A Massively Transformative and Disruptive Proposed Privacy Rule for 2021
America, for the first time in a serious way, is attempting a massive transformation of its broken healthcare system into a wellness-oriented, value-based system. Some polymaths at the big insurers likely convinced them that wellness produces better margins than illness, so these insurers are hiring Case Managers and Care Coordinators (collectively, Case Managers) in large numbers to manage both individual and population health and to see that consumers adhere to their medications, exercise, and generally adopt a healthier way of living. The thinking behind this “new” value proposition has been around for over 40 years, but the insurers never had the collective will to change their business models until now. This is a megatrend that is unlikely to change anytime soon.
The HHS/OCR Notice of Proposed Rulemaking (“NPRM”) to modify the HIPAA Privacy Rule, expected to be finalized in 2021, supports and underpins this public policy by removing barriers (e.g., the “minimum necessary” standard) that would otherwise prevent Case Managers from having a full, complete, and unencumbered view of a patient’s PHI. Without such a view it would be impossible for Case Managers to carry out their mission. The NPRM also proposes to improve a patient’s access to their PHI by adding two key provisions to §164.524 of the existing Privacy Rule: (1) shortening the time a covered entity (“CE”) has to provide a copy of the patient’s PHI from 30 calendar days to 15, with one 15-day extension; and (2) allowing the patient to inspect their PHI at the CE’s facility by taking notes, making recordings, taking pictures, and otherwise having an “open run” at their PHI to gather whatever information they can discern. The only prohibition placed on patients is that they may not connect any electronic device to the CE’s network or computers. Business Associates (“BAs”) would also be required to produce PHI when a CE requests it in order to meet the CE’s access obligations.
This article discusses the major right-to-access provisions of the NPRM (a subset of the changes it proposes), reviews the gnarly issues the regulation leaves unsaid with respect to that requirement, and reviews the challenges CEs and BAs face in creating Minimally Viable Processes (“MVPs”) to meet the new and updated Privacy Rule requirements, especially because what the proposed regulation leaves unsaid forces CEs to make difficult, substantive decisions about those processes with little guidance from HHS.
Finally, the article discusses how these right-to-access processes should be tracked so that a CE does not miss dates, handoffs occur smoothly, and the process does not prematurely abort, leaving the patient dissatisfied and prepared to file a complaint with OCR. A missed deadline is, on its face, willful neglect and is enough for OCR to open an investigation. Should OCR come calling, they will not only review the evidentiary record surrounding the complaint but take the opportunity to review the entirety of your HIPAA compliance program. Should the latter be found woefully insufficient, your civil monetary penalties (“CMPs”) will increase significantly, and in general you are not going to have a good day. Further, we are anecdotally aware that some CEs and BAs have “deep-sixed” small breaches; should OCR discover them, “Katy bar the door,” because your CMPs may increase exponentially.
The article also reviews the reports that should be produced from your request-tracking (“Requestor”) software so that the Compliance Manager or a designee can closely monitor the notes captured by staff during this process and ensure a strong evidentiary record should OCR come calling or class-action litigation ensue. If you cannot track each request with rigor, you will be defenseless should either eventuality occur.
Major Provisions of the NPRM
Effective and Compliance Dates
Although no publication date has been set, it is believed that the final Privacy Rule may be promulgated before the end of 2021. Under the NPRM, the effective date of the final rule would be 60 days after publication, and CEs and BAs would have until the compliance date, 180 calendar days after the effective date (roughly 240 days after publication), to comply.
Amending the Definition of Health Care Operations To Clarify the Scope of Care Coordination and Case Management
The proposed rule promotes a massive, nationwide transformation from a sickness-based healthcare system to a value-based, patient-centric one. A significant element of the rule is its treatment of Care Coordinators and Case Managers, who share patient information to improve health outcomes while preserving the privacy and security of PHI.
Care coordination is an important aspect of achieving improved health outcomes and includes a wide range of activities that link patients to services. It also improves communication among patients, physicians, and other essential clinical personnel. Although neither care coordination nor case management has a precise, commonly agreed-upon definition, the terms refer broadly to a set of activities aimed at promoting cooperation among members of a patient’s health care team, including their family, caregivers, and community-based organizations.
Care coordination has three key characteristics: comprehensive coordination (coordinating all services, including those delivered by systems other than the health system), patient-centered coordination (designed to meet the needs of the patient), and access and follow-up (ensuring the delivery of appropriate services and the flow of information among providers and back to the primary care provider). This feature of the proposed rule emphasizes, for the first time, that the patient is at the center of care, a long-awaited change to our healthcare system.
Finally, under the proposed rule the minimum necessary standard would no longer apply to Care Coordinators and Case Managers when they request PHI. This means they could request all of a patient’s data from a CE, which they clearly need in order to perform their roles. The process by which this PHI would be delivered is currently undefined; our take on it will be covered in future webinars and newsletters.
What the NPRM Leaves Unsaid
The proposed changes to the right to access will disrupt the business models of all covered entities and many business associates. It is an organizational change of the highest order that will push the workforce out of its siloed comfort zones into a collaborative space the healthcare industry is unaccustomed to. What follows are some of the most insidious questions that arise because the right-to-access section of the proposed rule is silent on them, providing no guidance as to how a covered entity should (or could) address them.
Three major process challenges are contained in the proposed right to access, as follows:
Of the three use cases above, the second is the most insidious, because the patient must be given access to PHI that is readily available even without specifying the scope of the designated record set they want to review. This poses an enormous challenge because the proposed right to access PHI at a CE’s facility is silent on the following issues:
When the patient requests an onsite review of their PHI, they have the right to view it, take notes, take photographs, and use other personal resources to capture the information; they cannot, however, connect a personal device to the CE’s information systems. The CE, for its part, cannot impose unreasonable measures that effectively deny the patient’s right of access at the facility. A CE can and should establish reasonable policies and safeguards in its MVP to minimize disruption to its operations and to make certain that the patient accesses only the PHI in the designated record set to which they are entitled. Although the CE may require the access request in writing (electronic or paper, except for access requested during an appointment), it may not impose burdensome measures that impede the individual from obtaining access.
Here are some (non-exhaustive) questions a CE must consider when establishing its new MVP.
If the CE does not meet the dates required by the proposed rule, the patient is likely to file a complaint with OCR. A missed date is willful neglect on its face and will trigger an investigation in which OCR will impose CMPs for the missed date; it should also be expected that OCR will review the entirety of the CE’s HIPAA compliance program, potentially levying additional CMPs.
How Access Requests should be Tracked
Tracking access requests is a necessary and meticulous activity that CEs (and BAs) must perform to create an evidentiary foundation for several purposes, including documenting their operations, responding to an OCR audit or investigation, and defending a lawsuit. Tracking should capture all pertinent information about the request, including:
Although not all access requests will require the level of effort described in the previous example, every Privacy Rule request for access should be logged, as should any other request that a CE or BA considers germane:
A useful set of tracking reports would include the ability to report on all extemporaneous (oral or unscheduled) requests, onsite inspections, and the category of each request (e.g., Request for Access, Authorization, Restriction), as well as the dates that were missed, why, and who was responsible.
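As an added example (not from the article, and not the “Requestor” software it mentions), here is a small Python tracker that encodes the rules described above: a 15-calendar-day deadline counted from receipt, a single 15-day extension that must be invoked before the first deadline passes, handoffs recorded with the responsible party, and the missed-date and category reports. The SHA-256 hash chain over log entries is this example’s own design choice for making the evidentiary record tamper-evident; the article does not prescribe it. Day counting (receipt is day 0), the sample request data, the role names, and the “today” used for the reports are all constructed assumptions.

```python
"""Access-request tracker: deadline arithmetic, handoff log, tamper-evident notes, reports."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

INITIAL_DAYS = 15     # proposed response window, calendar days (receipt = day 0, an assumption)
EXTENSION_DAYS = 15   # the one permitted extension
GENESIS = "0" * 64    # prev_hash of the first log entry


@dataclass
class LogEntry:
    """One staff note in the evidentiary record, chained to the previous note by hash."""
    when: date
    actor: str
    note: str
    prev_hash: str
    digest: str = ""

    def __post_init__(self) -> None:
        payload = json.dumps([self.when.isoformat(), self.actor, self.note, self.prev_hash])
        self.digest = hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class AccessRequest:
    request_id: str
    category: str              # "Request for Access", "Authorization", "Restriction", ...
    received: date
    onsite: bool = False       # patient wants to inspect PHI at the facility
    oral: bool = False         # request made orally, e.g. during an appointment
    assignee: str = "intake"   # who is responsible right now
    extended: bool = False
    completed: Optional[date] = None
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self._append(self.received, "intake", f"received; category={self.category}")

    def _append(self, when: date, actor: str, note: str) -> None:
        prev = self.log[-1].digest if self.log else GENESIS
        self.log.append(LogEntry(when, actor, note, prev))

    @property
    def due(self) -> date:
        """15 calendar days from receipt, 30 if the single extension was used."""
        return self.received + timedelta(days=INITIAL_DAYS + (EXTENSION_DAYS if self.extended else 0))

    def handoff(self, when: date, frm: str, to: str, note: str = "") -> None:
        """Record a handoff so the responsible party at every point is known."""
        self.assignee = to
        self._append(when, frm, f"handoff to {to}" + (f": {note}" if note else ""))

    def extend(self, when: date, actor: str, reason: str) -> None:
        """Invoke the one permitted extension; refuse a second one or a late one."""
        if self.extended:
            raise ValueError("only one 15-day extension is permitted")
        if when > self.due:
            raise ValueError("extension must be invoked before the initial deadline passes")
        self.extended = True
        self._append(when, actor, f"15-day extension invoked: {reason}")

    def complete(self, when: date, actor: str, note: str = "PHI provided") -> None:
        self.completed = when
        self._append(when, actor, note)

    def is_missed(self, today: date) -> bool:
        """Missed if completed after the deadline, or still open past it."""
        return (self.completed or today) > self.due

    def verify_log(self) -> bool:
        """Recompute the hash chain; an edited or deleted note breaks it."""
        prev = GENESIS
        for e in self.log:
            if e.prev_hash != prev or LogEntry(e.when, e.actor, e.note, e.prev_hash).digest != e.digest:
                return False
            prev = e.digest
        return True


def missed_date_report(requests: list, today: date) -> list:
    """Rows for the Compliance Manager: which deadlines were missed, by whom, and the last note."""
    return [{"id": r.request_id, "category": r.category, "due": r.due.isoformat(),
             "responsible": r.assignee, "last_note": r.log[-1].note}
            for r in requests if r.is_missed(today)]


def category_report(requests: list) -> dict:
    """Counts by category, with onsite and oral requests broken out."""
    out: dict = {}
    for r in requests:
        out[r.category] = out.get(r.category, 0) + 1
    out["onsite"] = sum(r.onsite for r in requests)
    out["oral"] = sum(r.oral for r in requests)
    return out


SAMPLE_TODAY = date(2021, 4, 5)  # constructed "today" for the reports


def build_sample() -> list:
    """Constructed requests (not real data): an extension, a handoff, and one missed deadline."""
    r1 = AccessRequest("REQ-001", "Request for Access", date(2021, 3, 1))
    r1.handoff(date(2021, 3, 2), "intake", "him_clerk", "paper chart needs retrieval")
    r1.extend(date(2021, 3, 10), "him_clerk", "records stored offsite")
    r1.complete(date(2021, 3, 29), "him_clerk")
    r2 = AccessRequest("REQ-002", "Request for Access", date(2021, 3, 1), onsite=True)
    r2.handoff(date(2021, 3, 3), "intake", "privacy_officer", "schedule onsite inspection")
    r3 = AccessRequest("REQ-003", "Restriction", date(2021, 3, 5), oral=True)
    r3.complete(date(2021, 3, 6), "intake", "restriction noted in EHR")
    return [r1, r2, r3]  # r2 is never completed and is overdue on SAMPLE_TODAY


if __name__ == "__main__":
    reqs = build_sample()
    print(category_report(reqs))
    for row in missed_date_report(reqs, SAMPLE_TODAY):
        print(row)
```

The design point is that every state change (intake, handoff, extension, completion) becomes a dated, attributed note, and the report of a missed date names whoever held the request when the deadline passed. The hash chain lets the Compliance Manager show that the notes reviewed during an OCR inquiry are the notes staff wrote at the time, not a record reconstructed afterwards.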
OCR has purposely proposed a massively disruptive set of new Privacy Rule requirements to support the wider, health-plan-led strategy of transforming our healthcare system from sickness to wellness. The proposed rule provides little if any guidance that helps answer the questions enumerated above. Over the last few years, OCR has shown a willingness to levy CMPs on both large and small CEs for failure to honor PHI access requests, and it recently announced that it is hiring additional legal staff, a not-so-subtle signal that it expects enforcement activity to increase significantly under the proposed rule. In other words, through the proposed rule OCR intends to force CEs to take a more patient-centric approach, something that, left to their own devices, they would never do. The business-model changes discussed above are arguably the most difficult, from a process perspective, that the healthcare industry has experienced in the last 50 years. The industry has resisted such changes to the point where that resistance is now futile and unsustainable.