The Tortoise and the Hare? HIPAA Joins the Regulatory Sprint to Coordinated Care | K&L Gates LLP

Introduction

On 10 December 2020, the Workplace of Civil Rights (OCR) for the federal Division of Well being and Human Providers (the Division) issued Proposed Modifications to the HIPAA Privateness Rule to Help, and Take away Boundaries to, Coordinated Care and Particular person Engagement (the Proposed Rule).¹ The Proposed Rule comes almost two years after OCR issued a Request for Info from stakeholders concerning the ways in which HIPAA could possibly be modernized to help coordinated, value-based care.² OCR consists of quite a few proposed modifications to the HIPAA Privateness Rule meant to remove regulatory boundaries for functions of fostering care coordination and the shift to value-based care fashions, together with clarifying the scope of care coordination for disclosures of protected well being data (PHI) underneath the well being care operations and therapy exceptions, and creating an exception to the minimal vital customary for disclosures associated to care coordination and case administration.

This rulemaking growth is on the heels of different Division companies finalizing equally oriented companion guidelines by way of the Facilities for Medicare and Medicaid Providers (CMS) ultimate rule updating the doctor self-referral legislation (or Stark Legislation),³ and the Workplace of Inspector Normal (OIG) ultimate rule creating new protected harbors underneath the federal Anti-Kickback Statute,⁴ every of which created new regulatory safety for value-based preparations by which entities can come collectively to take care of a goal inhabitants. With proposed modifications to a person’s proper of entry to their PHI, the Proposed Rule additionally seems timed with companion guidelines from CMS and the Division’s Workplace of the Nationwide Coordinator for Well being Info Know-how (ONC) that promote digital medical document interoperability, stop data blocking, and increase affected person entry to data.⁵ Lastly, these proposed regulatory modifications would advance OCR’s views expressed by way of a current collection of investigations and enforcement actions underneath the company’s “proper of entry initiative.”⁶

Selling Care Coordination

Key proposed modifications to the HIPAA Privateness Rule to drive care coordination embrace the next:

• Clarifying the definition of “well being care operations” to extra clearly state that it permits all care coordination and case administration efforts by well being plans, together with the place such efforts are individual-based, similar to following up with a person affected person concerning his or her therapy plan;
• Creating a brand new exception to the “minimal vital” customary for disclosures of PHI pursuant to individual-based care coordination and case administration efforts between well being plans and well being care suppliers; and
• Clarifying that coated entities might disclose PHI to 3rd events for individual-based care coordination and case administration functions with out first acquiring an categorical authorization from the affected person.

Expanded Proper of Entry

Key proposed modifications in keeping with OCR’s current enforcement priorities embrace the next:

• Permitting sufferers to examine and even take notes and pictures of their PHI;
• Requiring coated entities to reply to affected person requests inside 15 days versus 30;
• Decreasing coated entities’ burden of identification verification with respect to sufferers requesting entry to their well being data;
• Clarifying parameters across the prices coated entities are permitted to cost for offering entry to well being data, and rquire the disclosure of such charge schedule data;
• Clarifying a person’s proper to direct copies of their PHI to 3rd events, and restrict that proper to digital copies of PHI; and
• Clarifying the obligations of enterprise associates in offering affected person entry to well being data.

Extra Flexibilities

Lastly, key proposed modifications to allow extra flexibility within the non-care coordination setting embrace:

Encouraging Disclosure to Avert a Well being or Security Risk

• To facilitate disclosures in emergency circumstances, which OCR states embrace the opioid and COVID-19 public well being emergencies, the Proposed Rule would calm down the usual for disclosure of PHI to avert a menace to well being or security from when there’s a “critical and imminent menace” to when hurt is “critical and fairly foreseeable.”

Discover of Privateness Practices

• OCR proposes to remove the requirement to acquire a person’s written acknowledgement of receipt of a supplier’s Discover of Privateness Practices (NPP) and so as to add new required components for inclusion within the NPP.

These modifications are anticipated to have a big impression on well being care suppliers and different stakeholders which will have been hesitant to have interaction in sure care coordination preparations due to issues that the requisite data sharing will not be permitted underneath HIPAA, and introduce new necessities that can require assets to implement. events could have sixty (60) days from the date the Proposed Rule is formally revealed within the Federal Register to remark, with feedback due seemingly in late February 2021 relying on the date of formal publication.

¹ OCR Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, (11 Dec. 2020), formal publication pending within the Federal Register.

² See OCR Request for Info on Modifying HIPAA Guidelines to Enhance Coordinated Care, 83 Fed. Reg. 64302 (14 Dec. 2018).

³ CMS Medicare Program; Modernizing and Clarifying the Doctor Self-Referral Laws, 85 Fed. Reg. 77492 (2 Dec. 2020).

⁴ OIG Medicare and State Well being Care Packages: Fraud and Abuse; Revisions to Secure Harbors Underneath the Anti-Kickback Statute, and Civil Financial Penalty Guidelines Concerning Beneficiary Inducements, 85 Fed. Reg. 77684 (2 Dec. 2020).

⁵ See CMS Medicare and Medicaid Packages; Affected person Safety and Reasonably priced Care Act; Interoperability and Affected person Entry for Medicare Benefit Group and Medicaid Managed Care Plans, State Medicaid Companies, CHIP Companies and CHIP Managed Care Entities, Issuers of Certified Well being Plans on the Federally-Facilitated Exchanges, and Well being Care Suppliers, 85 Fed. Reg. 25510 (1 Could 2020); and ONC twenty first Century Cures Act: Interoperability, Info Blocking, and the ONC Well being IT Certification Program, 85 Fed. Reg. 25642 (1 Could 2020).

⁶ See OCR Press Release OCR Settles Twelfth Investigation in HIPAA Right of Access Initiative, (19 Nov. 2020).