By Linda Kloss

The Verisma disclosure management community was fortunate to be briefed last week by Timothy Noonan, JD, Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR). OCR administers and enforces the Health Insurance Portability and Accountability Act (HIPAA) and compliance with HIPAA’s Privacy Rule is a central focus for release of information professionals. His webinar update covered three very timely and important topics:

  • Recent privacy-related COVID-19 guidance and bulletins
  • OCR’s Right of Access Initiative, and
  • Developments regarding the Right to Direct health records to a third party.

Mr. Noonan had been scheduled to address Verisma’s 4th Annual Disclosure Management Summit in early May, cancelled due to the COVID-19 pandemic. The Webinar provided an opportunity to cover COVID-related guidance and as Noonan noted, it was a first opportunity this year for OCR to address its Right of Access Initiative.  (The webinar archive is available from Davy Simanivanh at DSimanivanh@verisma.com).

 COVID-19 Guidance

We are grateful to Mr. Noonan and the team at the Office for Civil Rights for its rapid fire response to COVID-19 in issuing seven (7) guidance documents in about the same number of weeks. The guidance helps front line care givers, first responders, public health officials, privacy and compliance officers, and health information professionals by clarifying common Privacy Rule questions such as sharing patient information without authorization with family and friends and public health.  Guidance expands flexibility, where needed, to get essential (read ‘minimally necessary’) information to those who need it to care for people in a time of crisis.

Guidance also addresses challenges relating to rapid expansion of telehealth, the ramp up of community-based testing, and media and film crew access to protected health information in a public health emergency.  Guidance outlines limits to enforcement discretion where good faith efforts by covered entities and business associates to fully comply with the Privacy Rule are a barrier to supporting critical public health and health oversight needs. If you haven’t already done so, visit the HIPAA and COVID-19 Web Page and become familiar with the guidance and its cautions.[1]

Right of Access Initiative

OCR is responsible for teaching covered entities and business associates and educating communities about the Privacy Rule (and other areas of civil rights).  It is also responsible for investigating complaints to determine whether they constitute violations.  Often areas of violation can be resolved by education coupled with a corrective action plan. Generally, the agency encourages corrective action and such encouragement produces change. For areas of egregious violation or failed corrective action, OCR has enforcement authority.

Mr. Noonan reported that OCR recieves over 26,000 complaints each year on some aspect of HIPAA and that complaints regarding Right of Access violations are increasingly common. He emphasized that the Right of Access is the “cornerstone of the Privacy Rule.” Accordingly, in February 2019, OCR announced that Right of Access violations would be a priority for HIPAA enforcement and two enforcement actions were announced in late 2019.  (Verisma addressed these in its December 17, 2019 Webinar: Turning Up the Heat! HHS Initiates Access Enforcement)  Mr. Noonan reminded us that the enforcement actions taken represent demonstrated systemic non-compliance. Effective release of information is characterized by policies and procedures that advance an individual’s Right of Access, including the right of individuals to exercise their privacy preferences and assert their information rights.

Right to Direct Health Records to a Third Party

One of these rights is to direct health records to a third party. Mr. Noonan reviewed elements of the January 2020 lawsuit settlement that vacated previous OCR policy limiting fees for authorized provision of health records to third parties—such as law firms and life insurance companies.  Mr. Noonan reiterated that this policy revision does not affect the individual’s right to access their protected health information.

The Health Insurance Portability and Accountability Act (HIPAA) is a multi-part law enacted by Congress in 1996.  Its privacy provisions went into effect over 17 years ago, at a time when health information was largely stored on paper and population health and patient engagement were not yet central strategies for health improvement.  In 2018, OCR issued a Request for Information (RFI) on areas where the Rule might be improved.In 2018, OCR issued a Request for Information (RFI) on areas where the Rule might be improved.  Now, a Notice of Proposed Rulemaking (NPRM) based on feedback obtained through the RFI is under internal review.  Mr. Noonan encouraged our community to read, reflect, and comment on the NPRM when it is published in the Federal Register, most likely later this year.  While privacy rights are enduring, how they are best protected must evolve to be relevant.

[1] https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html