Show This week's post is the last installment in our series on the HIPAA Privacy Proposed Rule. Here we inspect the significant proposed changes to disclosures under HIPAA and how they may impact your practice. For a background on current HIPAA policies, see HIPAA and MIPS: Explained as easily as humanly possible. Links to our previous blogs on the HIPAA Privacy Proposed Rule are at the bottom of this page. When Would These Changes Need to Be Implemented? HHS is proposing to require compliance with any finalized policies by 240 days after the publication of the Final Rule. As the Proposed Rule was just published, it would likely be more than a year from now. Proposed Changes to HIPAA Disclosures Minimum Necessary Standard HHS proposes an express exception to the “minimum necessary” standard for individual-patient-level disclosures to or requests by a health plan or covered health care provider for care coordination and case management. Current Requirement
Proposed New Requirement HHS is proposing an express exception from the minimum necessary standard for disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management. HHS provides the following examples of the impact of this proposal:
Important note: You would still be able to honor an individual's (patient's) request not to use or disclose information for these purposes. How to Prepare Only if finalized would the exception to the minimum necessary standard be allowed. Therefore, we do not recommend any preparation at this time. Of note, if this exception is finalized, the ONC Information Blocking Final Rule would prohibit you from limiting a permissible disclosure to what you believe to be the minimum necessary information when the Privacy Rule specifically excepts the disclosure from the minimum necessary standard. Thus, if finalized, you would be required to apply the exception unless the patient specifically requests that you not use or disclose the information for the applicable purpose(s). Health Care Operations The Proposed Rule amends the definition of “health care operations” to clarify that the scope of permitted uses and disclosures extend to individual-level care coordination and case management that constitute health care operations. Current Requirement HIPAA allows uses and disclosures of PHI for treatment, payment, and health care operations (TPO) without an individual's valid authorization. The "health care operations" definition does not currently mention individual-level care. As such, many providers interpret this to mean that patient authorization is required to disclose individual patient data for individual-level care coordination and case management activities. Proposed New Requirement This proposed change to the definition of "health care operations" does not change the requirements, but clarifies that you are allowed to disclose individual patient PHI for individual-level care coordination and case management activities without the individual's valid authorization. How to Prepare This proposal is highly likely to be finalized. HHS stated that this was the intended current state for the HIPAA Privacy Rule’s allowed TPO disclosures. As such, if you currently subscribe to the interpretation that individual patient level care coordination and case management activities require patient authorization, this clarification shows that you do not need a patient authorization for these specific activities. Care Coordination HHS proposes clarifications permitting the ability of covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and similar third parties that provide health-related services. Current Requirement Currently, you are permitted, but not required, to obtain an individual's consent to use or disclose their PHI for TPO purposes, including to public or private-sector entities that provide health-related social and community based services as part of your treatment activities. This is subject to the minimum necessary standard if the disclosure is made to a third party entity that is not a health care provider. For example, you are allowed to make a disclosure for the treatment purposes of an elderly or disabled patient by disclosing PHI to a home and community based services (HCBS) provider if it is for the coordination or management of your treatment or necessary health-related services for the patient. This could be for things such as arranging for a home aide to help the elderly or disabled patient with their prescribed at-home or post-discharge treatment protocol. Although guidance from HHS established that this was allowable, many doctors believe that they have to obtain valid authorization from the patient first. Proposed New Requirement HHS proposes to expressly permit you to disclose PHI to social services agencies, community-based organizations, HCBS providers, and other similar third parties that provide health-related services to specific individuals for individual-level care coordination and case management. This can be either as a treatment activity or as a health care operations activity. This proposal allows the disclosure of PHI to an entity that provides health-related services to individuals, but these entities do not have to be health care providers; the third parties do not have to be covered by HIPAA. Instead, the third party may be providing health-related social services or other supportive services -- e.g., food or sheltered housing needed to address health risks. Important notes:
How to Prepare This proposal is simply a clarification of current policy. It remains up to you to determine how to release information for treatment purposes. We recommend that you continue to offer your patients the opportunity to request that you not disclose information in this way, but you are not required to get written authorization for these releases. Mental Health and Substance Use Disorder This Proposed Rule contains several provisions that would weaken privacy requirements around the care of patients with substance use disorder (SUD) and serious mental illness (SMI) and encourage disclosure to family by any member of a care team (including a scheduler). It also proposes to permit covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable” (replacing the current “serious and imminent” harm threshold for such disclosures). Current Requirements
Proposed New Requirements HHS proposes to replace the "exercise of professional judgement" with "good faith belief". In practice, this means that the covered entity that decides to disclose the PHI does not have to be a health care professional as long as they are acting within the scope of their authority (e.g., a scheduler disclosing schedule-related information). The proposed standard is meant to encourage covered entities to use and disclose PHI more broadly in circumstances involving SUD and SMI without written authorization. This has several important implications as outlined below.
HHS is also proposing to change the "serious and imminent" harm threshold to "serious and reasonably foreseeable" for uses and disclosures to avert a serious threat to health or safety. HHS would:
How to Prepare There is significant opposition from the medical community and patient rights advocates to the proposals that would weaken privacy protections for individuals with SUD or SMI. Therefore, we do not recommend preparing for those proposals at this time. The proposal regarding disclosures to avert a serious threat to health or safety has fairly widespread support and is likely to be finalized. As the loosening of restrictions on these disclosures would not be permitted under law until the proposal is finalized and effective, there is no need to prepare at this time. If the proposal is finalized, we will provide additional guidance. Telecommunications Relay Services HHS proposes to expressly allow you to disclose PHI to TRS communications assistants relating to any covered functions performed by, for, or on behalf of you and clarify for covered entities that a business associate agreement is not needed with a TRS communications assistant. Current Requirement Since this policy was created, advances in technology now allow people to communicate with the help of a TRS communications assistant in a seamless manner, such that they may not know that they are using a TRS communications assistant. In addition, TRS is also used to assist communications between workforce members of covered entities and business associates. Therefore, updates to the current policy are needed or a written authorization from the patient would be needed. Proposed New Requirement HHS proposes to expressly permit you (and business associates acting on your behalf) to disclose PHI to TRS communications assistants to conduct TPO activities. This change in policy accounts for the advances in technology mentioned in the current requirements section above. Important Note: TRS providers are federally regulated and mandated to protect the confidentiality of their information. How to Prepare This proposal creates administrative simplifications. As such, you do not need to prepare for this proposal. If the proposal is finalized, we will provide you with additional guidance. Notice of Privacy Practices HHS proposes to eliminate the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP). HHS also proposes to modify NPP content requirements to clarify individual rights with respect to their PHI and how to exercise said rights. Current Requirement Proposed New Requirement This proposal eliminates both of the above current requirements, and replaces the written acknowledgement requirement with an individual right to discuss the NPP with you or a person you designate. Also proposed in this section are several modifications to NPP content. Most of these modifications revolve around informing individuals on how to access and control their information. How to Prepare Keep abiding by the current NPP requirements as they are mandatory until and unless these proposals are finalized. If this proposal is finalized, we will provide more detailed guidance on how to comply with the new rules around NPPs. More Blogs on the HIPAA Privacy Proposed Rule Part 1: High-Level Summary Part 2: Individual Right of Access Deep Dive Part 3: Permitted Fees, Explained
Recently, we wrote a blog on the upcoming Information Blocking requirements: Get Ready! Information Blocking Deadline April 5. On April 5, we will post a webinar on the upcoming information blocking requirements. If you want hands-on, personalized assistance, contact us and we will have your back. Written by Jessica Peterson Jessica Peterson, MD, MPH is the Vice President of Health Policy at the consulting firm MarsdenAdvisors. When can you disclose PHI HIPAA?Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat).
Which use disclosure of PHI is allowed under the HIPAA Privacy Rule?For example, HIPAA permits disclosure of protected health information (PHI) for treatment purposes (including in emergencies) without patient authorization, and allows PHI to be used or disclosed to lessen a threat of serious and imminent harm to the health or safety of the patient or others (which may occur as part of ...
Does HIPAA allow covered entities to disclose PHI that came from other providers?A covered entity may not use or disclose PHI unless HIPAA allows it or the patient authorizes it in writing.
Does HIPAA allow patients to restrict disclosure of PHI?A covered entity is required to agree to an individual's request to restrict the disclosure of their PHI to a health plan when both of the following conditions are met: (1) the disclosure is for payment or health care operations and is not otherwise required by law; and (2) the PHI pertains solely to a health care item ...
|