Legal Update

Dec 21, 2020

HHS Proposes Changes to HIPAA Privacy Rules Affecting Group Health Plans


Seyfarth Synopsis: The Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Privacy Rule that protects the privacy and security of individuals’ protected health information (PHI) maintained or transmitted by or on behalf of HIPAA covered entities, such as employer-sponsored health plans. One of the stated purposes of the NPRM is to address some of the HIPAA Privacy Rule provisions that may limit care coordination and case management communications among individuals and healthcare providers.

Click here for our related blog post on this topic. While this Update will focus on the NPRM’s impact on health plans, click here for our separate Legal Update addressing some of the changes that apply to health care providers.

Under the NPRM, some of the changes that would affect employer-sponsored health plans include:

  • Individual Care Coordination and Case Management. A health plan is permitted to use or disclose PHI for its own health care operations. (In addition, a health plan may disclose PHI to another covered entity for that entity’s health care operations in certain situations.) In order to encourage better, lower cost health care, the NPRM would revise the definition of “health care operations” to clarify that health plans can conduct care coordination and case management activities not only at the population level across multiple enrolled individuals, but also at the individual level. The NPRM also adds an exception to the minimum necessary rule for disclosures to, or requests by, a health plan for care coordination and case management activities that are at the individual level.
  • Business Associate Disclosures of PHI. The NPRM would clarify that a business associate is required to disclose PHI to the covered entity so the covered entity can meet its access obligations. However, if a business associate agreement provides that the business associate will provide access to PHI in an electronic health record (EHR) directly to the individual or the individual’s designee, the business associate must then provide such direct access.
  • Limited Disclosure When Individual is Not Present. The HIPAA Privacy Rule provides that if an individual is not present, or the opportunity to agree or object to the use or disclosure of PHI cannot be provided because of the individual’s incapacity or emergency circumstance, the health plan may disclose PHI that is directly relevant to the person’s involvement with the individual’s care or payment if the covered entity determines in its professional judgment that disclosure is in the best interest of the individual. The proposed rule would modify the standard under which that determination is made, so that it is based on a good faith belief that the disclosure is in the best interests of the individual. This standard will allow health plan administrators to rely more readily on this permitted disclosure circumstance by removing the inference, created by the “professional” standard, that it applied only to providers.
  • Privacy Notice. The proposed rule would require changes to the notice of privacy practices. The NPRM requires a notice of privacy practices to include the following header:

“THIS NOTICE DESCRIBES:

- HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

- YOUR RIGHTS WITH RESPECT TO YOUR MEDICAL INFORMATION

- HOW TO EXERCISE YOUR RIGHT TO GET COPIES OF YOUR RECORDS AT LIMITED COST OR, IN SOME CASES, FREE OF CHARGE

- HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE PRIVACY, OR SECURITY OF YOUR MEDICAL INFORMATION, OR OF YOUR RIGHTS CONCERNING YOUR INFORMATION, INCLUDING YOUR RIGHT TO INSPECT OR GET COPIES OF YOUR RECORDS UNDER HIPAA.

YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT [PHONE AND EMAIL] IF YOU HAVE ANY QUESTIONS.”

In addition, the notice would have to describe the right of access to inspect and obtain a copy of PHI at limited cost or, in some cases, free of charge.

  • Faster Access to PHI. Under the NPRM, a health plan would have to act on a request for access to inspect or obtain a copy of PHI in a shorter timeframe, namely 15 days after receipt of the request. Other time frames would be shortened as well.
  • Electronic Health Record (EHR). The NPRM adds (i) a definition of EHR, (ii) requirements applicable to EHRs, including the right of an individual to direct his or her health plan to submit a request to a health care provider for electronic copies of PHI in an EHR; and (iii) a documentation requirement for EHRs.
  • Fee Disclosures. Finally, the NPRM would require health plans to post fee schedules on their website for common types of requests for copies of PHI and, upon request, provide individualized estimates of fees for copies.

Comments on the NPRM will be due on or before 60 days after the NPRM is published in the Federal Register, which means comments will likely be due in mid-February.