3Lions HIPAA Survival Guide December 2021 Newsletter

A Massively Transformative and Disruptive Proposed Privacy Rule for 2021

  • If you were unable to attend the November 2021 webinar, A Compliance Officer's Worst Nightmare Part 1, you may view it here.
  • Also, if you want to view Part 2, where we take a deeper dive into the NPRM, click here.

America, for the first time in a very serious way, is attempting a massive transformation of our broken healthcare system into a wellness, value-based system. Some polymaths at the big insurers likely convinced them that wellness produces better margins than illness. Therefore, some of these insurers are hiring Case Managers and Care Coordinators to ensure that consumers comply with their medications, exercise, and generally adopt a healthier way of living. The thinking behind this “new” value proposition has been around for over 40 years, but the insurers never had the collective will to change their business models until now. Many of these insurers are beginning to hire Case Managers and Care Coordinators (collectively, Case Managers) in large numbers to manage both individual health and population health. This is a megatrend that is unlikely to change anytime soon.

The Final Privacy Rule of 2021 National Proposed Rule Making by HHS/OCR (“NPRM”) supports and underpins this public policy by removing barriers (e.g., the “minimum necessary” principle) that would prevent Case Managers from having a full, complete, and unencumbered view of a patient’s PHI. Without such a view it would be impossible for Case Managers to successfully carry out their mission. The NPRM also proposes to improve a patient’s access to their PHI by inserting two key provisions into section §164.524 of the existing Privacy Rule: (1) cutting the time allowed to provide a copy of a patient’s PHI from 30 days to 15 calendar days, with one 15-day extension; and (2) allowing the patient to inspect their PHI at a covered entity’s (“CE”) facility by taking notes, making recordings, taking pictures, and otherwise having an “open run” at their PHI to gather whatever information they can discern. The only prohibition placed on patients is that they are not allowed to connect any electronic device to the Covered Entity’s network or computers. Business Associates (“BAs”) are also required to produce PHI when requested by CEs so that the CEs can meet their obligations to provide access to PHI.

This article discusses the major provisions of the NPRM’s right to access (a subset of the changes in the NPRM), reviews the gnarly issues that the regulation leaves unsaid with respect to this requirement, and reviews the challenges that CEs and BAs face when creating Minimally Viable Processes (“MVPs”) to meet the new and updated Privacy Rule requirements. Those challenges arise especially because of what the proposed regulation leaves unsaid, forcing CEs to make difficult and substantive decisions about those processes with little guidance from HHS.

Finally, this article discusses how these processes should be tracked to satisfy the patient and not trigger an audit by OCR (e.g., failure to meet a date is willful neglect and is sufficient for OCR to initiate an audit). Should OCR come calling, they will not only review the evidentiary record surrounding the complaint but take the opportunity to review the entirety of your HIPAA compliance program. Should the latter be found to be woefully insufficient, your civil monetary penalties (“CMPs”) will increase significantly, and in general, you are not going to have a good day. Further, we are anecdotally aware that some covered entities and business associates have “deep-sixed” small breaches; should OCR discover them, “Katy bar the door,” because your CMPs may increase exponentially.

In addition, the article will discuss how these right to access processes should be tracked so that a CE does not miss dates, ensures that handoffs occur smoothly, and otherwise guarantees that the process does not prematurely abort, leaving the patient dissatisfied and prepared to file a complaint with OCR. The webinar will briefly discuss reports that should be reviewed from your "Requestor" software so that the Compliance Manager and his or her designee may closely monitor notes captured by staff during this process, ensuring a strong evidentiary record should OCR come calling or some sort of class action litigation ensue. If you can’t track each request with rigor, you will be defenseless should either of those eventualities occur.

Major Provisions of the NPRM

Effective and Compliance Dates

Although we don’t have a date for publication, it is believed that promulgation of the new Privacy Rule may happen before the end of 2021. The effective date of the final rule would then be 60 days after promulgation, and all CEs and BAs must comply by 180 calendar days after publication.

Amending the Definition of Health Care Operations To Clarify the Scope of Care Coordination and Case Management

The proposed rule promotes a massive, nationwide transformation from a sickness-based healthcare system to a value-based, patient-centric healthcare system. A significant impact of the rule is the use of Care Coordinators and Case Managers who share patient information to improve health outcomes for patients while preserving the privacy and security of their PHI.

Care coordination is an important aspect of achieving improved health outcomes and includes a wide range of activities that link Patients to services. Coordination also improves communication between Patients, Physicians, and other essential clinical personnel. Although neither Care Coordination nor Case Management has a precise, commonly agreed-upon definition, they refer broadly to a set of activities aimed at promoting cooperation among members of a Patient’s health care team, including their family, caregivers, and community-based organizations.

Care Coordination shares three key concepts: comprehensive coordination (coordination of all services, including those delivered by systems other than the health system), patient-centered coordination (designed to meet the needs of the patient), and access and follow-up (ensuring the delivery of appropriate services and the flow of information among providers and back to the primary care provider). This feature of the proposed rule emphasizes for the first time that the Patient is now at the center of care, a long-awaited change to our healthcare system.

And finally, under the proposed rule the Minimum Necessary Standard no longer applies to Care Coordinators and Case Managers when requesting PHI. This means they can now request all patient data from a CE, which is clearly necessary to enable them to perform their respective roles. The process by which this PHI is delivered is currently undefined, but our take on it will be covered in future webinars and newsletters.

What the NPRM Leaves Unsaid

The proposed changes to the right to access will disrupt the business models of all covered entities and many business associates. It is an organizational change of the highest order that will push the workforce out of its respective siloed comfort zones into a collaborative space that the healthcare industry is unaccustomed to. What follows are some of the most insidious questions that arise because the right to access section of the proposed final rule remains completely silent on them, providing no guidance as to how a covered entity should (or could) address these issues.

Three major process challenges are contained in the proposed right to access as follows:

  • The time to respond to a request for access to PHI has been reduced from 30 to 15 calendar days, with one 15-day extension. (Note that the clock starts ticking as soon as the CE is notified.)
  • The patient can request to see their PHI at the time of a scheduled appointment with the CE, when PHI is readily available at the point of care (e.g., in an EHR) in conjunction with a health care appointment; and
  • The patient has a right to access your facility for an onsite review of their PHI following notification to the CE.

Of the three use cases above, the second is the most insidious because the patient must be given access to PHI that is readily available even without specifying the scope of the designated record set they want to review. This poses an enormous challenge because the proposed right to access PHI at a CE’s facility is silent concerning the following issues:

  • Onsite visits at the time of an appointment will be massively disruptive to the CE’s normal course of business, so how can that disruption be minimized?
  • PHI is cross-functional by definition, and various functional areas are going to be impacted whenever a patient enters a facility, but especially when the patient requests access at the appointment.
  • The request for access may require changes to CE/BA processes and their contractual arrangements. For example, certain activities (e.g., Billing) may be outsourced, and the BA’s records must be provided promptly for the CE to meet its obligations to the patient.
  • And, as mentioned above, the time frame for compliance is 180 days after the effective date of the proposed rule; for changes this disruptive, that time constraint will prove daunting.

When the patient requests an onsite review of their PHI, they have the right to view it, take notes, take photographs, and use other personal resources to capture the information. However, the patient cannot connect a personal device to the covered entity’s information systems. In addition, the CE cannot impose an unreasonable burden to deny the patient’s right of access at the facility. A CE could and should establish reasonable policies and safeguards in its MVP to ensure minimal disruption to its operations and to make certain that the patient accesses ONLY the PHI in the designated record set to which they are entitled. Although the covered entity may require the request for access in writing (in electronic or paper form, but not in the case of access requested during an appointment), it should not impose unreasonable measures that are burdensome and impede the individual from obtaining access.

Here are some questions (non-exhaustive) that a CE must consider when establishing its new MVP.

  • How will a CE authenticate the patient for the onsite meeting?
  • Can the Patient bring an authorized family member or friend?
  • Where should the meeting take place?
  • How much time is reasonable for the patient to view, take notes, photographs, etc.?
  • What happens if that amount of time proves insufficient?
  • Which staff should participate in the meeting?
  • What does the “abort process” look like? (The process may abort for any number of reasons: the allocated time (e.g., 2, 4, or 8 hours) proves insufficient; the CE completely misses the 15-day extension; PHI is missing; the patient is disgruntled (e.g., verbally or physically abusive); etc.)
  • Should Security staff be readily available if a disruption occurs?
  • Who should own the entire cross-functional process (e.g., Compliance Officer, General Counsel, etc.)?
  • Should staff answer patient questions, and to what extent? Obviously, staff cannot and, in our opinion, should not provide answers to questions about why the doctor, or any other clinician, chose to treat the patient in a particular manner.
  • Who manages the formal communications with the patient that may be required during various points in the process (e.g., Compliance Officer, General Counsel, other)?
  • How should the PHI be presented (e.g., paper, large video screen, etc.)?
  • What does the exception process look like should the CE fail to provide PHI the patient requested (or thought they requested)?
  • How will handoffs between organizational units, or the need to request information from a BA, be managed, and who is responsible for ensuring that handoffs occur promptly?
  • How is the process tracked with rigor to avoid or mitigate liability and to provide the necessary evidentiary foundation if a dispute arises?

If the CE does not meet the required dates in the proposed rule, the Patient is likely to file a complaint with OCR. Missing a date is willful neglect on its face and will trigger an audit in which OCR will impose Civil Monetary Penalties (“CMPs”) for the missed date; it should also be expected that OCR will review the entirety of the CE’s HIPAA Compliance Initiative, potentially levying additional CMPs.

How Access Requests Should Be Tracked

Tracking access requests is a necessary and meticulous activity that CEs (and BAs) must perform to create an evidentiary foundation for several reasons, including but not limited to documenting their operations, responding to an OCR audit, and defending a lawsuit should one arise. Tracking should include all pertinent information about the request, including:

  • Who requested access,
  • What PHI was requested, or a notation if no specific PHI was requested,
  • When the request was received,
  • Dates that were met, dates that were NOT met,
  • Who gathered the requested PHI,
  • Identification of cross-functional groups and/or BAs that participated and their roles,
  • If the request included only paper PHI,
  • If the request included an onsite meeting, and where it was held,
  • If the request was extemporaneous at the Physician’s office during a scheduled appointment,
  • Exception(s) that were managed and ones that were not,
  • If Security was required for an onsite meeting,
  • Who owned/managed the entire process,
  • A description of what was presented and how,
  • Names of all attendees,
  • Who logged the information, and most importantly,
  • A description of how the patient assessed the quality of their review.

Although not all access requests will require the level of effort described above, all Privacy Rule requests for access should be logged, as well as any other request that a CE or BA considers germane:

  • “Normal” PHI access request;
  • Request to amend PHI;
  • Request to disclose PHI;
  • Request for PHI authorization;
  • Request for PHI restriction;
  • Request(s) for PHI from third-party non-treating covered entities; and
  • Request for PHI from Social Services organizations; etc.

A select group of tracking reports would include the ability to report on all extemporaneous requests, onsite meetings, and the category of the request (e.g., Request for Access, Authorizations, Restrictions, etc.) as well as dates that were missed, why, and who was responsible.
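As an added example (not code from the newsletter or from 3Lions), the following Python sketch shows how the tracking fields and reports described above could be implemented: each request record carries the who/what/when fields listed, the due date is computed from the 15-calendar-day rule with one 15-day extension and the clock starting at notification, and the reports pick out missed dates (with the owner and the logged reason), extemporaneous requests, onsite meetings, and counts by request category. The field names, the sample records, and every name, date and location in them are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Deadlines as the newsletter describes the NPRM: 15 calendar days from the
# day the CE is notified, with at most one 15-day extension.
RESPONSE_DAYS = 15
EXTENSION_DAYS = 15

# Constructed "as of" date used when reporting on requests that are still open.
TODAY = date(2021, 12, 15)


@dataclass
class AccessRequest:
    """One tracked Privacy Rule request. Field names are constructed for this
    example and follow the tracking list in the newsletter."""
    request_id: str
    requester: str
    category: str                  # e.g. "access", "amendment", "restriction"
    received: date                 # the clock starts when the CE is notified
    phi_requested: Optional[str]   # None records that no specific PHI was named
    owner: str                     # who owns the cross-functional process
    extemporaneous: bool = False   # raised during a scheduled appointment
    onsite: bool = False
    onsite_location: Optional[str] = None
    extension_taken: bool = False
    completed: Optional[date] = None
    participants: list = field(default_factory=list)   # units/BAs and their roles
    exceptions: list = field(default_factory=list)     # exceptions and how handled
    log: list = field(default_factory=list)            # (date, who, note) entries

    def note(self, when: date, who: str, text: str) -> None:
        """Append to the evidentiary record; entries are never overwritten."""
        self.log.append((when, who, text))

    def due_date(self) -> date:
        days = RESPONSE_DAYS + (EXTENSION_DAYS if self.extension_taken else 0)
        return self.received + timedelta(days=days)

    def take_extension(self, when: date, who: str, reason: str) -> None:
        """Apply the single permitted extension and record why it was needed."""
        if self.extension_taken:
            raise ValueError(f"{self.request_id}: only one {EXTENSION_DAYS}-day extension is permitted")
        self.extension_taken = True
        self.note(when, who, f"extension taken: {reason}")

    def days_overdue(self, today: date) -> int:
        """Calendar days past the due date, measured at completion or, if the
        request is still open, at 'today'; 0 when the request is on time."""
        measured = self.completed or today
        return max(0, (measured - self.due_date()).days)


def missed_deadlines(requests, today):
    """Rows for every request that missed its date: id, owner, days overdue
    and the most recent log note (the 'why'), worst offender first."""
    rows = []
    for r in requests:
        late = r.days_overdue(today)
        if late:
            why = r.log[-1][2] if r.log else "no reason logged"
            rows.append((r.request_id, r.owner, late, why))
    return sorted(rows, key=lambda row: row[2], reverse=True)


def extemporaneous_requests(requests):
    return [r.request_id for r in requests if r.extemporaneous]


def onsite_meetings(requests):
    return [(r.request_id, r.onsite_location) for r in requests if r.onsite]


def count_by_category(requests):
    counts = {}
    for r in requests:
        counts[r.category] = counts.get(r.category, 0) + 1
    return counts


def build_sample_requests():
    """Constructed sample records; every name, date and location is made up."""
    r1 = AccessRequest("R-0001", "A. Patient", "access", date(2021, 11, 20),
                       "lab results 2021", owner="Compliance Officer",
                       completed=date(2021, 12, 3))
    r2 = AccessRequest("R-0002", "B. Patient", "access", date(2021, 11, 1),
                       None, owner="General Counsel", onsite=True,
                       onsite_location="Clinic conference room")
    r2.take_extension(date(2021, 11, 10), "Compliance Officer",
                      "billing records held by BA not yet returned")
    r3 = AccessRequest("R-0003", "C. Patient", "access", date(2021, 12, 10),
                       "visit summary", owner="Practice Manager",
                       extemporaneous=True, completed=date(2021, 12, 10))
    r4 = AccessRequest("R-0004", "D. Patient", "amendment", date(2021, 11, 25),
                       "allergy list", owner="Compliance Officer",
                       completed=date(2021, 12, 14))
    r4.note(date(2021, 12, 14), "Records clerk", "handoff from Billing missed by 4 days")
    return [r1, r2, r3, r4]


if __name__ == "__main__":
    sample = build_sample_requests()
    for row in missed_deadlines(sample, TODAY):
        print("MISSED:", row)
    print("extemporaneous:", extemporaneous_requests(sample))
    print("onsite:", onsite_meetings(sample))
    print("by category:", count_by_category(sample))
```

The log is append-only on purpose: the point of tracking, as the newsletter stresses, is an evidentiary record, so a note that is later found to be wrong gets a correcting entry rather than an edit. A real system would also persist the records and restrict who may read them, since the log itself contains PHI.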
OCR has purposely proposed a massively disruptive set of new requirements in the Privacy Rule to support the wider health plan-led strategy of transforming our healthcare system from sickness to wellness. The proposed rule provides little if any guidance to help answer the questions enumerated above. Over the last few years, OCR has shown a willingness to levy CMPs on both large and small CEs for failure to meet PHI access requests. It has just recently announced that it is hiring additional legal staff, sending the not-so-subtle message that it expects the need for audits to increase significantly under the proposed rule. In other words, through the proposed rule, OCR intends to force CEs to take a more patient-centric approach, something which, if left to their own devices, they would never do. The business model changes discussed above are arguably the most difficult ones that the healthcare industry has experienced, from a process perspective, in the last 50 years. The industry has resisted change to the point where that resistance is now futile and unsustainable.
Contact us: Mature Compliance Programs Made Easier!