Five Areas Where The Office Of Civil Rights Can Improve Its Proposed Changes To HIPAA, And Advance Interoperability


On December 10, 2020, the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS), released draft regulatory changes to the Health Insurance Portability and Accountability Act (HIPAA), stating its intention to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry.” For unknown reasons, the proposed regulatory changes were not officially published in the Federal Register until January 21, 2021.

Although not expressly noted, the proposed rule also offers a chance for OCR to make changes to the HIPAA privacy and security regulations, giving deeper meaning to the Office of the National Coordinator for Health IT’s (ONC’s) separate rule against information blocking. That rule, which took effect on April 5, 2020, makes it illegal for health information networks, as well as electronic health record (EHR) developers and the hospitals and provider practices who use them, to refuse to disclose individuals’ protected health information (PHI) in specific circumstances.

‘Without Special Effort’

The OCR makes several proposals that strengthen the right of individuals to get copies of their PHI, including electronically. This has been a right since the first HIPAA privacy rule in 2000 and has long been a bipartisan priority in Congress, which strengthened the right in HITECH in 2009. In the 21st Century Cures Act (Cures Act) of 2016—which passed the Senate by a vote of 96–4—Congress declared that individuals be able to get electronic copies of their own health information “without special effort.”

Now, the OCR’s newest proposals include:

  • Eliminating formal requests. Providing individuals with the right to take photographs of or record their health information during an office visit or stay in the hospital versus having to put in a formal request for a copy and waiting for that copy to be sent.
  • Quicker timeline. Decreasing the deadline by which entities covered by HIPAA must provide individuals with copies of their records from 30 days to 15 days.
  • No onerous requirements. Prohibiting entities from imposing unreasonable measures on individuals seeking copies of their records, including onerous identity verification requirements.
  • Personal health tools. Allowing individuals to use personal health tools to obtain and store their health information.
  • Third parties. Giving individuals the right to direct information coming from an EHR to the third party of their choice, consistent with HITECH.
  • Fees. Clarifying in regulations what fees can be charged to an individual who is seeking a copy of their own health information, including declaring that electronic access to PHI via an “internet-based” method should be free to individuals.

The above proposals will help advance interoperability and individuals’ rights. Take the identity verification requirements, as just one example. If these requirements are too onerous, they could violate the ONC’s information blocking rules. Under those rules, a certified EHR vendor must make the technology available to its provider and hospital customers, allowing an individual to use an app of their choosing to obtain their health information. The app works because the individual knowingly allows it to use the identity credential assigned to the individual by their provider (like a password and a user ID). The EHR developer recognizes that identity credential, allowing the app to operate. So, it can be important for everyone involved to know that the app is legitimately using the individual’s identity credential. In fact, HIPAA requires that vendors (and their provider customers) take reasonable steps to verify the individual’s identity, including ensuring that an app is acting on the individual’s behalf.

The information blocking rules also support reasonable identity proofing processes. But requiring an individual to prove their identity in person, when they want to just assign their identity credentials to the app, would be unreasonable since driving or taking transit to the hospital records room exceeds by far the “no special effort” standard required in the Cures Act and in the ONC’s rule. Likewise, requiring a notarized written confirmation of identity before releasing information to an individual, including through the individual’s app, would be unreasonable. This is not to say that there should be no identity verification standards—quite the contrary. Appropriate identity verification is key to ensuring the security of the data held by the covered entity.

An Opportunity To Provide Regulatory Certainty

Both of us have served at HHS in the past at the OCR (McGraw) and the ONC (Savage), where together we helped drive the development of early application programming interfaces (API) requirements and provided technical assistance to Congress as it developed the information blocking provisions of the Cures Act. One thing we learned is that more guidance, examples, and use cases improve entities’ ability to comply. Based on our experience, we strongly urge the OCR to say more in the final rule about what identity verification processes are acceptable.

And it is not just the issue of identity verification. The OCR has made several other proposals that, without greater detail in final regulations or in guidance accompanying those final regulations (often referred to as the “preamble” to a published rulemaking) may just cause confusion—or potentially do harm. In our experience, regulatory uncertainty is one of the biggest obstacles to achieving interoperability. It becomes an excuse to deny individuals their rights to receive copies of their PHI.

In particular, we urge the OCR to address the following:

First, earlier we praised the OCR for proposing that an individual can use a “personal health application” to exercise their individual HIPAA right to access their PHI with low fees and a mandatory quick response. This could be the type of health app illustrated in this OCR video released in 2016, on which we collaborated; however, the proposals do not make that clear. In essence, the OCR is considering these personal health applications to essentially “stand in the shoes” of the individual (or of that individual’s personal representative—a person who can make health care decisions for the individual, such as a parent or a health care proxy). However, neither the Notice of Proposed Rule Making preamble nor the new proposed regulatory text provides sufficient guidance about any other circumstance or types of apps that would be “standing in the shoes” of the individual.

Apps fall on a spectrum, from an app that is 100 percent in the individual’s control and may even be built by the individual, to apps that individuals use to interact with their physicians or with researchers, to apps that really are data collection vehicles for the app’s underlying business. So, what distinguishes tools or apps that provide the individual with a way of storing and managing their records from apps that may provide some benefit to the individual but also serve—or even mostly serve—the interests of others? It is critical that HIPAA give individuals choices about how they access, use, and share their health information. At the same time, the OCR must take care not to open the door for third parties seeking to use the individual’s right of access to obtain data, with little to no lasting benefits for the individual.

Second, the OCR proposes a specialized definition of “personal health application” when HITECH has a perfectly serviceable one (personal health record), passed by Congress and in use by the Federal Trade Commission. Similarly, the OCR proposes to implement a provision from HITECH that gives individuals the right to have information from an electronic health record sent directly to any recipient of the individual’s choice. But the OCR has proposed a definition for “electronic health record” that is different from the one already in HITECH. In both cases, the OCR has not explained WHY it needs a definition that varies from definitions in place in statute since 2009. More importantly, the competing definitions sow confusion for everyone, especially for consumers.

A third area of concern is the OCR’s proposed change to the standard that permits a covered entity to disclose PHI to a family member or caregiver. The current regulation allows for such disclosures if, based on the “exercise of professional judgment,” a covered entity believes the individual would not object or, if the individual is not present or is incapacitated, that the disclosures would be in the individual’s best interests. The proposed new standard is a “good faith belief” that the disclosure of PHI to friends or family members is in the individual’s best interests. Entities are presumed to be acting in good faith with such disclosures absent evidence of “bad faith.”

For the past two decades, and especially as the opioid crisis unfolded, physicians and nurses have expressed concerns that they were between a rock and a hard place. On the one hand, they were concerned that they risked a HIPAA violation for disclosing PHI to individuals who were likely in the best position to help the individual. On the other hand, if the medical professional did disclose, they could be liable for a privacy or ethical violation if the individual objected to the disclosure—or might even scare an individual away from seeking treatment. Medical professionals are also bound by the applicable ethical strictures of their license and the Hippocratic Oath’s stricture to keep individuals’ secrets. We are concerned that the OCR’s new formulation goes too far because it lowers the standard without adequately planning for potential harm that might result.

For example, what if the office receptionist recognizes a teenager’s father and releases records to him, which in turn disclose the child’s confidences about potential child sexual abuse by that same adult? Why, in 2021, doesn’t the standard take advantage of technology’s ability to let the provider ask the individual their preferences in advance, or even in the moment, easily and privately via text-based messages? Such an approach could lessen the need for providers to “guess” at an individual’s privacy preferences, or to try to prove “bad faith” after the fact.

A fourth area of concern is that the OCR proposes an entirely new circumstance in which a medical professional may disclose health information about an individual to a social services agency or “community organization.” This is a complex and important issue as we try to address systemic racism in health care and resultant disparities, and as we try to ensure medical professionals are accounting for social determinants of health. Space does not permit a full analysis of these issues. At a high level, however, more thought is needed on the following:

  • Responsibility. Who is responsible if, upon receipt by the social services agency, the identifiable health information is compromised, stolen, or misappropriated? The social services agency may have no minimum security obligation as would another HIPAA-covered entity or their business associate.
  • Disclosures in bulk. Can this disclosure occur in bulk, for example, for all the individuals at a community clinic, or is it a one-by-one determination?
  • Personal discretion. What if the individual doesn’t want their information shared with a social service or community organization? Shouldn’t individuals be asked in advance (even if just verbally) or be able to opt out of such sharing?

Fifth and finally, the OCR proposes to amend the HIPAA Privacy Rule to instantiate in regulation some long-standing guidance that HIPAA business associates are not required to directly respond to individuals seeking their health information unless their business associate agreement with a covered entity directs them to do so. However, this is inconsistent with provisions in the Cures Act that create expectations that certain business associates—chiefly vendors of certified EHRs and health information exchanges or networks—respond directly to requests for electronic health information, including from individuals. The customers of EHR vendors are often health care providers, who also are covered by the Cures Act prohibitions on information blocking. Allowing parties to use a contract—the business associate agreement—to limit otherwise permissible uses and disclosures of electronic health information is contrary to the intent and language of the Cures Act. It is critical that HHS sing from the same song sheet and align HIPAA and the information blocking rules whenever possible.

The OCR doesn’t get many opportunities to make changes to HIPAA, so this is a chance to influence policy for potentially years to come. As of May 3, the OCR had received almost 1,000 comments on its proposed rule, so it will have much to contemplate to ensure that its final rule advances interoperability, improves individuals’ ability to enforce their rights, and provides the clarity the health care system needs.