Federal regulators say they want to adjust personal health information privacy regulations to make coordinating patients’ care easier for health plans, health care providers and families.
The regulations also could reduce the amount of time health plans, life insurers, hospitals and other entities that store people’s health records have to give people access to their health records.
The Office for Civil Rights at the U.S. Department of Health and Human Services (HHS) has posted a new set of draft regulations on the HHS website.
The new draft regulations would change the Privacy Rule regulation that interprets the privacy provisions in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- A preliminary version of the draft HHS privacy regulations is available here.
- An earlier article about HIPAA privacy rules is available here.
HHS is still in the process of getting the draft regulations published in the Federal Register, a federal government regulatory publication. Members of the public will have 60 days after the official Federal Register publication date to submit comments.
A HIPAA Privacy Primer
The HIPAA Privacy Rule sets privacy protection requirements for “protected health information,” or PHI.
The requirements apply direct to “covered entities,” such as hospitals, health insurers and life insurance companies’ underwriting teams.
Many of the requirements also apply to the covered entities’ business associates. Insurance agents and other financial professionals who collect PHI may be covered entities’ business associates.
HHS officials estimate, in a burden analysis included with the draft regulations, that there are about 774,331 covered entities in the United States, and that those entities have about 1 million business associates.
The Draft Regulations
The point of the new draft regulations is to change Privacy Rule provisions “that could present barriers to coordinated care and case management — or impose other regulatory burdens without sufficiently compensating for, or offsetting, such burdens through privacy protections,” officials write in the preamble, or official introduction, to the draft regulations.
Some of the provisions in the new draft regulations that could have a significant effect on commercial health insurers and other insurers would:
- Shorten the amount of time insurers and other covered entities have to fill individuals’ record access requests to 30 days, from 60 days today.
- Create a new “pathway” people could use to have health plans and health care providers send their records to other plans and providers.
- Set official definitions for the terms “electronic health record” and “personal health application.”
- Ease what individuals have to do to verify their identity when they’re asking for their health information.
Some other provisions in the draft regulations would:
- Emphasize that patients have a right and to see and record their health information in person, by, for example, taking pictures of health records.
- Make it easier for covered entities to share people’s health information for care coordination purposes, and to get people help from social services agencies and community-based home care organizations.
- Let covered entities disclose PHI when a threat to health or safety is “seriously and reasonably foreseeable,” as well as when there is a “serious and imminent” threat to health or safety.
The proposed health record pathway provision, for example, would create a new mechanism that an individual could use to share information with multiple plans and providers, and, possibly, with life insurance, disability insurance and long-term care insurance underwriters.
The proposal might also give consumers a way to tell one covered entity insurance company that holds health-related underwriting information to make the information available to other covered entity insurers.
Individuals could ask their current providers or plans to send requests for information to other providers or plans on the individuals’ behalf, officials write.
“This new pathway promotes disclosures to individuals’ current health care providers and health plans in a manner that retains individual control,” officials say. “The department believes that this proposal would be less burdensome than imposing mandatory disclosures for all requests for PHI for treatment, payment, and health care operations purposes.”
— Read Some Consumers Would Still Let Life Insurers Track Them With Smartphones, on ThinkAdvisor.