
The Department recognizes that due to the variety of circumstances of individuals and entities, a given measure to complete identity verification or request access, such as using an online portal, may be convenient for some individuals and burdensome for others, and practicable for some entities but not for others. Due to this variability, the Department does not propose to require that covered entities implement any particular measure, nor require covered entities to analyze and adopt the least burdensome measure possible for each individual. Further, the Department does not intend to impede the ability of covered entities to comply with any applicable federal or state law provisions that provide greater privacy or security protections related to verification of identity to access medical records, provided that the identity verification measures used and the manner in which they are implemented do not impose unreasonable burdens on an individual's exercise of the right of access.
The Department requests comments on the above proposal, including:
a. Please describe any circumstances in which individuals have faced verification barriers to exercising their Privacy Rule rights, as well as examples of verification measures that should be encouraged as convenient and practicable, in comparison to those that should be prohibited as per se unreasonable. Please also describe any circumstances related to unreasonable verification measures imposed on third parties to whom an individual directs a copy of PHI.
b. What verification standard should apply when a covered health care provider or health plan submits an individual's access request to another covered health care provider or health plan? Specifically, should the covered entity that holds the requested PHI be required to verify the identity and authority of the covered entity that submitted the request, but be permitted to rely on the requesting entity's verification of the identity of the individual (or personal representative)?
c. How could or should covered entities consider the costs of implementation when evaluating whether a verification method is practicable?
d. Whether the proposal would support individuals' access rights by reducing the verification burdens on individuals, and any potential unintended adverse consequences.
e. Whether a different identity verification standard should apply when an individual requests access, as compared to when a personal representative requests access on the individual's behalf.
f. Examples of state law identity verification requirements that apply when a covered entity provides PHI to an individual or personal representative, or fulfills an individual's request to direct a copy of PHI to a third party. Please provide input on whether any state law identity verification requirements create a barrier to or unreasonably delay an individual's exercise of the right of access in a manner that should be considered inconsistent with the Privacy Rule.
The Privacy Rule expressly permits certain uses and disclosures of PHI, without an individual's valid authorization, for treatment and certain health care operations, among other important purposes.
The preamble to the 2000 Final Privacy Rule states that certain activities “may be considered either health care operations or treatment, depending on whether population-wide or patient-specific activities occur, and if patient-specific, whether the individualized communication with a patient occurs on behalf of a health care provider or a health plan. For example, a telephone call by a nurse in a doctor's office to a patient to discuss follow-up care is a treatment activity. The same activity performed by a nurse working for a health plan would be a health care operation.”
Despite this guidance published in the preamble to the 2000 Privacy Rule,
While the 2018 RFI did not specifically request comment on the definitions of treatment or health care operations, both of which include care coordination activities, some covered entities expressed uncertainty regarding whether the use or disclosure of PHI for a particular care coordination or case management activity is permitted as part of treatment, health care operations, both, or neither. Some covered entities reported that, due to uncertainty about which provisions apply in certain circumstances, they do not request or disclose PHI even when doing so would support coordinated care and the transformation of the health care system to value-based care.
The Department proposes to clarify the definition of health care operations in 45 CFR 164.501 to encompass all care coordination and case management by health plans, whether individual-level or population-based. The proposal would provide clarity to covered entities and individuals regarding which Privacy Rule standards apply to which care coordination and case management activities, and thereby facilitate those beneficial activities. The clarification also would complement and enhance the proposal in this NPRM to modify the minimum necessary standard to promote uses and disclosures for care coordination and case management for treatment or health care operations by covered health care providers and health plans. The Department believes that, as drafted, the placement of commas separating the list of activities following the term “population-based activities” permits the interpretation that the term “population-based activities” modifies (
The Department believes this change in punctuation would clarify that health care operations encompasses all care coordination and case management activities by health plans and covered health care providers, whether population-based or focused on particular individuals, and thus would increase the likelihood of these entities' using and disclosing PHI for such beneficial activities.
The Department requests comments on the benefits and costs of clarifying the definition of health care operations, including information on how, if at all, this clarification would affect covered
The Privacy Rule generally requires that covered entities use, disclose, or request only the minimum PHI necessary to meet the purpose of the use, disclosure, or request.
The Privacy Rule's minimum necessary requirements are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity and to avoid creating unnecessary barriers to information sharing for permitted purposes. Accordingly, the minimum necessary standard gives a covered entity that receives a request for PHI from another covered entity (and certain non-covered entities) the ability to rely on the requestor's assessment of what it needs, if such reliance is reasonable under the circumstances.
The minimum necessary standard also includes important exceptions to facilitate the provision of health care to individuals. Most importantly, the minimum necessary standard does not apply to disclosures to, or requests by, a health care provider for treatment purposes
The Privacy Rule also permits certain uses and disclosures of PHI for care coordination and case management that are considered health care operations activities, and thus are subject to the minimum necessary standard.
Finally, under the Privacy Rule, because health plans generally do not perform treatment functions, any care coordination or case management activity conducted by a health plan generally is a health care operation subject to the minimum necessary standard.
In the 2018 RFI, the Department requested public input on whether it should expand the exceptions to the minimum necessary standard to include uses and disclosures for additional activities related to care coordination and case management.
Many commenters supported expanding the exceptions to the minimum necessary standard for care coordination and case management. These commenters stated that such an expansion would allow providers to better coordinate and manage patient care across systems and delivery models. Some health care professionals who supported additional exceptions expressed concern that their interpretation of “necessary” might not be correct, and that they would be “punished” under the existing standard for an impermissible use or disclosure of PHI. Some commenters reported that this uncertainty about compliance requirements creates fears that may result in less information sharing, and
In contrast, over half of the responsive commenters opposed adding exceptions to the minimum necessary standard. Many commenters expressed strong concerns that a broader exception could undermine patient privacy or lead to unspecified harm to patients, some specifically noting that the minimum necessary standard is the only requirement for covered entities to consider what information is reasonably needed for their purpose before making a request, use, or disclosure. Others asserted that if health care operations activities were excepted from the standard, there would be no clear boundaries and covered entities likely would disclose entire patient records to each other, when convenient, without effective limit. In addition, some covered health care provider commenters expressed fear of an increase in requests for large volumes of data that would overwhelm their capacity.
To consistently promote permissible disclosures of PHI for care coordination and case management, the Department proposes to add an express exception to the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management.
Health plans and covered health care providers would continue to be responsible for meeting the minimum necessary requirements that apply to: (1) Disclosures of PHI for health care operations other than individual-level care coordination and case management; (2) disclosures of PHI for care coordination and case management to most entities other than health care providers and health plans, such as social services agencies or transitional supportive housing authorities; (3) uses of PHI for care coordination and case management, whether as part of treatment or health care operations; and (4) uses, requests, and disclosures of PHI for other purposes, including all population-based activities, when applicable.
This proposal would relieve covered entities from the requirement to make determinations about the minimum information necessary when the request is from, or the disclosure is made to, a covered health care provider or health plan to support individual-level care coordination and case management activities. The proposal would also remove the disincentive to disclose and request PHI to support care coordination and case management based on uncertainty about applicable permissions and fear of being subject to penalties for noncompliance resulting from such uncertainty. For example, when a health plan requests a disclosure for care coordination or case management to facilitate an individual's participation in the plan's new wellness program, a requesting health plan or covered health care provider would be relieved of the responsibility for determining the minimum necessary amount of PHI for the purpose and the disclosing health plan or covered health care provider would be relieved of the responsibility of assessing whether reliance on the health plan's determination of the minimum necessary PHI for its purpose is reasonable under the circumstances. As another example, when a covered health care provider contacts a health plan to coordinate potential mental health treatment referrals for a patient, the provider would not need to consider what information is the minimum necessary to disclose to the health plan for this purpose. In fact, the ONC Cures Act Final Rule would prohibit a health care provider from limiting a permissible disclosure to what the provider believes to be the minimum necessary information when the Privacy Rule specifically excepts the disclosure from the minimum necessary standard. However, the provider still could honor an individual's request for restrictions on disclosures of PHI,
This proposed exception would enable health plans and covered health care providers to more easily and efficiently request and disclose PHI for care coordination and case management for individuals, and would complement the proposal in this NPRM to create an express permission for covered entities to disclose PHI for care coordination and case management, which is described below.
The Department requests comments on the above proposal, and the following considerations in particular:
a. Would the proposed exceptions improve the ability of covered entities to conduct care coordination and case management activities? Why or why not? Please provide any cost or savings estimates that may apply both on the entity level and across the health care system.
b. Please provide examples of particular care coordination or case management activities that would be furthered or impeded by this proposal.
c. Please describe any unintended negative consequences of the proposed changes for the privacy of PHI or the health information rights and interests of individuals. Would there be any negative impact, in particular, on certain populations (
d. Would the proposed changes have similar or different effects on the activities of health plans versus health care providers? Are there unintended consequences for other ancillary providers including social services agencies, community based organizations, and HCBS providers? Please describe.
e. What alternative regulatory modifications or clarifying guidance might achieve the same or greater improvements in care coordination or case management?
f. A health care provider that refused to disclose PHI would not be considered to be information blocking when a state or federal law requires one or more preconditions for providing access, exchange, or use of electronic health information and the precondition has not been satisfied.
g. Some disclosures for payment purposes with respect to an individual's health care are related to care coordination and case management (
h. Please provide additional examples of circumstances in which it should be considered reasonable, or unreasonable, to rely on the representations of another entity that it is requesting the minimum necessary PHI.
Section 45 CFR 164.506 sets forth the permissible uses and disclosures of PHI to carry out TPO. Section 45 CFR 164.506(b)(1) permits, but does not require, covered entities to obtain an individual's consent to use or disclose their PHI for TPO purposes,
A health care provider may disclose a patient's PHI for treatment purposes without having to obtain the authorization of the individual. Treatment includes the coordination or management of health care by a health care provider with a third party. Health care means care, services, or supplies related to the health of an individual. Thus, health care providers who believe that disclosures to certain social service entities are a necessary component of, or may help further, the individual's health or mental health care may disclose the minimum necessary PHI to such entities without the individual's authorization. For example, a provider may disclose PHI about a patient needing mental health care supportive housing to a service agency that arranges such services for individuals.
The guidance explains the circumstances in which the Privacy Rule permits a covered health care provider to disclose PHI about an individual to a third party when the third party is part of the broader health treatment plan, or participating in the coordination of care, for an individual.
Under the Privacy Rule, a covered health care provider is able to make a disclosure for treatment purposes of an elderly or disabled patient by disclosing PHI to a home and community based services (HCBS)
Despite the guidance on this topic, OCR has heard that many covered entities make disclosures to third parties that are commonly referred to as social services agencies and community based organizations, and to HCBS providers, only after obtaining a valid authorization from the individual. Similarly, some covered entities never disclose PHI to these health-related service providers, even when a treating provider specifies the service as part of a treatment plan or when it would enable the covered health care provider's treatment of the individual across a care continuum (
The 2018 RFI requested comments on whether the Department should modify the Privacy Rule to clarify the scope of and eliminate any confusion about a covered entity's ability to disclose PHI to third parties, such as social services agencies, community based organizations, and HCBS providers,
Some supportive commenters urged the Department to clarify the permissions for covered entities by modifying the regulation text to reduce any confusion on the part of covered entities about their ability to disclose
Some health plan commenters stated that an express regulatory permission for covered entities to disclose PHI to social services agencies for care coordination and case management purposes would be helpful, but recommended placing some limits on the permission, such as only permitting disclosures with patient consent. Several health plans described the care coordination and case management activities they would like to provide to their plan members, including working closely with community based organizations and/or multi-disciplinary teams to address the social determinants of health, without first receiving the individual's valid authorization; and coordinating comprehensive wraparound services, including clinical and behavioral health care, social services, and patient advocates to support certain populations, such as people experiencing SMI or SUD. The Department finds the comments by health plans to be persuasive in demonstrating the need to propose an express permission to disclose PHI for individual-level care coordination and case management activities that constitute health care operations.
Not all commenters supported addressing disclosures to third parties including social services agencies, community based organizations, and HCBS providers through rulemaking. Some correctly stated that covered health care providers already are permitted to make such disclosures, and therefore the commenters did not believe a change in the regulation was needed. Others specifically opposed expanding disclosures to any law enforcement entity that may be part of a multi-disciplinary team, expressing concern that law enforcement intrusions into health records can deter patients from seeking needed care, especially if law enforcement has broad access to SUD treatment information.
The Department proposes to modify 45 CFR 164.506(c) to add a new subsection 164.506(c)(6). This new subsection would expressly permit covered entities to disclose PHI to social services agencies, community based organizations, HCBS providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management, either as a treatment activity of a covered health care provider or as a health care operations activity of a covered health care provider or health plan. Under this provision a health plan or a covered health care provider could only disclose PHI without authorization to a third party that provides health-related services to individuals; however, the third party does not have to be a health care provider. Instead, the third party may be providing health-related social services or other supportive services—
The Department notes that there may be instances in which some disclosures for care coordination and case management, for treatment or health care operations, will be made to business associates engaged by a covered entity, such as a health plan, to provide health-related services to an individual, or that relate to an individual's health care, on behalf of the plan. In such cases, the covered entity must have a HIPAA-compliant business associate agreement in place prior to disclosing the PHI for this purpose. In other cases, the entity receiving the PHI will be providing health-related services on its own behalf, and not performing covered activities or functions for or on behalf of the disclosing covered entity. In the latter situation, a business associate agreement is not required, because the entity receiving the PHI does not meet the definition of a business associate.
The express permission for disclosures to these third party entities is being proposed primarily to facilitate the treatment and health care operations of the disclosing covered entities in cases where a disclosure will serve the health care or health-related needs of individuals. The Department's understanding is that, in general, the third party entities receiving PHI under this proposed permission would not be covered entities and thus, the PHI disclosed to them would no longer be protected by the HIPAA Rules. However, because some of these third party recipients of PHI may be health care providers or covered health care providers under HIPAA,
Although the Department believes that such disclosures generally are permitted under the existing Privacy Rule for treatment or certain health care operations, this additional, express regulatory language would provide greater regulatory clarity, and help ensure that covered entities are able to disclose PHI to coordinate care for individuals with social services agencies, community based organizations, and HCBS providers or other similar third parties that are providing health-related services to those individuals. The Department acknowledges that some RFI commenters expressed concerns about expressly permitting such disclosures without individuals' authorization or consent. In response, the Department notes that, similar to its proposal to except certain care coordination and case management disclosures from the minimum necessary standard, it also proposes to limit the scope of this permission to disclosures by covered entities for care coordination and case management for individuals (whether as treatment or health care operations, depending on whether the covered entity is a health care provider or a health plan, respectively), rather than population-based activities. The Department believes that the limitation to individual-level activities will ensure that the disclosures made under this permission would be akin to disclosures for treatment, which individuals expect to occur without their needing to provide an authorization or consent. The existing Privacy Rule right to request restrictions on disclosures for treatment, payment, and health care operations purposes under 45 CFR 164.522(a) also remains available for individuals to request more limited disclosures.
The Department believes this change would facilitate and encourage greater wraparound support and more targeted care for individuals, particularly where it would be difficult to obtain an individual's authorization or consent in advance, because the individual cannot easily be contacted (
The Department requests comments on the above proposal, and the following considerations in particular:
a. Whether the proposal to create an express permission to disclose PHI to certain third parties for individual level treatment and health care operations would help improve care coordination and case management for individuals, and any potential unintended adverse consequences.
b. Whether the proposal poses any particular risks for individuals related to permitting disclosures without authorization for individual-level care coordination and case management activities that are health care operations (
c. Would the proposed change remove perceived barriers to disclosure of PHI, as appropriate, to social services agencies, community-based organizations, and HCBS providers to better enable care coordination and case management? Are there other entities the Department should identify in regulatory text as examples of appropriate recipients of PHI under the proposed permission?
d. Should the proposed change be limited to care coordination and case management for a particular individual as proposed, or should it also include population-based efforts?
e. Would this permission to disclose PHI for case management and care coordination to the entities described above interact with the ONC information blocking requirement to create any unintended adverse consequences for individuals' privacy? Please explain.
f. Should the Department specify the types of organizational entities to be included as recipients of PHI in this express permission in regulation text, as well as limitations or exclusions, if any, that should be placed on the types of entities included? If yes, what types of organizational entities should be included or excluded?
g. Should the Department limit the proposed permission to disclose PHI to circumstances in which a particular service provided by a social services agency, community-based organization, or HCBS provider is specifically identified in an individual's care plan and/or for which a social need has been identified via a screening assessment? Should the Department require, as a condition of the disclosure, that the parties put in place an agreement that describes and/or limits the uses and further disclosures allowed by the third party recipients?
h. To what extent are social services agencies, community-based organizations, and HCBS providers covered health care providers under HIPAA? How many are non-covered health care providers? Are any such entities covered under HIPAA as health plans?
Support from family members, friends, and caregivers is key to helping people experiencing substance use disorder (SUD) or serious mental illness (SMI).
Under 45 CFR 164.502(g) of the Privacy Rule, a personal representative is a person with authority under applicable law (
Under 45 CFR 164.510, covered entities, including health care providers, generally must provide an individual with the opportunity to agree or object before using or disclosing the individual's PHI for inclusion in a facility directory or disclosing PHI to family members, caregivers, or others involved in care or payment for care. However, individuals are not always able to agree or object to such uses or disclosures, particularly in emergency situations.
Accordingly, 45 CFR 164.510(a)(3) permits a covered health care provider to disclose facility directory information, including name, location within the provider's facility, general condition, and religious affiliation to clergy and others, such as family members, who ask for the individual by name, when the individual cannot agree or object due to incapacity or an emergency treatment circumstance, if: (A) Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and (B) the disclosure is in the individual's best interests, as determined by the covered health care provider, in the exercise of professional judgment.
A similar rationale applies to 45 CFR 164.510(b), which recognizes that family members and other caregivers have a legitimate need to obtain the information that will permit them to continue to participate in the individual's care when it is in the individual's best interests, particularly in emergency circumstances. Currently, 45 CFR 164.510(b)(2)(iii) permits a covered entity to disclose relevant PHI about an individual who is present and has decision-making capacity, if the covered entity can reasonably infer, based on the exercise of professional judgment, that the individual does not object to the disclosure. Further, 45 CFR 164.510(b)(3) permits a covered entity to disclose relevant PHI about an individual who cannot agree or object due to incapacity or an emergency circumstance to family members and other caregivers involved in the individual's care or payment for care, if the covered entity, based on professional judgment, determines that the disclosure is in the best interests of the individual.
Section 164.514(h)(2)(iv) of title 45 CFR generally requires covered entities to establish and use written policies and procedures reasonably designed to verify the identity and authority of the requestor of PHI.
Section 164.512(j) of title 45 CFR permits covered entities, “consistent with applicable law and standards of ethical conduct,” to rely on a good faith belief to use or disclose PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
On October 27, 2017, in response to the nation's opioid crisis, OCR issued guidance titled
The guidance further clarifies when a covered health care provider may rely on another permission, 45 CFR 164.512(j), in an overdose situation:
For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or care-givers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.
In addition to guidance addressing the opioid epidemic, OCR has issued guidance to assist individuals experiencing SMI, their families, and other caregivers as required by the Cures Act.
Despite issuing extensive guidance, OCR continues to hear that some covered entities are reluctant to disclose information to persons involved in the care of individuals experiencing these health issues, even when the Privacy Rule permits such disclosures. For example, since the guidance was published and as recently as July 11, 2018, a patient advocate testified before the Federal Commission for School Safety (FCSS) that, despite OCR's efforts to disseminate guidance, providers continue to “stonewall” families when asked to disclose PHI and routinely withhold medical information from family members, out of concerns of potentially violating HIPAA.
The Department has similarly heard anecdotal accounts that some health care providers are reluctant to disclose needed health information about an incapacitated patient to even their closest friends and family, due to concerns about potential penalties under HIPAA. OCR understands that this reluctance to disclose, even when the Privacy Rule permits disclosure, creates particular difficulties, and potential risks for patients and others, when a patient is unable to agree or object to the disclosure due to incapacity related to SMI, SUD, or another cause.
In addition, in the wake of the incidents of mass violence in recent years, such as shootings and acts of terrorism, the Department has heard anecdotes claiming that HIPAA impedes health care providers from disclosing PHI, even when such disclosure could prevent or lessen a serious and imminent threat of harm or violence. According to these accounts, the reluctance to disclose persists even though the HIPAA Rules permit disclosure in such circumstances.
In the 2018 RFI, the Department solicited public input to determine whether and how to modify the Privacy Rule to help combat the opioid crisis, treat SMI, and promote family involvement in the care of individuals experiencing these health situations. It also sought comment on how the Department could amend the Privacy Rule to increase disclosures of PHI by covered health care providers with family members and other caregivers experiencing difficulties obtaining health information about their minor and adult children or parents, spouses, and other individuals when needed to coordinate their care or otherwise be involved in their treatment. Noting anecdotal information suggesting that some covered entities are reluctant to involve the caregivers of individuals facing health crises for fear of violating the Privacy Rule, the Department asked for examples of circumstances in which the Privacy Rule has presented real or perceived barriers to family members attempting to access information.
Many commenters asked the Department to align the Privacy Rule with 42 CFR part 2 (Part 2), which requires certain federally funded SUD treatment programs (called “Part 2 programs”) and downstream recipients (called “lawful holders”) of their patient-identifying information to maintain the confidentiality of records related to the diagnosis and treatment of SUD.
On March 27, 2020, Congress enacted the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) which requires greater alignment of the part 2 regulations with the HIPAA Rules.
Nearly all commenters who identified as family members of patients agreed that in many cases more information related to an individual's SMI or SUD should be disclosed to family caregivers, and shared personal stories about the devastating consequences—such as suicide, missed appointments, homelessness, and lack of continuity in treatment and medication—that occurred because of a lack of information disclosure. A few commenters suggested that HIPAA should preempt all state laws that restrict disclosures of mental and behavioral health information to family members or coordinating health and social services agencies. A few other commenters expressed concern that the inability to disclose PHI related to mental health to social services agencies largely impacts poor individuals and minorities.
Commenters who identified as patients or privacy advocacy groups almost universally opposed modifying the Privacy Rule to expand permitted disclosures of information related to SMI and opioid use disorder or other SUDs. Many commenters expressed fear of family members and employers having access to this information, citing potentially adverse consequences, including fear of discrimination, abuse, and retaliation. Many health care providers expressed concern about the chilling effect that increased disclosures would have on individuals seeking treatment for opioid use disorders and stated that the Privacy Rule is already flexible enough to permit the amount of disclosure needed to address the opioid epidemic. Many suggested issuing clarifying guidance on existing regulatory permissions as a preferred approach to increasing disclosures of PHI. A few pointed to the need to leverage technology, such as consent management and data segmentation, pursuant to the health information certification standards
As the Department noted in the 2018 RFI, the Privacy Rule generally defers to state law with respect to the circumstances in which a parent or guardian is treated as the personal representative of an unemancipated minor child, and under which information may not be disclosed to parents. Many commenters recognized state law, not the Privacy Rule, as the source of the more restrictive provisions (
The Department received a few comments related to adult children being able to access the records of their parents. For example, one commenter suggested that the Department create a “relative caregiver” category with a right to access the medical records of elderly parents; another commenter provided a similar suggestion to address the care of individuals experiencing dementia. In contrast, several commenters raised concerns about impinging on the individual autonomy of their adult parents or other adults, and stressed the importance of protecting privacy for older adults.
The Department believes more can be done to encourage health care providers to disclose PHI when families and other caregivers of individuals are attempting to assist with health related emergencies, SUD (including opioid disorder) or SMI, and other circumstances in which individuals are incapacitated or otherwise unable to express their privacy preference. To address these concerns, the Department proposes several modifications to the Privacy Rule to encourage covered entities to use and disclose PHI more broadly in scenarios that involve SUD, SMI, and emergency situations, provided that certain conditions are met. In particular, the Department proposes to amend five provisions of the Privacy Rule to replace “exercise of professional judgment” with “good faith belief” as the standard pursuant to which covered entities would be permitted to make certain uses and disclosures in the best interests of individuals. The professional judgment standard presupposes that a decision is made by a health care professional, such as a licensed practitioner, whereas good faith may be exercised by other workforce members who are trained on the covered entity's HIPAA policies and procedures and who are acting within the scope of their authority. The Department also proposes a presumption that a covered entity has complied with the good faith requirement, absent evidence that the covered entity acted in bad faith. Together, these proposed modifications would improve the ability and willingness of covered entities to make certain uses and disclosures of PHI as described below.
The Department acknowledges prior comments expressing concern that a good faith standard offers individuals less privacy protection. However, covered entities still must take into account the facts and circumstances surrounding the disclosures, such as an individual's prior expressed privacy preferences and knowledge of any abusive relationship between the person to whom the covered entity would disclose PHI and the individual. Similarly, the Department would treat disclosures for any improper purpose as “bad faith” disclosures. Examples of bad faith could include knowledge that information will be used to harm the individual or will be used for crime, fraud (including defrauding the individual), or personal enrichment. As another example, a provider who is sued for malpractice and demands a signed statement of satisfactory care
The Department's proposal to replace “professional judgment” with a standard based on the good faith belief of the covered entity in the five provisions listed above should improve care coordination by expanding the ability of covered entities to disclose PHI to family members and other caregivers when they believe it is in the best interests of the individual, without fear of violating HIPAA. The requirement under the current rule to exercise “professional judgment” could be interpreted as limiting the permission to persons who are licensed or who rely on professional training to determine whether a use or disclosure of PHI is in an individual's best interests. While professional training and experience naturally inform a health care provider's good faith belief about an individual's best interests, a good faith belief does not always require a covered entity or its workforce member to possess specialized education or professional experience. Rather, a good faith belief may be based on, for example, knowledge of the facts of the situation (including any prior expressed privacy preferences of the individual, such as those in an advance directive), or the representations of a person or persons who reasonably can be expected to have knowledge of relevant facts.
At the same time, as illustrated by the following scenarios, a standard of “good faith” anticipates that a covered entity or workforce member would exercise a degree of discretion appropriate for its role when deciding to use or disclose PHI, and to comply with any other conditions contained in the applicable permissions. For example, “good faith” would permit a licensed health care professional to draw on experience to make a good faith determination that it is in the best interests of a young adult patient, who has overdosed on opioids, to disclose information to a parent who is involved in the patient's treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient's recovery from the overdose. In this circumstance, the professional's good faith belief should be informed by professional judgment, but the professional would be assured that the Department would not second-guess the decision made for the patient's best interests by, for example, requiring the professional to prove that the decision was consistent with his or her professional training.
Likewise, front desk staff at a physician's office who have regularly seen a family member or other caregiver accompany an adult patient to appointments could disclose information about upcoming appointments when the patient is not present, based on the staff's knowledge of the person's involvement and a “good faith” belief about the patient's best interests. The extent of the disclosure of PHI would be limited to the level of involvement of the family member or caregiver of which the staff is aware, consistent with the covered health care provider's policies and procedures for disclosures of PHI by workforce members. In contrast, front desk staff would not be permitted to decide whether to provide access to records under the individual right of access at 45 CFR 164.524 to a parent who is not their minor child's personal representative, because the applicable permission at 45 CFR 164.502(g)(3)(2)(C) requires that the decision be made by a licensed health care professional.
The Department understands that these proposals may raise concerns about unintended consequences where a covered health care provider is asked to disclose sensitive information to family members or other caregivers about individuals at risk of, or experiencing, abuse by the requesting family members or caregivers. The Department assumes that health care providers would incorporate relevant concerns about an individual's risk of abuse as a key factor in whether a disclosure of PHI is in an individual's best interest. Disclosures to suspected abusers are not in the best interests of individuals and health care providers' workforce members should feel confident that this proposal would not negate their ability to consider all relevant factors when making decisions about disclosing PHI to an individual's family and other caregivers related to their involvement in the individual's care or payment for care.
The following examples illustrate the operation of a good faith standard in each provision this proposal would modify:
“Requiring written proof of identity in many of these situations, such as when a family member is seeking to locate a relative in an emergency or disaster situation, would create enormous burden without a corresponding enhancement of privacy, and could cause unnecessary delays in these situations. The Department therefore believes that reliance on professional judgment provides a better framework for balancing the need for privacy with the need to locate and identify individuals. . . . As with many of the requirements of this final rule, health care providers are given latitude and expected to make decisions regarding disclosures, based on their professional judgment and experience with common practice, in the best interest of the individual.”
A hospital may not have a good faith basis for believing the requestor's representations about the requestor's identity and relationship with the individual if, for example, a workforce member receives a request from an unfamiliar and unverified email address or the requestor is unknown and not named as a contact in an individual's record. Additionally, this proposal would not remove a covered entity's obligation(s) under other applicable laws, such as laws requiring providers to obtain documentation of a relationship before disclosing information, including laws governing requests for access to medical records by a person who claims to be an individual's personal representative.
The Department also proposes to amend the Privacy Rule at 45 CFR 164.502 by adding a new paragraph (k), which would apply a presumption of compliance with the “good faith” requirement when covered entities make a disclosure based upon a belief that the disclosure is in the best interests of the individual with regard to those five provisions.
As noted above, 45 CFR 164.512(j)(1)(i)(A) permits covered entities to use or disclose PHI, consistent with applicable law and standards of ethical conduct, if the covered entity has a good faith belief that the use or disclosure is necessary to prevent or lessen a “serious and imminent threat” to the health or safety of a person (including the individual) or the public.
To clarify that the Privacy Rule permits covered entities to address threats of harm, the Department proposes to amend the Privacy Rule at 45 CFR 164.512(j)(1)(i)(A) to replace the “serious and imminent threat” standard with a “serious and reasonably foreseeable threat” standard. The Department seeks to prevent situations in which covered entities decline to make uses and disclosures they believe are needed to prevent harm or lessen threats of harm due to concerns that their inability to determine precisely how imminent the threat of a harm is may make them subject to HIPAA penalties for an impermissible use or disclosure. The proposed modification would permit covered entities to use or disclose PHI without having to determine whether the threatened harm is imminent (which may not be possible in some cases); instead, they may determine whether it is reasonably foreseeable that the threatened harm might occur. The Department further proposes to add a new paragraph (5) to define “reasonably foreseeable” using a reasonable person standard.
The Department recognizes that some covered health care providers, such as licensed mental and behavioral health professionals, have specialized training, expertise, or experience in assessing an individual's risk to health or safety (
Threats to public health or safety would include, for example, mass shootings, the use of explosive devices to attack a crowd, or other acts of terrorism. These examples are intended to highlight for covered health care providers their ability to use or disclose PHI to lessen the threat of, or prevent harm due to, potential mass violence and are not intended to limit the scope or type of serious and reasonably foreseeable threats covered by this provision. That is, a covered entity (or a member of a covered entity's workforce) need not have such specialized training, expertise, or experience in order to meet the reasonably foreseeable standard.
The Department does not propose to change the existing “presumption of good faith belief” at 45 CFR 164.512(j)(4), which explains the circumstances in which a covered entity is presumed to have acted in good faith with regard to a belief that a use or disclosure is necessary to prevent harm or lessen a threat.
The Department expects that the proposed modification would improve the timeliness of disclosures that would have occurred, but for the covered entity's uncertainty regarding whether a threatened harm is “imminent.” As such, this proposed change would improve covered entities' ability to disclose PHI to persons who are reasonably able to lessen the threat and to prevent harm to the individual, other persons, or the public—with sufficient time for such persons to act.
Thus, for example, adopting a “serious and reasonably foreseeable threat” standard could further enable a health care provider to timely notify a family member that an individual is at risk of suicide, even if the provider cannot predict that a suicide attempt is likely to occur “imminently.” For an individual who poses a threat to public safety, a “serious and reasonably foreseeable threat” standard may afford a health care provider sufficient time to notify a person, such as a law enforcement official, who is in a position to avert a serious harm that may occur and ensure the safety of the individual and others.
By referencing mental and behavioral health professionals in the proposed definition of reasonably foreseeable, the Department does not mean to imply that individuals with mental or behavioral health conditions are more likely than other individuals to commit acts of violence. As the Department has stated previously,
The Department also proposes non-substantive revisions to 45 CFR 164.512(j) to refer to preventing a harm or lessening a threat, rather than preventing or lessening a threat. These proposed revisions are intended to clarify the standard, not change it; however, the Department requests comment on whether any unintended adverse consequences may result from the revisions.
Finally, the Privacy Rule does not preempt other law that is more protective of the individual's privacy.
The Department requests comments on the above proposal, and the following considerations in particular:
a. Would the proposed change in standard from “professional judgment” to “good faith belief” discourage individuals from seeking care?
b. Should the Department apply the good faith standard to any or all of the other nine provisions in the Privacy Rule that call for the exercise of professional judgment? Are there circumstances in which it would be inappropriate to apply a presumption of compliance across the other nine provisions?
c. Should 45 CFR 164.510(b)(3) be revised to permit a covered entity to disclose the PHI of an individual who has decision making capacity to the individual's family member, friend, or other person involved in care, in a manner inconsistent with the individual's known privacy preferences (including oral and written expressions), based on the covered entity's good faith belief that the use or disclosure is in the individual's best interests, in any situations outside of an emergency circumstance? Put another way, are there examples in which the totality of the facts and circumstances should or would outweigh an individual's preferences, but do not rise
d. When should overriding an individual's prior expressed preferences constitute bad faith on the part of the covered entity, which would rebut the presumption of compliance? Are there instances in which overriding an individual's prior expressed preferences would not constitute bad faith on the part of the covered entity?
e. Would the proposed “serious and reasonably foreseeable threat” standard discourage individuals from seeking care?
f. Would the proposed standard improve a covered entity's ability to prevent potential harm, such that the benefits of the change would outweigh potential risks? Please provide examples.
g. How often do mental and behavioral health professionals perceive that HIPAA constrains their ability to report such threats? Please provide specific examples, when available, including relevant state law.
h. Are there potential unintended consequences related to granting extra deference to a covered health care provider based on specialized risk assessment training, expertise, or experience when determining that a serious threat exists or that serious harm is reasonably foreseeable? Are there unintended consequences related to specifying mental and behavioral health professionals as examples of such providers?
i. As an alternative to the existing proposal, should the Department establish a specific permission for mental and behavioral health professionals to disclose PHI when in the view of the professional, the disclosure could prevent serious and reasonably foreseeable harm or lessen a serious and reasonably foreseeable threat to the health or safety of a person or the public? What would be potential unintended consequences of such an alternative?
The Privacy Rule, at 45 CFR 164.520, requires a covered health care provider that has a direct treatment relationship with an individual to make a good faith effort to obtain a written acknowledgment of receipt of the provider's NPP. If the provider is unable to obtain the written acknowledgment, the provider must document its good faith efforts and the reason(s) for not obtaining an individual's acknowledgment, and maintain such documentation for six years.
The Department has heard anecdotally and in public comments on the 2018 RFI that the acknowledgment requirements impose paperwork burdens that are perceived as unnecessary and that create confusion for individuals (who may erroneously believe they are signing an authorization or waiver of some kind), as well as front office staff (who may erroneously believe that individuals must sign the acknowledgment to obtain care).
In the 2018 RFI, the Department asked whether it should eliminate the signature and recordkeeping requirements in 45 CFR 164.520 to reduce administrative burden on covered health care providers and free up time and resources for providers to spend on treatment, including care coordination. In addition, the 2018 RFI asked providers to suggest alternative ways to document that they provided an NPP to an individual if the written acknowledgment were no longer required. The Department also asked whether and how to modify other NPP requirements to alleviate covered entity burdens without compromising transparency about providers' privacy practices or an individual's awareness of his or her rights. In particular, the Department requested feedback on how to improve the NPP content and dissemination requirements.
Most commenters stated that the acknowledgment requirement was unduly burdensome, but did not provide cost estimates. Many covered entities and associations that commented reported experiencing a large administrative burden to document the good faith effort to obtain the acknowledgment in cases where the patient is unconscious or otherwise incapacitated or cannot sign the acknowledgment due to communication barriers.
Covered entities and large associations agreed with the Department's concern in the 2018 RFI that some individuals may mistakenly believe that their signature or written acknowledgment of the NPP is required to receive treatment. Commenters of all types reported their observations of individuals not reading the NPP when presented with it. Commenters also noted that physician offices frequently provide the NPP form to patients as part of a large bundle of paperwork at the time of the visit. Some commenters perceived the bundling of the NPP and acknowledgment with other paperwork as diminishing the likelihood that individuals pay attention to NPP content.
Associations and health systems/hospitals supported eliminating the requirement of a written acknowledgment of receipt of the NPP and believed the expected benefits would outweigh any adverse consequences. Professional associations, hospitals, and physicians commented that the signed NPP acknowledgment or the documentation of good faith efforts to obtain the written acknowledgment was of little or no use, and was an unnecessary burden.
In contrast, a number of commenters opposed removing the requirement relating to the written acknowledgment of receipt of the NPP, asserting that the acknowledgment helps to ensure that individuals are aware of their HIPAA rights. These commenters expressed concern that eliminating the written acknowledgment requirement would make it difficult or even impossible to track whether an individual was actually given the NPP and made aware of his or her rights under HIPAA.
Some commenters suggested alternative policy solutions or other actions that the Department could take to improve consumer awareness of the NPP, such as requiring providers to post the NPP electronically and increasing consumer education about the contents of the NPP.
Regarding NPP content, ONC, in collaboration with OCR, developed several model NPPs, which are publicly available on the OCR website.
Some commenters stated that they use the model NPP as a reference when creating their own forms, or modify a model to conform to state law and other organizational requirements. Some professional associations supported creating a safe harbor for entities using a model NPP, but several commenters pointed out potential challenges that such a safe harbor could create. For example, some commenters stated that a safe harbor would lead to greater confusion, with some entities having to incorporate provisions from state or local law into model NPP language. Others stated that utilizing the model NPP form would lead to longer and harder-to-understand notices. Most commenters urged that, rather than creating a safe harbor, the Department instead focus on developing consumer-focused educational materials.
Additional issues to address in connection with the NPP would arise from the NPRM's proposal to limit the individual right to direct PHI to a third party only to an electronic copy of ePHI in an EHR. Covered entities may receive requests from individuals to direct to third parties copies of PHI that are not ePHI in an EHR and therefore are outside the scope of the access right to direct a copy of PHI to a third party. The current NPP content does not address these limitations. For example, an individual submits a request to her health plan to direct ePHI in a designated record set to a third party, but that ePHI is not in an EHR. As another example, an individual requests that a paper copy, rather than an electronic copy, of PHI in an EHR be sent to a third party. Neither of these requests would be included in the individual's right of access to direct an electronic copy of their PHI in an EHR to a third party. In addition, the Department is aware that many requests to send PHI to a third party may be for a “complete medical record” that exists in multiple forms and formats (electronic and in paper), which are hybrid in nature. The current NPP content requirements do not help the individual understand how to obtain such records.
To alleviate paperwork burdens and reduce confusion for individuals and covered health care providers, the Department proposes to eliminate the requirements for a covered health care provider with a direct treatment relationship to an individual to obtain a written acknowledgment of receipt of the NPP and, if unable to obtain the written acknowledgment, to document their good faith efforts and the reason for not obtaining the acknowledgment.
To ensure that individuals are able to understand and make decisions based on the information in the NPP, the Department proposes at 45 CFR 164.520(b)(1)(iv)(G) to replace the written acknowledgment requirements with an individual right to discuss the NPP with a person designated by the covered entity. In addition, the Department proposes at 45 CFR 164.520(b)(1)(i) to modify the content requirements of the NPP to help increase patients' understanding of an entity's privacy practices and their rights with respect to their PHI. First, the Department proposes to modify the required header of the NPP to specify to individuals that the notice provides information about (1) how to access their health information; (2) how to file a HIPAA complaint; and (3) individuals' right to receive a copy of the notice and to discuss its contents with a designated person.
Second, the required header would specify whether the designated contact person is available onsite and must include a phone number and email address the individual can use to reach the designated person. This header content requirement would apply to all covered entities, and not just covered health care providers with direct treatment relationships with individuals, ensuring consistency in how NPP content is presented to individuals. Providing this information at the beginning of the NPP would improve patients' awareness of their Privacy Rule rights, what they can do if they suspect a violation of the Privacy Rule, and how to contact a designated person to ask questions.
Further, consistent with the proposed header language, and to ensure that individuals are fully informed of their access rights, the Department proposes at 45 CFR 164.520(b)(1)(iv)(C) to modify the required element of an NPP that addresses the access right, to describe how an individual can exercise the right of access to obtain a copy of their records at limited cost or, in some cases, free of charge, and the right to direct a covered health care provider to transmit an electronic copy of PHI in an EHR to a third party. Finally, the Department proposes to add an optional element to the NPP to include information to address instances in which individuals seek to direct their PHI to a third party, when their PHI is not in an electronic health record or is not in an electronic format. This optional element would help make individuals aware that they retain the right to obtain the PHI directly and give it to a third party or they can request to send a copy of PHI directly to a third party using a valid authorization. The Department believes these proposals to remove the acknowledgment of the NPP requirements would eliminate a significant documentation and storage burden for health care providers. The Department also believes the proposals would help individuals better understand how to exercise their rights, including what they can do if they suspect a violation of the Privacy Rule, and who to contact with specific questions.
Based on public comments on the 2018 RFI, the Department does not propose to create a safe harbor to deem those entities that use the model NPP compliant with the NPP content requirements. Instead, the Department requests comment on ways the model NPP could be changed to improve consumer understanding. For example, the Privacy Rule requires that the NPP contain a description, including at least one example, of the types of uses and disclosures the covered entity is permitted to make for health care operations (as well as for treatment and payment), and the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required.
Based on the Department's experience, many individuals are not aware of the scope of activities that constitute health care operations, and thus the description and example currently in the model NPP may not provide sufficient detail to inform the individual of how their health information may be used and disclosed for health care operations purposes. To that end, the Department requests recommendations for how best to impart to individuals how health information can be used and disclosed under the health care operations permission in the model NPP.
Finally, consistent with public feedback, the Department will continue to consider how to best educate and conduct outreach to inform individuals about their Privacy Rule rights and entities' privacy practices.
The Department requests comments on the above proposal, and the following considerations in particular:
a. Would the proposed changes to the NPP requirements have any unintended adverse consequences for individuals or regulated entities?
b. Would the revised NPP content requirements improve individuals' understanding of, and ability to exercise, their rights under the Privacy Rule?
c. Are there ways that OCR can improve the model NPPs to be more informative and easier to understand?
d. Should the model NPP's description of health care operations be modified? If so, please provide suggested language for modifying the description in the model NPP to reflect how your organization uses PHI for health care operations purposes.
e. Are there specific examples that should be included in a model NPP to explain to individuals how PHI can be used or disclosed for health care operations?
f. Specific examples of amounts spent and any other costs incurred by a covered entity to comply with the requirements relating to the acknowledgement of receipt of the NPP, when the covered entity fulfills the requirements using paper-based or electronic forms, signatures, or document filing systems.
Telecommunications Relay Service (TRS) facilitates telephone calls between individuals who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and others.
TRS facilitates such telephone communication by using a communications assistant
OCR has a longstanding FAQ on the use of TRS by a covered entity to communicate with an individual who is deaf, hard of hearing, or deaf-blind, or who has a speech disability. The FAQ states that a covered entity is permitted to disclose an individual's PHI to a TRS communications assistant when communicating with the individual, without the need for a business associate agreement with the TRS provider.
Since the FAQ was created, the Department has become aware that advances in technology now allow people who are deaf, hard of hearing, or deaf-blind, or who have a speech disability to communicate with the help of a TRS communications assistant in a seamless manner, with immediate connection and instantaneous transliteration of text or interpretation of ASL to voice and vice versa, such that the other party to the call may not know that a person is using a TRS communications assistant. In addition, TRS is used to not only connect patients and providers, but also to assist communications between workforce members of covered entities and business associates. For these reasons, the original assumption that individuals would always have the opportunity to agree or object to a use or disclosure of PHI to a communications assistant no longer holds when it is a workforce member of the covered entity or business associate, rather than an individual (
The Department proposes to expressly permit covered entities (and their business associates, acting on the covered entities' behalf) to disclose PHI to TRS communications assistants to conduct covered functions by adding a new paragraph (m) to 45 CFR 164.512.
The Department also proposes to add a new subsection (v) to paragraph (4) of the definition of business associate at 45 CFR 160.103 to expressly exclude TRS providers from the definition of business associate. The proposed exclusion would apply regardless of whether the workforce member is an employee, contractor, or business associate of the covered entity. This proposal would ensure that covered entities and business associates do not bear the burdens of analyzing whether they need business associate agreements with TRS providers and, potentially, establishing such agreements.
Together, these modifications would help ensure that workforce members and individuals who are deaf, hard of hearing, or deaf-blind, or who have a speech disability are able to communicate easily using TRS for care coordination and other purposes.
The Department requests comments on this proposal, including the following questions:
a. Would the proposed change achieve the anticipated effects?
b. Are there any potential unintended, adverse consequences of the proposal?
c. Please share data related to the number of covered entity and business associate workforce members who are deaf, hard of hearing, or deaf-blind, or who have a speech disability and currently utilize TRS to perform their duties.
d. Please provide data on the amount of time and other resources covered entities and business associates have spent on determining whether they need a business associate agreement with a TRS provider, or actually entering into business associate agreements with TRS providers.
The original Privacy Rule
Like the Secretaries of the Armed Services, the Secretaries of HHS and the Department of Commerce are responsible for ensuring the medical readiness of the Uniformed Services personnel in the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps, respectively. Pursuant to 42 U.S.C. 204a(a)(1), while on active duty, the ongoing medical standards require USPHS personnel to be medically fit to deploy in response to urgent and emergent public health crises, as well as for any necessary military mission, and for duty in various environments. These medical standards include physical, dental, and mental health requirements. The NOAA Commissioned Corps has a similar standard, requiring personnel to meet U.S. Coast Guard medical standards to maintain individual medical readiness for deployment on aircraft and shipboard missions. Further, when personnel in the Uniformed Services are no longer fit for duty, they are entitled to retirement pay and compensation, and once separated they are entitled to receive veterans' benefits. In order to confirm the medical fitness of personnel, the USPHS and NOAA Commissioned Corps must have access to personnel's medical records.
In addition, the USPHS Commissioned Corps and NOAA Commissioned Corps routinely align their policies and practices with those of the Armed Forces. Members of the USPHS and NOAA Commissioned Corps may be assigned to the Armed Services and must meet medical readiness standards consistent with the various military missions of the Armed Services. In times of war, the President may declare the USPHS and the NOAA Commissioned Corps to be a military service.
However, the members of the USPHS and NOAA Commissioned Corps are not members of the Armed Services, and thus covered entities currently are not permitted to use and disclose the PHI of such Commissioned Corps personnel for the same purposes as for Armed Forces personnel unless the member is actively assigned to the Armed Services. The Department proposes to expand the existing permission at 45 CFR 164.512(k)(1) in recognition that ensuring the health and well-being of Uniformed Services personnel is essential, whether such personnel are serving in the continental United States or overseas or whether such service is combat-related. In all environments, operational or otherwise, the Uniformed Services must be assured that personnel are medically qualified to perform their responsibilities and medically ready for deployment at all times.
Although the issue was not raised in the 2018 RFI, the Department received a joint comment in response to the 2018 RFI from the Directors of the Commissioned Corps of NOAA and USPHS suggesting that the current permission for covered entities to use and disclose the PHI of Armed Forces personnel be broadened to also include non-armed Uniformed Services personnel. The Directors of the NOAA and USPHS Commissioned Corps stated that the existing rule limits the ability of the NOAA and USPHS Commissioned Corps to facilitate health care coordination and case management for Commissioned Corps personnel,
The Department agrees that expanding the Armed Forces permission may facilitate coordinated care and enhance USPHS and NOAA Commissioned Corps' readiness. Therefore, to improve care coordination and case management for individuals serving in the Uniformed Services, the Department proposes in 45 CFR 164.512(k)(1) to expand to all Uniformed Services personnel the current Armed Forces permission for covered entities to use and disclose PHI for mission requirements and veteran eligibility.
The Department requests comments on this proposal, including on whether the proposed change would achieve the anticipated effects and any potential unintended consequences.
The Department seeks comment on all issues raised by the proposed regulation, including any unintended adverse consequences. Because of the large number of public comments normally received on
Because mailed comments may be subject to delays due to security procedures, please allow sufficient time for mailed comments to be timely received in the event of delivery delays. Any attachments submitted with electronic comments on
The Department has examined the impact of the proposed rule as required by Executive Order 12866 on Regulatory Planning and Review, 58 FR 51735 (October 4, 1993); Executive Order 13563 on Improving Regulation and Regulatory Review, 76 FR 3821 (January 21, 2011); Executive Order 13132 on Federalism, 64 FR 43255 (August 4, 1999); Executive Order 13175 on Consultation and Coordination with Indian Tribal Governments, 65 FR 67249 (November 6, 2000); Executive Order 13771 on Reducing Regulation and Controlling Costs, 82 FR 9339 (January 30, 2017); the Congressional Review Act, Public Law 104–121, sec. 251, 110 Stat. 847 (March 29, 1996); the Unfunded Mandates Reform Act of 1995, Public Law 104–4, 109 Stat. 48 (March 22, 1995); the Regulatory Flexibility Act, Public Law 96–354, 94 Stat. 1164 (September 19, 1980); Executive Order 13272 on Proper Consideration of Small Entities in Agency Rulemaking, 67 FR 53461 (August 16, 2002); the Assessment of Federal Regulation and Policies on Families, Public Law 105–277, sec. 6545, 112 Stat. 2681 (October 21, 1998); and the Paperwork Reduction Act of 1995, Public Law 104–13, 109 Stat. 163 (May 22, 1995).
Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). Executive Order 13563 is supplemental to, and reaffirms the principles, structures, and definitions governing regulatory review as established in, Executive Order 12866.
This proposed rule is deregulatory. The Department has estimated that the effects of the proposed requirements for regulated entities would result in new costs of $996 million within 12 months of implementing the final rule. The Department estimates these first year costs would be partially offset by $880 million of first year cost savings, followed by net savings of $825 million annually in years two through five, resulting in overall net cost savings of $3.2 billion over five years.
The Department estimates that the private sector would bear approximately 60 percent of the costs, with state and federal health plans bearing the remaining 40 percent of the costs. All of the cost savings experienced from the first year through subsequent years would benefit covered entities. As a result of the economic impact, the Office of Management and Budget (OMB) has determined that this proposed rule is an economically significant regulatory action within the meaning of section 3(f)(1) of E.O. 12866. Accordingly, OMB has reviewed this proposed rule.
The Department presents a detailed analysis below.
This NPRM proposes to modify the Privacy Rule to improve individuals' access to their PHI, increase permissible disclosures of PHI, and improve care coordination and case management by:
• Adding definitions for electronic health records (EHRs) and personal health applications.
• Modifying the provisions on the individuals' right of access to protected health information (PHI) by: Strengthening the individual's right to inspect their PHI, which includes allowing individuals to take notes or use other personal resources to view and capture copies of their PHI in a designated record set; shortening covered entities' response time to 15 calendar days (from the current 30 days); clarifying what constitutes a readily producible form and format when providing requested copies of PHI, which may be ePHI transmitted via a personal health application, while requiring covered entities to inform individuals about their right to obtain or direct copies of PHI to a third party when a summary or explanation is offered; requiring covered health care providers and health plans to respond to certain record requests from other covered health care providers and health plans made at the direction of an individual; clarifying when ePHI must be provided to the individual free of charge; amending the fee structure for certain requests to direct ePHI to a third party; and requiring covered entities to post fee schedules on their websites (if they have a website) for common types of requests for copies of PHI, and, upon request, provide individualized estimates of fees for copies and an itemized list of actual costs for requests for copies.
• Reducing the identity verification burden on individuals exercising their access right.
• Amending the definition of health care operations to clarify the scope of care coordination and case management activities encompassed in the term.
• Creating an exception to the minimum necessary standard for disclosures to, or requests from, a health plan or covered health care provider for individual-level care coordination and case management activities.
• Clarifying the scope of covered entities' ability to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate individual-level care coordination and case management activities that constitute treatment or health care operations.
• Replacing the privacy standard that permits covered entities to make decisions about certain uses and disclosures based on their “professional judgment” with a standard permitting covered entities to use or disclose PHI in some circumstances based on a good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard would presume a covered entity's compliance with the good faith requirement; the presumption could be overcome with evidence that a covered entity acted in bad faith.
• Expanding the ability of covered entities to use or disclose PHI to avert a serious threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current standard which requires a “serious and imminent” threat to health or safety.
• Eliminating the requirement to obtain an individual's written acknowledgment of receipt of a direct treatment provider's Notice of Privacy Practices and modifying the content requirements of the Notice of Privacy Practices to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
• Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants and modifying the definition of business associate to exclude TRS providers.
• Expanding the Armed Forces permission to use or disclose PHI to all Uniformed Services, which would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.
The proposed changes to the Privacy Rule offer some estimated costs, and numerous and substantial estimated cost savings and expected benefits which the Department is unable to quantify, but are described in depth below. These include improved care coordination and health outcomes; improved harm reduction; greater adherence to treatment for persons experiencing health emergencies, SUD, and SMI; improved understanding of individuals' rights and covered entities' privacy practices; improved access to care; quicker, more convenient access to PHI by individuals; improved access to PHI by health care providers and health plans; reduction in access fee disputes, resulting in improved ability to collect fees for copies of PHI; increased certainty about allowable fees; increased adoption and utilization of EHR technology; improved employment conditions and opportunities for workforce members of HIPAA covered entities and business associates who are deaf, hard of hearing, or deaf-blind, or who have a speech disability; and improved compliance with non-discrimination laws that require accessibility for individuals with disabilities.
The Department has identified three general categories of costs arising from these proposals which mostly relate to activities by HIPAA covered entities, particularly health care providers and health plans: (1) Administrative activities (first-year and ongoing); (2) revising or creating policies and procedures, the NPP, and an access fee schedule; and (3) revising training programs for workforce members.
The Department estimates that the first-year costs will total $996 million. These costs are attributable to covered entities revising or developing new policies and procedures, at a cost of $696 million; revising training programs for workforce members, at a cost of $224 million; and additional administrative tasks, at a cost of $76 million. For years two through five, estimated annual costs of $55 million are attributable to ongoing administrative costs, primarily related to improvements to the right of access to PHI.
The Department estimates annual cost savings of $880 million per year, over five years, attributable to eliminating the NPP acknowledgment requirements (cost savings of $537 million) and clarifying the minimum necessary standard ($343 million).
The Department estimates net costs for covered entities totaling $116 million in the first year followed by net savings of $825 million annually in years two through five, resulting in overall cost savings of $3.2 billion over five years. Covered entities would experience an average net savings of approximately $1,065 per entity in years two through five after expending costs of $150 per entity in the first year.
The Department estimates that the proposed adjustments to costs that can be charged to individuals for copies of PHI in an EHR on electronic media would result in a transfer of those expenses from individuals to covered entities in a total estimated amount of $1.4 million. The Department also estimates that the proposed changes to the right to direct the transmission of copies of PHI to a third party and to allowable access fees would result in an annual transfer of $43 million in costs incurred by covered entities to individuals for directing copies of PHI to third parties. The net result of these proposals likely would be a transfer of an estimated $41.6 million in costs from covered entities to individuals and some third party recipients of PHI in the form of higher fees for copies of PHI.
The Privacy Rule balances protecting the privacy of individuals' PHI with facilitating the use and disclosure of PHI for important public interest purposes, such as facilitating efficient care coordination and case management. This proposed rule would improve on this balance with modifications to promote the transformation to value-based health care and reduce regulatory burdens by removing unhelpful or unnecessary requirements. Based on public comments on the 2018 RFI and OCR's experience administering and enforcing the Privacy Rule, the Department has identified areas where the Privacy Rule could be modified to improve the flow of PHI for such purposes in a manner that would continue to protect individuals' privacy. These include changes strengthening the individual's ability to gain access to his or her own PHI; enhancing the
Individual access to PHI is a core right established by the Privacy Rule. Delays or lack of access inhibit care coordination and may contribute to worse health outcomes for individuals. Individuals frequently face barriers to obtaining timely access to their PHI, in the form and format requested, and at a reasonable, cost-based, and transparent fee. A recent cross-sectional study of medical records request processes conducted in 83 top-ranked US hospitals found numerous indications of noncompliance with the access right.
To address multiple barriers to individual access, the Department proposes to: Add definitions of EHR and personal health application; expressly provide that the right to inspect PHI in person includes the right of an individual to take notes and photographs of, and use other personal resources to capture, PHI; clarify what constitutes a readily producible form and format for copies of PHI, while requiring covered entities to inform individuals about access rights when offering a summary in lieu of providing or directing copies; shorten the time limits for covered entities to respond to access requests; empower individuals to use the right of access to direct the disclosure of PHI among their health care providers and health plans; adjust and clarify the fees covered entities may impose; and require covered entities to provide individuals with notice of the fees charged for copies of PHI. Additionally, the Department proposes to limit the scope of the right to direct the transmission of copies of PHI to a third party to electronic copies of PHI in an EHR, consistent with the
The Department proposes to add a definition of EHR for the purpose of clarifying the scope of the individual right to direct an electronic copy of PHI in an EHR to a third party. For purposes of harmonizing the proposed regulatory changes and the right of the individual to obtain an electronic copy, the Department interprets the EHR as health information “created, gathered, managed, and consulted by authorized health care clinicians and staff.” The definition would be tied to clinicians with direct treatment relationships with individuals and consistent with the defined terms in the current rule. The proposed definition would improve understanding of whether certain aspects of a covered entity's electronic records are or are not part of an EHR to enable a covered entity to assess whether such electronic PHI is subject to the HITECH Act right of access requirements to respond to requests from an individual to direct electronic copies of PHI in an EHR to designated third parties. Although covered health care providers have substantial flexibility in determining the composition of an EHR, an EHR may vary across different health care providers. The definition is intended to provide a clear standard by which health care providers would be able to identify what PHI is subject to HITECH Act requirements for electronic PHI in an EHR. As noted earlier, the Department proposes that only covered health care providers would provide such access because only providers would maintain EHRs as defined in proposed 45 CFR 164.501, and that an EHR would also include billing records.
The Department also proposes to add a new definition for the term “Personal health application” that is similar to the HITECH Act definition of personal health record (PHR),
The individual right of access under the Privacy Rule includes a right to “inspect and obtain a copy of” PHI in a designated record set.
Timely access to an individual's own PHI can be a key component to patient-directed care (see discussion of harms due to lack of timeliness above in section III.A.3.a.). The Department proposes to modify the Privacy Rule to require that access be provided as soon as practicable, but no later than 15 calendar days after receipt of the request, with the possibility of one 15 calendar-day extension, provided certain conditions are met. Where another federal or state law (
The Department lacks sufficient data to correlate shorter required access times with health care costs. The Department examined state health expenditure data
Finally, the Department also proposes to expressly provide that while a covered entity may discuss aspects of the individual's access request with the individual before fulfilling the individual's request, such discussions to clarify the scope of the request would not extend the time limit for providing access. This modification would help address the issue raised in individual complaints and comments on the 2018 RFI that covered entities may contact individuals for the first time nearly 30 days after receiving a request for access to discuss the request or obtain additional information, and then take additional time beyond the 30-day period to fulfill the request.
The Department proposes to clarify that “readily producible” includes access through APIs and personal health applications and to add a set of parallel requirements related to the form of access that applies to both the individual right to obtain copies of PHI and the access right to direct the transmission of electronic copies of PHI in an EHR to a designated third party. As new forms of information and communications technologies emerge, the “form and format” and the “manner” of producing or transmitting a copy of electronic PHI may become indistinguishable. For example, if a covered entity or its EHR developer business associate has chosen to implement a secure, standards-based API—such as one consistent with ONC's Cures Act certification criteria,
Additionally, when a covered entity offers a summary in lieu of providing or directing the requested copies of PHI, the Department would require the covered entity to inform the individual of the right to obtain or direct the requested copies if the individual does not agree to the offered summary. This requirement would not apply when the covered entity denies the access request for a copy on unreviewable or reviewable grounds, in which case the covered entity must implement the required procedures for such denial.
The Department proposes to implement the
The Department proposes to extend the right to direct copies of PHI to a third party by adding an express right to request that covered health care providers and health plans submit an access request to covered health care providers for electronic copies of PHI in an EHR on behalf of the individual. Under this proposal, if an individual is a current or prospective new patient of a covered health care provider, or an enrolled member or dependent of a health plan, and the individual makes a clear, conspicuous, and specific request that their health care provider or health plan submit an access request for electronic copies of PHI in an EHR to another covered health care provider, the first health care provider or health plan (“Requester-Recipient”) would be required to submit the request on behalf of the individual as soon as practicable, but no later than 15 calendar days after receiving the individual's direction and any information needed to make the access request. The requirement would be limited to requests to send the electronic PHI back to the covered entity that submitted the request on behalf of the individual.
A covered health care provider that receives an individual's access request (“Discloser”) for an electronic copy of PHI maintained in an EHR by or on behalf of the Discloser, from a health care provider or health plan Requester-Recipient that is clear, conspicuous, and specific (
These proposed changes would empower individuals' ability to direct the transmission of PHI in an EHR through a health care provider or health plan. The costs for implementing these changes generally would be one-time expenditures for updating policies and
Based on enforcement experience and comments received on the 2018 RFI, the Department is aware that individual access is at times expensive for individuals. At the same time, some large organizations have complained about the time and cost needed to respond to multiple, voluminous requests to provide PHI to third parties under the individual access right and reported struggling to meet the time limitations for such requests while also fulfilling requests for access received directly from individuals and provider-to-provider requests for PHI for continuity of care purposes. Additionally, commenters explained that requests to send medical records to a third party often ask for production of non-electronic copies, even when the PHI is in an EHR and could be provided electronically.
To address these multiple concerns and the
(1) Under proposed 45 CFR 164.524(c)(4)(ii), always free of charge (
(a) An individual inspects PHI about the individual in person, including capturing images or video recordings of PHI in a designated record set with the individual's own device.
(b) An individual uses an internet-based method to view or obtain a copy of electronic PHI maintained by or on behalf of the covered entity.
(2) Under proposed 45 CFR 164.524(c)(4)(i), fee permitted, subject to the existing access right fee limits, when an individual requests electronic or non-electronic copies of PHI through a means other than an internet-based method.
(3) Under proposed 45 CFR 164.524(d)(6), a reasonable, cost-based fee for an access request to direct a covered health care provider to transmit an electronic copy of PHI in an EHR to a third party through other than an internet-based method, provided that the fee includes only the cost of:
(a) Labor for copying the PHI requested by the individual in electronic form; and
(b) Preparing an explanation or summary of the electronic PHI, if agreed to by the individual as provided in paragraph (d)(4).
The Department proposes the two types of no-charge access (for inspecting PHI in person or internet-based access, including directing electronic copies of EHRs to third parties) because there are no additional allowable labor costs or expenses for this type of access. The Department does not anticipate additional costs from adding this regulatory requirement because the current rule has no provision for fees for inspecting PHI and the proposal is based on the 2016 Access Guidance, which the Department understands many entities had been voluntarily following.
The proposal to limit the allowable costs for requests to direct PHI to third parties to only electronic copies of PHI in EHRs to the labor for making the electronic copies would increase covered entities' and business associates' costs for electronic media, labor for mailing and shipping, and actual postage and shipping. However, the concurrent proposal to narrow the right of individuals to direct only electronic copies of PHI in an EHR to third parties would allow covered entities and business associates to recoup additional costs for handling many requests, while maintaining the Privacy Rule's prohibitions on the sale of PHI
Individuals report some barriers to accessing PHI due to surprisingly high bills for requested copies. To increase an individual's awareness of the cost of access and of sending copies to third parties and to enhance the ability for an individual to plan for such expenses, the Department proposes to expressly require in regulation that covered entities provide advance notice of approximate fees for copies of requested PHI by: (i) Posting a fee schedule online for all readily producible electronic and non-electronic forms and formats for copies if the covered entity has a website; (ii) providing the notice of fees to individuals upon request; and (iii) providing an individualized estimate of access and authorization fees upon request. The Department expects that this advance notice of fees requirement would provide certainty and improve access to PHI and payment for copies of PHI, to the benefit of individuals and covered entities. The Department also believes that many entities already provide such notice of fees, and thus the requirement to post the fee schedule should create only minimal additional expense beyond revising the fee schedule itself.
The Department proposes a technical amendment to clarify in 45 CFR 164.502(a)(4)(ii) that a business associate is required to disclose PHI to the covered entity so the covered entity can meet its access obligations, but if the business associate agreement provides that the business associate will provide access directly to the individual or the individual's designee, the Privacy Rule requires the business associate to do so. The proposed change would expressly insert a reference to the business associate agreement as the factor triggering required disclosures by the business associate to the individual or the individual's designee instead of to or through the covered entity.
Some covered entities impose seemingly unreasonable verification requirements on individuals seeking to obtain their PHI pursuant to the individual right of access. Examples include requiring individuals to request their PHI in person, or even to go through the process (and potential added expense) of obtaining a notarization on a written request, to exercise their right of access.
To address these barriers to an individual's access to their health information, the Department proposes to modify 45 CFR 164.514(h)(1) to expressly prohibit a covered entity from imposing unreasonable identity verification measures on an individual requesting PHI pursuant to the individual right of access. In addition, the Department would clarify that unreasonable verification measures include requiring individuals to provide proof of identity in person when a more convenient remote verification measure is practicable for the covered entity, requiring individuals to obtain notarization of access requests, or any other measure that creates a barrier to, or unreasonably delays, an individual's exercise of their rights. The Department also proposes to clarify that a covered entity that implements a requirement for individuals to submit a request for access in writing, pursuant to 45 CFR 164.524(b)(1), would not be permitted to do so in a way that imposes unreasonable burdens on individuals. This proposed change would provide additional clarity regarding the interaction between the individual right of access provisions and the verification provisions of the HIPAA Rules, and ensure that individuals do not have to expend unnecessary effort or expense when other methods are practicable for the covered entity.
While some covered entities would review and update their policies and procedures as a result of these proposals, which would cause them to incur some additional costs, the Department believes that entities would benefit from the regulatory certainty, and most entities would not need to change their policies and procedures because they currently do not impose unreasonable requirements on individuals.
Some covered entities reported that, due to uncertainty about which provisions of the Privacy Rule apply in certain circumstances, they do not request or disclose PHI even when doing so would support care coordination and case management activities that constitute health care operations, which would facilitate the transformation of the health care system to value-based care. Some have interpreted the existing definition of health care operations to include only population-based case management and care coordination, which would appear to exclude individual-focused case management and care coordination by health plans. Because health plans do not perform treatment functions under HIPAA, such an interpretation could limit a health plan's ability to perform such individual-level care coordination and case management activities.
The Department proposes to modify the definition of health care operations
Uncertainty about how to apply the minimum necessary standard creates fears of HIPAA enforcement action among covered entities that could inhibit information sharing, and may result in less efficient and effective care. Because entities that qualify only as health plans do not perform treatment functions, any care coordination or case management activity conducted by such a health plan is a health care operation, subject to the minimum necessary standard. Disclosures by health care providers for treatment, including care coordination and case management, are subject to the minimum necessary standard only when the disclosure is made to a third party that is not a health care provider. Thus, the rule imposes greater restrictions on health plans than on covered providers when conducting care coordination and case management activities related to an individual.
The Department proposes to add an express exception to the minimum necessary standard for disclosures to or requests by a health plan or covered health care provider for individual-level care coordination and case management activities that constitute treatment or health care operations. This proposal would relieve covered entities from the requirement to make determinations about the minimum information necessary (or whether it is reasonable to rely on the requestor's representation that it is the minimum necessary PHI) when the request is from, or the disclosure is made to, a covered health care provider or health plan for individual-level care coordination and case management activities. This proposed exception would apply only to those activities that support individual-level care coordination and case management, and not population-based activities. As the Department described above, commenters on the 2018 RFI, including covered entities, expressed concern about permitting additional disclosures without minimum necessary restrictions. The Department believes drawing a distinction between disclosures for individual-level versus population-based activities is responsive to these concerns, as disclosures for population-based activities lack the same nexus that individual-level activities have to the treatment of specific individuals.
As such, the proposal would enable health plans and covered health care providers to more easily request and disclose PHI for care coordination and case management for individuals. This proposal, in conjunction with the proposed clarification to the definition of health care operations, would result in significant cost savings to covered entities on an ongoing basis as they are relieved of conducting minimum necessary evaluations for care coordination and case management requests and disclosures among covered health care providers and health plans. Health plans and covered health care providers would continue to be responsible for meeting the minimum necessary requirements that apply to the
Many covered entities that are health care providers make disclosures to social services agencies and community based organizations only after obtaining a valid authorization from the individual, or never disclose PHI to these health-related services—even when it would facilitate the individual's treatment. Some covered entities may not be aware that the Privacy Rule generally permits disclosure to social services agencies and community-based organizations for care coordination and case management.
The Department therefore proposes to expressly permit covered entities to disclose PHI to social services agencies, community-based organizations, HCBS providers, or similar third parties that provide or coordinate health-related services needed for care coordination and case management with respect to an individual. Although such disclosures generally may be permitted as treatment or certain health care operations activities under the Privacy Rule, creating an express permission would provide clarity and assurance to covered entities about their ability to disclose PHI to such third parties for individual-level care coordination and case management. In addition, the preamble explains when these third parties are business associates of the disclosing entities, and thus when a business associate agreement is required. This proposed change would facilitate greater wraparound care and targeted services for individuals, leading to better health outcomes. The Department expects that the costs of implementing this proposed change would be limited to changing policies and procedures, to the extent that some covered entities have limited their disclosures to agencies and organizations because of uncertainty about current policies.
Some covered entities are reluctant to disclose PHI to family members and other caretakers of individuals facing health crises, including individuals experiencing SMI and SUD (including opioid use disorder), for fear of violating the Privacy Rule. To help address this reluctance, the Department proposes to amend the following five provisions of the Privacy Rule to replace “the exercise of professional judgment” with a “good faith belief” as the standard that permits uses and disclosures in the best interests of the individual: (1) Parent or guardian not the individual's personal representative, (2) Facility directories, (3) Emergency contacts, (4) Emergencies and incapacity, and (5) Verifying a requester's identity. The Department also proposes to apply a presumption of compliance when covered entities make a disclosure under any of those five provisions based upon a good faith belief that the disclosure is in the best interests of the individual (by adding a new paragraph (k) to 45 CFR 164.502), and to replace “serious and imminent threat” with “serious and reasonably foreseeable threat” in 45 CFR 164.512(j)(1)(i)(A) as the standard under which uses and disclosures needed to prevent or lessen a threat are permitted.
The Department believes modifying the Privacy Rule to further encourage such disclosures would help health care providers, individuals, families, and caregivers assist in treatment and recovery. The Department also believes these proposed modifications would address the specific circumstances where more information disclosure is needed to better coordinate care for individuals experiencing SUD, SMI, and health related emergencies.
Although the Department anticipates that covered entities would incur costs to implement the changes, in the form of revising policies and procedures and updating workforce member training, covered entities likely would also experience (unquantified) cost savings due to improved patient care and harm reduction (
Comments on the 2018 RFI described the requirement for covered entities to make a good faith effort to obtain an individual's signed acknowledgment of receipt of the NPP as unduly
The Department proposes to eliminate the requirements for a covered health care provider to obtain a written acknowledgment of receipt of the NPP (and to retain such documentation for six years) and to replace them with an individual right to discuss the NPP with a person designated by the covered entity. In addition, the Department proposes to modify the content requirements of the NPP to specify to individuals that the notice provides information about: (1) How to access their health information, (2) how to file a HIPAA Privacy Rule complaint, and (3) individuals' right to receive a copy of the notice and their ability to discuss its contents with a designated person. The required header also would specify whether the designated contact person is available onsite and must include a phone number and email address by which to reach the designated person. Further, the Department proposes to modify the required elements of NPPs to describe how an individual can exercise the right of access to obtain a copy of their records at limited cost or, in some cases, free of charge, and to direct a covered health care provider to transmit an electronic copy of PHI in an electronic health record to a third party. Finally, the Department proposes to add an optional element to the NPP to inform individuals of alternatives for obtaining copies of PHI, or requesting that copies be sent to a third party, when the individual seeks to send PHI to a third party in a manner that does not fall within the access right.
To implement these proposed changes, covered entities would incur one-time costs for revising policies and procedures and training, as well as for updating the NPP. However, by replacing the acknowledgment process for all new patient encounters with a right to discuss the NPP upon request, covered health care providers would experience ongoing cost savings from reduced paperwork burdens, and the (likely small) proportion of individuals who contact the designated person would benefit from having meaningful discussions about an entity's privacy practices.
Stakeholders have requested that the Department ensure that covered entities and business associates are able to disclose PHI to TRS communication assistants for individuals and workforce members, and to specifically address the use of TRS by covered entity and business associate workforce members to share PHI with other workforce members or outside parties as needed to perform their duties. These stakeholders have shared anecdotal accounts in which a covered entity or business associate refuses to allow a workforce member to use this essential service because of concerns about violating the Privacy Rule if they do not have a business associate agreement with the TRS provider.
The Department proposes in 45 CFR 164.512(m) to expressly permit covered entities (and their business associates, acting on the covered entities' behalf) to disclose PHI to TRS communications assistants to conduct covered functions.
The existing rule limits the ability of the USPHS and NOAA Commissioned Corps to facilitate care coordination and case management for Corps personnel, because the Armed Forces permission to use and disclose PHI—which is important for ensuring that personnel meet medical readiness standards, and thus for fulfilling the Commissioned Corps' missions—does not apply to the USPHS and NOAA Commissioned Corps. The permission is important because personnel and the broader population are put at risk when personnel do not disclose medical conditions to Commissioned Corps leaders and are then deployed on Commissioned Corps missions, which often involve emergency situations or austere circumstances.
To improve care coordination and case management for individuals serving in the Uniformed Services, the Department proposes to expand to all Uniformed Services the express permission for covered entities to use and disclose the PHI of Armed Forces personnel, thus permitting the USPHS and NOAA Commissioned Corps to use and disclose the PHI of their personnel for mission requirements and veteran eligibility determinations.
For purposes of this RIA, the proposed rule adopts the list of covered entities and costs assumptions identified in the Department's 2019 Information Collection Request (ICR).
In addition, the Department quantitatively analyzes and monetizes the impact that this proposed rule may have on covered entities' actions to re-train their employees on, and adopt policies and procedures to implement, the legal requirements of this proposed rule. The Department analyzes the remaining benefits and burdens qualitatively because of the uncertainty inherent in predicting other concrete actions that such a diverse scope of covered entities might take in response to this proposed rule. The Department requests comment on the estimates, assumptions and analyses contained herein—and any relevant information or data that would inform a quantitative analysis of proposed reforms that the Department qualitatively addresses in this RIA.
For reasons explained more fully below, the proposed changes to the right of access, acknowledgment of the NPP, and several use and disclosure permissions would result in net
The Department based its assumptions for calculating estimated costs and benefits on a number of publicly available datasets, including data from the U.S. Census, the U.S. Department of Labor, Bureau of Labor Statistics (BLS), CMS, and the Agency for Healthcare Research and Quality (AHRQ). All calculations using mean hourly wages include benefits and overhead by multiplying the mean hourly pay for an occupation by two.
Implementing the proposed regulatory changes likely would require covered entities to engage workforce members or consultants for certain activities. The Department assumes that a lawyer would draft or review needed changes to HIPAA policies, including revisions to the NPP and the access fee schedule, and that a medical and health services manager (
The Department assumes that the vast majority of covered entities would be able to incorporate changes to their workforce training into existing HIPAA training programs because the total time frame for compliance from the date of finalization would be 240 days, just short of a year. In addition, the Department has included additional time spent in training by medical records technicians in the calculation of burden hours, due to the number of proposed changes to the right of access for which they would be responsible.
For a number of proposals where the Department is incorporating existing interpretive guidance into regulation, the Department assumes that a portion of covered entities are already voluntarily engaging in the best practices highlighted in OCR guidance. For example, the Department is aware that 35 percent of hospitals in one study had posted an access fee schedule online,
With respect to cost savings, the Department proposes to recognize a previously unquantified burden associated with covered entities making minimum necessary determinations. The Department assumes that this burden, associated with time spent by a workforce member equivalent to a Medical and Health Services Manager, would necessarily be reduced by alleviating the need to make the determination for disclosures for care coordination or case management on behalf of an individual. For cost savings associated with the proposal to remove the requirement that covered entities obtain a signed acknowledgment of the covered entity's NPP or document a good faith effort to do so, the Department assumes that the time spent by clerical staff of a direct treatment provider, such as a Receptionist or Information Clerk, will vary widely depending on how that provider manages its own NPP process and whether the process is paper-based or electronic. For all of the proposed regulatory changes that covered entities are currently allowed to implement, consistent with the Department's interpretive guidance, the Department seeks comment on the extent to which covered entities are already voluntarily implementing the proposed requirements, and thus would neither incur additional costs nor realize savings as a result of the proposed changes.
This proposed rule would apply to HIPAA covered entities (
The Department expects that covered health care providers and health plans would be most directly affected by the proposed rule. While certain proposed changes would affect some providers and plans differently than others, all affected covered entities would need to adopt or change some policies and procedures and re-train some employees. Affected health care providers would include many federal, state, local, tribal, and private sector providers. The Department has not separately calculated the effect on business associates because the primary effect is on the covered entities for which they provide services. To the extent that covered entities engage business associates to perform activities under the proposed rule, the Department assumes that any additional costs will be borne by the covered entities through their contractual agreements with business associates. The Department requests data on the number of business associates (which may include health care clearinghouses acting in their role as business associates of other covered entities) that would be affected by the proposed rule and the extent to which they may experience costs or other burdens not already accounted for in the estimates of covered entity burdens.
According to Census data, there are 880 Direct Health and Medical Insurance Carrier firms compared to 5,350 Insurance Carrier firms, such that health and medical insurance firms make up 16.4% of insurance firms. Also, according to Census data, there are 2,773 Third Party Administration of Insurance and Pension Funds firms. The Department assumes that 16.4% of these firms service health and medical insurance. As a result, the Department estimates that 456 of these firms are affected by this proposed rule. Similarly, the Department estimates that 783 associated establishments would be affected by this proposed rule. See Table 5 below.
There were 67,753 community pharmacies (including 19,500 pharmacy and drug store firms identified in US Census data) operating in the U.S. in 2015.
Unless otherwise indicated, the Department relies on data about the number of businesses from the U.S.
The Department believes that, by having some contact with a HIPAA covered entity, a large proportion of the 329 million individuals in the United States
To calculate the potential monetary effect on individuals for the proposed changes to allowable fees for certain copies of PHI, the Department first estimated a baseline average cost for an access request under the current Privacy Rule requirements. The Department increased the estimated average time for providing a copy of PHI requested from 3 minutes in its prior analyses to 5 minutes, resulting in an average labor cost of $3.73 per request.
The Department believes the persons most affected by the proposed changes to the rule permitting certain disclosures based on “good faith” would include individuals who are unable to agree or object to the use or disclosure of PHI due to incapacity or who are at risk of harming themselves or others, as well as the loved ones and caregivers of such individuals. This would include those experiencing a health emergency, SUD, or SMI; and individuals to whom permissible disclosures would be made as a result of the rule, such as family members and other caregivers, and persons in a position to prevent or lessen (
The individuals most affected by the proposal to add a regulatory permission for workforce members to disclose PHI to a TRS communications assistant would be the estimated 170,000 persons employed in the health care sector who are deaf, hard of hearing, deaf-blind, or who have a speech disability.
The Department proposes to add a new definition within the Privacy Rule at 45 CFR 164.501 for the term “Electronic health record” or EHR to clarify the intended scope of the Privacy Rule provisions pertaining to ePHI in an EHR. Additionally, the Department proposes to add a new definition for the
The Department proposes to add a new subsection to amend the right of access provision at 45 CFR 164.524(a)(1) to establish that the right to inspect PHI generally includes the right to take notes, take photographs, and use other personal resources to capture PHI in a designated record set, but that a covered entity is not required to allow an individual to connect a personal device to the covered entity's information systems when doing so would create a risk to the security of the covered entity's electronic systems. Expressly enabling individuals to take notes and photographs when inspecting their own PHI in person would help individuals exercise their right of access in a convenient way. Most individuals who inspect, rather than request a copy of, their PHI otherwise would be unable to retain the amount or detail of PHI that would assist them with decision-making.
The Department proposes to amend 45 CFR 164.524(b) to shorten the allowable time limit for covered entities to provide copies of PHI by half, from 30 days (with the possibility of one 30-day extension) to 15 calendar days (with the possibility of one 15 calendar-day extension). In addition, where another federal or state law requires covered entities to provide individuals with access to the requested PHI in fewer than 15 calendar days, the Department proposes to deem such shorter time limits “practicable” under the Privacy Rule. The Department also proposes to add a requirement for covered entities to develop and implement a policy that explicitly prioritizes urgent or otherwise high priority requests (especially with respect to health and safety) so as to limit the need to use a 15 calendar-day extension for such requests. The Department does not propose to define what constitutes an urgent or high priority request, and does not intend with this proposal to encourage covered entities to require individuals to reveal the purposes of their requests for access. However, examples of urgent or high priority requests could include when an individual voluntarily reveals that the PHI is needed in preparation for urgent medical treatment, or that the individual needs documentation of a diagnosis of severe asthma to be allowed to bring medication to school the next day.
The proposal to shorten the time for covered entities to provide individuals with access to their PHI would improve patient-centered care by empowering individuals to review their health information in a timely manner and enhance patient decision making. It also would improve care coordination by enabling individuals to share their records more rapidly with other providers, informal caregivers, community based support services, and family members, as just a few examples. The Department believes that the overall effect would lead to improved health care communications and improved health outcomes. It also may reduce health expenditures due to a reduction in unnecessary, duplicative medical testing, reductions in medical errors, and more timely care delivery. For example, a research study found that the use of health information is “important for improving patient attitudes regarding their health status and confidence in caring for themselves. Perceived health-status and patient confidence, in turn, are associated with preventative health behaviors.”
Although nine states require some health care entities to provide access within 15 days or a lesser period,
The Department proposes to modify 45 CFR 164.524(c)(2) to clarify that where a covered entity is subject to other federal law that requires the provision of access to individuals in a particular form and format, such form and format is deemed readily producible under the Privacy Rule's individual access right. To the extent that other applicable federal laws require production of copies of PHI in a certain form and format, the proposed inclusion of these finalized requirements within the Privacy Rule would not significantly increase covered entities' compliance burdens. However, by providing that a form and format required to be produced under other federal law are readily producible under the Privacy Rule, the change would allow the Department to enforce the individual's right to receive their PHI in that form and format. Although quantifying the impacts of this provision is challenging, the Department believes the proposed clarification would benefit individuals by enhancing their ability to receive PHI in the form and format requested. It also would benefit covered entities by providing greater certainty about the Department's expectations regarding when a requested form and format is “readily producible.”
The Department also proposes in 45 CFR 164.524(c)(2)(iv) and (d)(4) to add a new set of parallel requirements so that when covered entities offer to provide or direct a summary of PHI in lieu of the requested copies, they must inform individuals that they retain the right to obtain or direct the requested copies if they do not agree to the offered summary. These requirements would not apply when the covered entity denies access on unreviewable or reviewable grounds, in which case the covered entity must implement the procedures required for such a denial under 45 CFR 164.524(e). These requirements would benefit individuals by ensuring that they are aware of their access rights and empowered to make choices about the form of access with full knowledge of the options available under the right of access. The proposals would benefit covered entities by engaging individuals in more robust discussions about the requested form of access early in the process, thus reducing potential complaints and fee disputes.
The Department proposes to modify 45 CFR 164.524(c)(3)(ii) (and redesignate it as 45 CFR 164.524(d)) to clarify the access right to direct the transmission of an electronic copy of PHI in an EHR to another person designated by the individual, and to add a new provision in 45 CFR 164.524(d)(7) for access requests submitted by covered health care providers and health plans at the request of the individual. The Department proposes to require covered health care providers and health plans to submit individuals' requests directing that electronic copies of PHI in an EHR be transmitted back to the entity that submitted the request. The new provision would specify that a covered health care provider or health plan must submit an individual's request to transmit an electronic copy of PHI in an EHR from another health care provider or health plan when the request is clear, conspicuous, and specific (which may be made orally or in writing, including electronically), and that the covered health care provider or health plan must submit the access request as soon as practicable, but no later than 15 calendar days after receiving the individual's direction and the information needed to make the request. The Department also proposes to add language clarifying that covered entities that receive access requests under this new provision are required to respond based on the individual's clear, conspicuous, and specific request.
The proposal to expressly include individual access requests submitted by health care providers and health plans as part of the right to direct the transmission of ePHI in an EHR to a third party would improve care coordination and patient-centered care by enhancing the individual's ability to direct the sharing of ePHI among health care entities. The change would improve health care communications and assist individuals' decision-making as they consult with various health care providers and health plans, and evaluate treatment alternatives, recommendations, and health plan coverage. All health care providers and health plans would benefit from receiving electronic records from other covered entities more quickly under the shortened timeframe, and the proposal to explicitly require covered health care providers and health plans to submit requests for copies of ePHI as directed by the individual within the right of access would enhance covered entities' compliance with responding to such requests received from other covered entities because such disclosures would be mandatory. This means of obtaining access also would ease the burden on individuals to separately contact their other providers and request that they transmit electronic records to their treating physician. Instead, the individual may initiate such requests through the provider (or health plan) with whom they are currently communicating or receiving services, and who will receive the ePHI. Taken together, these changes would empower individuals by clarifying the scope of a patient's HIPAA rights and providing a convenient means to effectuate certain mandatory transfers of electronic medical records between covered entities.
The Department proposes to modify 45 CFR 164.524(c)(4) to prohibit covered entities from charging fees for access when an individual inspects PHI about the individual in person or accesses an electronic copy using an internet-based application method. The Department proposes to expressly provide that covered entities may not charge a fee when an individual, in the course of inspecting PHI, takes notes or photographs, or uses other personal resources to capture the information.
All individuals would benefit from improved access to their PHI and regulatory requirements stating the circumstances in which access is always to be provided free of charge. In addition to any quantifiable increases in the number of access requests fulfilled without charge, the Department believes that individuals' abilities to manage their own health care and payment for care would be improved by improving access to their own PHI.
Additionally, although the Department is not expressly prohibiting fees when an individual uses an internet-based method to direct the transmission of an electronic copy of PHI in an EHR to a third party, the Department expects that, in most cases, there will be no allowable labor costs for such access.
The Department proposes to add a new section at 45 CFR 164.525 to require a covered entity to provide advance notice to individuals of the fees the entity charges for providing access to and copies of PHI. Specifically, the Department proposes to require a covered entity to post a fee schedule online (if it has a website) and make the fee schedule available to individuals at the point of service upon request. The notice must include: (i) All types of access to PHI available free of charge; (ii) approximate fees for copies of PHI provided to individuals under 45 CFR 164.524(a), to third parties designated by the individual under 45 CFR 164.524(d), and to third parties with the individual's valid authorization under 45 CFR 164.508; (iii) upon request, an individualized estimate of the approximate fee that may be charged for the requested copy of PHI; and (iv) upon request, an itemized list of the charges for labor, supplies, and postage, if applicable, that constitute the total fee charged.
The Department anticipates that all individuals interested in access to PHI would benefit from having advance notice of a covered entity's approximate fee schedule for standard or common data access requests for PHI, by learning about how they may access their PHI for free, and obtaining pricing information for copies prior to or at the time of making an access request or a request for copies with a valid authorization. Readily available public information about access fees would also serve to promote compliance with the Privacy Rule because covered entities will want to avoid posting fee schedules that show noncompliance with fee limitations,
Providing an access and authorization fee schedule, and an individualized estimate of fees for an individual's request for copies of PHI upon request, would also benefit covered entities because this information is likely to prevent or resolve potential fee disputes that occur when individuals are surprised by unexpectedly high fees.
The Department proposes to add an exception to the minimum necessary standard in 45 CFR 164.502(b)(2) for
The Department proposes to add an express permission for a covered entity to disclose PHI for individual-level care coordination and case management to a social services agency, community-based organization, HCBS provider, or other similar third party that provides health-related services to those specific individuals, as a new paragraph (6) in 45 CFR 164.506(c). The Department believes the proposed changes and clarifications about the disclosures permitted for care coordination and case management would help covered entities and others achieve their health-related missions, particularly those that are not health care providers or HIPAA covered entities. The Department has continued to hear that health care providers and health plans want to refer individuals to such organizations for health-related supportive services, but are reluctant to do so because of uncertainty regarding the applicable permissions and obligations. The Department interprets the Privacy Rule to allow health care providers to disclose PHI for their own treatment activities to both covered entities and entities that are not subject to HIPAA, which may include community-based supportive services related to health. By expressly identifying social services agencies, community-based organizations, HCBS providers, and similar third parties as entities to which PHI may be disclosed for individual-level care coordination and case management that constitute treatment or health care operations, the Department would remove regulatory uncertainty and ease the ability of covered health care providers to facilitate comprehensive transitions of care. The Department believes these proposed clarifications would affect at least 137,052 organizations providing social assistance to individuals.
The Department proposes to amend five provisions of the Privacy Rule to replace the exercise of “professional judgment” with a “good faith belief” as the standard that permits uses and disclosures in the best interests of the individual, and to include a presumption of compliance with the good faith requirements. These proposed modifications would apply to uses and disclosures involving a parent or guardian who is not the individual's personal representative (45 CFR 164.502(g)(3)(ii)(C)), facility directories (45 CFR 164.510(a)(3)(i)(B)), emergency contacts (45 CFR 164.510(b)(2)(iii)), limited uses and disclosures when the individual is not present or is incapacitated (45 CFR 164.510(b)(3)), and verifying a requester's identity (45 CFR 164.514(h)(2)(iv)). The proposed presumption of compliance could be overcome with evidence that a covered entity acted in bad faith.
The Department believes that replacing the professional judgment standard with one based on good faith, as proposed, would result in improved treatment and recovery outcomes for individuals who are most affected, for example, by the current opioid crisis, as well as those experiencing SMI or other SUD, by facilitating the increased disclosure of PHI by covered entities to persons who care about the individual and who need to be involved in the individual's care. The Department expects that health care providers who have confidence in their ability to disclose information to individuals' family members, friends, and others involved in care or payment for care when it is in an individual's best interests, without fear of violating HIPAA, would be more likely to disclose PHI that could be used by those persons to provide needed care and support.
The Department does not have data to quantify such benefits, but research supports the conclusion that family involvement improves the engagement in treatment and recovery of these individuals.
The Department proposes to amend the Privacy Rule at 45 CFR 164.512(j)(1)(i)(A) to replace the “serious and imminent threat” standard with a “serious and reasonably foreseeable threat” standard. This proposed change would permit covered entities to use or disclose PHI without determining whether the threat is imminent (which may be impossible to determine with any certainty), but rather whether it is likely to happen. The Department expects this proposed modification to improve the timeliness of uses and disclosures of PHI that would otherwise have occurred but for the covered entity's uncertainty about whether a threat is “imminent.” The Department believes that individuals, covered entities, and communities would benefit from threat reduction and improved health and safety as a result. The Department also proposes to add a new paragraph (5) to this provision to define “reasonably foreseeable.” The proposed definition of “reasonably foreseeable” would apply a reasonable person standard to permit uses and disclosures by covered entities in instances where similarly situated covered entities would use or disclose PHI to avert a threat based on the facts and circumstances known at the time of the disclosure. The proposed definition also would include an express presumption that threats to health or safety identified by a covered health care provider with specialized training, expertise, or experience in assessing an individual's risk to health or safety (such as a licensed mental or behavioral health professional)—and whose assessment relates to that specialized training, expertise, or experience—meet the definition of “reasonably foreseeable.” A covered entity, however, need not have such specialized training, expertise, or experience in order to meet the reasonably foreseeable standard.
The Department expects that these proposed changes to the standard at 45 CFR 164.512(j) would improve communication and coordination between health care providers, caregivers and others in a position to lessen harm and avert threats, including opioid overdose and incidents of mass violence.
The Department proposes to add subsection (G) to 45 CFR 164.520(b)(1)(iv), to give individuals the right to discuss the NPP with a person designated by the covered entity as the contact person pursuant to section 164.520(b)(1)(vii). The Department proposes to include information about this right in the header of the NPP to ensure that individuals are aware of their ability to discuss the NPP with a designated person. Requiring that an entity's NPP include the name or title and contact information for a designated person who is available to provide further information about the covered entity's privacy practices, and adding an individual right to discuss the notice with the designated person, would help improve an individual's understanding of the covered entity's privacy practices and the individual's rights with respect to his or her PHI. Even for individuals who do not request a discussion under this proposal, knowledge of the right may promote trust and confidence in how their PHI is handled.
The Department proposes to amend the Privacy Rule at 45 CFR 164.512 by adding a new standard in paragraph (m) to expressly permit covered entities (and their business associates, when acting on the covered entities' behalf) to disclose PHI to Telecommunications Relay Service (TRS) communications assistants when such disclosures are necessary for a covered entity or a business associate to conduct covered functions. This permission would cover all disclosures to TRS communications assistants, including communications necessary for care coordination and case management, relating to any covered functions performed by or on behalf of covered entities. The Department also proposes to expressly exclude TRS providers from the definition of business associate. The Department intends for these new provisions to ensure that regulated entities do not bear the burdens of analyzing whether they need a business associate agreement with a TRS and, potentially, establishing one before a workforce member discloses PHI to a TRS communications assistant who is assisting the workforce member in the course of performing their duties. Adding an express permission for covered entities' workforce members to share PHI via a TRS communications assistant would improve communications for health care delivery and benefit covered entities by supporting their compliance with employment nondiscrimination laws, such as the ADA. Further, by enhancing the ability of an estimated 170,000 workforce members
The Department requests comment or examples that could assist the Department in quantifying costs or cost savings in relation to the following:
• Any relationship between individuals' access to medical records and improved health outcomes, including data about any health effects related to the amount of time between a request for access and the provision of access;
• Any relationship between fees individuals pay to obtain medical records and the frequency with which the individual seeks treatment;
• Any relationship between the ease or difficulty faced by covered health care providers and health plans to make minimum necessary determinations and
• Any relationship between the ease or difficulty faced by covered health care providers and health plans in disclosing PHI based on a professional judgment standard or a good faith belief standard, and the frequency with which an individual will seek care from that provider or enroll with that plan, especially for treatment or coverage related to substance use disorders or serious mental illness.
• The frequency with which different types of covered entities currently disclose PHI based on:
○ Professional judgment about an individual's best interests; and
○ A good faith belief that a threat or harm is serious and imminent, and the type of harm; and
• Any relationship between improved compliance with non-discrimination laws, such as the ADA, and health outcomes of populations protected by those laws.
The Department provides below the basis for its estimated costs and savings due to the proposed changes to specific provisions of the Privacy Rule and invites comments on the Department's assumptions, data, and calculations, as well as any additional considerations that the Department has not identified here. Many of the estimates are based on assumptions formed through OCR's experience in its compliance and enforcement program and accounts from stakeholders received at outreach events. The Department welcomes information or data points from commenters to further refine its estimates and assumptions.
To evaluate the potential benefit and burden of changes to the right of access, the Department calculated a range of estimated total annual numbers of access requests for covered entities, from 1.5 million to 3.3 million. The Department's initial projections were drawn from prior rulemaking and burden estimates; however, based on its experience and comments received on the 2018 RFI, the Department believes an upward adjustment to the estimated number of access requests is needed. The Department developed the estimates herein based on three datasets: The total number of covered entities; the total number of U.S. health care encounters with a health care provider in a year; and the total population of the U.S. The calculated results are as follows: (1) 1.5 Million, by estimating that 774,331 covered entities receive an average of two access requests per year; (2) 2.46 million, by estimating that in one year one-tenth of a percent of health care encounters
The Department received widely varying reports from covered entities that commented on the RFI regarding the number of access requests they receive annually and it was unclear whether the numbers included requests that are not part of the right of access, such as disclosures accompanied by a valid authorization, disclosures for purposes of treatment, payment, or health care operations, or other disclosures permitted by the Privacy Rule.
The Department believes that covered entities would benefit from the certainty offered by its interpretation of the proposed definition of EHR; however, the Department lacks sufficient data to develop a quantifiable estimate. The Department does not anticipate additional costs for covered entities from the proposal to codify in regulation a definition of EHR because the definition itself imposes no requirements, the proposed definition is based on the statutory definition in the HITECH Act which has been in effect for more than a decade, and the proposed definition incorporates existing Privacy Rule definitions, such as direct treatment relationship, that are familiar to regulated entities. Cost savings and costs related to limiting the scope of the access right to direct a copy of PHI to a third party to PHI in an EHR are addressed elsewhere.
The Department proposes to add a requirement to the right of access at 45 CFR 164.524(a)(1) to establish that the right to inspect PHI in a designated record set includes the right to take notes, take photographs, and use other personal resources to capture the information, but that a covered entity is not required to allow an individual to connect a personal device to the covered entity's information systems. The Department assumes that requests to inspect PHI may result in a reduction in requests for covered entities to make copies because individuals may choose to capture the information they need through notetaking, photographing, or other means, and that reviewing the PHI may enable individuals to narrow the scope of any request for copies. This could reduce costs for covered entities; however, the Department lacks sufficient data about the number of inspection requests received by covered entities to make a reasonable estimate of the projected savings. For individuals who prefer to view PHI in person and use their own resources, the proposed changes may offer out-of-pocket cost savings. Individuals who would not want to view their PHI in person would simply not exercise this new right, but would continue to access their PHI as before, thus not incurring any new costs or achieving any new savings. The Department requests data on the number of requests to inspect PHI received by covered entities and the experiences of entities and individuals with how the inspection of PHI affects the number, frequency, or scope of requests for copies.
Upon consideration of the instances where PHI is readily available at the point of service, such as when viewing x-rays or lab results, the Department anticipates that there may be a much greater demand by individuals for the ability to use one's own device to capture the images or other PHI as a result of this proposal. The Department anticipates this would result in
To the extent that covered entities are currently prohibiting individuals from notetaking, photographing, or other ways of capturing PHI using their own devices, they would incur costs involved in changing the existing policy for in-person access. The Department anticipates that a covered entity would need 25 minutes of lawyer time
The Department proposes to shorten the time for covered entities to provide copies of PHI from 30 days (with the possibility of one 30-day extension) to 15 calendar days, or shorter where practicable (with the possibility of one 15 calendar-day extension). The Department lacks sufficient data to quantify any potential cost savings to covered entities resulting from this proposal; however, the receipt of PHI more rapidly from other covered entities may create efficiencies throughout the entire health system and contribute to improved health outcomes and decreased treatment costs. While the Department believes that many covered entities already are providing copies of PHI in far less than 30 days, the increased certainty provided by the proposed regulatory time limit would create additional benefits. For individuals, shortened access times may result in cost savings due to an improved ability to make timely and cost-effective decisions about treatment options and a reduction in duplicative procedures, such as repeat lab tests. For example, an individual who is able to receive a timely copy of a lab result would be able to share it with a consulting provider who otherwise may need to re-order the test, thus saving time and money and enabling timely treatment; or a patient considering surgery who is able to receive a timely copy of PHI would be able to evaluate treatment alternatives with different providers to select which best fits the patient's circumstances. In short, the Department projects that the ability to obtain health information faster may result in cost savings overall. The Department invites comments providing data on projected cost savings from shortening the access time limits from 30 days to 15 calendar days.
The Department estimates that at least 50 percent of access requests are already being fulfilled in 15 calendar days or less, taking into account those covered entities (primarily health care providers) subject to state laws with 15-day (or shorter) requirements
The Department proposes to clarify that a readily producible form and format includes access through an application programming interface (API) using a personal health application. It also proposes that a covered entity must inform any individual to whom it offers to provide a summary in lieu of a copy of PHI that the individual retains the right to obtain a copy of the requested PHI if the individual does not agree to receive such summary. The Department lacks sufficient information to quantify the potential costs or cost savings from these proposals and requests information about how these proposals would affect covered entities, business associates, and individuals.
The Department proposes to limit the access right to direct a copy of PHI to a third party to only electronic copies of PHI in an EHR. The Department proposes to implement this proposal by adding an optional element to the Notice of Privacy Practices and changing the allowable fees for transmitting such copies—thus, most of the estimated costs and cost savings for those changes are discussed as cost transfers in separate sections on those topics. However, the Department recognizes that covered entities may incur some labor costs for requests by individuals under the right of access to direct electronic copies of ePHI to a third party and estimates that costs may increase for 25 percent of the estimated annual 615,000 such requests (153,750) in the amount of 2 minutes of labor at the hourly wage of a medical records technician ($44.80) or $1.49 per request that cannot be charged to the individual as an allowable fee for copies.
The Department also assumes that many covered entities correctly interpret the current HIPAA right to direct the transmission of electronic copies of PHI in an EHR to a third party to apply to individuals' requests to direct the transmission of such ePHI to another provider or to their health plan. With respect to such requests, the Department assumes that many covered health care providers and health plans are already disclosing PHI to other providers and plans in a timely manner, which in most instances would be far less than 30 days. The Department further expects that providers using HIEs and certified EHR technology (CEHRT) are disclosing ePHI to other providers in much less than 15 calendar days, as indicated by comments the Department received in response to the RFI. Thus, the Department projects that the costs for complying with the proposed changes for sending electronic copies of PHI in an EHR to health care providers and health plans in no more than 15 calendar days would be limited to a small percentage of covered entities and that those costs would mostly be attributable to changes in 45 CFR 164.524(c)(3), as described in the section above. However, in recognition that covered entities are unlikely to recoup costs for requests by individuals under the right of access to direct electronic copies of ePHI to health plans and health care providers, the Department estimates that costs may increase for 25 percent of the estimated annual 615,000 of such requests (153,750) in the amount of 4 minutes of labor at the hourly wage of a medical records technician ($44.80) or $2.99 per request. This is greater than the uncompensated burden estimate for copies sent to other third parties because the Department understands that health care providers and health plans may not routinely charge any fees for disclosures to other covered entities.
Additionally, the Department proposes, at 45 CFR 164.524(d)(7), to require that a covered health care provider or health plan must submit a request for an electronic copy of PHI in an EHR from another health care provider, to be directed to the requesting covered entity (
Based on comments on the 2018 RFI, in many instances covered entities are already requesting copies of PHI from other health care providers within 30 days or less of communicating with an individual who requests such information to be added to his or her health record. The disclosure of PHI to the covered entity that submitted the request is permitted without an individual's authorization for purposes of treatment, payment, and certain health care operations, as applicable, and required under the current right of access when an individual submits a written request.
The Department anticipates that once individuals and third party recipients learn about the changes (
As stated in the discussion of changes to the proposed access fees, the Department estimates a total of 2.46 million access requests per year and that half of these are for the individual to obtain his or her own records, one-fourth (615,000) are to direct the transmission of records to a health care provider or health plan, and the remaining one-fourth (615,000) are to direct the transmission of records to a third party. Of the 615,000 estimated requests to direct the transmission of PHI to a third party other than a health care provider or health plan, the
The cost savings associated with these changes are discussed separately as cost transfers in the sections on the proposed changes to access fees.
The Department estimates that covered entities, primarily providers, would incur some costs from the proposed new requirement to submit requests for access on behalf of individuals who are seeking to direct the transmission of electronic copies of PHI in an EHR from another health care provider (“Discloser”) to the requesting entity (“Requester-Recipient”). The Department estimates that the proposed requirement would increase costs for 15 percent of the 615,000 annual requests to direct copies of ePHI to health plans and providers (92,250) by 3.5 minutes per request at the adjusted labor rate of a medical assistant ($34.34, see Table 4), for a total of 5,381 burden hours at a total annual cost of $184,792. These costs are presented in Table 12 as ongoing costs of the proposed rule.
The Department does not anticipate that covered entities would incur a significant additional burden from an express inclusion of health care providers and health plans as recipients to whom disclosures are mandated when the individual exercises the right to direct the transmission of electronic copies of PHI in an EHR to a third party. Based on a notable lack of comments or concerns expressed by stakeholders about directing PHI to covered entities as part of the right of access, the Department expects that most covered entities have correctly interpreted the Privacy Rule and included individuals' requests to direct the transmission of ePHI to health care providers and health plans into their access request fulfillment process. The small proportion of covered entities or business associates who are not already fulfilling individuals' access requests to transmit ePHI to health care providers or health plans may experience a small increase in costs resulting from their current noncompliance. The Department estimates that 25 percent of these requests (153,750 total) would result in transmitting an electronic copy of ePHI via a non-internet based means (
Overall, the Department believes that, for covered health care providers and health plans, any costs to fulfill requests made under this proposal would be counterbalanced by the increased responsiveness from other covered entities that would transmit records to them, when requested, on a timelier basis, which would improve care and contribute to cost reductions.
The Department proposes to expressly prohibit covered entities from charging fees for access when an individual inspects PHI about the individual in person and for copies of PHI that an individual accesses using an internet-based method.
Expressly permitting individuals to copy and photograph their PHI for free during an in-person inspection may reduce the number and scope of subsequent access requests made by such individuals. In addition, to the extent that covered entities increase the free availability of PHI via an internet-based method, they may experience a decrease in other types of access requests for which costs are incurred. The Department expects that individuals may increasingly choose to initiate and obtain access via an internet-based method, which will result in cost savings to individuals.
Prohibiting covered entities from recouping certain costs for providing electronic copies of PHI, or transmitting an electronic copy of PHI in an EHR to third parties, would increase expenses for these items: electronic media onto which copies of PHI from an EHR are transferred, and actual mailing and shipping costs for electronic copies.
Under the Department's proposed changes, covered entities would be disallowed from charging for certain expenses that the Privacy Rule currently allows when providing copies to an individual and when directing an electronic copy of PHI in an EHR to a third party under the right of access. The non-chargeable expenses would be the portion of costs attributable to emailing, mailing, or shipping the electronic copies and the costs of electronic media requested by individuals. Labor costs for copying or transferring EHR records to another electronic format (such as a PDF) or onto electronic media (
The Department has not estimated postage or shipping costs in earlier Privacy Rule rulemaking because the rule permitted actual costs for those expenses to be passed on to the individual making the request for copies of PHI. To estimate how the proposed changes would affect covered entities, the Department has estimated that a 100-page paper record (one pound of material) can be shipped via U.S. Mail for $7.50 and a CD or USB drive can be shipped for $3.00.
To readily compare the potential burden or burden reduction from various types of requests to direct copies of PHI to third parties, the Department presents its estimates in the charts below and provides detailed explanations of the included cost items for each calculation under the current rule, state law, and the proposed rule in the paragraphs that follow. State law remains a relevant consideration in two ways. First, to the extent that state law limits on fees for copies of medical records for individuals are lower than the limits in the Privacy Rule, the state law applies. For instance, some states require a free copy for individuals who are indigent or who are applying for public benefits. Second, for copies of PHI provided in response to a valid authorization, the Privacy Rule limits the allowable fee to “a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law”
The Department's estimate of allowable costs that may be charged for a 200-page hybrid record directed to a third party under the current right of access is approximately $14.73 (estimating $3.73 for 5 minutes of labor
In addition to the costs that may be charged as fees for providing copies, the Department estimates a previously unacknowledged burden of 2 minutes of labor per request that is not allowed to be charged to the individual or the third party recipient of the ePHI for copies that are sent via a non-internet method (
The Department estimates that the average charge allowed by state law for a 200-page hybrid record directed to a third party is $123 per request (including a handling or administrative fee
The estimated average allowable fee under the proposed rule (100 pages in electronic format) is $1.49 per request (estimating 2 minutes for labor).
In developing its estimated costs and cost benefits, the Department employed several methods to arrive at a range of costs and cost benefits and average estimated costs and cost benefits for the proposed adjustments to the allowable access fees.
The Department applied its estimated fees to a 200-page hybrid record and compared the costs under the proposed changes to a baseline of $25.23 in estimated allowable costs under the current right of access. See Table 8. The resulting estimated cost savings for three different types of requests are as follows.
Under the proposed rule, a covered entity could charge the state law rate ($133.50) or $108.27 more for the request than allowed under the current rule.
Under the proposed rule, a covered entity could charge the state law rate for copying and sending 100 electronic pages not in an EHR ($76.70) plus the allowable labor for copying the 100 EHR pages ($1.49) for a total of $78.19 or $52.96 more per request than allowed under the current rule.
Under the proposed rule, a covered entity could charge the state law rate for copying and sending 100 non-electronic pages ($88.16) based on a valid authorization, plus the allowable labor for copying the 100 EHR pages ($1.49) under the right of access, for a total of $89.65 or $64.42 more per request than allowed under the current rule.
To summarize, under the options presented above, the Department estimates that the cost savings of the proposed changes to the access right to direct an electronic copy of PHI in an EHR to a third party and allowable fees for directing copies of PHI to third parties, would range from $53 to $108 per request.
The Department also applied a second method for estimating the potential costs and cost savings of the proposed fee changes. Under the second approach, the Department assumed that half of the 615,000 annual requests to direct copies of PHI to a third party would be for electronic copies of PHI in an EHR (307,500) and that half would no longer fall within the right of access (307,500), but then would be disclosed with a valid authorization. Costs for covered entities would increase for the estimated 307,500 requests that are accepted (for electronic copies of PHI in an EHR) by an estimated $7 per request in supplies and postage they would no longer be able to recoup in fees, for a total estimate of $2,152,500 annually.
Under the proposed changes, a covered entity would be allowed to charge less per request to transmit an electronic copy of PHI to a third party under the right of access and significantly more per request to send non-electronic copies or electronic copies not maintained in an EHR to a third party with a valid authorization, as compared to what is allowed under the current right of access. Under the several methods for calculating estimated fees for copies of PHI, the Department estimates total annual cost savings for covered entities ranging from $31 million to $67 million, or an average of $43 million. However, the Department estimates that all of these cost savings on the part of covered entities would be transferred to individuals and/or their third party designees as costs. The Department estimates that 50 percent of these cost savings would be transferred as an additional cost imposed on individuals and the other 50 percent would be transferred to the third parties to whom the PHI is directed. For each of the estimated 615,000 requests that would have been made under the current rule to direct the transmission of copies of PHI to a third party under the right of access, the allowable fee for copies would increase by an estimated average of $70 ($43 million in estimated annual cost savings divided by 615,000 requests).
The Department seeks comments on these estimates, averages, and assumptions underlying its analysis and invites comments on the number and type of access requests received by covered entities, costs incurred, and fees charged.
The Department anticipates that the burden on covered entities for drafting or updating their access fee schedules would include the one-time costs for a lawyer to review the new HIPAA provisions and evaluate the entity's fee structure based on changes to allowable access fees. This would include lawyer time at an adjusted mean hourly rate of $139.72. For each covered entity, the Department estimates an average of three hours for a lawyer to make policy and procedure revisions related to all the proposed changes to the right of access, including allowable fees. In total, the Department estimates 2,322,993 burden hours, for approximately $325 million in lawyers' costs related to the proposed changes to the right of access.
Covered entities also would need to add new access fee policies and procedures to their HIPAA training content. In its estimates, the Department includes two hours and thirty minutes of a training specialist's time for each covered entity to revise the training content for all of the proposed changes to the right of access, including fees and responding to requests for fee estimates, at an adjusted mean hourly rate of $63.12. The Department believes this estimate is reasonable, but welcomes comment and data to further inform its assumption. In total, the Department estimates 1,935,828 burden hours for all of the revisions to training content related to the right of access and costs of approximately $122 million. The Department assumes, for all of the proposed changes, that entities would incorporate the updated training content into their ongoing HIPAA training program, and that for most workforce members there would be no additional training costs for the time spent in HIPAA training. However, for medical records technicians, the Department has estimated an average seven minute increase in the time spent in training on the proposed right of access changes in the first year of implementation, for a total estimate of 90,339 burden hours at a total estimated cost of $4 million.
The Department proposes, in a new 45 CFR 164.525, to require a covered entity to provide advance notice to individuals of the fees the entity charges for providing copies of PHI. Specifically, the Department proposes to require a covered entity to (i) post a fee schedule for standard or common types of access requests, including all types of access which are free, on the entity's website (if it has one), and make the fee schedule available to individuals; (ii) provide, upon request, an individualized estimate of the approximate fee that may be charged for the requested copy of
The Department thinks it is likely that covered entities that provide fee estimates for access and disclosures pursuant to a valid authorization would find that such action results in a narrower scope for some requests than would exist without the changes, improved collection rates for access fees, and reduced time needed for workforce members to resolve access payment disputes and complaints. Thus, the Department believes that the benefits of changing covered entities' access procedures in a way that incentivizes individuals to make more targeted access requests and informs them of fees in advance would counterbalance the burdens on covered entities. However, the Department has no data with which to estimate the reduction in burden and welcomes comments on this change, including covered entities' experiences with the collection of access and authorization fees, the factors affecting the scope of individuals' requests for copies, and the costs to covered entities for handling fee disputes.
The Department seeks comments on the number of covered entities that charge fees only for copies provided based on a valid authorization, and no fees for fulfilling requests pursuant to the right of access.
The Department assumes that all entities that charge for providing copies of PHI already have some type of standard fee structure. The Department also presumes that some covered entities have already posted an online access and authorization fee schedule consistent with existing guidance recommending this practice, although this is not required by the Privacy Rule, and have been making it available to individuals. For those covered entities that have not yet posted the fee schedule online, the costs of doing so should be minimal because this requirement only applies to entities that have a website. The Department anticipates that posting an online notice of access and authorization fees would require the costs of reviewing, formatting, and posting one document. Making the notice available may include, for example, having copies available in the office where individuals make access and authorization requests or emailing it to individuals upon request.
Because the proposed change requires covered entities to make the access and authorization fee schedule available at the point of service and upon request (in addition to posting online when a website is utilized), it may be least burdensome for entities to add the fee schedule to their access and authorization request forms (although the Department does not propose to require this, or to require the use of a standard form for access requests), resulting in no additional labor costs for distribution. Further, for covered entities that already have a fee schedule, the proposed change would only require revisions to an existing document, resulting in no additional costs for paper. The Department estimates the potential burden on all covered entities (774,331) as the cost of 10 minutes of a web developer's time at a rate reported in Table 4, for a total labor cost of approximately $10 million. Although the Department assumes that 35 percent of covered entities have already made an access and authorization fee schedule available, as discussed in the baseline assumptions following Table 4, it recognizes that all covered entities may need to post an updated fee schedule and accounts for this in its estimates. In addition, the Department estimates that all covered entities will incur first-year and ongoing capital costs for making the fee schedule available at a cost of $0.10 for paper and printing, or a total of $232,299. This assumes each covered entity prints an average of three copies of the fee schedule as a separate document. The Department anticipates that covered entities will provide the fee estimate in a variety of ways, not all of which will incur additional costs, such as including the fee schedule on the access and/or authorization form and providing it electronically.
The Department seeks comments and data on its assumptions, and on the number of covered entities that require individuals to use an access request form and how many currently make an access and/or authorization fee schedule available to individuals, either online or through other means, such as email or telephonically.
Providing the individual, upon request, with an individualized estimated access and/or authorization fee: The proposed changes would require billing information to be provided to individuals in advance as an estimate, upon request. Providing advance notice of the fees for providing the requested PHI would require a statement of charges pertinent to the individual's request (
Providing an itemized list of allowable access and authorization charges for labor, copying, and postage: The Department assumes that: (a) Many entities are already providing this information when requested by an individual as recommended in OCR's existing guidance, although it is not required by the Privacy Rule; and (b) a small proportion of individuals who request copies of PHI will make such requests. Limiting this requirement to instances when the cost details are requested would further minimize the burden of this proposed change. The Department estimates the potential labor costs as one minute of a medical records technician's time at the hourly rate of $44.80 for an estimated 24,600 annual requests for an itemized list of access charges, or a total of 410 burden hours and $18,368 in total costs. The Department estimates that covered entities would incur capital costs for printing one sheet of paper at a cost of $0.10 per request for an itemized list of charges and no additional postage because the itemized list of charges would be included with the copies of PHI sent to the individual, for a total cost of $2,460 annually. The Department seeks comments on the number (and relative volume) of requests for the specific details of allowable charges for copies of PHI that covered entities receive from individuals or their personal representatives.
The Department proposes to add a new paragraph (v) to 45 CFR 164.514(h)(1), which would state that a covered entity may not impose identity verification requirements on an individual that would serve as a barrier to or unreasonably delay the individual from exercising an individual right under HIPAA when a less burdensome measure is practicable for the covered entity. Individuals would accrue cost savings by reductions in expenses for obtaining notarized documents, traveling in person to request access, paying verification fees, or meeting other unreasonable verification practices. Because the Department assumes that most entities do not impose such barriers to individual access, the Department anticipates that the total cost savings will be modest, but they may be significant for any particular affected individual. The Department invites comment and examples of the extent to which covered entities impose measures that some may view as unreasonable and create costs for individuals when seeking to request access to PHI.
The Department, based on OCR's experience with HIPAA enforcement and recommendations in guidance, anticipates that most entities already are avoiding unreasonable verification measures. However, OCR has received some complaints and anecdotal reports that some entities are forcing individuals to engage in these burdensome practices, such as obtaining a notarized signature or appearing in person to make an access request. The Department estimates that 5% of covered entities (38,717), and any business associates that fulfill requests for access on their behalf, would need to modify their verification policies and forms and update related HIPAA workforce training content. The Department estimates that these covered entities would incur costs for 30 minutes of a lawyer's time (or $69.86) to revise these policies and procedures, and costs for 10 minutes of a training specialist's time (or $10.52) to update the HIPAA training content on this provision, for a total of approximately $80.38 per covered entity. As the Department does not have data upon which to refine its assumptions and estimates, the Department invites comments in this regard for future consideration, as well as on any costs associated with implementing the proposed changes.
The Department proposes to add, at 45 CFR 164.502(b)(2), an express exception to the minimum necessary standard for disclosures to or requests by a covered health care provider for individual-level care coordination and case management activities that constitute treatment or health care operations. The Department expects to achieve significant cost savings from this proposal. The Privacy Rule generally requires a covered entity to make reasonable efforts to limit use of, disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose and to make an assessment of what PHI is reasonably necessary for a particular purpose. These requirements apply to all requests for, and disclosures of PHI for payment and health care operations purposes, including care coordination and case management. In some circumstances, a covered entity may, but is not required to, rely on representations by a requesting covered entity that the amount of PHI requested is the minimum necessary. In such cases, the disclosing covered entity remains responsible for determining when such reliance is reasonable under the circumstances.
The Department lacks quantifiable data on the number of such determinations that occur in every covered entity and requests comment on the number of determinations, the type and level of workforce members making the determinations, and how such determinations are made consistent with an entity's minimum necessary policies and procedures. The Department assumes that any covered entity makes numerous minimum necessary determinations daily as to whether a request or disclosure related to patient information can be made consistent with the covered entity's policies and procedures. The Department estimates that each covered health care provider and health plan would save 25 minutes per month in time currently spent considering requests for care coordination and case management disclosures, to determine whether the information requested could be provided consistent with its internal minimum necessary policies, and to follow the requisite procedure for doing so.
The Department assumes that this proposal would relieve covered entities from the requirement to make determinations about the minimum information necessary to accomplish the purpose of a disclosure (or whether it is reasonable to rely on the requestor's representation that it is requesting the minimum necessary) when the request is from, or the disclosure is made to, a covered health care provider or health plan for individual-level care coordination and case management activities. In the 2000 Privacy Rule, the Department estimated that the minimum necessary requirement was one of the two largest cost items of the Privacy Rule, imposing a likely burden of $926.2 million in the first year and $536.7 million annually in subsequent years.
The Department has attempted to refine its estimates related to minimum necessary by reviewing publicly available materials from the Agency for Healthcare Research and Quality Medical Expenditure Panel Survey,
The public comments on the 2018 RFI make clear that there is a burden associated with making minimum necessary determinations with respect to uses and disclosures of PHI for care coordination and case management, and therefore savings will be associated with relief from the burden. The Department's proposed estimates are informed first by the cost burdens the Department identified in the 2000 Privacy Rule and for which the Department has not received public input to the contrary. The proposed estimates also are informed by the understanding that a covered entity is able to rely on the representations of certain requestors about the minimum necessary information to accomplish the purpose of a use or disclosure, and that minimum necessary determinations are a component of every covered entity's workflow. For purposes of calculating burden, the Department assumes that minimum necessary determinations generally are made outside of a patient encounter by workforce members at a registered nurse level, although the Department believes workforce members at a variety of levels in an organization may apply a covered entity's minimum necessary policies and procedures to routine disclosures of PHI. Recognizing the variability among the types and complexity of requests for PHI received by various types of covered health care providers and health plans, and that some record requests are not subject to the minimum necessary standard (
The Department proposes to adopt the mid-range estimate of burden reduction, which is 4 hours per covered entity per year for an annual reduced total of 3,097,324 burden hours and $342,997,660 in total annual projected cost savings. The estimate assumes that covered entities already are making minimum necessary determinations as part of normal workflow. These proposals do not introduce a new process into that workflow, but likely will tilt the scale in favor of disclosure rather than non-disclosure. The difference in the low and high end of the range is based on the Department's assumption that there is a wide range in the level of complexity of minimum necessary determinations that each covered entity makes for routine and non-routine requests for, or disclosures of, PHI. Using the mid-range estimate, the Department estimates that under the current rule covered entities spend, on average, one and a half hours of workforce member time per month evaluating uses and disclosures to comply with the minimum necessary requirement, or 18 hours annually. The Department estimates that the cost savings from its proposed changes with respect to uses and disclosures in connection with care coordination and case management would equal 25 minutes of burden reduction for each covered entity for a total annual burden reduction of 4 hours per covered entity, resulting in remaining annual burden for complying with the minimum necessary requirement of 14 hours on average. The Department welcomes comments and information about its estimates and the assumptions underlying its proposed burden calculations and cost savings, including:
• The level of workforce member (
• Time spent by a covered health care provider or health plan to make a minimum necessary determination;
• The frequency with which a covered health care provider or health plan makes minimum necessary determinations (
• The frequency with which a covered health care provider or health plan currently obtains individuals' authorizations prior to making a disclosure of PHI for care coordination or case management for that individual.
The proposed changes to the minimum necessary standard are deregulatory in nature, so the Department anticipates that the costs arising from the proposal to add an exception to the minimum necessary standard would be due primarily to time spent revising policies and procedures for using and disclosing information and updating the content of workforce
The Department proposes to amend five provisions of the Privacy Rule to replace the exercise of “professional judgment” with a “good faith belief” as the standard to permit certain uses and disclosures in the best interests of the individual, to apply a presumption of compliance with the good faith requirement, and to replace “serious and imminent threat” with “serious and reasonably foreseeable threat” in 45 CFR 164.512(j)(1)(i)(A). As discussed in the analysis of non-quantifiable benefits, the Department does not have data sufficient to estimate the reduction in professional time spent analyzing the risk of harm; however, the Department believes this change would result in cost savings to covered entities, in addition to the cost savings from improved patient safety and treatment outcomes, as well as, potentially, the decreased costs due to avoided public safety incidents. The Department seeks comment on the potential cost savings from this proposed change.
The Department anticipates that some covered entities, such as covered entity facilities that maintain patient directories and covered entity facilities and providers that routinely treat patients with SMI or SUD, would need to update their policies and procedures and train their workforce about the modifications to the Privacy Rule. The Department estimates that these costs would be due to one hour of a lawyer's time to update policies and procedures (for a total of 768,169 burden hours at a cost of $107,328,573) and 40 minutes of a training specialist's time to update related HIPAA training content (for a total of 512,113 burden hours at a cost of $32,324,552). The Department believes there may be some initial increase in costs for health plans, including Medicare and state Medicaid agencies, that pay for treatment or recovery of individuals experiencing substance use disorder, due to the increase in disclosures to family members and other caregivers. In this regard, the Department believes that family members and caregivers are likely to encourage and support these individuals in seeking treatment, and thus that these individuals will be more likely to seek or remain in treatment. However, the Department would expect lower long-term costs from potentially avoided public safety incidents and emergency health care services to offset any initial higher utilization costs. The Department also acknowledges the concerns that the proposed changes could have the unintended adverse effect of deterring some individuals from seeking care, due to concerns about providers disclosing PHI to family members and others. The Department seeks comment on the extent to which the proposed changes would support or frustrate access to effective treatment, or impose costs and burdens on individuals or covered entities.
The Department proposes to eliminate the requirements in 45 CFR 164.520 for certain covered health care providers
In the 2018 RFI, the Department solicited public input to evaluate the accuracy of its burden estimates associated with obtaining an individual's acknowledgement of receipt of the NPP. Question 43 of the 2018 RFI asked “[w]hat is the burden, in economic terms, for a covered health care provider that has a direct treatment relationship with an individual to make a good faith effort to obtain an individual's written acknowledgement of receipt of the provider's NPP? OCR requests estimates of labor hours and any other costs incurred, where available.”
The Department acknowledges the uncertainty and wide variability in how different covered health care providers disseminate the NPP acknowledgement and make a good faith attempt to obtain the signed acknowledgement and store and maintain it. The comments to the 2018 RFI, described above, demonstrate that quantifying the burden would necessarily include examining the manner or process by which a covered entity obtains the acknowledgement, as well as the format. With the increasing use of technology by covered entities (
While the wide variation in procedures that covered health care providers use to fulfill the current requirements does not allow for precise quantification of burdens, the Department's assumptions and estimates reflect reasonable analysis of the available data and consideration of public input. With respect to the low end of the range, the Department assumes that in some instances, such as when a covered health care provider uses electronic means to disseminate and obtain the acknowledgement, the burden hours associated with these activities may be near negligible. For estimates at the high end of the range, the Department assumes that these covered entities expend more labor hours to disseminate and collect paper forms with individuals' signed acknowledgments of receipt of the NPP and file the forms. The Department accounts elsewhere in this regulatory impact analysis (RIA) for the increased time associated with the new individual right to discuss a covered entity's privacy practices. The remaining burden of one minute and 15 seconds encompasses time for direct treatment providers to copy and distribute each NPP. The Department calculates, based on the mid-range estimate of hours of a clerical employee's time (based on an adjusted mean hourly rate of $30.04) that this proposal would result in an estimated annual savings of $537,090,228. The Department seeks comment and other examples of how these reductions in compliance burdens translate into quantifiable cost savings, including the time spent by a covered health care provider to conduct the following health care activities, including by electronic means if applicable:
• Disseminate the NPP, including an acknowledgement form;
• Collect the NPP acknowledgment form;
• Determine whether an individual's acknowledgement form is current, including for processes that are paper-based or electronic.
The Department also assumes that eliminating the related requirement to maintain documentation of the acknowledgment of the NPP for six years would result in significant cost savings to direct treatment health care providers in the form of a reduction of one page (electronic or paper) of each patient's record, and reduced space needed for one page of medical records (if that is where such documentation is stored) per patient or reduced electronic storage space for systems that store these notices electronically; however, the Department has not quantified the potential savings. The Department anticipates that most of the savings would result from eliminating the collection and maintenance of these records in the future. The Department seeks comments on the cost savings covered health care providers would be likely to accrue as a result of these proposed changes.
The Department anticipates no costs for eliminating the requirement for direct treatment providers to make a good faith effort to obtain an individual's signed acknowledgment of receipt of the NPP and to maintain related documentation. The Department welcomes comments on this assumption.
The Department proposes to modify the header of the NPP to specify to individuals that the notice provides information about: (1) How to access their health information, (2) how to file a HIPAA complaint, and (3) individuals' right to a copy of the notice and ability to discuss its contents with a designated person. The required header also would have to specify whether the designated contact person is available onsite and must include a phone number and email address an individual could use to reach the designated person.
The Department does not anticipate quantifiable cost savings to covered entities from making the required changes to the NPP; however, the improvements to individuals' right of access may contribute to improvements to health care delivery and the health of patients overall.
The Department believes the burden associated with revising the NPP consists of costs related to developing and drafting the revised NPP for covered entities. The Department estimates that the proposal to update and revise the language in the NPP (including drafting the language in the header) would require one hour of professional legal services at the wage reported in Table 4. There are no new costs for providers
The Department further estimates the cost of posting the revised NPP on the covered entity's website would be ten minutes of a web developer's time at the wage reported in Table 4.
The Department assumes that about 1% of an estimated 613 million new patients
The Department invites comments on all aspects of its estimates and assumptions, including the time spent on the identified activities and the occupations or professions of persons designated to perform those tasks.
The Department proposes to expressly permit covered entities (and their business associates, acting on the covered entities' behalf) to disclose PHI to TRS communications assistants to conduct covered functions, at proposed 45 CFR 164.512(m), and to expressly exclude TRS providers from the definition of business associate at 45 CFR 160.103.
Based on information from stakeholders, the Department believes that some covered entities with workforce members who are deaf, hard of hearing, or deaf-blind, or who have a speech disability may have entered into, or tried to enter into, a business associate agreement with a TRS provider before permitting a workforce member to disclose PHI to a TRS communications assistant, while others limited the use of TRS communications assistants by workforce members. Thus, some covered entities incurred legal costs for entering into a BAA or for analyzing the legal risk of not permitting workforce members to use needed accommodations, which they would not have to incur under the proposed changes. The Department lacks sufficient data to quantify the cost savings of this proposed change, and requests comment on the extent to which covered entities and business associates currently have business associate agreements with TRS providers, and on any costs such entities incur when analyzing whether a business associate agreement is needed.
The Department has not identified any additional costs to covered entities arising from the proposed change other than changes to policies and procedures and training, as TRS is provided without charge to the user.
Table 10 summarizes the estimated annual cost savings of the proposed rule for covered entities, as described in the preceding section.
The Department summarizes in Table 11 the additional estimated administrative costs that entities would incur on a one-time basis in the first year of implementing the proposed regulatory changes. The Department anticipates that these costs would be for posting an access fee schedule online for entities that have not already done so and posting a revised NPP online.
Table 12 summarizes the ongoing labor costs that the Department anticipates covered entities would incur as a result of the proposed regulatory changes. These new requirements would be based on an individual's request and include providing copies of PHI and ePHI under the right of access within a shorter time, providing an estimate of access and authorization fees, providing an itemized list of allowable access charges, discussing privacy practices with individuals, and submitting requests for copies of PHI to health care providers or health plans.
The total estimated additional first year administrative labor costs (including costs that will be ongoing) would be approximately $76 million (Table 11 total and Table 12a total).
Table 12b summarizes the increased capital costs that covered entities are estimated to incur as a result of the proposed new section 45 CFR 164.525 with respect to fee estimates for copies of PHI provided under the right of access and with a valid authorization.
Table 13 summarizes the total projected costs for covered entities to revise their policies and procedures to comply with the proposed regulatory changes to the Privacy Rule. The Department includes the costs for legal review and drafting of policies and for a compliance manager to revise procedures for relevant workforce members or departments.
The Department also estimates potential increased first-year costs for training medical records technicians to initially implement the changes to the right of access procedures, as shown in Table 14b.
The Department expects that it would incur costs related to disseminating information about the proposed regulatory changes to covered entities, including health care providers and health plans. However, the Department expects that many of these costs could be made part of the ongoing dissemination of guidance and other explanatory materials that OCR already provides. The covered entities that are operated by the Department would be affected by the proposed changes in a similar manner to other covered entities, and those costs have been factored into the estimates above.
The Department expects the benefits of the proposed rule to outweigh any costs because covered entities will save costs each year after the first year, having experienced initial higher costs related to implementation of proposed changes. The proposed changes to, or clarifications of, the minimum necessary standard, access fees, and the acknowledgment of the NPP would be largely deregulatory. The Department expects covered entities and individuals to benefit from the increased flexibility and confidence covered entities would have to act in individuals' best interests without undue concerns about HHS enforcement actions. The Department also expects covered entities to realize savings from less frequent consultations with legal counsel about when they can disclose PHI regarding individuals who are incapacitated or experiencing another emergency, and from reductions in minimum necessary analyses when disclosing PHI for individual-level health care coordination and case management activities that constitute treatment or health care operations. The Department further expects that, by involving family members and others, this proposed action would result in improved care coordination and case management and better patient health outcomes. The Department also expects that changes to the right of access, such as a shortened time limit for responding to a patient's request, the right to photograph or otherwise capture PHI using the individual's own device, and the right to an estimate of access and authorization fees, would significantly strengthen the access right, to the benefit of individuals. Additionally, replacing the requirement to obtain an acknowledgment of an individual's receipt of the NPP with an individual right to discuss a covered entity's privacy practices upon request would improve access to care and strengthen individuals' understanding of their rights.
The Department expects these benefits would substantially outweigh estimated costs, such as covered entities providing access in a shorter time, providing the new discussion right, posting an access fee schedule, modifying internal policies, and providing new trainings to workforce members.
The Department requests comment on these assumptions and on all aspects of this regulatory impact analysis. The tables below present the Department's summary of estimated quantifiable costs and cost savings (Tables 15 and 16), cost transfers (Table 17), and non-quantifiable costs and benefits (Table 18).
Covered entities would benefit from a total estimated net increase of $41.6 million in transferred costs for allowable fees for providing copies of PHI, while individuals would incur the same amount.
The Department's cost-benefit analysis asserts that the proposed regulatory changes would significantly advance care coordination and the transformation to value-based care and strengthen individual rights. Although there is a projected total net cost of $116 million in the first year, the total estimated annual net cost savings to covered entities in subsequent years would be approximately $825 million, with total projected net savings of $3.2 billion and an average increase of $70 per request in allowable fees for directing copies of PHI to third parties.
The Department has analyzed a range of estimated costs and cost savings for key compliance burdens that are likely to be affected if the proposed regulatory changes are implemented as outlined. The Department performed an uncertainty analysis for each of the main drivers of costs and cost savings, reporting low, mid, and high values for each category, and for the proposed rule as a whole, to better capture the range of potential outcomes. In summary, the Department estimates total costs of implementation over a five-year period ranging from a low of approximately $0.8 billion to a high of approximately $4 billion, and a range of five-year cost savings of approximately $1.2 billion to $7.5 billion.
Because required HIPAA training is based on covered entities' policies and procedures, changes to the policies and procedures are accounted for separately, and a training specialist's time is allocated for time spent in updating existing training content. The burden hours are based on an adjusted hourly cost of $63.12 (see Table 4). The content area with the greatest estimated training burden is the combination of proposed changes to the right of access and the new right to request fee estimates and itemized lists of charges for copies of PHI. At the low end, the Department estimates a burden of two hours for updating this section of the training content, and at the high end, three hours. This results in a low estimate of 1,548,662 total annual burden hours for all covered entities at a one-time cost of $97,751,545 and a high estimate of 2,322,993 burden hours at a cost of $146,627,318 for updating the access portions of the training program. The Department proposes to adopt a mid-range estimate of 2 hours and 30 minutes to update the access and fee estimate portions of the training content, for a total of 1,935,828 burden hours at a cost of $122,189,432. The Department also estimates additional time spent in training for an average of one medical records technician per covered entity in the first year at an adjusted hourly labor cost of $44.80 (see Table 4), ranging from a low of 5 minutes to a high of 10 minutes. Overall one-time training costs for all proposed changes to the Privacy Rule are estimated to range from a low of $198,541,928 (and 3,164,196 burden hours) to a high of $250,512,185 (and 4,006,281 burden hours). The Department proposes adopting a mid-range estimate of 3,577,173 total burden hours at a one-time cost of $224,136,148.
The 2013 Omnibus Final Rule contained no cost estimates for updates to HIPAA training programs and in the 2000 Privacy Rule the Department based its estimates on the time spent by covered entity workforce members to participate in training and not the time for a training specialist to update training content. In 2000, the Department anticipated that, in part,
The Department estimates a range of average total burden hours per covered entity to update policies and procedures as a result of the proposed modifications to the Privacy Rule, based only on the adjusted hourly wage for a lawyer of $139.72 (see Table 4) for the low and mid-range estimates, and adds the adjusted hourly wage for a health care manager of $110.74 for the high-range estimate. At the low end, the Department estimates a total burden per covered entity of 5 hours and 30 minutes (for a total of 3,884,851 hours and a cost of $542,791,420) for updating policies and procedures, and at the high end 13.51 hours (for a total of 10,014,867 hours and a cost of $1,302,384,017). The Department proposes adopting a mid-range estimate of 6 hours and 55 minutes for a total estimate of 4,981,820 burden hours at a one-time cost of $696,059,017.
The Department estimates a low burden of 8 minutes per covered entity at a web developer or designer's hourly wage of $79.20 (see Table 4) to post an access fee schedule online, and a high estimated burden of 15 minutes. These costs would range from 103,244 total annual burden hours to 193,583 burden hours, and costs of $8,176,935 at the low end to $15,331,754 at the high end. The Department proposes to adopt the mid-range estimate of 10 minutes for posting the new access fee schedule, for a one-time total of 129,055 burden hours and a cost of $10,221,169.
The Department estimates a range of costs for covered entities to post an updated NPP at the hourly wage of a web developer or designer from a low of 8 minutes (and total burden hours of 103,244) to a high of 15 minutes (and total burden hours of 193,583), and total costs from a low of $8,176,935 to a high of $15,331,754. The Department proposes to adopt the mid-range estimate of 10 minutes for posting the revised NPP for a one-time total of 129,055 burden hours and a cost of $10,221,169.
The Department has separately estimated the charges that a covered entity may pass on to individuals who request copies of their PHI in the form of fees and allocated those as a transfer of costs. However, the Department estimates that, due to the proposed changes to the access right, covered entities may incur some costs above those that are allowed to be charged as fees. The Department has developed a range of cost estimates based on the hourly wage of a medical records technician ($44.80, see Table 4), ranging from 0.5 to 2.5 additional minutes of labor per request, and total burden hours ranging from a low of 10,250 total annual burden hours to a high of 51,250 hours. Annual cost estimates range from a low of $459,200 to a high of $2,296,000. The Department proposes to adopt the mid-range estimate of 1 minute per request of uncompensated labor for providing access within a shorter time period, for a total of 20,500 annual burden hours and an annual cost of $918,400. All of these estimates assume that 50 percent of the total estimated 2,460,000 annual access requests (or 1.23 million) will be from individuals seeking copies of their own PHI or ePHI.
The Department estimates on the low end that 10 percent of the total 615,000 requests by individuals to direct electronic copies of their PHI to their health care provider or health plan will be made by requesting that the receiving health care provider or health plan submit the request on the individual's behalf (or 61,500) and on the high end that 20 percent of such requests (or 123,000) will be made by requesting the assistance of the receiving health care provider or health plan. The Department believes that a medical assistant would submit these access requests to health plans and providers for individuals, at an hourly wage of $34.34 (see Table 4). The range of estimated costs is based on a low estimate that this task, on average, will take 2 minutes to complete, to a high estimate of 5 minutes. The total estimated annual burden hours ranges from 2,050 (and a cost of $70,397) to 10,250 (and a cost of $351,985). The Department proposes to adopt the mid-range estimate of 3.5 minutes for submitting 92,250 requests (15 percent of 615,000) for individuals for a total of 5,381 annual burden hours and an annual total cost of $184,792.
The Department's proposal to prohibit covered entities from charging fees for the labor associated with sending electronic copies of PHI through non-internet means (
The Department estimates that the unreimbursable costs for transmitting electronic copies of ePHI to third parties other than health plans and providers would be half of those for transmitting the same information to health plans and providers, because some of the costs are likely to be charged as fees to individuals for copies. The estimated costs are based on the hourly wage of a medical records technician ($44.80, see Table 4), ranging from a low estimate of 1.5 minutes to a high estimate of 2.5 minutes for 153,750 requests (representing 25 percent of the total estimated 615,000 annual requests to direct copies of PHI to third parties other than health plans and providers). This results in a low estimate of 3,844 total annual burden hours at a cost of $172,200 and a high estimate of 6,406 total annual burden hours at a cost of $287,000. The Department proposes to adopt the mid-range estimate of 2 minutes per request for transmitting
The Department estimates costs for providing good faith individualized fee estimates to individuals for a low of 24,600 requests (1% of total 2.46 million annual access requests) to a high of 123,000 requests (5% of 2.46 million annual access requests). The Department has also estimated the time it would take a medical records technician to develop a good faith individualized fee estimate from a low of 3 minutes to a high of 5 minutes per request, or an annual total of burden hours ranging from 1,230 (at a cost of $55,104) to 10,250 (at a cost of $459,200). The Department proposes to adopt the low-range estimate of 3 minutes of labor and the mid-range number of 73,800 requests (3 percent of 2.46 million total annual access requests) resulting in a total of 3,690 annual burden hours and a total annual cost of $165,312.
The Department estimates costs for providing an itemized list of charges for requested copies of PHI, ranging from a low of 2,460 requests (0.1% of the total 2.46 million annual access requests) to a high of 123,000 (5% of total annual access requests). The Department has also estimated a range of burden from a low of 41 total annual burden hours (at a cost of $1,837) to a high of 2,050 total annual burden hours (at a cost of $91,840). The Department proposes to adopt the mid-range estimate of 410 annual burden hours and a total annual cost of $18,368.
The Department estimates a range of costs for the requirement to discuss a covered entity's privacy practices with an individual upon request. The range is based on a low of 5 minutes of a registered nurse's time for 613,000 health care encounters (0.1% of 613,000,000 total new health care encounters per year) to a high of 10 minutes of a health care manager's time for 30,650,000 health care encounters (5% of total new health care encounters per year). The total estimated annual burden hours for this proposed regulatory change range from 51,083 at the low end to 5,108,333 at the high end, with costs of $3,804,687 at the low end and $565,696,833 at the high end. The Department proposes to adopt the mid-range estimate of 7 minutes of a registered nurse's time for 6,130,000 requests (1 percent of 613,000,000), for a total estimate of 715,167 annual burden hours and a total annual cost of $53,265,613.
The Department estimates annual capital costs for three elements of the proposed rule: making an access fee schedule available, providing fee estimates for copies of PHI, and providing itemized lists of charges for copies of PHI. The capital costs for fee estimates and itemized lists of charges are based on the estimated number of requests, while the range of access fee schedule costs varies due to the number of copies provided by each covered entity. The total annual capital cost estimates range from a low of $235,091, a mid-range of $242,398, to a high of $395,899.
Because the Department is without data to estimate the actual average compliance burden, it has calculated a range of estimates for the cost savings resulting from the combined effects of the proposed regulatory modifications to the definition of health care operations and the minimum necessary standard. At the low end, the Department estimates a cost savings of 1 hour of labor annually per covered entity at the hourly rate of a health services manager ($110.74, see Table 4), for a total reduction of 774,331 burden hours and an annual cost savings of $85,749,415. At the high end, the Department estimates cost savings of 7 hours of labor, for a total annual reduction of 5,420,317 burden hours and $600,245,905 in cost savings. The Department proposes to adopt an approximate mid-range estimate of burden reduction of 4 hours per covered entity, for an annual total of 3,097,324 burden hours and $342,997,660 in total annual projected cost savings.
The Department has previously estimated a burden of 3 minutes for providing the NPP and obtaining the signed acknowledgment of receipt or documenting a good faith effort to do so. The Department estimates that the requirement to obtain the signed acknowledgment or document a good faith effort accounts for a large portion of the 3-minute burden because it involves engaging with the individual or their personal representative, obtaining or creating documentation, and storing the documentation for each individual. Lacking data to estimate precisely the amount of burden reduction from the proposed removal of the acknowledgment requirements, the Department estimates a range of labor cost savings from a low of 30 seconds to a high of two minutes and 55 seconds for each NPP that is provided by a direct treating health care provider to a new patient. On an annual basis for all covered entities, this would range from a total savings of 5,108,331 burden hours and $153,454,272 in cost savings at the low end to 29,798,610 burden hours and $895,150,257 in cost savings at the high end. The Department proposes adopting a mid-range estimate of burden reduction of one minute and 45 seconds of labor for each NPP due to the proposed regulatory modifications, for a total annual reduction of 17,879,158 burden hours and $537,090,228 in cost savings.
The Department carefully considered several alternatives to issuing this NPRM, including the option of not pursuing any regulatory changes, but rejected that approach for several reasons. First, the proposed regulatory changes would further the Administration's goal of reducing regulatory burden on individuals and the regulated community and promoting care coordination. Second, many commenters on the 2018 RFI believed the Privacy Rule could be improved, and offered comments supportive of some of the ideas suggested in the RFI that now are proposed in this NPRM. Revising the Privacy Rule would clarify covered entities' obligations and flexibilities, improve individuals' access to their PHI, and improve care coordination and case management overall.
As an alternative to rulemaking, the Department considered expanding OCR outreach, guidance, and educational materials to address misconceptions about (1) when HIPAA permits uses and disclosures of PHI, including to social services agencies and to family, friends, caregivers, and others; (2) what fees may be charged for providing access to PHI; (3) when the minimum necessary standard applies to disclosures for case management and care coordination; (4) when covered entities are required to transmit PHI to third parties, including health care providers and health plans; and (5) when individuals have the right to take photos of their own PHI.
The Department has published extensive guidance on existing
The Department welcomes public comment on any benefits or drawbacks of the following alternatives it considered while developing this proposed rule.
The Department considered how to modify the Rule consistent with the HITECH Act and the
The Department also considered a simplified approach, which would have required a covered entity to inform the individual about other options to obtain PHI, but without creating new grounds for denying the request. Instead, the Department decided to propose an optional element that covered health care providers may add to their Notice of Privacy Practices (NPP) to address individuals' requests to direct to a third party copies of PHI that are not in an EHR or that are not electronic copies, by informing individuals of their ability to request the copies of PHI directly and of how to use a valid authorization to request disclosure of the requested copies to a third party.
The Department also considered requiring covered health care providers to provide the electronic copies to third parties in a readable form and format as agreed to by the individual and the covered entity. This approach would not have required health care providers to provide the copies in the format requested by the individual, but would have required some mutual agreement about the format. The Department, however, believes that the
As raised in the 2018 RFI, the Department considered whether to require covered entities to disclose PHI to other covered entities for purposes of treatment, payment, or health care operations and variations on that idea, such as limiting the requirement to health care providers or limiting such required disclosures to treatment purposes only. The Department also considered how much individual control should be permitted for disclosures between covered entities, such as an opt-in or opt-out mechanism or some type of express permission. Due to the privacy concerns raised in comments on the RFI, the Department adopted a different approach whereby an individual could direct their current health care provider or health plan to submit an access request to another health care provider (“Discloser”) on the individual's behalf to have the individual's PHI sent to the current provider or plan (“Requester-Recipient”). This new pathway promotes disclosures to individuals' current health care providers and health plans in a manner that retains individual control. The Department believes that this proposal would be less burdensome than imposing mandatory disclosures for all requests for PHI for treatment, payment, and health care operations purposes.
The Department considered the feasibility of changing the access time limits by requiring covered entities to provide copies of electronic PHI within a shorter time period than non-electronic PHI. The comments on this question in the 2018 RFI revealed that multiple factors affect how long it takes a covered entity to provide access to PHI, separate from whether the PHI was created, or is maintained, in electronic or non-electronic format. Given this input, the Department believes that imposing a shorter time limit in the Privacy Rule for individuals' access to electronic PHI than for non-electronic PHI would create unnecessary complexity and add to covered entities' burdens. For example, a request for a complete medical record may require the production of copies of both electronic and non-electronic PHI, and complying with differing time limits for different parts of a request would be difficult to track. However, the Department's proposals would result in different timelines for electronic and non-electronic copies of PHI sent to third parties, because certain requests could be made by means of the right of access (for electronic copies of PHI in an EHR) and other requests would not be within the right of access (for non-electronic copies or electronic copies not in an EHR), and there is no time limit for disclosures requested using an authorization, which are not required disclosures.
The Department also considered whether to modify the Privacy Rule to require covered entities to disclose PHI for continuity of care or medical emergencies within a shorter time than required under the access right. Many commenters on the 2018 RFI supported this concept; however, commenters also stressed the importance of streamlined and simplified requirements for ensuring compliance with any changes to the Privacy Rule. In light of this feedback, rather than impose a different time requirement for providing access for continuity of care or emergencies, the Department proposes at 45 CFR 164.524(b)(2)(ii)(C) to require entities to adopt a policy addressing the prioritization of access requests, to reduce or avoid the need for an extension of the time limit for providing copies of PHI at the direction or with the agreement of the individual. The Department understands that many covered health care providers already prioritize requests for PHI for these purposes. This proposed change would require covered entities that do not yet have such a policy to incur the one-time cost of developing a new policy and procedures and incorporate them into existing HIPAA training content.
The Department also considered whether to change the access time limits overall to a period shorter than the 15 calendar-day proposed time and did not
The Department considered retaining the existing access fee structure without change. However, the Department believes it can address the concerns of some commenters on the 2018 RFI that multiple, voluminous access requests to direct copies of PHI to third parties may be taking entities' time and resources away from fulfilling access requests to provide copies to individuals themselves and requests from other covered entities for disclosures for care coordination and case management.
The Department also considered allowing covered entities to charge no more than the limited access fee amounts for directing non-electronic copies of PHI to a third party for any treatment, payment, and health care operations purposes, while permitting higher fees for directing non-electronic copies of PHI to a third party for any other purposes. The Department does not propose this approach because it would open the door for covered entities to inquire into individuals' purposes in directing their own PHI to third parties. Instead, the Department proposes to adopt an approach that decreases the fees for access requests to direct electronic copies of PHI in an EHR to third parties. However, covered entities could charge higher fees for disclosing non-electronic copies of PHI or electronic copies of PHI that is not in an EHR, provided the fee does not result in an impermissible “sale” of PHI under 45 CFR 164.502(a)(5)(ii).
The Department considered modifying the individual right of access provision to prohibit burdensome paperwork requirements for individuals without also changing the identity verification provisions. However, the Department determined that changing both would help covered entities and individuals understand how the access and verification provisions interact. The Department also considered applying the proposed prohibition against unreasonable measures only to identity verification related to access requests, which would be more narrowly tailored to situations the Department has seen in complaints filed with the Department. However, the Department does not see a meaningful distinction between the access right and the other individual rights under HIPAA that would justify treating them differently with respect to verification of identity.
The Department considered limiting the new exception to the minimum necessary standard to disclosures to and requests by covered health care providers for all health care operations purposes. This would have relieved the burden on covered health care providers who conduct population-based care coordination and case management of needing to assess the minimum necessary PHI when exchanging information with other covered health care providers. Limiting the exception to health care providers also would have addressed the concerns of commenters who opposed an exception for disclosures to health plans due to concerns that the plans may use the information against patient interests. The Department rejected this option, however, because health plans collaborate with health care providers, other health plans and other entities, including public health agencies, to improve patient health through care coordination and case management activities. In response to concerns raised about privacy protections, the Department is limiting this proposal to disclosures for individual-level activities that constitute treatment or health care operations. In addition, covered health care providers and health plans would continue to be responsible for meeting the minimum necessary requirements that currently apply, including when using PHI for treatment and health care operations purposes, as applicable. The proposed exception should reduce overall compliance burdens for both health plans and health care providers.
The Department considered proposing to clarify in the definition of treatment when a covered health care provider's disclosures to a social services agency, community based organization, or HCBS provider are considered part of that covered health care provider's treatment activities, without adding an express disclosure permission. The Department also considered limiting the proposed disclosure permission to only covered entity health care providers and excluding health plans from the proposed policy. Ultimately, the Department rejected that option and proposed a permission for covered health care providers and health plans to encourage beneficial information sharing that would support care coordination and case management for individuals. As described more fully in the preamble above, the Department seeks comments on the appropriate recipients of PHI under this proposal, activities and purposes for which the PHI should be used or disclosed, and the covered entities to which an expanded disclosure permission would apply.
The Department considered applying a presumption of good faith to all fourteen provisions in the Privacy Rule that allow covered entities to use or disclose PHI based on the exercise of professional judgment. However, the Department intends this proposed modification to carefully expand the ability of covered entities to use or disclose PHI to facilitate the involvement of family and caregivers in the treatment and recovery of people experiencing the impacts of the opioid crisis, serious mental illness, and health emergencies. The Department believes the remaining nine provisions would be beyond the scope of this goal.
The Department further believes there likely could be unintended consequences if it replaced the exercise of professional judgment standard with a good faith standard across all fourteen provisions, including those provisions not rooted in emergency circumstances. For example, in the case of disclosures to government agencies pursuant to 45 CFR 164.512(c),
The Department requests comment on whether the Department should apply the good faith standard to any or all of the other nine provisions in the Privacy Rule that call upon health care providers to exercise professional judgment, identified below.
• Disaster relief. 45 CFR 164.510(b)(4).
• Law enforcement—crime victims. 45 CFR 164.512(f)(3).
• Reviewable grounds for denying individual access to records. 45 CFR 164.524(a)(3).
○ Safety or endangerment. 45 CFR 164.524(a)(3)(i).
○ References another person. 45 CFR 164.524(a)(3)(ii).
○ Personal representative. 45 CFR 164.524(a)(3)(iii).
• Victims of abuse, neglect, domestic violence. 45 CFR 164.512(c)(1)(iii)(A).
○ Informing the individual. 45 CFR 164.512(c)(2)(i).
○ Informing the personal representative. 45 CFR 164.512(c)(2)(ii).
• Personal representative suspected of abuse or neglect. 45 CFR 164.502(g)(5)(ii).
The Department considered proposing to apply a presumption of compliance to all existing provisions that permit covered entities to make decisions about uses and disclosures of PHI based on the exercise of professional judgment, without replacing that standard with a good faith standard. However, as noted above where the Department summarizes its proposed application of the good faith standard, the Department intends not only to presume compliance with existing permissions, but to broaden the circumstances in which covered entities will use or disclose PHI in order to help address the needs of individuals experiencing opioid use disorder and other similarly situated individuals. The exercise of professional judgment generally is limited to covered entities that can, for example, draw upon a professional license or training, and therefore, by definition, limits the scope of persons who could use or disclose PHI to aid individuals experiencing substance use disorder, SMI, or a health emergency.
The Department considered replacing the professional judgment standard with a good faith standard only in those provisions in 45 CFR 164.510 that are included in this rulemaking: 45 CFR 164.510(a)(3)(B), 164.510(b)(2)(iii) and 164.510(b)(3). However, modifying only 45 CFR 164.510 would encourage the disclosure of information only to family members, friends, caregivers, and other involved persons and only in the circumstances addressed at 45 CFR 164.510. As previously stated, the Department intends through this proposal to carefully broaden the permissible uses and disclosures of PHI by covered entities in circumstances that relate to the opioid crisis, serious mental illness, and health emergencies, to ensure that covered entities are able to share information as needed to care for individuals and protect the public. Changing only the applicable provisions at 45 CFR 164.510 would limit the scope of individuals and circumstances that would benefit from this proposed rule.
The Privacy Rule does not define the term “imminent,” although common understanding of the term conveys that an event will happen soon.
The Department considered requiring the online posting of the NPP by all covered entities, including those that do not currently have a website. However, the Department believes the burden of creating a website solely to post the NPP for those few covered entities without a website outweighed the benefits to individuals of such a requirement.
The Department considered an alternative proposal to categorize TRS providers as “conduits” because of their temporary access to PHI,
The Department requests comments on all of the assumptions and analyses within the cost-benefits analysis. The Department also requests comments on whether there may be other indirect costs and benefits resulting from the proposed changes in the proposed rule, and welcomes additional information that may help quantify those costs and benefits.
Executive Order 13771 (January 30, 2017) declares that “it is important that for every one new regulation issued, at least two prior regulations be identified for elimination,” and that “whenever an executive department or agency (agency) publicly proposes for notice and comment or otherwise promulgates a new regulation, it shall identify at least two existing regulations to be repealed.” The Department intends to comply as necessary with Executive Order 13771 at the time a final rule is issued.
The Department believes this proposed rule will be deemed an Executive Order 13771 deregulatory action when finalized. The Department estimates that the rule, once finalized, would generate $0.6 billion in net annualized savings at a 7% discount rate (discounted relative to year 2016, over a perpetual time horizon, in 2016 dollars).
The Department has examined the economic implications of this proposed rule as required by the Regulatory Flexibility Act (5 U.S.C. 601–612). If a rule has a significant economic impact on a substantial number of small entities, the Regulatory Flexibility Act (RFA) requires agencies to analyze regulatory options that would lessen the economic effect of the rule on small entities. For purposes of the RFA, small entities include small businesses, nonprofit organizations, and small governmental jurisdictions. The Act defines "small entities" as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, and (3) a small government jurisdiction of less than 50,000 population. Because 90 percent or more of all health care providers meet the SBA size standard for a small business or are nonprofit organizations, the Department generally treats all health care providers as small entities for purposes of performing a regulatory flexibility analysis. The SBA size standard for health care providers ranges between a maximum of $8 million and $41.5 million in annual receipts, depending upon the type of entity.
With respect to health insurers, the SBA size standard is a maximum of $41.5 million in annual receipts, and for third party administrators it is $35 million.
For the reasons stated below, it is not expected that the cost of compliance would be significant for small entities. Nor is it expected that the cost of compliance would fall disproportionately on small entities. Although many of the covered entities affected by the proposed rule are small entities, they would not bear a disproportionate cost burden compared to the other entities subject to the proposed rule.
The projected costs and savings are discussed in detail in the regulatory impact analysis. The Department does not view the proposed rule as a burden on small entities because the result of the changes would be a net average estimated cost per covered entity of $150 in year one, followed by an average of $1,065 of estimated annual savings thereafter, for an average estimated total savings over five years of approximately $4,110 per covered entity. Thus, this proposed rule would not impose net costs on small entities, and the Secretary certifies that this proposed rule would not result in a significant negative impact on a substantial number of small entities.
Section 202(a) of the Unfunded Mandates Reform Act of 1995 (UMRA) requires the Department to prepare a written statement, which includes an assessment of anticipated costs and benefits, before issuing "any rule that includes any federal mandate that may result in the expenditure by state, local, and tribal governments, in the aggregate, or by the private sector, of $100,000,000 or more (adjusted annually for inflation) in any one year." That threshold of $100 million in 1995 dollars, updated annually for inflation, is approximately $154 million in 2019. This proposed rule is not anticipated to result in expenditures by state, local, or tribal governments, in the aggregate, of $154 million or more in any one year. The Department believes, however, that the proposed rule would impose mandates on the private sector that would result in expenditures of $154 million or more in at least one year. Because the estimated costs to private entities alone may exceed the $154 million threshold, UMRA requires the Department to prepare an analysis of the costs and benefits of the rule. The Department has already done so, in accordance with Executive Orders 12866 and 13563, and presents this analysis in the preceding sections.
Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent final rule) that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. The Department does not believe that this rulemaking would have any federalism implications.
The federalism implications of the Privacy and Security Rules were assessed as required by Executive Order 13132 and published as part of the preambles to the final rules on December 28, 2000 (65 FR 82462, 82797), February 20, 2003 (68 FR 8334, 8373), and January 25, 2013 (78 FR 5566, 5686). Regarding preemption, the preamble to the final Privacy Rule explains that the HIPAA statute dictates the relationship between state law and Privacy Rule requirements, and the Rule's preemption provisions do not raise federalism issues. The HITECH Act, at section 13421(a), provides that the HIPAA preemption provisions shall apply to the HITECH Act provisions and requirements.
The Department anticipates that the most significant direct costs on state and local governments would be the cost for state and local government-operated covered entities to revise policies and procedures, including drafting, printing, and distributing NPPs for individuals with first-time health encounters, which would include the cost of mailing these notices for state health plans, such as Medicaid. The regulatory impact
In considering the principles in and requirements of Executive Order 13132, the Department has determined that these proposed modifications to the Privacy Rule would not significantly affect the rights, roles, and responsibilities of the states.
Section 654 of the Treasury and General Government Appropriations Act of 1999 requires federal departments and agencies to determine whether a proposed policy or regulation could affect family well-being. If the determination is affirmative, then the Department or agency must prepare an impact assessment to address criteria specified in the law. The Department believes that these regulations would positively impact the ability of individuals and families to coordinate treatment and payment for health care by increasing access to PHI, particularly for families to participate in the care and recovery of their family members experiencing SMI, SUD, or health emergencies. These changes must necessarily be carried out by the Department through the modification of the Privacy Rule. The Department does not anticipate negative impacts on family well-being as a result of this regulation.
Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104–13), agencies are required to submit to the Office of Management and Budget (OMB) for review and approval any reporting or record-keeping requirements inherent in a proposed or final rule, and are required to publish such proposed requirements for public comment. The PRA requires agencies to provide a 60-day notice in the
1. Whether the information collection is necessary and useful to carry out the proper functions of the agency;
2. The accuracy of the agency's estimate of the information collection burden;
3. The quality, utility, and clarity of the information to be collected; and
4. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.
The PRA requires consideration of the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section. The Department explicitly seeks, and will consider, public comment on its assumptions as they relate to the PRA requirements summarized in this section. To comment on the collection of information or to obtain copies of the supporting statements and any related forms for the proposed paperwork collections referenced in this section, email your comment or request, including your address and phone number to
In this NPRM, the Department is revising certain information collection requirements and, as such, is revising the information collection last prepared in 2019 and previously approved under OMB control # 0945–0003. The revised information collection describes all new and adjusted information collection requirements for covered entities pursuant to the implementing regulation for HIPAA at 45 CFR parts 160 and 164, the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules.
The estimated annual burden presented by the proposed regulatory modifications in the first year of implementation, including one-time and ongoing burdens, is 9,577,626 burden hours at a cost of $996,122,087 (including capital costs of $242,398), reduced by first-year annual cost savings of $880,087,888, for an estimated first-year net cost of $116,034,199 and $880,087,888 of estimated annual cost savings in years two through five, resulting in annual net cost savings of $824,604,205. The overall total burden for respondents to comply with the information collection requirements of all of the HIPAA Privacy, Security, and Breach Notification Rules, including one-time and ongoing burdens presented by proposed program changes, is 952,089,673 burden hours at a cost of $93,937,597,924, plus $118,269,943 in capital costs for a total estimated annual burden of $94,055,867,867 in the first year following the effective date of the final rule, assuming all changes are adopted as proposed. Details describing the burden analysis for the proposals associated with this NPRM are presented below.
Due to the number of proposed changes to the Privacy Rule that would affect the information collection, the Department presents in separate tables, in Section V.G.2 below, the collections that reflect estimates to existing burdens, new and previously unquantified ongoing burdens, and new one-time burdens. Below is a summary of the significant program changes and adjustments made since the 2019 information collection. These program changes and adjustments form the bases for the burden estimates presented in the tables that follow:
(1) Increasing the number of covered entities from 700,000 to 774,331 based on program change;
(2) Increasing the number of access requests under 45 CFR 164.524 from 200,000 to 2,460,000 annually based on program change;
(3) Increasing the estimated burden hours for responding to access requests under 45 CFR 164.524 from 3 to 5 minutes per request due to program change and allocating 1 minute as uncompensated;
(4) Increasing the burden hours by a factor of two for responding to individuals' requests for restrictions on disclosures of their protected health information under 45 CFR 164.522 due to program change;
(5) Newly estimating the burdens resulting from the pre-existing, ongoing requirement for covered entities to make minimum necessary evaluations under 45 CFR 164.514 before using or disclosing protected health information for payment and health care operations purposes (and for using protected health information for treatment) in the amount of 18 hours annually per covered entity, and decreasing the annual minimum necessary burden by 4 hours per covered entity due to program change, resulting in a total ongoing annual burden of 14 hours per covered entity;
(6) Recognizing for the first time burdens associated with providing electronic copies of PHI to third parties designated by individuals under 45 CFR 164.524 in the amount of 2 minutes per request for 25 percent of 615,000 such requests received annually;
(7) Recognizing for the first time burdens associated with providing electronic copies of PHI to health plans and health care providers as third
(8) Decreasing the estimated burden for disseminating the Notice of Privacy Practices and obtaining an acknowledgement of receipt under 45 CFR 164.520, from 3 minutes to 1 minute and 15 seconds due to program change.
In addition to these changes, the Department added new burdens as a result of program changes:
(1) An annualized burden of 10 minutes per covered entity for posting an updated Notice of Privacy Practices due to program changes;
(2) An annualized burden of 3.5 minutes per request for submitting an access request for an individual to another provider for an estimated 92,250 annual requests;
(3) An annualized 10-minute burden per covered entity for posting an access and authorization fee schedule online under 45 CFR 164.525;
(4) An annualized 7-minute burden for each of an estimated 6,130,000 annual requests from individuals to discuss their direct treating health care provider's Notice of Privacy Practices under 45 CFR 164.520;
(5) An annualized three-minute burden for each of an estimated 73,800 annual requests from individuals for an individualized estimate of the fees to provide copies of requested protected health information under 45 CFR 164.525;
(6) An annualized one-minute burden for each of an estimated 24,600 annual requests from individuals for an itemized list of charges for their requested copies of protected health information under 45 CFR 164.525;
(7) A one-time burden of 6 hours and 55 minutes for each covered entity to update its policies and procedures under 45 CFR 164.530 due to program changes; and
(8) A one-time burden of 4 hours and 40 minutes for each covered entity to update the content of its HIPAA training program under 45 CFR 164.530 and a related one-time burden of 7 additional minutes of workforce member time spent in training on 45 CFR 164.524 per covered entity.
Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and record keeping requirements, Security.
Administrative practice and procedure, Computer technology, Drug abuse, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health professions, Health records, Hospitals, Medicaid, Medical research, Medicare, Privacy, Reporting and record keeping requirements, Security.
For the reasons stated in the preamble, the Department of Health and Human Services proposes to amend 45 CFR Subtitle A, Subchapter C, Parts 160 and 164 as set forth below:
42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); 5 U.S.C. 552; secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279 (42 U.S.C. 17921, 17931–17954); and sec. 1104 of Pub. L. 111–148, 124 Stat. 146–154.
(4) * * *
(v) A provider of Telecommunications Relay Service, as defined in 47 U.S.C. 225(a)(3), with respect to enabling communications through services regulated under 47 CFR part 64.
42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); and secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279 (42 U.S.C. 17921, 17931–17954).
The additions and revision read as follows:
(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs; protocol development; case management and care coordination; contacting of health care providers and
The revisions read as follows:
(a) * * *
(4) * * *
(5) * * *
(ii) * * *
(B) * * *
(
(
(b) * * *
(2) * * *
(i) Disclosures to or requests by a health care provider for treatment, including for care coordination and case management activities with respect to an individual;
(vii) Disclosures to or requests by a health plan for care coordination and case management activities with respect to an individual.
(g) * * *
(3) * * *
(ii) * * *
(C) Where the parent, guardian, or other person acting
(c) * * *
(6) A covered entity may disclose an individual's protected health information to a social services agency, community-based organization, home and community based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities (whether such activities constitute treatment or health care operations as those terms are defined in § 164.501) with respect to that individual.
(a) * * *
(3) * * *
(i) * * *
(B) In the individual's best interests based on a good faith belief of the covered health care provider.
(b) * * *
(2) * * *
(iii) Reasonably infers from the circumstances, based on a good faith belief, that the individual does not object to the disclosure.
(3)
The revisions and additions read as follows:
(j) * * *
(1) * * *
(i) (A) Is necessary to prevent a serious and reasonably foreseeable harm, or lessen a serious and reasonably foreseeable threat, to the health or safety of a person or the public; and
(5) “Reasonably foreseeable” means that an ordinary person could conclude that a threat to health or safety exists and that harm to health or safety is reasonably likely to occur if a use or disclosure is not made, based on facts and circumstances known at the time of the disclosure.
(6) When a covered health care provider (or a member of the workforce of the covered health care provider) that has specialized training, expertise, or experience in assessing an individual's risk to health or safety—such as a licensed mental or behavioral health professional—determines that it is appropriate to use or disclose protected health information under paragraph (j)(1)(i)(A) of this section, such determination will be entitled to heightened deference if the determination is related to facts and circumstances about which the covered
(k) * * *
(1)
(i)
(A) Appropriate Uniformed Services command authorities; and
(ii) Separation or discharge from Uniformed Service. A covered entity that is a component of the Departments of Defense, Homeland Security, Commerce, or Health and Human Services may disclose to the Department of Veterans Affairs (DVA) the protected health information of an individual who is a member of the Uniformed Services upon the separation or discharge of the individual from Uniformed Service for the purpose of a determination by DVA of the individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.
(m)
The revision and addition read as follows:
(h) * * *
(2) * * *
(iv)
(v)
The revisions and additions read as follows:
(b) * * *
(1) * * *
(i) Header. The notice must contain the following statement as a header or otherwise prominently displayed:
THIS NOTICE DESCRIBES:
• HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
• YOUR RIGHTS WITH RESPECT TO YOUR MEDICAL INFORMATION
• HOW TO EXERCISE YOUR RIGHT TO GET COPIES OF YOUR RECORDS AT LIMITED COST OR, IN SOME CASES, FREE OF CHARGE
• HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY OR SECURITY OF YOUR MEDICAL INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION, INCLUDING YOUR RIGHT TO INSPECT OR GET COPIES OF YOUR RECORDS UNDER HIPAA.
(iv) * * *
(C) The right of access to inspect and obtain a copy of protected health information at limited cost or, in some cases, free of charge; and the right to direct a covered health care provider to transmit an electronic copy of protected health information in an electronic health record to a third party, as provided by § 164.524;
(G) The right to discuss the notice with a designated contact person identified by the covered entity pursuant to § 164.520(b)(vii);
(vii)
(2) * * *
(iii) A covered entity may provide in its notice information about how an individual who seeks to direct protected health information to a third party, when the protected health information is not in an electronic health record and/or is in a non-electronic format, can instead obtain a copy of protected health information directly under § 164.524 and send the copy to the third party themselves, or request the covered entity to send a copy of protected health information to a third party using a valid authorization under § 164.508.
(c) * * *
(2) * * *
(ii) If the covered health care provider maintains a physical service delivery site:
(3) * * *
(iii) For purposes of paragraph (c)(2)(i) of this section, if the first service delivery to an individual is delivered electronically, the covered health care provider must provide electronic notice automatically and contemporaneously in response to the individual's first request for service.
(e)
The revisions and additions read as follows:
(a) * * *
(1)
(A) Psychotherapy notes; and
(B) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
(ii) An individual's right to inspect protected health information about the individual in a designated record set includes the right to view, take notes, take photographs, and use other personal resources to capture the information, except that a covered entity is not required to allow an individual to connect a personal device to the covered entity's information systems and may impose requirements to ensure that an individual records only protected health information to which the individual has a right of access.
(2)
(3)
(b) * * *
(1)
(i) The covered entity must permit an individual to request access to inspect or to obtain a copy of the protected health information about the individual that is maintained in a designated record set.
(ii) The covered entity may require an individual to make a request for access in writing (in electronic or paper form), provided that it informs the individual of such a requirement and does not impose unreasonable measures that impede the individual from obtaining access when a measure that is less burdensome for the individual is practicable for the entity. For example, requiring individuals to complete a standard form containing only the information the covered entity needs to process the request is a reasonable measure because it does not cause an individual to expend unnecessary effort or expense. In contrast, examples of unreasonable measures include requiring an individual to do any of the following when a measure that is less burdensome for the individual is practicable for the entity: fill out a request form with extensive information that is not necessary to fulfill the request; obtain notarization of the individual's signature on a request form; or submit a written request only in paper form, only in person at the entity's facility, or only through the covered entity's online portal.
(2) * * *
(i) Except as provided in paragraph (b)(2)(ii) of this section, the covered entity must act on a request for access as soon as practicable, but no later than 15 calendar days after receipt of the request as follows.
(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (e) of this section.
(ii) If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 15 calendar days, provided that:
(A) The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request;
(B) The covered entity may have only one such extension of time for action on a request for access; and
(C) The covered entity has implemented a policy to prioritize urgent or otherwise high priority requests (especially those relating to the health and safety of the individual or another person), so as to limit the use of a 15 calendar-day extension for such requests.
(iii) Where another federal or state law requires a covered entity to provide an individual with access to the protected health information requested in less than 15 calendar days, that shorter time period is deemed practicable under paragraph (b)(2)(i) of this section.
(c) * * *
(2) * * *
(iii) Where another federal or state law applicable to the covered entity requires the provision of access in a particular electronic form and format, the protected health information is deemed readily producible in such form and format under paragraphs (c)(2)(i) and (ii) of this section.
(iv)(A) The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information, or may
(
(
(B) The covered entity must inform any individual to whom it offers to provide a summary in lieu of a copy of protected health information that the individual retains the right to obtain a copy of the requested protected health information if the individual does not agree to receive such summary. This requirement does not apply if a covered entity is offering to provide a summary in lieu of a copy of protected health information because the covered entity is denying an individual's request for a copy; however, the covered entity still must follow the denial procedures under § 164.524(e).
(3)
(4)
(A) Labor for copying the protected health information requested by the individual, whether in non-electronic (
(B) Supplies for creating a non-electronic copy;
(C) Postage, when the individual has requested that a non-electronic copy, or the summary or explanation, be mailed; and
(D) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(iii) of this section.
(ii) A covered entity may not impose a fee when:
(A) an individual inspects the protected health information about the individual, as described at (a)(1)(ii) of this section, or
(B) an individual accesses electronic protected health information maintained by or on behalf of the covered entity using an internet-based method such as a personal health application.
(i) Psychotherapy notes; and
(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.
(2)
(i) The protected health information is excepted from the right of access by paragraph (d)(1) of this section.
(ii) A covered entity that is a correctional institution or a covered health care provider acting under the direction of the correctional institution may deny, in whole or in part, an inmate's request to exercise the right of access, if transmitting such copy would jeopardize the health, safety, security, custody, or rehabilitation of the individual or of other inmates, or the safety of any officer, employee, or other person at the correctional institution or responsible for the transporting of the inmate.
(iii) An individual's ability to exercise the right of access may be temporarily suspended by a covered health care provider in the course of research that includes treatment for as long as the research is in progress, provided that the individual has agreed to the denial of access when consenting to participate in the research that includes treatment, and the covered health care provider has informed the individual that the right of access will be reinstated upon completion of the research.
(iv) An individual's request to exercise the right of access may be denied if the protected health information is contained in records that are subject to the Privacy Act, 5 U.S.C. 552a, and if the denial of access under the Privacy Act would meet the requirements of that law.
(v) An individual's request to exercise the right of access may be denied if the protected health information was obtained from someone other than a health care provider under a promise of confidentiality and providing the copy to the third party would be reasonably likely to reveal the source of the information.
(3)
(i) A licensed health care professional has determined, in the exercise of professional judgment, that the access is reasonably likely to endanger the life or physical safety of the individual or another person; or
(ii) The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access is reasonably likely to cause substantial harm to such other person.
(4)
(A) The individual agrees in advance to such a summary or explanation; and
(B) The individual agrees in advance to the fees imposed, if any, by the covered health care provider for such summary or explanation.
(ii) A covered health care provider must inform any individual to whom it offers to transmit a summary in lieu of a copy of protected health information that the individual retains the right to direct an electronic copy of the requested protected health information in an EHR if the individual does not agree to receive such summary. This requirement does not apply if a covered entity is offering to provide a summary in lieu of a copy of protected health information because the covered entity is denying an individual's request for a copy; however, the covered entity still must follow the denial procedures under § 164.524(e).
(5)
(A) If the covered entity grants the request, in whole or in part, it must inform the individual of the acceptance of the request and provide the access requested, in accordance with paragraph (d) of this section.
(B) If the covered entity denies the request, in whole or in part, it must provide the individual with a written denial, in accordance with paragraph (e)(2) of this section.
(ii) If the covered entity is unable to take an action required by paragraph (d)(5)(i)(A) or (B) of this section within the time required by paragraph (d)(5)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 15 calendar days, provided that:
(A) The covered entity, within the time limit set by paragraph (d)(5)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and
(B) The covered entity may have only one such extension of time for action on a request; and
(C) The covered entity has implemented a policy to prioritize urgent or otherwise high priority requests (especially those relating to the health and safety of the individual or another person), so as to limit the use of a 15 calendar-day extension for such requests.
(iii) Where another federal or state law requires a covered entity to provide an individual with an electronic copy of the protected health information in an electronic health record in less than 15 calendar days, that shorter time period is deemed practicable under paragraph (d)(5)(i) of this section.
(6)
(i) Labor for copying the protected health information requested by the individual in electronic form; and
(ii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as provided in paragraph (d)(4) of this section.
(7)
(i) An individual has a right of access to direct a covered health care provider or health plan (“Requester-Recipient”) to submit to a covered health care provider (“Discloser”) a request for an electronic copy of the individual's protected health information in an electronic health record maintained by or on behalf of the Discloser.
(ii) A Requester-Recipient must submit to the Discloser a request made by the individual, orally or in writing (including electronically), and that is clear, conspicuous, and specific, if the individual is:
(A) A current or prospective new patient of the Requester-Recipient health care provider; or
(B) A current enrolled member (or dependent) of the Requester-Recipient health plan.
(iii) The Requester-Recipient must submit the access request to the identified Discloser as soon as practicable, but no later than 15 calendar days after receiving the individual's direction and any information needed to submit the request. An extension is not available for submitting the request. The Discloser must respond to the access request within the time limits in paragraph (d)(5) of this section.
(e)
(2)
(ii) If applicable, a statement of the individual's review rights under paragraph (e)(4)(i) of this section, including a description of how the individual may exercise such review rights;
(3)
(4)
(i) The individual has the right to have the denial reviewed by a licensed health care professional who is designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny access. The covered entity must provide or deny access in accordance with the determination of the reviewing official under paragraph (e)(4)(i) of this section.
(ii) If the individual has requested a review of a denial under paragraph (e)(4)(i) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial, to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designated reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested based on the standards in paragraph (a)(3) or (d)(3) of this section, whichever is applicable. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required by this section to carry out the designated reviewing official's determination.
(f)
(1) The designated record sets that are subject to access by individuals under paragraph (a) of this section;
(2) The electronic health records that are subject to the right of access to direct the transmission of an electronic copy of protected health information in an electronic health record under paragraph (d) of this section; and
(3) The titles of the persons or offices responsible for receiving and processing requests for access by individuals.
(a) If a covered entity imposes fees allowed under §§ 164.524(c)(4), 164.524(d)(6) or 164.502(a)(5)(ii)(A) and 164.508(a)(4), the covered entity must provide advance notice of such fees as follows.
(1) The covered entity must post a fee schedule on its website, if it has one, and make the fee schedule available to individuals at the point of service and upon request. The fee schedule must specify:
(i) All types of access to protected health information available free of charge; and
(ii) Standard fees for:
(A) Copies of protected health information provided to individuals under § 164.524(a), with respect to all readily producible electronic and non-electronic forms and formats for such copies;
(B) Copies of protected health information in an electronic health record and directed to third parties designated by the individual under § 164.524(d), with respect to any available electronic forms and formats for such copies; and
(C) Copies of protected health information sent to third parties with the individual's valid authorization under § 164.508, with respect to any available forms and formats for such copies.
(2) Upon request, the covered entity must provide an individualized estimate of the approximate fee that may be imposed for providing a copy of the requested protected health information for any type of request covered by the fee schedule required by paragraph (1) of this section.
(3) Upon request, the covered entity must provide an individual with an itemized list of the specific charges for labor, supplies, and postage, if applicable, that constitute the total fee charged for any type of request covered by the fee schedule required by paragraph (1) of this section.
(b) A request under paragraph (a)(2) or (3) of this section shall not automatically extend the time allowed for the covered entity to provide copies of protected health information under § 164.524.