It would be the understatement of all understatements to say that 2020 was an eventful year. From COVID-19, to social justice issues, to a historic election, 2020 will be a year that won’t soon be forgotten. However, despite a year of headline-grabbing issues and events, 2020, particularly its last several months, was a very active year regarding the HIPAA Privacy and Security Rules. Given the level of activity in 2020, HIPAA covered entities and business associates should expect 2021 to be just as active, if not more so.
OCR HIPAA Right of Access Initiative
Beginning with its first enforcement activity in the Fall of 2019, the HHS Office of Civil Rights (OCR) continued to vigorously enforce the rights of patients to have prompt and appropriate access to their medical records. As of December 22, 2020, there have been thirteen settlements with HIPAA covered entities that allegedly failed to provide individuals with appropriate and timely access to their medical records. Likely due in no small part to focusing on COVID-19 response efforts, eleven of the enforcement actions were announced between September 15, 2020 and December 22, 2020. The covered entities involved all entered into Resolution Agreements with OCR with settlement amounts ranging from $3500 to $160,000 along with a requirement that all the covered entities implement a corrective action plan.
Although not directly related to OCR’s Right of Access Initiative, there was also a substantial patient-access-related court case in early 2020. In Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020), a Federal District Court ruled that HHS exceeded its authority when it required covered entities to apply patient-rate copy costs to third parties if the request was made at the direction of the patient. Prior to the Court’s ruling, these third-party-directed requests often prevented covered entities and/or medical records copying companies from charging those third parties the copy fees authorized by state statute. The Court’s ruling essentially held that HHS exceeded its statutory authority by extending HIPAA’s reasonable copy cost requirements to patient requests to provide records to third parties. A copy of the court’s opinion may be found here.
Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement
In a press release dated December 10, 2020, OCR announced proposed changes to the HIPAA Privacy Rule “to support individuals’ engagement in their care, remove barriers to coordinated care as well as to reduce regulatory burdens on the health care industry.” The Notice of Proposed Rule Making (NPRM), which is currently in its 60-day comment period, addresses the following issues:
- Disclosure of PHI in the best interest of individuals who are suffering a health care emergency or crisis.
- Disclosures of PHI to avert a threat to the health and safety of an individual or others.
- Modifying the “minimum necessary” standard to provide for greater care coordination activities.
- Expanding the ability of covered entities to disclose PHI to social service and community-based organizations that provide care coordination and/or case management services.
- Following up on its Right of Access Initiative, the NPRM proposes a number of changes to give individuals greater control over, and access to, their own information. The proposed changes include:
  - Shortening the time for covered entities to respond to requests to access/copy records from 30 to 15 days;
  - Providing the individual the ability to control the sharing of PHI in an EHR with other covered entities;
  - Enhancing individuals’ rights to inspect their PHI in person;
  - Allowing patients to more easily request the transmission of their PHI to their PHR or other personal health application;
  - Reducing individual identification barriers;
  - Specifying when electronic PHI must be provided to the individual at no charge; and
  - Requiring covered entities to post estimated fee schedules for records.
- Changes to the Notice of Privacy Practices process, including eliminating the requirement that a covered entity obtain an individual’s written acknowledgment of receipt, as well as modifying the content requirements of the Notice.
- Expressly permitting disclosures to Telecommunications Relay Services communications assistants.
- Expanding the ability of covered entities to disclose the PHI of individuals in the “Uniformed Services” (Public Health Service and NOAA) to the same extent that disclosures are allowed for Armed Forces personnel.
HIPAA, Health Information Exchanges, and Disclosures of Protected Health Information for Public Health Purposes
On December 18, 2020, OCR issued guidance discussing how covered entities and business associates may use and disclose PHI via a Health Information Exchange (HIE) for public health purposes. Although HIEs have been around for some time now, the COVID-19 crisis has raised questions about the appropriateness of sending PHI to public health authorities via an HIE. The guidance seeks to clarify the circumstances under which PHI may appropriately be used and disclosed via an HIE for specified public health purposes.
2016-2017 HIPAA Audits Industry Report
On December 17, 2020, OCR released its 2016-2017 HIPAA Audits Industry Report, which addressed covered entity and business associate compliance with certain provisions of the HIPAA Privacy, Security and Breach Notification Rules. The results of the audit were somewhat mixed. While covered entities generally provided individuals with timely notifications of a security breach, such notifications often failed to include all the required information relating to the breach. With regard to patient access, OCR found that most covered entities failed to properly adhere to individual access requirements, and in fact specifically pointed to the audit results as confirmation of the “wisdom of OCR’s increased enforcement focus” in that area. Finally, the audit report found that most covered entities and business associates “failed to implement the HIPAA Security Rule requirements for risk analysis and risk management”.
Moving into 2021, those in the health care industry should remain vigilant in complying with the HIPAA Privacy and Security Rules. There is no reason to believe that OCR will slow down its enforcement activities; in fact, given the health care industry’s current reliance on technology, including the recent large-scale move to telehealth as a result of the COVID-19 crisis, covered entities and business associates should expect more oversight.
If you need assistance with your leave policies, please direct any questions to William P. Dillon.