In response to HHS requests for comments on proposed HIPAA rule changes, CHIME and ABHW raised privacy and security concerns, including the Right of Access amendments.
CHIME and the Association for Behavioral Health and Wellness sent letters to the Department of Health and Human Services, in response to proposed changes to HIPAA. Among a range of concerns are HHS’ planned amendments to the Right of Access standard that could further burden providers and introduce unnecessary privacy and security risks.
First proposed in December 2020, HHS Office for Civil Rights extended the comment period to May 6, 2021 in light of the high public interest. Though the proposed amendments include a number of provisions, patient access to their health information was a key focus.
HHS has made the Right of Access standard a key agency priority for the last year, spotlighting the need for patients to have access to their protected health information in a designated record set upon request and within a reasonable timeframe.
Under the rule, providers have 30 days to respond to the patient or request an extension. The proposed HIPAA changes would reduce the timeframe to just 15 days, unless a request is made to extend the timeline for a recognized exception.
For CHIME, the change “will not always be feasible and could add costs to the healthcare system.”
“If OCR adopts a 15 calendar day timeliness standard starting with the receipt of the request, then there should be a way to document exceptions (i.e., legal dispute and custody cases) that exceed the one additional 15-day extension,” CHIME leaders explained.
“We are concerned about the implications of proposals involving personal health applications (PHAs) calling for covered entities to transmit electronic health information to PHAs without requiring those PHAs to include privacy and security controls or sign Business Associate Agreements,” they added.
Of particular interest, CHIME is concerned about privacy implications around the requirement for covered entities to transmit electronic health data to PHAs without requiring the PHAs to have privacy controls, like a business associate agreement.
Without a BAA, CHIME is concerned about how HHS can support the privacy and security of PHI when shared with PHAs. They stressed that HHS needs to address how it plans to ensure PHI isn’t used in ways not intended by patients, as well as how the proposed changes will harmonize with more stringent state laws.
ABHW shared similar concerns about the truncated timeline, stressing that the proposed change would cause a significant burden to health plans, particularly during a pandemic. The group urged HHS to leave the current 30-day timeframe in place.
The proposed changes would also expand PHI use for care coordination and case management, a cause supported by ABHW. However, they urged HHS to refine proposed terminology to ensure the protection of patient privacy.
For example, the proposed changes allow PHI to be disclosed to social service agencies when it’s in the patient’s best interest. HHS will need to better define the term social service agencies to ensure only those entities involved with patient care coordination receive the PHI.
ABHW also raised several key concerns mentioned by industry stakeholders in recent years, but were missing from HHS’ proposed changes.
Specifically, HHS should be reevaluating entities and the data that falls under HIPAA in light of the increasing amount of information that falls outside of the rule and new platforms that exchange PHI but aren’t regulated by the HIPAA rule.
Those concerns have been repeatedly brought to light by a host of industry stakeholders and Congress. But several leaders stressed that the onus falls on Congress.
ABHW also took issue with HHS’ attempts to finalize the changes this year, as it would force covered entities to begin compliance during a pandemic. As the public health emergency is expected to last beyond 2021, insurers and providers will be further challenged in ensuring access to care.
As such, ABHW asked HHS to delay the proposed changes for another year to support plans with the transition into the new provisions.
CHIME also expressed opposition to the proposed HIPAA provision that would allow individuals to direct copies of their protected health information to third parties.
As written, it would place an unreasonable amount of responsibility onto providers and assumes costs that will not be reimbursed, CHIME leaders explained. The proposed change also raises security issues, as providers would be required to submit requests for and obtain electronic copies of PHI on behalf of the patient.
The letter also stressed the need for HHS to designate the term ‘readily available’ to mean that it’s available to the patient during appointments and can be reviewed within that time frame. The rule should also allow for temporarily delayed releases to allow for PHI suppression when patient safety is a concern.
CHIME is also concerned about the costs providers will incur for requests that involve providing electronic media and recommended HHS allow providers to charge patients for the costs.
Notably, the definition for clinician and provider used in the proposed HIPAA changes, differ from the recently installed info blocking rule, CHIME explained. As such, HHS needs to harmonize the terms to ensure transparency.
“OCR raised dozens of important questions in the form of requests for comment in this proposed rule,” CHIME leaders stressed. “Given the number of outstanding questions, rather than issuing a final rule based on the responses, we urge OCR to: reissue the questions raised in the rule as a request for information rather than retaining this as part of the current rule.
“[And] OCR should host a listening session to gather more granular input that can be best contextualized through an iterative dialogue,” they added.