Care management and care coordination is generally acknowledged to be foundational to effective population health delivery. For this reason, in June 2018, the U.S. Department of Health and Human Service (DHHS) announced its “Regulatory Sprint to Coordinated Care,” with the objective of “promoting” the transition to value-based care by removing “unnecessary obstacles.” In launching this regulatory overhaul, DHHS acknowledged that the regulatory infrastructure built up around a fee-for-service care model presents systemic challenges and barriers to the kind of coordination and data sharing necessary for value-based care delivery.
Initially, the focus of this regulatory evaluation and overhaul centered on the Stark Law, the Anti-kickback Statute, and the Civil Monetary Penalties, each governing the referral of patients and safe harbors for business relationships. DHHS recently published its final rules, including expanded “safe harbors” which are intended to enhance the available “range of arrangements available to improve the coordination and management of patient care.”
Last month, in this marathon of updating regulations to better accommodate care coordination and value-based care, DHHS shifted its focus to HIPAA’s Privacy Rule, with the Office of Civil Rights (OCR) publishing its Notice of Proposed Rule-making (“Notice” or “NPRM”). This Notice outlines specific proposed modifications to the Privacy Rule and solicits public feedback.
The proposed modifications fall into four general categories:
- Expanded Patient Right of Access;
- Removing Barriers to Care Coordination;
- Reducing barriers to voluntary disclosures in emergency circumstances; and
- Updates to Notice of Privacy Practice by Covered Entities.
There is certainly a lot of “meat” to these proposed modifications, and we will be diving into the proposed rulemaking (and their impact) over the coming months. In the meantime, the purpose of this article is to highlight some of the biggest changes presented, as they will impact providers.
PATIENT RIGHT OF ACCESS – EXPANDED
Under HIPAA’s Privacy Rule, patients have a general right to access, inspect, and modify their health records. However, as evidenced by OCR’s continuing 2019 enforcement initiative, this is a right that is too often overlooked or neglected. OCR’s proposed modifications dovetail closely with recently finalized rules relating to Interoperability and Patient Right of Access, which we discussed in both our October webinar and our November article on compliance. This includes the following:
- Requiring providers, when requested, to allow patients to review patient health information (PHI) at point of care (ie: during an office appointment or other treatment) where that information is already “readily available.” While OCR has not defined what constitutes “readily available” records, it is expected that records available through electronic health records (EHRs) which a physician may reference during the point of care are likely to be included in this application.
- Reducing the timeline in which covered entities must respond to and provide copies of requested care records.
- Providing further guidance limiting and standardizing the fees that covered entities may levy for providing access to individuals. This includes the duty for covered entities to identify the types of PHI which are available free of charge as well as those that have a fee associated and to make that fee schedule available upon request and at the point of care. Publication of a fee schedule online will be required where the covered entity maintains an organizational website.
While there are a number of definitions and applications to be ironed out in advance of proposed rules (Narrowing in on what constitutes “readily available” records is one example that comes to mind), when it comes to timelines for responding to requests for access and the processes covered entities may require patients to utilize when requesting records, we already have the needed application.
Specifically, under the proposed modifications, the timelines to respond to patient requests for records are halved. Under the Privacy Rule, covered entities must provide access to requested records within thirty (30) calendar days of the submitted request. Covered entities are entitled to an extension of an additional thirty days, where they notify the patient within that initial timeline.
The proposed modifications stipulate that the requested records must be provided “as soon as practicable” – but no later than fifteen (15) calendar days from the date of the request. Covered Entities may extend that timeframe up to an additional fifteen (15) days, provided that they have an established policy to address urgent or prioritized requests. Urgent and prioritized requests include (but are not limited to) circumstances where the patient informs the covered entity that the requested information is necessary for urgent medical treatment or where there is an urgent administrative or documentation need.
In addition to modifications of the timeline, OCR seeks to prevent covered entities from imposing “unreasonable measures” that can discourage or otherwise inhibit a patient’s ability to request or obtain access to their records. Specifically, OCR identifies exclusionary submission requirements as an unreasonable precondition to accessing records. This means that a Covered Entity cannot require an individual to submit their request only in paper form, or only through the entity’s online portal. This will require some covered entities and their partners to modify their submission process, including, potentially, the use of online access to and submission of requests.
EXPANDING THE DEFINITION OF HEALTH CARE OPERATIONS TO INCLUDE CASE MANAGEMENT
OCR seeks to further facilitate care coordination by creating a bias towards disclosures made for the purposes of care management and care coordination. This includes expressly permitting disclosures to social service agencies, community-based organizations, and other third parties that participate in addressing an individual’s health and health-related needs.
While these disclosures are currently permitted under the treatment or health care operations activities exception under the Privacy Rule, OCR noted that some have interpreted individual care management as outside of the treatment modality – inhibiting communication pathways between various stakeholders.
Furthermore, OCR proposes including care coordination and case management (when performed for a specific individual – as opposed to population-based activities) as an exception to the minimum necessary rule.
A PRESUMPTION OF COMPLIANCE – THE GOOD FAITH STANDARD
OCR proposes to amend the Privacy Rule to replace “the exercise of professional judgment” with a “good faith belief standard, for covered entities evaluating when and whether to make voluntary disclosures under the Privacy Rule. This changed standard is important on two grounds:
- First, this may facilitate discretionary disclosures by permitted workforce members other than licensed professionals, to exercise their discretion and defend the exercise of that discretion.
- Secondly, OCR proposes the creation of a presumption of compliance (or at least heightened deference) where a determination is made related to the individual facts and circumstances, or where there is a good faith basis for relying upon the facts and circumstances as presented.
Application of the proposed Good Faith Belief Standard will provide important clarification and latitude to a number of everyday operational challenges providers confront including facility directories and disclosures to family members seeking information regarding an incapacitated loved one in emergency circumstances. This also includes instances where disclosure can be made regarding minors to individuals who are acting ‘in loco parentis’ (but who are not the child’s legal representative).
The Good Faith Belief Standard is also expected to apply to additional guidance regarding disclosures related to substance abuse disorders and serious mental illness in emergency situations.
CONCLUSIONS
While the NPRM covers a lot of ground and hits on consistent themes and unifying governing principles, a great deal remains undetermined. The overhaul of a regulatory framework like the Privacy Rule is not something that can be accomplished overnight.
We will be following the progress of this latest “sprint” in the marathon to update federal regulations to accommodate coordinated care. In the meantime, we encourage all stakeholders to review the Notice and consider contributing comments based on their own experiences in advance of the February 10th deadline. And if you could use help contributing those comments, we’re experts in compliance (and also pretty great writers if we do say so ourselves), so reach out today.