Beckage’s Health Law Team is monitoring recent developments concerning patient’s right to access health information. Last week, two agencies within the Department of Health and Human Services (“HHS”) announced proposed rules that could have a significant impact on health plans and health care providers. Though applicability of the proposed rules varies, both rules focus on individuals’ right to access health information, a compliance area that has seen increased scrutiny and enforcement actions in recent years.
OCR Proposed Rule
On December 10th, the HHS Office of Civil Rights (“OCR”) announced proposed changes to the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule as part of a new proposed rule (“OCR Proposed Rule”). The OCR Proposed Rule is intended to reduce barriers for patients accessing medical records themselves and for covered entities using records related to care coordination and case management. While the OCR Proposed Rule eases some requirements for covered entities, it also creates a number of new requirements.
Key takeaways include:
- Patient Access Requests: While covered entities currently have 30 days to respond to patient requests for access to their own health information, the OCR Proposed Rule would shorten this timeframe to 15 days (though it would allow an additional 15-day extension). Additionally, the OCR Proposed Rule would allow patients who are inspecting their records in person to capture images and take notes.
- Fee Schedules and Notice of Privacy Practices: The OCR Proposed Rule would require covered entities to post their fee schedules for producing health records on their websites. In addition, covered entities would need to modify their Notice of Privacy Practices (“NPP”) to clarify patient rights, including prominent presentation of information about how patients can file HIPAA complaints and clarification that patients may direct release of their detailed records even when only a summary of records is made available to the patient. However, covered entities would no longer need to obtain patient acknowledgement of receipt of the NPP.
- Use and Disclosure of Protected Health Information: The OCR Proposed Rule also broadens the scope of when and how covered entities can use and disclose protected health information, for the purpose of health care operations, with use and disclosure now permitted for case management and care coordination. Furthermore, there are additional provisions for sharing patient health information among covered entities, including among Armed Services care providers. CMS also updated references to reflect widespread use of electronic health records (EHR).
CMS Proposed Rule
Also on December 10th, the Centers for Medicare & Medicaid Services (“CMS”) announced proposed changes to the CMS Interoperability and Patient Access Final Rule (“Interoperability Rule”) issued earlier this year as part of a new proposed rule (“CMS Proposed Rule”). Visit Beckage’s previous blog on the Interoperability Rule here.
Key takeaways include:
- Payer Requirements: The CMS Proposed Rule requires payers to provide patients with access to information about pending and active prior authorization decisions through their Patient Access API, which payers are required to implement under the Interoperability Rule. The CMS Proposed Rule also clarifies that payers can and must implement an attestation process for third-party apps to attest to security and privacy safeguards prior to accessing the payer’s Patient Access API on behalf of the member. Additionally, it specifies technical requirements for the Payer-to-Payer API, which must now be implemented using Fast Healthcare Interoperability Resources (“FHIR”) standards.
- Provider Requirements: The CMS Proposed Rule requires providers to develop a Provider Access API for providers and payers to share claims and encounter data, certain types of clinical data, and pending and active prior authorization decisions.
Though the proposed rules will likely change during the 60-day public comment period, they underscore HHS’s commitment to individuals’ right to access health information. We encourage covered entities to review the proposed rules carefully to understand how the changes will potentially impact daily operations and procedures.
The experienced Health Law team at Beckage can help to distill these lengthy and complicated rules so organizations can understand practical implications on daily operations. Our seasoned health law attorneys are uniquely positioned to advise on regulatory compliance matters, as they have also worked in health care settings, are certified privacy professionals, and are technologists.
Call Beckage at 716.898.2102 for assistance analyzing these and other regulatory and legislative matters.
*Attorney advertising. Prior results to not guarantee a similar outcome.
Subscribe to our newsletter.