[Federal Register Volume 86, Number 12 (Thursday, January 21, 2021)]
[Proposed Rules]
[Pages 6446-6538]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-27157]



[[Page 6445]]

Vol. 86, No. 12
Thursday, January 21, 2021

Part III

Department of Health and Human Services

-----------------------------------------------------------------------

45 CFR Parts 160 and 164

-----------------------------------------------------------------------

Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove 
Barriers to, Coordinated Care and Individual Engagement; Proposed Rule



-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Parts 160 and 164

[Docket No.: HHS-OCR-0945-AA00]
RIN 0945-AA00


Proposed Modifications to the HIPAA Privacy Rule To Support, and 
Remove Barriers to, Coordinated Care and Individual Engagement

AGENCY: Office for Civil Rights, Office of the Secretary, HHS.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The United States Department of Health and Human Services (HHS 
or ``the Department'') is issuing this Notice of Proposed Rulemaking 
(NPRM) to modify the Standards for the Privacy of Individually 
Identifiable Health Information (Privacy Rule) under the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA) and the 
Health Information Technology for Economic and Clinical Health Act of 
2009 (HITECH Act). These modifications address standards that may 
impede the transition to value-based health care by limiting or 
discouraging care coordination and case management communications among 
individuals and covered entities (including hospitals, physicians, and 
other health care providers, payors, and insurers) or posing other 
unnecessary burdens. The proposals in this NPRM address these burdens 
while continuing to protect the privacy and security of individuals' 
protected health information.

DATES: Comments due on or before March 22, 2021.

ADDRESSES: 
    You may submit comments to this proposed rule, identified by RIN 
0945-AA00 by any of the following methods:

     Federal eRulemaking Portal. You may submit electronic 
comments at http://www.regulations.gov by searching for the Docket 
ID number HHS-OCR-0945-AA00. Follow the online instructions for 
submitting comments through this method.
     Regular, Express, or Overnight Mail: You may mail 
comments to U.S. Department of Health and Human Services, Office for 
Civil Rights, Attention: Proposed Modifications to the HIPAA Privacy 
Rule to Support, and Remove Barriers to, Coordinated Care and 
Individual Engagement NPRM, RIN 0945-AA00, Hubert H. Humphrey 
Building, Room 509F, 200 Independence Avenue SW, Washington, DC 
20201.

All comments received by the methods and due date specified above will 
be posted without change to content to http://www.regulations.gov, 
including any personal information provided about the commenter, and 
such posting may occur before or after the closing of the comment 
period.
    The Department will consider all comments received by the date and 
time specified in the DATES section above, but, because of the large 
number of public comments normally received on Federal Register 
documents, the Department is not able to provide individual 
acknowledgments of receipt.
    Please allow sufficient time for mailed comments to be timely 
received in the event of delivery or security delays. Electronic 
comments with attachments should be in Microsoft Word or Portable 
Document Format (PDF).
    Please note that comments submitted by fax or email and those 
submitted after the comment period will not be accepted.
    Docket: For complete access to background documents or posted 
comments, go to http://www.regulations.gov and search for Docket ID 
number HHS-OCR-0945-AA00.

FOR FURTHER INFORMATION CONTACT: Marissa Gordon-Nguyen at (800) 368-
1019 or (800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: 
    The discussion below includes an executive summary, a description 
of the statutory and regulatory background of the proposed rule, a 
section-by-section discussion of the need for the proposed rule, a 
description of the proposed modifications, and a regulatory impact 
statement and other required regulatory analyses. The Department 
solicits public comment on all aspects of the proposed rule. The 
Department requests that persons commenting on the provisions of the 
proposed rule precede their discussion of any particular provision or 
topic with a citation to the section of the proposed rule being 
discussed.

Table of Contents

I. Executive Summary
    A. Overview
    B. Summary of Major Provisions
    C. Effective and Compliance Dates
    D. Care Coordination and Case Management Described
II. Statutory Authority and Regulatory History
    A. Health Insurance Portability and Accountability Act of 1996 
(HIPAA) and the HIPAA Rules
    B. The Health Information Technology for Economic and Clinical 
Health (HITECH) Act and the 2013 Omnibus Rule
    C. 21st Century Cures Act
III. Need for the Proposed Rule and Proposed Modifications
    A. Individual Right of Access (45 CFR 164.524)
    1. Adding Definitions for ``Electronic Health Record'' or EHR 
and ``Personal Health Application'' (45 CFR 164.501)
    2. Strengthening the Access Right To Inspect and Obtain Copies 
of PHI
    3. Modifying the Implementation Requirements for Requests for 
Access and Timely Action in Response to Requests for Access
    4. Addressing the Form of Access
    5. Addressing the Individual Access Right To Direct Copies of 
PHI to Third Parties
    6. Adjusting Permitted Fees for Access to PHI and ePHI
    7. Notice of Access and Authorization Fees
    8. Technical Change to General Rules for Required Business 
Associate Disclosures of PHI
    9. Request for Comments
    B. Reducing Identity Verification Burden for Individuals 
Exercising the Right of Access (45 CFR 164.514(h))
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comments
    C. Amending the Definition of Health Care Operations To Clarify 
the Scope of Care Coordination and Case Management (45 CFR 160.103)
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comments
    D. Creating an Exception to the Minimum Necessary Standard for 
Disclosures for Individual-Level Care Coordination and Case 
Management (45 CFR 164.502(b))
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comments
    E. Clarifying the Scope of Covered Entities' Abilities to 
Disclose PHI to Certain Third Parties for Individual-Level Care 
Coordination and Case Management That Constitutes Treatment or 
Health Care Operations (45 CFR 164.506)
    1. Current Provisions and Issues To Address
    2. Proposal
    3. Request for Comments
    F. Encouraging Disclosures of PHI when Needed to Help 
Individuals Experiencing Substance Use Disorder (Including Opioid 
Use Disorder), Serious Mental Illness, and in Emergency 
Circumstances (45 CFR 164.502 and 164.510-514)
    1. Current Provisions and Issues To Address
    2. Proposals
    3. Request for Comments
    G. Eliminating Notice of Privacy Practices Requirements Related 
to Obtaining Written Acknowledgment of Receipt, Establishing an 
Individual Right To Discuss the NPP With a Designated Person, 
Modifying the NPP Content Requirements, and Adding an Optional 
Element (45 CFR 164.520)
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comments
    H. Permitting Disclosures for Telecommunications Relay Services 
for People Who are Deaf, Hard of Hearing, or Deaf-Blind, or Who Have 
a Speech Disability (45 CFR 164.512)
    1. Current Provisions and Issues To Address
    2. Proposal
    3. Request for Comments
    I. Expanding the Permission To Use and Disclose the PHI of Armed 
Forces Personnel To Cover All Uniformed Services Personnel (45 CFR 
164.512(k))
    1. Current Provision and Issues To Address
    2. Proposal
    3. Request for Comments
IV. Public Participation
V. Regulatory Impact Analysis
    A. Executive Orders 12866 and 13563 and Related Executive Orders 
on Regulatory Review
    1. Summary of the Proposed Rule
    2. Need for the Proposed Rule
    3. Cost-Benefit Analysis
    4. Consideration of Regulatory Alternatives
    5. Request for Comments on Costs and Benefits
    B. Executive Order 13771
    C. Regulatory Flexibility Act
    D. Unfunded Mandates Reform Act
    E. Executive Order 13132--Federalism
    F. Assessment of Federal Regulation and Policies on Families
    G. Paperwork Reduction Act of 1995
    1. Explanation of Estimated Annualized Burden Hours
    2. Tables Demonstrating Estimated Burden Hours

I. Executive Summary

A. Overview

    In this notice of proposed rulemaking (NPRM), the Department 
proposes modifications to the Standards for Privacy of Individually 
Identifiable Health Information (the Privacy Rule), issued pursuant to 
section 264 of the Administrative Simplification provisions of title 
II, subtitle F, of HIPAA.\1\ The Privacy Rule is one of several rules, 
collectively known as the HIPAA Rules,\2\ that protect the privacy and 
security of individuals' medical records and other protected health 
information (PHI), i.e., individually identifiable health information 
maintained or transmitted by or on behalf of HIPAA covered entities 
(i.e., health care providers who conduct covered health care 
transactions electronically, health plans, and health care 
clearinghouses).
---------------------------------------------------------------------------

    \1\ Subtitle F of title II of HIPAA (Pub. L. 104-191, 110 Stat. 
1936 (August 21, 1996)) added a new part C to title XI of the Social 
Security Act, Public Law 74-271, 49 Stat. 620 (August 14, 1935) 
(see sections 1171-1179 of the Social Security Act, 42 U.S.C. 1320d-
1320d-8), as well as promulgating section 264 of HIPAA (codified at 
42 U.S.C. 1320d-2 note), which authorizes the Secretary to 
promulgate regulations with respect to the privacy of individually 
identifiable health information. The Privacy Rule has subsequently 
been amended pursuant to the Genetic Information Nondiscrimination 
Act (GINA), title I, section 105, Public Law 110-233, 122 Stat. 881 
(May 21, 2008) and the Health Information Technology for Economic 
and Clinical Health (HITECH) Act, Public Law 111-5, 123 Stat. 226 
(February 17, 2009).
    \2\ See also the HIPAA Security Rule, 45 CFR parts 160 and 164, 
subparts A and C, the HIPAA Breach Notification Rule, 45 CFR part 
164, subpart D, and the HIPAA Enforcement Rule, 45 CFR part 160, 
subparts C, D, and E.
---------------------------------------------------------------------------

    The proposals in this NPRM support the Department's Regulatory 
Sprint to Coordinated Care (Regulatory Sprint), described in detail 
below. Specifically, the proposals in this NPRM would amend provisions 
of the Privacy Rule that could present barriers to coordinated care and 
case management--or impose other regulatory burdens without 
sufficiently compensating for, or offsetting, such burdens through 
privacy protections. These regulatory barriers may impede the 
transformation of the health care system from a system that pays for 
procedures and services to a system of value-based health care that 
pays for quality care.
    The Department, which delegated the authority to administer HIPAA 
privacy standards to the Office for Civil Rights (OCR), developed many 
of the proposals contained in this NPRM after careful consideration of 
public input received in response to the Department's December 2018 
Request for Information on Modifying HIPAA Rules to Improve Coordinated 
Care (2018 RFI).\3\
---------------------------------------------------------------------------

    \3\ 83 FR 64302 (December 14, 2018).
---------------------------------------------------------------------------

B. Summary of Major Provisions

    The Department proposes to modify the Privacy Rule to increase 
permissible disclosures of PHI and to improve care coordination and 
case management by:
     Adding definitions for the terms electronic health record 
(EHR) and personal health application.
     Modifying provisions on the individuals' right \4\ of 
access to PHI by:
---------------------------------------------------------------------------

    \4\ Under the HIPAA Privacy Rule, and in this NPRM, an 
individual's rights generally include the ability of the 
individual's personal representative to exercise those rights on the 
individual's behalf. See 45 CFR 164.502(g).
---------------------------------------------------------------------------

    [cir] Strengthening individuals' rights to inspect their PHI in 
person, which includes allowing individuals to take notes or use other 
personal resources to view and capture images of their PHI;
    [cir] shortening covered entities' required response time to no 
later than 15 calendar days (from the current 30 days) with the 
opportunity for an extension of no more than 15 calendar days (from the 
current 30-day extension);
    [cir] clarifying the form and format required for responding to 
individuals' requests for their PHI;
    [cir] requiring covered entities to inform individuals that they 
retain their right to obtain or direct copies of PHI to a third party 
when a summary of PHI is offered in lieu of a copy;
    [cir] reducing the identity verification burden on individuals 
exercising their access rights;
    [cir] creating a pathway for individuals to direct the sharing of 
PHI in an EHR among covered health care providers and health plans, by 
requiring covered health care providers and health plans to submit an 
individual's access request to another health care provider and to 
receive back the requested electronic copies of the individual's PHI in 
an EHR;
    [cir] requiring covered health care providers and health plans to 
respond to certain records requests received from other covered health 
care providers and health plans when directed by individuals pursuant 
to the right of access;
    [cir] limiting the individual right of access to direct the 
transmission of PHI to a third party to electronic copies of PHI in an 
EHR; \5\
---------------------------------------------------------------------------

    \5\ This proposed rule uses the terms ``electronic copies'' and 
``in an electronic format'' interchangeably.
---------------------------------------------------------------------------

    [cir] specifying when electronic PHI (ePHI) must be provided to the 
individual at no charge;
    [cir] amending the permissible fee structure for responding to 
requests to direct records to a third party; and
    [cir] requiring covered entities to post estimated fee schedules on 
their websites for access and for disclosures with an individual's 
valid authorization \6\ and, upon request, provide individualized 
estimates of fees for an individual's request for copies of PHI, and 
itemized bills for completed requests.
---------------------------------------------------------------------------

    \6\ This proposed rule uses the term ``authorization'' to refer 
to an authorization under 45 CFR 164.508.
---------------------------------------------------------------------------

     Amending the definition of health care operations to 
clarify the scope of permitted uses and disclosures for individual-
level care coordination and case management that constitute health care 
operations.
     Creating an exception to the ``minimum necessary'' 
standard for individual-level care coordination and case management 
uses and disclosures. The minimum necessary standard generally requires 
covered entities to limit uses and disclosures of PHI to the minimum 
necessary needed to accomplish the purpose of each use or disclosure. 
This proposal would relieve covered entities of the minimum necessary 
requirement for uses by, disclosures to, or requests by, a health plan 
or covered health care provider for care coordination and case 
management activities with respect to an individual, regardless of 
whether such activities
constitute treatment or health care operations.
     Clarifying the scope of covered entities' abilities to 
disclose PHI to social services agencies, community-based 
organizations, home and community based service (HCBS) providers,\7\ 
and other similar third parties that provide health-related services, 
to facilitate coordination of care and case management for individuals.
---------------------------------------------------------------------------

    \7\ For purposes of this proposed rule, the Department refers to 
home and community-based services (HCBS) providers as they are 
described and referenced in the context of the Medicaid program. See 
generally 42 CFR part 441 subparts G, K, and M. See also National 
Quality Forum stating that HCBS ``refers to an array of services and 
supports delivered in the home or other integrated community setting 
that promote the independence, health and well-being, self-
determination, and community inclusion of a person of any age who 
has significant, longer-term physical, cognitive, sensory, and/or 
behavior health needs.'' ``Quality in Home and Community Based 
Service to Support Community Living: Addressing Gaps in Performance 
Measurement Final Report'' (September 2016), available at https://www.qualityforum.org/Publications/2016/09/Quality_in_Home_and_Community-Based_Services_to_Support_Community_Living__Addressing_Gaps_in_Performance_Measurement.aspx.
---------------------------------------------------------------------------

     Replacing the privacy standard that permits covered 
entities to make certain uses and disclosures of PHI based on their 
``professional judgment'' with a standard permitting such uses or 
disclosures based on a covered entity's good faith belief that the use 
or disclosure is in the best interests of the individual. The proposed 
standard is more permissive in that it would presume a covered entity's 
good faith, but this presumption could be overcome with evidence of bad 
faith.
     Expanding the ability of covered entities to disclose PHI 
to avert a threat to health or safety when a harm is ``serious and 
reasonably foreseeable,'' instead of the current stricter standard 
which requires a ``serious and imminent'' threat to health or safety.
     Eliminating the requirement to obtain an individual's 
written acknowledgment of receipt of a direct treatment provider's 
Notice of Privacy Practices (NPP).
     Modifying the content requirements of the NPP to clarify 
for individuals their rights with respect to their PHI and how to 
exercise those rights.
     Expressly permitting disclosures to Telecommunications 
Relay Services (TRS) communications assistants for persons who are 
deaf, hard of hearing, or deaf-blind, or who have a speech disability, 
and modifying the definition of business associate to exclude TRS 
providers.
     Expanding the Armed Forces permission to use or disclose 
PHI to all uniformed services, which then would include the U.S. Public 
Health Service (USPHS) Commissioned Corps and the National Oceanic and 
Atmospheric Administration (NOAA) Commissioned Corps.
    The Department carefully considered the extent to which each 
proposed modification would impact privacy protections compared to the 
likely benefit of making PHI more available for coordination of care or 
case management. These and other considerations are fully described for 
each proposal below.

C. Effective and Compliance Dates

    The effective date of a final rule would be 60 days after 
publication. Covered entities and their business associates would have 
until the ``compliance date'' to establish and implement policies and 
practices to achieve compliance with any new or modified standards. 
Except as otherwise provided, 45 CFR 160.105 provides that covered 
entities and business associates must comply with the applicable new or 
modified standards or implementation specifications no later than 180 
days from the effective date of any such change. The Department 
previously noted that the 180-day general compliance period for new or 
modified standards would not apply where a different compliance period 
is provided in the regulation for one or more provisions.\8\
---------------------------------------------------------------------------

    \8\ See 78 FR 5566, 5569 (Jan. 25, 2013).
---------------------------------------------------------------------------

    The Department believes that compliance with the proposed 
modifications should require no longer than the standard 180-day period 
provided in 45 CFR 160.105, and thus proposes a compliance date of 180 
days after the effective date of a final rule.\9\ Accordingly, because 
the effective date would be 60 days after publication, OCR would begin 
enforcement of the new and revised standards 240 days after 
publication of a final rule.
---------------------------------------------------------------------------

    \9\ See 45 CFR 160.104(c)(1), which requires the Secretary to 
provide at least a 180-day period for covered entities to comply 
with modifications to standards and implementation specifications in 
the HIPAA Rules.
---------------------------------------------------------------------------

    The Department requests comment on whether the 180-day compliance 
period is sufficient for covered entities and business associates to 
revise existing policies and practices and complete training and 
implementation. For proposed modifications that would be difficult to 
accomplish within the 180-day timeframe, the Department requests 
information about the types of entities and proposed modifications that 
would necessitate a longer compliance period, how much longer such 
compliance period would need to be to address such issues, as well as 
the complexity and scope of changes and the impact on entities and 
individuals of a longer compliance period.

D. Care Coordination and Case Management Described

    On January 30, 2017, President Donald Trump issued Executive Order 
(E.O.) 13771, ``Presidential Executive Order on Reducing Regulation and 
Controlling Regulatory Costs,'' \10\ followed by E.O. 13777, 
``Enforcing the Regulatory Reform Agenda.'' These executive orders make 
clear ``the policy of the United States to alleviate unnecessary 
regulatory burdens placed on the American people . . .'' \11\ In 
several public speeches, Secretary of Health and Human Services Alex M. 
Azar II identified the value-based transformation of the Nation's 
healthcare system as one of his top priorities for the Department, and 
described how it relates to a reduction of regulatory burden. In a 2018 
speech to the Federation of American Hospitals, Secretary Azar 
committed to addressing ``government burdens that may be getting in the 
way of integrated, collaborative, and holistic care for the patient, 
and of structures that may create new value more generally.'' \12\ 
Secretary Azar also explained the need for regulatory reform in his 
remarks to the Better Medicare Alliance: ``The barriers to effective 
coordination among providers are much steeper than just excessive 
paperwork. . . . Addressing these regulations that impede care 
coordination are part of a much broader regulatory reform effort at 
HHS.'' \13\
---------------------------------------------------------------------------

    \10\ Available at https://www.whitehouse.gov/presidential-actions/presidential-executive-order-reducing-regulation-controlling-regulatory-costs/.
    \11\ Available at https://www.govinfo.gov/content/pkg/FR-2017-03-01/pdf/2017-04107.pdf.
    \12\ Remarks on Value-Based Transformation to the Federation of 
American Hospitals, Alex M. Azar II, Federation of American 
Hospitals, March 5, 2018, available at https://www.hhs.gov/about/leadership/secretary/speeches/2018-speeches/remarks-on-value-based-transformation-to-the-federation-of-american-hospitals.html.
    \13\ Remarks on the Trump Administration Healthcare Vision, 
Secretary Alex M. Azar II, Better Medicare Alliance, July 23, 2019, 
available at https://www.hhs.gov/about/leadership/secretary/speeches/2019-speeches/remarks-on-the-trump-administration-healthcare-vision.html.
---------------------------------------------------------------------------

    In support of this priority, HHS Deputy Secretary Eric D. Hargan 
explained, before the Joint Commission on May 29, 2019, that care 
coordination is a necessary component of achieving value-based care:

    It's about coordination, above all--we're focused on 
understanding how regulations are impeding coordination among 
providers
that can provide better, lower cost patient care, and then reforming 
these regulations consistent with the laws and their intents. And, 
finally, it's about care. Regulating health care means regulating 
some of the most intimate decisions and relationships in our lives--
deciding where and when to seek health care, how to make decisions 
with our doctors and family members, and more.\14\
---------------------------------------------------------------------------

    \14\ See the full text of Deputy Secretary Hargan's remarks at 
https://www.hhs.gov/about/leadership/eric-d-hargan/speeches/remarks-to-the-joint-commission-board.html (May 29, 2019).

    More recently, the Secretary praised the advancement of coordinated 
care with the publication of final rules on interoperability, access to 
health information, and certification of electronic health record 
technology. The Secretary stated, ``These rules are the start of a new 
chapter in how patients experience American healthcare, opening up 
countless new opportunities for them to improve their own health, find 
the providers that meet their needs, and drive quality through greater 
coordination.'' \15\ And, when announcing the publication of a final 
rule modifying regulations on the confidentiality of substance use 
disorder treatment records, the Secretary stated, ``This reform will 
help make it easier for Americans to discuss substance use disorders 
with their doctors, seek treatment, and find the road to recovery.'' 
\16\
---------------------------------------------------------------------------

    \15\ See the full text of Secretary Azar's remarks at https://www.cms.gov/newsroom/press-releases/hhs-finalizes-historic-rules-provide-patients-more-control-their-health-data.
    \16\ See the full text of Secretary Azar's remarks available at 
https://www.hhs.gov/about/news/2020/07/13/health-privacy-rule-42-cfr-part-2-revised-modernizing-care-coordination-americans-seeking-treatment.html.
---------------------------------------------------------------------------

    The Department intends for this proposed rule to support the full 
scope of care coordination and case management activities to further 
the Department's goal of achieving value-based health care. Although 
neither care coordination nor case management has a precise, commonly 
agreed upon definition, both refer broadly to a set of activities aimed 
at promoting cooperation among members of an individual's health care 
delivery team, including family members, caregivers, and community 
based organizations. To encompass these broad categories of activities, 
the Department offers a non-exhaustive list of examples for 
understanding care coordination and case management in the context of 
this NPRM, rather than proposing limited definitions. The Department 
welcomes comment on the examples and descriptions herein and on any 
additional definitions, examples, or scenarios that would be helpful 
for regulated entities and the public to understand what constitutes 
care coordination and case management.
    For example, the Department's Office of Inspector General (OIG), in 
conjunction with the Department, issued a proposed rule as part of the 
Department's Regulatory Sprint to Coordinated Care. Under proposed safe 
harbors for the anti-kickback statute, OIG proposes to define 
``coordination and management of care'' as the ``deliberate 
organization of patient care activities and sharing of information 
between two or more value-based enterprise (VBE) participants or VBE 
participants and patients, tailored to improving the health outcomes of 
the target patient population, in order to achieve safer and more 
effective care for the target population.'' \17\
---------------------------------------------------------------------------

    \17\ 84 FR 55694, 55762 (October 17, 2019).
---------------------------------------------------------------------------

    Additionally, as noted by the Centers for Medicare & Medicaid 
Services (CMS) in a recent RFI, ``care coordination is a key aspect of 
systems that deliver value.'' \18\ As CMS describes in guidance on the 
Medicaid benefit for children and adolescents, ``care coordination'' 
includes a range of activities that link individuals to services and 
improve communication flow. The guidance states that the various 
definitions of this term share three key concepts: Comprehensive 
coordination (involving coordination of all services, including those 
delivered by systems other than the health system), patient-centered 
coordination (designed to meet the needs of the patient), and access 
and follow-up (described as ensuring the delivery of appropriate 
services and information flow among providers and back to the primary 
care provider).\19\ In 2019 CMS issued a fact sheet associated with the 
Medicaid health home benefit, which includes six mandatory core 
elements for access to and coordination of care: Comprehensive care 
management, care coordination, health promotion, comprehensive 
transitional care and follow-up, individual and family support, and 
referral to community and social services. The term ``case management'' 
is defined in the Medicaid context for state plans as ``services 
furnished to assist individuals, eligible under the (Medicaid) State 
plan who reside in a community setting or are transitioning to a 
community setting, in gaining access to needed medical, social, 
educational, and other services.'' \20\ In the context of HCBS waivers, 
case management ``usually entails (but is not limited to) conducting 
the following functions: Evaluation and/or re-evaluation of level of 
care, assessment and/or reassessment of the need for waiver services, 
development and/or review of the service plan, coordination of multiple 
services and/or among multiple providers, linking waiver participants 
to other federal, state and local programs, monitoring the 
implementation of the service plan and participant health and welfare, 
addressing problems in service provision, and responding to participant 
crises.'' \21\
---------------------------------------------------------------------------

    \18\ 83 FR 29524 (June 25, 2018).
    \19\ ``Making Connections: Strengthening Care Coordination in 
the Medicaid Benefit for Children & Adolescents,'' Centers for 
Medicare and Medicaid Services, page 3 (September 2014), available 
at https://www.medicaid.gov/medicaid/benefits/downloads/epsdt-care-coordination-strategy-guide.pdf.
    \20\ 42 CFR 440.169.
    \21\ ``Instructions, Technical Guide and Review Criteria, 
Application for Sec.  1915(c) Home and Community Based Waiver'' 
(January 2019) available at https://www.nasddds.org/uploads/documents/Version3.6InstructionsJan2019.pdf.
---------------------------------------------------------------------------

    The Department's Agency for Healthcare Research and Quality (AHRQ) 
describes care coordination as ``the deliberate organization of patient 
care activities between two or more participants (including the 
patient) involved in a patient's care to facilitate the appropriate 
delivery of health care services.'' \22\ AHRQ describes a broad 
approach to care coordination as involving commonly used practices to 
improve health care delivery, including teamwork, care management, 
medication management, health information technology, and patient-
centered medical homes. AHRQ also describes a ``specific care 
coordination'' approach that closely aligns with individual patient 
needs. Examples include creating a proactive care plan, patient 
monitoring and follow-up, supporting patient self-management goals, and 
linking to community resources.\23\
---------------------------------------------------------------------------

    \22\ ``Care Coordination, Quality Improvement, Agency for 
Healthcare Research and Quality'' (2014), available at https://www.ahrq.gov/research/findings/evidence-based-reports/caregaptp.html 
(citing McDonald KM, Sundaram V, Bravata DM, et al., ``Closing the 
Quality Gap: A Critical Analysis of Quality Improvement Strategies: 
Volume 7--Care Coordination, Technical Reviews,'' No. 9.7, conducted 
for AHRQ (2007)).
    \23\ Ibid.
---------------------------------------------------------------------------

    Another frequently cited definition comes from the National Quality 
Forum (NQF), the consensus-based entity recognized by the Department, 
which defines ``care coordination'' as ``a multidimensional concept 
that includes effective communication among healthcare providers, 
patients, families, and caregivers; safe care transitions; a 
longitudinal view of care that considers the past, while monitoring 
present delivery of care and anticipating future needs; and the facilitation of 
linkages between communities and the healthcare system to address 
medical, social, educational, and other support needs that align with 
patient goals.'' \24\
---------------------------------------------------------------------------

    \24\ ``Care Coordination Endorsement Maintenance Project 2016-
2017,'' available at http://www.qualityforum.org/Projects/c-d/Care_Coordination_2016-2017/Care_Coordination_2016-2017.aspx, 
discussing a multi-phased effort to provide guidance and measurement 
of care coordination activities, including endorsing a 2006 
definition of care coordination as ``a function that helps ensure 
that the patient's needs and preferences for health services and 
information sharing across people, functions, and sites are met over 
time.'' See the full definition at https://www.tnaap.org/documents/nqf-definition-and-framework-for-measuring-care-co.pdf.
---------------------------------------------------------------------------

    Definitions of ``case management'' are equally varied. The Case 
Management Society of America (CMSA) defines case management as ``a 
collaborative process of assessment, planning, facilitation, care 
coordination, evaluation and advocacy for options and services to meet 
an individual's and family's comprehensive health needs through 
communication and available resources to promote patient safety, 
quality of care, and cost effective outcomes.'' \25\ The American Case 
Management Association (ACMA) describes case management in hospital and 
health care systems as ``a collaborative practice model including 
patients, nurses, social workers, physicians, other practitioners, 
caregivers and the community.'' The ACMA's approach to case management 
encompasses communication and seeks to facilitate care along a 
continuum through effective resource coordination. The goals of case 
management include the achievement of ``optimal health, access to care 
and appropriate utilization of resources, balanced with the patient's 
right to self-determination.'' \26\
---------------------------------------------------------------------------

    \25\ ``What Is A Case Manager?'' Case Management Society of 
America (2017), available at http://www.cmsa.org/who-we-are/what-is-a-case-manager/.
    \26\ ``Definition of Case Management,'' American Case Management 
Association, available at https://www.acmaweb.org/section.aspx?sID=4.
---------------------------------------------------------------------------

II. Statutory Authority \27\ and Regulatory History
---------------------------------------------------------------------------

    \27\ While not relevant to this rulemaking, the Department also 
has authority to modify the Privacy Rule under GINA.
---------------------------------------------------------------------------

A. Health Insurance Portability and Accountability Act of 1996 (HIPAA) 
and the HIPAA Rules

    The Administrative Simplification provisions of HIPAA provide for 
the establishment of national standards to protect the privacy and 
security of individuals' health information and established civil money 
and criminal penalties for violations of the requirements, among other 
provisions.\28\ Under HIPAA, the Administrative Simplification 
provisions originally applied to three types of entities, known as 
``covered entities'': Health care providers who transmit health 
information electronically in connection with any transaction for which 
the Department has adopted an electronic transaction standard, health 
plans, and health care clearinghouses.\29\ As discussed more fully 
below, through a subsequent statute and its implementing regulations, 
some of the provisions of the Privacy Rule now also directly apply to 
the business associates \30\ of covered entities.\31\
---------------------------------------------------------------------------

    \28\ See 42 U.S.C. 1320d-1-1320d-9. With respect to privacy 
standards, Congress directed HHS to ``address at least the 
following: (1) The rights that an individual who is a subject of 
individually identifiable health information should have. (2) The 
procedures that should be established for the exercise of such 
rights. (3) The uses and disclosures of such information that should 
be authorized or required.'' 42 U.S.C. 1320d-2 note.
    \29\ See 42 U.S.C. 1320d-1 (applying administrative 
simplification provisions to covered entities).
    \30\ A business associate is a person, other than a workforce 
member, that performs certain functions or activities for or on 
behalf of a covered entity, or that provides certain services to a 
covered entity involving the disclosure of PHI to the person. See 45 
CFR 160.103.
    \31\ See 42 U.S.C. 17934 and HHS Office for Civil Rights Fact 
Sheet on Direct Liability of Business Associates under HIPAA, (May 
2019), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
---------------------------------------------------------------------------

    The Department issued its first regulation to implement HIPAA, the 
Privacy Rule, on December 28, 2000.\32\ The Department has modified the 
Privacy Rule several times since then to address new statutory 
requirements and to strengthen, refine, or add flexibility to privacy 
requirements in specific circumstances.\33\
---------------------------------------------------------------------------

    \32\ 65 FR 82462 (December 28, 2000).
    \33\ See 67 FR 53182 (August 14, 2002), 78 FR 5566 (January 25, 
2013), 79 FR 7289 (February 6, 2014) and 81 FR 382 (January 6, 
2016).
---------------------------------------------------------------------------

    The Privacy Rule protects individuals' medical records and other 
individually identifiable health information created, received, 
maintained, or transmitted by or on behalf of covered entities, which 
are collectively defined as PHI. The Privacy Rule protects individuals' 
PHI by regulating the circumstances under which covered entities and 
their business associates may use or disclose PHI and by requiring 
covered entities to have safeguards in place to protect the privacy of 
PHI. As part of these protections, covered entities are required to 
have contracts or other arrangements in place with business associates 
that use PHI to perform functions for or on behalf of, or provide 
services to, the covered entity and that require access to PHI to 
ensure that these business associates also protect the privacy of PHI. 
The Privacy Rule also establishes the rights of individuals with 
respect to their PHI, including the right to receive adequate notice of 
a covered entity's privacy practices, the right to request restrictions 
of uses and disclosures, the right to access (i.e., to inspect and 
obtain a copy of) their PHI, the right to request an amendment of their 
PHI, and the right to receive an accounting of disclosures.\34\
---------------------------------------------------------------------------

    \34\ See 45 CFR 164.520, 164.522, 164.524, 164.526 and 164.528.
---------------------------------------------------------------------------

    The Department established the right of individuals to access their 
PHI in the 2000 Privacy Rule,\35\ 45 CFR 164.524, ``Access of 
individuals to protected health information.'' Section 164.524 included 
requirements for timely action by covered entities, form and format of 
copies, the denial of access, and documentation. Certain provisions, 
such as the requirement for covered entities to provide individuals 
access to PHI in the form or format requested by the individual if 
readily producible, and the permission for covered entities to impose a 
reasonable, cost-based fee for copies, were expanded through the 
subsequent enactment of the HITECH Act and the 2013 Omnibus Final Rule 
modifying the Privacy Rule (the 2013 Omnibus Rule).\36\
---------------------------------------------------------------------------

    \35\ 65 FR 82462 (December 28, 2000).
    \36\ 78 FR 5566 (January 25, 2013).
---------------------------------------------------------------------------

    OCR has delegated authority from the Secretary to make decisions 
regarding the implementation, interpretation, and enforcement of the 
Privacy Rule. Under this authority, OCR also administers and enforces 
the Security Rule, which requires covered entities and their business 
associates to implement certain administrative, physical, and technical 
safeguards to protect ePHI; and the Breach Notification Rule, which 
requires covered entities to provide notification to affected 
individuals, the Secretary of HHS, and, in some cases, the media, 
following a breach of unsecured PHI, and requires a covered entity's 
business associate that experiences a breach of unsecured PHI to notify 
the covered entity of the breach.
    With respect to the HIPAA Enforcement Rule, which contains 
provisions addressing compliance, investigations, the imposition of 
civil money penalties for violations of the HIPAA Rules, and procedures 
for hearings, OCR also acts based on its delegated authority.

[[Page 6451]]

B. The Health Information Technology for Economic and Clinical Health 
(HITECH) Act and the 2013 Omnibus Rule

    The Health Information Technology for Economic and Clinical Health 
(HITECH) Act, Title XIII of Division A and Title IV of Division B of 
the American Recovery and Reinvestment Act of 2009,\37\ enacted 
February 17, 2009, is designed to promote the widespread adoption and 
standardization of health information technology (health IT). Subtitle 
D of title XIII, entitled ``Privacy,'' contains amendments to sections 
1176 and 1177 of the Social Security Act designed to strengthen the 
privacy and security protections established under HIPAA. These 
provisions extended the applicability of certain Privacy Rule 
requirements and all of the Security Rule requirements to the business 
associates of covered entities; required HIPAA covered entities and 
business associates to provide for notification of breaches of 
unsecured PHI (implemented by the Breach Notification Rule); 
established new limitations on the use and disclosure of PHI for 
marketing and fundraising purposes; prohibited the sale of PHI; 
required consideration of whether a limited data set can serve as the 
minimum necessary amount of information for uses and disclosures of 
PHI; and expanded individuals' rights to access electronic copies of 
their PHI in an EHR, to receive an accounting of disclosures of their 
PHI with respect to ePHI, and to request restrictions on certain 
disclosures of PHI to health plans. In addition, subtitle D 
strengthened and expanded HIPAA's enforcement provisions.
---------------------------------------------------------------------------

    \37\ Public Law 111-5, 123 Stat. 115 (February 17, 2009) 
(codified at 42 U.S.C. 201 note).
---------------------------------------------------------------------------

    Section 13405(e) of the HITECH Act strengthened the Privacy Rule's 
right of access with respect to covered entities that use or maintain 
an EHR. Under Subtitle D of Title XIII of the HITECH Act, ``The term 
``electronic health record'' means an electronic record of health-
related information on an individual that is created, gathered, 
managed, and consulted by authorized health care clinicians and 
staff.'' \38\ The HITECH Act does not define the term ``clinician.'' 
Section 13405(e) provides that when a covered entity uses or maintains 
an EHR with respect to PHI of an individual, the individual shall have 
a right to obtain from the covered entity a copy of such PHI in an 
electronic format, and that the individual may direct the covered 
entity to transmit such copy directly to the individual's designee, 
provided that any such choice is clear, conspicuous, and specific. 
Section 13405(e) also provides that any fee imposed by the covered 
entity for providing such an electronic copy shall not be greater than 
the entity's labor costs in responding to the request for the copy.
---------------------------------------------------------------------------

    \38\ See 42 U.S.C. 17921(5), definition of ``Electronic health 
record.''
---------------------------------------------------------------------------

    On July 14, 2010, the Department issued an NPRM to modify the HIPAA 
Rules consistent with the HITECH Act (2010 NPRM).\39\ Among other 
changes, the 2010 NPRM proposed to modify the Privacy Rule to address 
individual access rights to certain electronic PHI, including proposed 
requirements with respect to the form, format, and manner of access 
requested; the ability of the individual to direct a copy to a 
designee; and fee limitations for providing the requested access. In 
the 2010 NPRM, the Department acknowledged that section 13405(e) of the 
HITECH Act ``applies by its terms'' only to PHI in EHRs.\40\ However, 
the Department proposed to rely on its broad statutory authority under 
HIPAA section 264(c) to issue regulations expanding the HITECH Act 
requirements to avoid ``a complex set of disparate requirements for 
access'' such as different requirements for access to paper versus 
electronic records.\41\ The Department further explained its proposed 
implementation of the HITECH Act provisions:
---------------------------------------------------------------------------

    \39\ See 75 FR 40868 (July 14, 2010).
    \40\ 75 FR 40868, 40901 (July 14, 2010).
    \41\ Ibid.

    As such, the Department proposes to use its authority under 
section 264(c) of HIPAA to prescribe the rights individuals should 
have with respect to their individually identifiable health 
information to strengthen the right of access as provided under 
section 13405(e) of the HITECH Act more uniformly to all protected 
health information in one or more designated record sets 
electronically, regardless of whether the designated record set is 
an electronic health record.\42\
---------------------------------------------------------------------------

    \42\ Ibid.

    The 2013 Omnibus Rule finalized 45 CFR 164.524(c)(2)(ii), providing 
that if the individual's requested PHI is maintained in one or more 
designated record sets \43\ ``electronically'', and if the individual 
requests an electronic copy, the covered entity must provide the 
individual with access to his or her PHI in the electronic form and 
format requested by the individual if it is readily producible in such 
form and format.\44\ Alternatively, if the form and format of the PHI 
are not readily producible, the covered entity must provide the PHI in 
a readable electronic form and format as agreed to by the covered 
entity and individual.\45\ The Department also noted that the Privacy 
Rule, as first finalized in 2000, already applied the right of access 
to PHI held in designated record sets, and required a covered entity to 
provide the PHI in the ``form and format'' requested by the individual, 
including electronically, if ``readily producible.'' \46\
---------------------------------------------------------------------------

    \43\ A ``Designated record set'' is defined as (1) A group of 
records maintained by or for a covered entity that is: (i) The 
medical records and billing records about individuals maintained by 
or for a covered health care provider; (ii) The enrollment, payment, 
claims adjudication, and case or medical management record systems 
maintained by or for a health plan; or (iii) Used, in whole or in 
part, by or for the covered entity to make decisions about 
individuals. (2) For purposes of this paragraph, the term record 
means any item, collection, or grouping of information that includes 
protected health information and is maintained, collected, used, or 
disseminated by or for a covered entity. 45 CFR 164.501.
    \44\ 78 FR 5566, 5633 (January 25, 2013).
    \45\ Ibid.
    \46\ Ibid.
---------------------------------------------------------------------------

    The 2013 Omnibus Rule also finalized 45 CFR 164.524(c)(3)(ii) 
providing that covered entities must transmit a copy of an individual's 
PHI directly to a third party designated by the individual if the 
individual's request for access directs the covered entity to do 
so.\47\ The Department noted that, in contrast to other access requests 
by individuals pursuant to 45 CFR 164.524, requests to transmit a copy 
of PHI to a third party must be in writing, signed by the individual, 
and clearly identify the designated third party and where to send the 
copy of the PHI. In finalizing this provision, the Department cited 
section 13405(e) of the HITECH Act and section 264(c) of HIPAA, and 
stated that the finalized provision was consistent with its prior 
interpretation and would apply without regard to whether the PHI was in 
electronic or paper form.\48\
---------------------------------------------------------------------------

    \47\ Id. at 5634.
    \48\ Ibid.
---------------------------------------------------------------------------

    With respect to fees for access, the 2000 Privacy Rule permitted a 
covered entity to impose only a reasonable, cost-based fee for a copy 
of PHI under the right of access, which was limited to: (1) The costs 
of supplies and labor for copying; (2) postage to mail the copy; and 
(3) preparation of a summary or explanation of PHI if agreed to by the 
individual.\49\ As noted above, section 13405(e)(2) of the HITECH Act 
provided that, where a covered entity uses or maintains an EHR, any fee 
for providing electronic copies (or summary or explanation) of PHI 
shall not be greater than the entity's labor costs in responding to the 
request. Therefore, to implement the fee provisions of the HITECH Act, 
the 2013 Omnibus Rule amended 45 CFR 164.524(c)(4) to provide that fees 
could include, in addition to postage and preparation of a summary or 
explanation when applicable, only the following: (i) Labor for copying the 
PHI requested by the individual, whether in paper or electronic form; and 
(ii) supplies for creating the paper or electronic media if the individual 
requested that the PHI be provided in portable format.\50\
---------------------------------------------------------------------------

    \49\ See Id. at 5635.
    \50\ Id. at 5635-36.
---------------------------------------------------------------------------

    In the 2013 Omnibus Rule, the Department described the labor for 
copying PHI, whether in paper or electronic form, as one factor that 
may be included in a reasonable, cost-based fee.\51\ It also noted that 
rather than propose more detailed considerations for this factor in 
regulatory text, it retained all prior interpretations of labor with 
respect to paper copies--that is, that the labor cost of copying does 
not include costs associated with searching and retrieval of requested 
PHI.\52\ For example, labor for copying PHI may include the labor 
necessary to reproduce and transfer the PHI in the form and format and 
manner requested or agreed to by the individual, such as by converting 
electronic information in one format to the format requested by or 
agreed to by the individual, or transferring electronic PHI from a 
covered entity's data system(s) to portable electronic media or email. 
The Department also explained that the reorganization and addition of 
the phrase ``electronic media'' reflected its understanding that 
section 13405(e)(2) of the HITECH Act allowed for the inclusion of only 
labor costs in the fee for electronic copies, and by implication, 
excluded costs for supplies that are used to create the electronic copy 
(e.g., computers, scanners). Finally, the Department explained that its 
interpretation of the HITECH Act would permit a covered entity to 
charge a reasonable and cost-based fee for any electronic media it 
provided, as requested or agreed to by an individual.\53\
---------------------------------------------------------------------------

    \51\ Id. at 5636.
    \52\ Ibid.
    \53\ Ibid.
---------------------------------------------------------------------------

    In 2016, to educate the public about the individual right of access 
and clarify covered entities' obligations to fulfill this right, OCR 
issued extensive guidance (2016 Access Guidance) on how OCR interprets 
and implements 45 CFR 164.524. The 2016 Access Guidance comprises a 
comprehensive fact sheet and a set of frequently asked questions (FAQs) 
that provide additional detail.\54\
---------------------------------------------------------------------------

    \54\ See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html for the full text of the 2016 Access 
Guidance.
---------------------------------------------------------------------------

    Among other clarifications, the guidance included the Department's 
interpretation and intention that, as an expansion of the individual 
right of access, the right to direct a copy of PHI to a third party 
incorporated the general access right's pre-existing conditions and 
requirements, including its fee limitations. Accordingly, the guidance 
expressly stated that the access fee limitation applied, regardless of 
whether the individual requested that the copy of PHI be sent to the 
individual, or directed the copy of PHI to a third party designated by 
the individual.
    On January 23, 2020, by memorandum opinion and order in Ciox 
Health, LLC v. Azar, et al. (Ciox v. Azar),\55\ the U.S. District Court 
for the District of Columbia vacated: (1) The Department's expansion of 
the HITECH Act's ``third-party directive'' (i.e., the right of an 
individual to direct a copy of PHI to a third party) beyond requests 
for an electronic copy of PHI in an EHR; and (2) the extension of the 
individual ``patient rate'' for fees for copies of PHI directed to 
third parties. More specifically, the court held that 45 CFR 
164.524(c)(3)(ii), as added to the Privacy Rule by the 2013 Omnibus 
Rule, exceeded the statutory authority in section 13405(e)(2) of the 
HITECH Act, which granted a limited right to individuals to direct a 
copy of ePHI in an EHR to a third party in an electronic format. 
Further, the court ruled that the Department impermissibly broadened 
the application of the access fee limitation (known as the ``patient 
rate'') to apply to copies of PHI directed to third parties, insofar as 
the Department failed to subject this requirement, first expressly 
stated in the 2016 Access Guidance, to notice and comment rulemaking.
---------------------------------------------------------------------------

    \55\ No. 18-cv-0040-APM (D.D.C. January 23, 2020).
---------------------------------------------------------------------------

    Consistent with the court's opinion, which the Department did not 
appeal, the Department takes the opportunity of this NPRM to seek 
public comment on proposals to: (1) Narrow the scope of the access 
right to direct records to a third party to only electronic copies of 
PHI in an EHR; and (2) apply new fee limitations to the access right to 
direct a copy of PHI to a third party, as described more fully below.

C. 21st Century Cures Act

    The 21st Century Cures Act (Cures Act) \56\ was enacted on December 
13, 2016, to accelerate the discovery, development, and delivery of 
21st century cures, and for other purposes. The Cures Act added certain 
provisions to the Public Health Service Act (PHSA) \57\ relating to 
health IT.\58\ While the Department is not proposing a rule under the 
Cures Act in this NPRM, the proposals in this NPRM take into 
consideration certain provisions of the Cures Act that facilitate the 
exchange of health information, and thus provide helpful context for 
this rulemaking. Section 4004 of the Cures Act added section 3022 of 
the PHSA (42 U.S.C. 300jj-52), the ``information blocking'' provision. 
Section 3022(a)(1) defines information blocking as a ``practice that, 
except as required by law or specified by the Secretary pursuant to 
rulemaking, is likely to interfere with, prevent, or materially 
discourage access, exchange, or use of electronic health information.'' 
The definition of information blocking also includes two different 
knowledge requirements. If a practice is conducted by a health IT 
developer, exchange, or network, the definition requires that such 
developer, exchange, or network knows, or should know, that such 
practice is likely to interfere with, prevent, or materially discourage 
access to, exchange of, or use of, electronic health information. If a 
practice is conducted by a health care provider, the definition 
requires that such provider knows that such practice is unreasonable 
and is likely to interfere with, prevent, or materially discourage 
access to, exchange of, or use of, electronic health information. 
Section 3022(a)(1)(A) excludes from the definition of information 
blocking practices that are required by law, and reasonable and 
necessary activities identified by the Secretary in rulemaking.
---------------------------------------------------------------------------

    \56\ Public Law 114-255, 130 Stat. 1033 (December 13, 2016) 
(codified at 42 U.S.C. 201 note). Cures Act Title IV--Delivery 
amended the PHSA, 42 U.S.C. 201 et seq.
    \57\ 42 U.S.C. 201 et seq.
    \58\ See generally Cures Act sections 4003 Interoperability 
(amending section 3000 of the PHSA (42 U.S.C. 300jj)); and 4004 
Information Blocking (amending Subtitle C of title XXX of the PHSA 
by adding 42 U.S.C. 300jj-52).
---------------------------------------------------------------------------

    The Office of the National Coordinator for Health Information 
Technology (ONC) published a final rule \59\ that implements the 
statutory definitions of the information blocking provision and 
finalizes the proposed eight reasonable and necessary activities (referred 
to as exceptions) 
that do not constitute information blocking for purposes of the 
definition set forth in section 3022(a)(1). These regulatory exceptions 
are finalized in the ONC rule, ``21st Century Cures Act: 
Interoperability, Information Blocking, and the ONC Health IT 
Certification Program'' (ONC Cures Act Final Rule), and include the 
Privacy Exception, which expressly applies to a practice of not 
fulfilling a request to access, exchange, or use electronic health 
information in order to protect an individual's privacy when the 
practice meets all of the requirements of at least one of the sub-
exceptions in 45 CFR 171.202.\60\
---------------------------------------------------------------------------

    \59\ See 85 FR 25642 (May 1, 2020) available at https://www.govinfo.gov/content/pkg/FR-2020-05-01/pdf/2020-07419.pdf.
    \60\ See 45 CFR 171.202.
---------------------------------------------------------------------------

    Based on authority granted to it by the Cures Act, the OIG has 
proposed a rule that addresses enforcement.\61\ Section 3022(b)(1) of 
the PHSA authorizes OIG to investigate any claim that a health IT 
developer of certified health IT or other entity offering certified 
health IT, a health care provider, or a health information exchange or 
network, engaged in information blocking. Section 3022(b)(2)(A) 
provides for civil monetary penalties for a health IT developer of 
certified health IT or other entity offering certified health IT, as 
well as for a health information exchange or network, that is 
determined to have committed information blocking. Section 
3022(b)(2)(B) of the PHSA provides that any health care provider that 
is determined to have committed information blocking shall be referred 
to the appropriate agency to be subject to appropriate disincentives 
using authorities under applicable Federal law, as the Secretary sets 
forth through notice and comment rulemaking. The OIG's proposed rule 
would codify these authorities.\62\
---------------------------------------------------------------------------

    \61\ See proposed rule, 85 FR 22979 (June 23, 2020). Grants, 
Contracts, and Other Agreements: Fraud and Abuse; Information 
Blocking; Office of Inspector General's Civil Money Penalty Rules. 
https://www.federalregister.gov/d/2020-08451/p-17.
    \62\ Ibid.
---------------------------------------------------------------------------

    The Cures Act also requires health IT developers participating in 
the ONC Health IT Certification Program \63\ (Certification Program) to 
publish application programming interfaces (APIs) and allow health 
information from such technology to be accessed, exchanged, and used 
without special effort through the use of APIs or successor technology 
or standards, as provided for under applicable law.\64\ ONC's Cures Act 
rule carries out this charge.
---------------------------------------------------------------------------

    \63\ In general, the HITECH Act provides the National 
Coordinator with the authority to establish a program or programs 
for the voluntary certification of health IT, and requires the 
Secretary to adopt certification criteria. See 42 U.S.C. 300jj-11.
    \64\ See Cures Act section 4002 (amending section 3001(c)(5) of 
the PHSA).
---------------------------------------------------------------------------

    For example, by requiring developers of certified health IT, 
including EHR technology, to make secured, standards-based APIs 
(certified APIs) available, ONC's rule creates mechanisms by which 
individuals can readily exercise their Privacy Rule right of access, 
thus empowering individuals to electronically access, share, and use 
their electronic health information. This approach gives individuals 
the ability to electronically access and share their health information 
with mobile applications of the individuals' choice. Likewise, CMS's 
new interoperability rule contains requirements similar to the ONC 
Cures Act Final Rule.\65\ Finally, section 4006 of the Cures Act 
directs ONC and OCR to jointly promote patient access to health 
information in a manner that would ensure the information is available 
in a form convenient for the patient, in a reasonable manner, without 
burdening the health care provider involved.
---------------------------------------------------------------------------

    \65\ See 85 FR 25510 (May 1, 2020).
---------------------------------------------------------------------------

    Taken together, implementation of the above Cures Act requirements 
through the ONC and CMS rules will support covered entities (and their 
business associates) that use health information technology in a manner 
that enables them to respond in a more timely manner to individual requests for 
access to ePHI. Further, the ONC Cures Act Final Rule requirements for 
certified health IT to use secure, standards-based APIs will allow 
individuals to more readily access their ePHI and support disclosures 
of PHI by covered health care providers and health plans for 
individual-level care coordination and case management purposes. This 
regulatory context informs the proposals that follow.

III. Need for the Proposed Rule and Proposed Modifications

    In light of ongoing concerns that regulatory barriers across the 
Department impede effective delivery of coordinated, value-based health 
care, in June 2018, the Department launched the Regulatory Sprint to 
Coordinated Care to promote care coordination and facilitate a 
nationwide transformation to value-based health care. The Department 
initiated the Sprint by publishing a series of RFIs to solicit public 
input on regulatory barriers to coordinated care that it should modify, 
remove, or clarify through guidance and subsequent proposed 
regulations. After considering public comment, on August 26, 2019, the 
Department published a NPRM to modify 42 CFR part 2, the regulatory 
scheme protecting the confidentiality of substance use disorder (SUD) 
treatment information held by HHS-funded treatment programs.\66\ On 
October 17, 2019, the HHS Office of Inspector General (OIG) published a 
NPRM, ``Revisions to the Safe Harbors Under the Anti-Kickback Statute 
and Civil Monetary Penalty Rules Regarding Beneficiary Inducements.'' 
\67\ On the same day, CMS published a NPRM, ``Medicare Program; 
Modernizing and Clarifying the Physician Self-Referral Regulations.'' 
\68\
---------------------------------------------------------------------------

    \66\ 84 FR 44568 (August 26, 2019).
    \67\ 84 FR 55694 (October 17, 2019).
    \68\ 84 FR 55766 (October 17, 2019).
---------------------------------------------------------------------------

    This NPRM, proposing modifications to the Privacy Rule, continues 
the Department's Regulatory Sprint, taking into consideration public 
comment received on the 2018 RFI published by OCR. The 2018 RFI 
solicited public input on 53 questions asking whether and how the 
Department could modify the HIPAA Rules to support care coordination 
and case management, and promote value-based care, while preserving the 
privacy and security of PHI. The Department organized the 2018 RFI 
questions around several key themes for which it sought input and 
examples of how best to address care coordination through three 
specific content areas:
    • Promoting information disclosure for care coordination and 
case management. The 2018 RFI sought input on individuals' right to 
access their own PHI in accordance with the provisions contained in 45 
CFR 164.524, and the amount of time covered entities should be 
permitted to respond to individuals' requests for access. The RFI also 
solicited input on whether health care clearinghouses should be subject 
to the individual access requirements, and whether disclosures of PHI 
for care coordination and case management to non-provider covered 
entities should be excepted from the minimum necessary requirements. 
Further, the RFI asked for public input on whether the Privacy Rule 
should require covered entities and business associates to disclose PHI 
when requested by another covered entity for treatment, payment, health 
care operations, or some combination or subset of these categories of 
disclosures. Finally, the RFI asked whether there should be an express 
regulatory permission for HIPAA covered entities to disclose PHI to 
social services agencies and/or community based organizations.

[[Page 6454]]

    • Promoting parental and caregiver involvement and 
addressing the opioid crisis and serious mental illness (SMI). The 2018 
RFI sought input to help determine whether and how to modify the 
Privacy Rule to address the opioid crisis and SMI, and promote family 
involvement in the care of loved ones experiencing these health 
situations. The RFI also sought comment on how the Department could 
amend the Privacy Rule to increase the disclosure of information by 
providers to family members experiencing difficulties obtaining health 
information about parents, spouses, minor and adult children, and other 
loved ones when needed to coordinate their care or otherwise be 
involved in their treatment (or the payment for such treatment).
    • Notice of Privacy Practices (NPP). The 2018 RFI sought 
input on whether the Department should eliminate or modify the Notice 
of Privacy Practices signature and recordkeeping requirements 
associated with distribution of the Notice of Privacy Practices. The 
Privacy Rule, at 45 CFR 164.520(c)(2)(ii), currently requires a covered 
health care provider that has a direct treatment relationship with an 
individual to make a good faith effort to obtain a written 
acknowledgment of receipt of the provider's NPP; if unable to obtain 
the written acknowledgment, the covered health care provider must 
document its good faith effort to do so and the reason for not 
obtaining an individual's acknowledgment, and maintain the 
documentation for six years.\69\ The 2018 RFI sought public comment on 
whether changing the requirements related to the acknowledgment of 
receipt could reduce administrative burden on covered health care 
providers and address confusion about the purpose and effect of the 
requirements. The 2018 RFI also asked whether and how other aspects of 
the Notice of Privacy Practices provisions (e.g., content requirements) 
could be changed to ensure that individuals are informed about their 
rights and covered entities' privacy practices.
---------------------------------------------------------------------------

    \69\ See 45 CFR 164.520(e) and 45 CFR 164.530(j)(2).
---------------------------------------------------------------------------

    In addition to the three major topics described above, the RFI 
sought information about implementing a requirement of the HITECH Act 
to include disclosures by a covered entity for treatment, payment, and 
health care operations through an EHR in an accounting of 
disclosures.\70\ Based on the comments received in response to the 2018 
RFI, and the history of previous rulemaking on this topic, the 
Department intends to address this requirement in future rulemaking.
---------------------------------------------------------------------------

    \70\ See 42 U.S.C. 17935(c).
---------------------------------------------------------------------------

    The Department received over 1,300 comments in response to the 2018 
RFI, from many types of individuals and entities, including covered 
entities, patients, family caregivers, professional associations, 
privacy advocates, mental health professionals and advocates, business 
associates, researchers, and government organizations. The Department 
provides a more complete description of the 2018 RFI topics and 
responsive comments below.\71\
---------------------------------------------------------------------------

    \71\ Throughout this preamble, the phrases ``majority of 
commenters'' or ``general consensus'' are used to mean a majority of 
commenters that have commented on the particular issue or consensus 
among commenters who have commented on the issue being discussed. 
These statements should not be interpreted to mean all commenters 
who have commented on the 2018 RFI, but only those who commented on 
the particular issue being discussed.
---------------------------------------------------------------------------

A. Individual Right of Access \72\ (45 CFR 164.524)
---------------------------------------------------------------------------

    \72\ Throughout this NPRM, references to the individual right of 
access and individual access requests include access requests by the 
personal representative of an individual.
---------------------------------------------------------------------------

General Policy Considerations
    The ability of individuals to access and direct disclosures of 
their own health information is key to the coordination of their care. 
Patients are at the center of each health care encounter. As such, 45 
CFR 164.524 of the Privacy Rule generally requires HIPAA covered 
entities (health plans and most health care providers) \73\ to provide 
individuals, upon request, with access to their PHI in one or more 
designated record sets maintained by or for the covered entity. As 
finalized in 2013, this right includes the right to inspect or obtain a 
copy, or both, of the PHI, and to access the PHI in the form and format 
requested if readily producible. Individuals have a right to access 
this PHI for as long as the information is maintained by a covered 
entity, or by a business associate on behalf of a covered entity, 
regardless of the date the information was created; whether the 
information is maintained on paper or in an electronic system onsite, 
remotely, or archived; or where the PHI originated (e.g., from the 
covered entity, another health care provider, the patient, etc.). The 
individual right to inspect PHI held in a designated record set, either 
in addition to obtaining copies or in lieu thereof, requires covered 
entities to arrange with the individual for a convenient time and place 
to inspect the PHI. The right of access also includes the right to 
direct the covered entity to transmit an electronic copy of PHI in an 
EHR to a designated person or entity of the individual's choice.\74\
---------------------------------------------------------------------------

    \73\ The third type of covered entity, a health care 
clearinghouse, is not subject to the same individual access 
requirements as covered health care providers and health plans. See 
45 CFR 164.500(b)(1) for a list of Privacy Rule provisions that 
apply to a health care clearinghouse in its role as a business 
associate of another covered entity.
    \74\ In accordance with the court order in Ciox v. Azar, the 
Department is not enforcing a right to direct to a third party non-
electronic copies of PHI or copies of PHI that are not in an EHR. 
These types of disclosures to third parties continue to be permitted 
with a valid authorization.
---------------------------------------------------------------------------

    While OCR has issued extensive guidance and performed outreach to 
the public and regulated entities regarding the individual right of 
access, OCR continues to hear--through complaints, comments on the 2018 
RFI, reports,\75\ and anecdotal accounts--that individuals frequently 
face barriers to obtaining timely access to their PHI, in the form and 
format requested, and at a reasonable, cost-based fee. Associated 
delays or lack of patient access to their PHI may inhibit care 
coordination and contribute to worse health outcomes for 
individuals,\76\ and contribute to burden on individuals and systems.
---------------------------------------------------------------------------

    \75\ Lye CT, Forman HP, Gao R, et al. ``Assessment of US 
Hospital Compliance With Regulations for Patients' Requests for 
Medical Records.'' JAMA Network Open. Published online October 05, 
2018(6):e183014. doi:10.1001/jamanetworkopen.2018.3014.
    \76\ See e.g., The Joint Commission, ``Transitions of Care: The 
need for collaboration across entire care continuum,'' https://www.jointcommission.org/assets/1/6/TOC_Hot_Topics.pdf (listing 
transfer of health information as foundational to safe transitions 
of care); Hesselink, G., Schoonhoven, L., Barach, P., Spijker, A., 
Gademan, P., Kalkman, C., Liefers, J., Vernooij-Dassen, M., & 
Wollersheim, H. (2012). ``Improving patient handovers from hospital 
to primary care: A systematic review.'' Annals of Internal Medicine, 
157(6), 417-428.
---------------------------------------------------------------------------

    The 2018 RFI also requested information about current barriers or 
delays that health care providers face when attempting to obtain PHI 
from covered entities for treatment purposes. Specifically, the RFI 
asked whether the Privacy Rule could be modified to improve care 
coordination and case management by requiring covered entities and 
business associates to disclose PHI when requested by another covered 
entity for treatment purposes, for payment and health care operations 
purposes generally, or, alternatively, only for specific payment or 
health care operations purposes. The RFI further requested input on the 
effects of various potential requirements, including the creation of 
unintended burdens for covered entities or individuals, how much it 
would cost covered entities to comply, and whether any limitations 
should be placed on such disclosure requirements.

[[Page 6455]]

    After careful review of the responses to the 2018 RFI and the 
Department's analysis of the current Privacy Rule, the Department 
proposes to amend the Privacy Rule to strengthen the individual right 
of access and to remove barriers that may limit or discourage 
coordinated care or case management among covered entities and 
individuals, or otherwise impose regulatory burdens. Additionally, 
consistent with the court's decision in Ciox v. Azar,\77\ the 
Department proposes to modify aspects of the individual's right under 
the Privacy Rule to direct a covered entity to transmit a copy of PHI 
to a third party.
---------------------------------------------------------------------------

    \77\ No. 18-cv-0040-APM (D.D.C. January 23, 2020).
---------------------------------------------------------------------------

Summary of Proposals To Modify the Individual Right of Access
    The Department proposes to amend the individual right of access by 
incorporating definitions into the Privacy Rule that are necessary to 
implement key privacy provisions of the HITECH Act. The Department's 
proposed definitions for electronic health record and personal health 
application in 45 CFR 164.501 build on language from the HITECH Act 
definitions of electronic health record \78\ and personal health 
record.\79\ The Department also proposes to strengthen the individual 
right of access by strengthening the right to inspect and obtain copies 
of PHI and by shortening the time limits for covered entities to 
respond to access requests. The Department addresses requirements 
regarding the form and format in which covered entities must respond to 
individuals' requests for access, by clarifying that ``readily 
producible'' copies of PHI include copies of ePHI requested through 
secure, standards-based APIs using applications chosen by individuals, 
and that they also include copies in any form and format required by 
applicable state and other laws. The Department proposes that the 
individual right to direct a copy of PHI to a third party be limited to 
a right to direct an electronic copy of PHI in an EHR to a third party. 
To clearly distinguish between the scope and requirements of the 
individual right to inspect and obtain copies of PHI and the right to 
direct the transmission of electronic copies of PHI in an EHR to a 
third party, the Department proposes to list these distinct rights of 
access in separate paragraphs in the regulatory text:
---------------------------------------------------------------------------

    \78\ 42 U.S.C. 17921(5): ``The term ``electronic health record'' 
means an electronic record of health-related information on an 
individual that is created, gathered, managed, and consulted by 
authorized health care clinicians and staff.''
    \79\ Id. at 17921(11): ``The term ``personal health record'' 
means an electronic record of PHR identifiable health information 
(as defined in section 13407(f)(2) [of the HITECH Act]) on an 
individual that can be drawn from multiple sources and that is 
managed, shared, and controlled by or primarily for the 
individual.'' Sec. 13407(f)(2) of the HITECH Act defines ``PHR 
identifiable health information'' as individually identifiable 
health information, as defined in section 1171(6) of the Social 
Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an 
individual, information (A) that is provided by or on behalf of the 
individual; and (B) that identifies the individual or with respect 
to which there is a reasonable basis to believe that the information 
can be used to identify the individual. 42 U.S.C. 17937(f)(2).
---------------------------------------------------------------------------

    • The individual right to inspect and obtain copies of PHI 
within the current rule requires covered entities to provide the 
requested information (with some exceptions) within a specific time 
limit and for a limited fee. This NPRM proposes to retain this 
individual right to inspect and obtain copies of PHI at 45 CFR 
164.524(c).
    • The right of an individual to direct the transmission of 
electronic copies of PHI in an EHR to a third party is established by 
the HITECH Act and interpreted by the Ciox v. Azar decision to apply 
only to PHI in an EHR. The proposed rule would codify the Ciox v. Azar 
limits into regulatory text at 45 CFR 164.524(d).
    • The Department also proposes to create a pathway for 
individuals to direct the sharing of an electronic copy of PHI in an 
EHR among covered health care providers and health plans. The NPRM 
proposes to require a covered health care provider or health plan (the 
``Requestor-Recipient''), at the individual's direction, to submit the 
individual's access request regarding his or her own ePHI to another 
covered health care provider (the ``Discloser''), requesting that the 
Discloser transmit the ePHI maintained by or on behalf of the Discloser 
in its EHR to the Requestor-Recipient. This new right would be inserted 
within the right to direct an electronic copy of PHI in an EHR to a 
third party, at proposed 45 CFR 164.524(d)(7).
    Finally, with respect to fees charged by covered entities to 
individuals exercising the right of access, the Department proposes to 
adjust and clarify the fees that covered entities may charge for copies 
of PHI, and require covered entities to provide advance notice of 
approximate fees for copies of PHI requested under the access right or 
with an individual's valid authorization. The Department also proposes 
technical clarifications to the Privacy Rule provision requiring 
business associates to disclose PHI as needed for the covered entity to 
fulfill its obligations under the right of access.
1. Adding Definitions for Electronic Health Record or EHR and Personal 
Health Application (45 CFR 164.501)
    The Privacy Rule currently does not define the term ``electronic 
health record.'' However, the HITECH Act codifies a definition of EHR 
that applies to that Act's privacy and security provisions for covered 
entities and business associates.\80\ As part of this NPRM's proposal 
to modify the scope of the access right regarding PHI in an EHR, the 
Department proposes to add a definition of EHR in 45 CFR 164.501 that 
expands on the HITECH Act definition to clarify some of its terms:
---------------------------------------------------------------------------

    \80\ See 42 U.S.C. 17921(5) for the HITECH Act definition: ``The 
term ``electronic health record'' means an electronic record of 
health-related information on an individual that is created, 
gathered, managed, and consulted by authorized health care 
clinicians and staff.''
---------------------------------------------------------------------------

    Electronic health record means an electronic record of health-
related information on an individual that is created, gathered, 
managed, and consulted by authorized health care clinicians and 
staff. Such clinicians shall include, but are not limited to, health 
care providers that have a direct treatment relationship with 
individuals, as defined at Sec.  164.501, such as physicians, 
nurses, pharmacists, and other allied health professionals. For 
purposes of this paragraph, ``health-related information on an 
individual'' covers the same scope of information as the term 
``individually identifiable health information'' as defined at Sec.  
160.103.

    The Privacy Rule does not define the term ``clinician'' and the 
Department has not identified a uniform statutory or regulatory 
definition. For example, the term ``clinician'' is not included among 
the several definitions of ``Health care provider'' in the Social 
Security Act, which includes a long list of health care professionals 
as well as ``any other person furnishing health care services or 
supplies.'' \81\ Section 13101 of the HITECH Act, adding Title XXX--
Health Information Technology and Quality to the PHSA, includes a 
definition for ``health care provider'' that appears to distinguish the 
term ``clinicians'' from other types of practitioners, but does not 
specify a basis for the distinction: ``. . . and any other category of 
health care facility, entity, practitioner, or clinician determined 
appropriate by the Secretary.'' \82\ CMS offers a definition of 
``clinician'' within its guidance materials discussing quality 
measures: ``The term clinician refers to a

[[Page 6456]]

healthcare professional qualified in the clinical practice of medicine. 
Clinicians are those who provide principal care for a patient where 
there is no planned endpoint of the relationship; expertise needed for 
the ongoing management of a chronic disease or condition; care during a 
defined period and circumstance, such as hospitalization; or care as 
ordered by another clinician. Clinicians may be physicians, nurses, 
pharmacists, or other allied health professionals.'' \83\
---------------------------------------------------------------------------

    \81\ See e.g., Social Security Act section 1171(3) (42 U.S.C. 
1320d(3)) (defining ``Health care provider'' to include a provider 
of services (cross-referencing the definition with that in 42 U.S.C. 
1861(u)), and any other person furnishing health care services or 
supplies).
    \82\ 42 U.S.C. 300jj (3), definition of ``Health care 
provider''.
    \83\ Available at https://www.cms.gov/Medicare/Quality-Initiatives-Patient-Assessment-Instruments/MMS/QMY-Clinicians.
---------------------------------------------------------------------------

    Consistent with the breadth of these various definitions, the 
Department proposes to interpret ``authorized health care clinicians 
and staff'' to at least include covered health care providers who are 
able to access, modify, transmit, or otherwise use or disclose PHI in 
an EHR, and who have direct treatment relationships with individuals; 
and their workforce members (as workforce is defined at 45 CFR 160.103) 
\84\ who support the provision of such treatment by virtue of their 
qualifications or job role. Accordingly, an EHR would include 
electronic records consulted by any covered health care provider, or a 
workforce member of such a covered health care provider, so long as the 
provider has a direct treatment relationship with individuals. The 
Department does not propose to include covered health care providers 
who have indirect treatment relationships with individuals. By 
definition, providers with indirect treatment relationships deliver 
health care based on the orders of another health care provider, and 
they typically provide services, products, or reports to another health 
care provider (e.g., a provider with a direct treatment relationship 
with the individual).\85\ Accordingly, the direct treatment provider 
that receives such services, products, or reports would be the entity 
documenting information in the EHR.
---------------------------------------------------------------------------

    \84\ This NPRM uses the terms ``workforce member'' and ``staff'' 
interchangeably.
    \85\ See 45 CFR 164.501 (definition of ``Direct treatment 
relationship'').
---------------------------------------------------------------------------

    For example, an EHR would include electronic lab test reports 
created by workforce members of a large health system who are licensed 
clinical laboratory personnel, and who perform clinical lab tests for 
patients treated by the health system. Likewise, electronic billing 
records created, gathered, managed, and consulted by workforce members 
of a covered health care provider that has a direct treatment 
relationship with an individual (e.g., a hospital) would be included in 
the term EHR because health care billing information is health-related 
information. The Department recognized as early as 2013 that many 
direct treatment providers use electronic practice systems that 
integrate functions such as scheduling and billing with providers' 
EHRs.\86\ Additionally, the American Academy of Family Physicians, in 
presenting definitions for both ``electronic health record'' and 
``electronic medical record,'' has noted that ``electronic health 
record'' refers to ``computer software that physicians use to track all 
aspects of patient care. Typically this broader term also encompasses 
the practice management functions of billing, scheduling, etc.'' \87\
---------------------------------------------------------------------------

    \86\ See Assistant Secretary for Planning and Evaluation (ASPE) 
report, ``The Feasibility of Using Electronic Health Data for 
Research on Small Populations, Information Available in an 
Electronic Health Record'' (September 1, 2013), available at https://aspe.hhs.gov/report/feasibility-using-electronic-health-data-research-small-populations.
    \87\ See American Academy of Family Physicians (AAFP), 
``Introduction to Electronic Health Records (EHRs)'' available at 
https://www.aafp.org/practice-management/health-it/product/intro.html.
---------------------------------------------------------------------------

    In contrast, the term EHR would not include health-related 
electronic records of covered health care providers that only supply 
durable medical equipment to other providers, who then provide the 
equipment to individuals, and thus do not have direct treatment 
relationships with individuals.
    With respect to the types of information in an EHR, the Department 
proposes to equate ``health-related information on an individual'' in 
regulatory text with the scope of the familiar, defined term, 
individually identifiable health information or IIHI.\88\ While the 
HITECH Act does not define ``health-related information,'' section 
13101 of the HITECH Act defines ``health information'' by reference to 
section 1171(4) of the Social Security Act,\89\ which is consistent 
with the definition of the term contained in the Privacy Rule. 
Therefore, the Department believes it is reasonable to interpret the 
term ``health-related information'' to be at least as broad as ``Health 
information,'' as defined in the Privacy Rule at 45 CFR 164.501.\90\ 
The Department notes that ``Health information'' includes not only 
clinical, but billing and other data. Therefore, the broader term 
``health-related information'' could be expected to include such data 
and not be limited to clinical data.
---------------------------------------------------------------------------

    \88\ 45 CFR 160.103 provides in part that IIHI is ``a subset of 
health information, including demographic information . . . created 
or received by a health care provider, health plan, employer or 
health care clearinghouse; and relates to the past, present, or 
future physical or mental health or condition of an individual; the 
provision of health care to an individual; or the past, present or 
future payment for the provision of health care to an individual.'' 
See 45 CFR 160.103 for the full definition.
    \89\ See 42 U.S.C. 300jj (4) (adding section 3000(4) to the 
PHSA, definition of Health care provider).
    \90\ Health information means any information, including genetic 
information, whether oral or recorded in any form or medium, that: 
(1) Is created or received by a health care provider, health plan, 
public health authority, employer, life insurer, school or 
university, or health care clearinghouse; and (2) Relates to the 
past, present, or future physical or mental health or condition of 
an individual; the provision of health care to an individual; or the 
past, present, or future payment for the provision of health care to 
an individual. 45 CFR 164.501.
---------------------------------------------------------------------------

    Further, the Department interprets ``on an individual,'' for HIPAA 
purposes to refer to information that is ``individually identifiable.'' 
Health information that is not individually identifiable (e.g., that is 
de-identified) is not protected by HIPAA. Thus, a definition of 
``health-related information on an individual'' that encompasses 
information outside the scope of IIHI would not create an administrable 
standard under the HIPAA Rules. The Department seeks comment on the 
scope of this proposed definition for EHR, including billing records 
for health care.\91\
---------------------------------------------------------------------------

    \91\ Note that the HITECH Act definition of ``Electronic health 
record,'' 42 U.S.C. 17921(5), applies only to HIPAA covered entities 
and business associates. ONC's regulations at 45 CFR Subchapter D--
Health Information Technology, do not define an EHR, but do include 
definitions for a 2015 Edition Base EHR and a Qualified EHR. CMS has 
also proposed a definition of EHR in its proposed rule; Medicare 
Program; Modernizing and Clarifying the Physician Self-Referral 
Regulations. See 84 FR 55766 (October 19, 2019), https://www.federalregister.gov/d/2019-22028/p-535.
---------------------------------------------------------------------------

    The Department also believes it is necessary to define a new term 
in the Privacy Rule, ``Personal health application'' (or ``personal 
health app''), by drawing on the definition of a personal health record 
in the HITECH Act.\92\ This term would be added to 45 CFR 164.501. More 
and more, individuals use personal health applications to access and 
manage their personal health information, and in this proposed rule, 
the Department proposes to revise the right of access to clarify that 
it includes the right of an individual to access electronic copies of 
the individual's PHI, and that one of the mechanisms by which a request 
for access can be fulfilled is by transmitting an electronic copy of an 
individual's PHI to a personal health application used by the 
individual. To support the

[[Page 6457]]

Department's proposal to address the use of personal health 
applications in the right of access, the Department proposes to define 
personal health application in the HIPAA Rules as ``an electronic 
application used by an individual to access health information about 
that individual in electronic form, which can be drawn from multiple 
sources, provided that such information is managed, shared, and 
controlled by or primarily for the individual, and not by or primarily 
for a covered entity or another party such as the application 
developer.'' \93\ Put another way, a personal health application is a 
service offered directly to consumers. The covered entity does not 
manage, share, or control the information, nor does the application 
developer manage the information on behalf of or at the direction of a 
health care provider or health plan (e.g., through a patient ``portal'' 
that the entity uses to manage individuals' access to the PHI it 
maintains), or another party that collects or manages PHI for its own 
purposes (e.g., a research organization). Instead, individuals (or 
their personal representatives) use a personal health application for 
the individuals' own purposes, such as to monitor their own health 
status and access their own PHI using the application. For example, 
individuals might request weight, vital signs, and other health 
information from their health care providers to either store it in the 
personal health application or to direct transmission to other persons. 
The Department notes that a personal health application is not acting 
on behalf of, or at the direction of a covered entity, and therefore 
would not be subject to the privacy and security obligations of the 
HIPAA Rules. However, the Department supports providing individuals 
with information that will assist them in making the best choices for 
themselves when selecting a personal health application or other 
applications that are not being provided on behalf of or at the 
direction of a covered entity.\94\
---------------------------------------------------------------------------

    \92\ See 42 U.S.C. 17921(11). ``The term ``personal health 
record'' means an electronic record of PHR identifiable health 
information (as defined in section 17937(f)(2) of this title) on an 
individual that can be drawn from multiple sources and that is 
managed, shared, and controlled by or primarily for the 
individual.''
    \93\ This proposed definition of personal health application 
would not apply to or otherwise affect the requirements of the ONC 
Cures Act Final Rule or the CMS Interoperability and Patient Access 
Rule.
    \94\ See 85 FR 25642, 25814 (May 1, 2020) for an extensive 
discussion of how a covered entity may provide individuals with such 
information, in the ONC Cures Act Final Rule preamble regarding 
Interference Versus Education When an Individual Chooses Technology 
to Facilitate Access.
---------------------------------------------------------------------------

    The Department requests comment on the proposed definition of 
personal health application, including the types of activities 
encompassed in the terms ``managed,'' ``shared,'' and ``controlled,'' 
and on the Department's assumptions about the use of such applications 
by individuals. The proposed definition of personal health application 
is meant to be consistent with the HITECH Act definition of personal 
health record (PHR),\95\ but specifically addresses certain health 
applications, which may or may not be PHRs.\96\
---------------------------------------------------------------------------

    \95\ ``[A]n electronic record of PHR identifiable health 
information (as defined in section 13407(f)(2)) on an individual 
that can be drawn from multiple sources and that is managed, shared, 
and controlled by or primarily for the individual.'' 42 U.S.C. 
17921(11).
    \96\ The same software could be a personal health application 
under the proposed Privacy Rule definition and also be a personal 
health record under the HITECH Act for other purposes, to the extent 
it meets both definitions.
---------------------------------------------------------------------------

    Taken together, the proposed definitions for EHR and personal 
health application would help clarify the proposed modifications to the 
right of access, including the scope of the modified right of 
individuals to direct a covered health care provider to transmit an 
electronic copy of PHI in an EHR to a designated third party.
2. Strengthening the Access Right To Inspect and Obtain Copies of PHI
    The individual right of access under the Privacy Rule includes a 
right to ``inspect and obtain a copy of'' PHI in a designated record 
set at 45 CFR 164.524(a)(1).\97\ The Department proposes to strengthen 
the access right to inspect and obtain copies of PHI by incorporating a 
portion of the 2016 Access Guidance, discussed below, into a new 
provision of the Privacy Rule. To do so, the Department proposes to 
retain the substance of the current right at 45 CFR 164.524(a)(1), but 
redesignate current 45 CFR 164.524(a)(1)(i) and (ii) as 45 CFR 
164.524(a)(1)(i)(A) and (B). The Department also proposes to add a new 
right at 45 CFR 164.524(a)(1)(ii) that generally would enable an 
individual to take notes, videos, and photographs, and use other 
personal resources to view and capture PHI in a designated record set 
as part of the right to inspect PHI in person. The Department does not 
propose to impose a requirement on covered entities that would result 
in the taking of an intellectual property right, and does not believe 
that an individual recording their own PHI in a designated record set 
through video, still camera photos, or audio recordings would be 
inconsistent with federal and state recording laws or intellectual 
property rights protections. However, the Department requests comment 
on this point and examples of possible unintended consequences of the 
proposal. Additionally, the Department invites comments on whether 
covered entities should be permitted to provide copies of PHI in lieu 
of in-person inspection of PHI when necessary to protect the health or 
safety of the individual or others, such as during a pandemic; and if 
so, whether the Department should establish additional rights for 
individuals in such circumstances, such as the right to receive such 
copies for free. The Privacy Rule currently does not provide covered 
entities with the opportunity to deny or delay (beyond 30 days plus one 
30-day extension) the right to inspect PHI in person to prevent the 
spread of an infectious disease, or address the ability to provide a 
reasonable alternative based on the need to protect the health or 
safety of the individual or others due to a pandemic or other public 
health emergency.
---------------------------------------------------------------------------

    \97\ See 45 CFR 164.524(a).
---------------------------------------------------------------------------

    Under this proposal, covered entities generally would be required 
to allow individuals to take notes, videos, and photographs using 
personal resources after arranging a mutually convenient time and place 
for the individual to inspect their PHI in a designated record set, 
such as in a medical records office. This would be accomplished by 
redesignating the first paragraph of 45 CFR 164.524(a)(1) as subsection 
(i) and creating a new subsection (ii). Covered entities would be 
required to provide such access without imposing a fee under proposed 
45 CFR 164.524(c)(4)(ii). Additionally, the Department proposes to 
extend the right to inspect to situations where mutually convenient 
times and places include points of care where PHI in a designated 
record set is readily available for inspection by the patient, for 
example, by viewing x-rays, ultrasounds, or lab results in conjunction 
with a health care appointment with a treating provider. The Department 
anticipates that the time and place where an individual obtains health 
care treatment generally would be considered a convenient time and 
place for the individual to inspect the PHI that is immediately 
available in the treatment area. This provision would be added to 45 
CFR 164.524(c)(3) as part of the implementation specifications 
regarding the time and manner of access, as follows: ``When protected 
health information is readily available at the point of care in 
conjunction with a health care appointment, a covered health care 
provider is not permitted to delay the right to inspect.''
    In these circumstances, a covered health care provider would not be 
permitted to delay the right to inspect. The Department believes that 
it is common for individuals to take notes during a visit where health 
care

[[Page 6458]]

treatment is provided and that individuals could benefit from taking 
photographs or recordings of PHI, contained in a designated record set, 
during such visits. This provision would not extend the right beyond 
the records maintained by or for a covered entity as described in the 
definition of designated record set in the Privacy Rule.\98\
---------------------------------------------------------------------------

    \98\ 45 CFR 164.501.
---------------------------------------------------------------------------

    The Department seeks comment on whether to require covered health 
care providers to allow individuals to record PHI in this manner as 
part of the Privacy Rule access right; whether conditions or 
limitations should apply to ensure that a covered health care provider 
does not experience unreasonable workflow disruptions (e.g., 
limitations on time spent recording PHI in conjunction with a health 
care appointment); any potential unintended consequences of a new 
requirement to allow inspection of PHI that is readily available at the 
point of care in conjunction with a health care appointment; and how to 
determine when PHI is ``readily available.''
    Under proposed section 164.524(a)(1)(ii), the Department would not 
require a covered entity to allow the individual to connect a personal 
device, such as a thumb drive, to the covered entity's information 
systems. The Department does not expect a covered entity to tolerate 
unacceptable security risks (which would violate the HIPAA Security 
Rule) in order to accomplish a non-secure mode of data transfer to the 
requestor.\99\
---------------------------------------------------------------------------

    \99\ See discussion of security considerations in the 2016 
Access Guidance, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html. See also 45 CFR 
164.308(a)(1).
---------------------------------------------------------------------------

    The Department believes that the proposed changes would eliminate 
persistent barriers that individuals face when seeking to inspect or 
obtain copies of their PHI, as described above in Section III.A. At the 
same time, a provision at the end of the new subsection (ii) of 45 CFR 
164.524(a)(1) would provide, ``[A] covered entity is not required to 
allow an individual to connect a personal device to the covered 
entity's information systems and may impose requirements to ensure that 
an individual records only protected health information to which the 
individual has a right of access.'' Consistent with this provision, a 
covered entity could establish reasonable policies and safeguards to 
ensure, for example, that an individual's use of personal resources 
minimizes disruptions to the covered entity's operations, and is used 
in a way that enables the individual to copy or otherwise memorialize 
only the PHI in the individual's designated record set to which the 
individual is entitled pursuant to the right of access. However, a 
covered entity would not be permitted to establish such policies and 
safeguards that impose unjustified or unreasonable barriers to 
individual access. See proposed 45 CFR 164.524(b)(1)(ii).
3. Modifying the Implementation Requirements for Requests for Access 
and Timely Action in Response to Requests for Access
a. Current Provisions and Issues To Address
    Section 164.524(b)(1) of title 45 CFR requires a covered entity to 
permit an individual to inspect or to obtain a copy of PHI about the 
individual that is maintained in a designated record set, and to 
require individuals to make such a request in writing, provided the 
covered entity informs the individual of the writing requirement. 
Although the Department did not solicit comment in the 2018 RFI about 
this section of the Privacy Rule, the Department believes it is 
appropriate to solicit comment on a proposal to expressly prohibit a 
covered entity from imposing unreasonable measures that would impede an 
individual's right of access. The Department believes such a proposal 
would support the goal of improving coordination of care for 
individuals, as further discussed below.
    Section 164.524(b)(2) of title 45 CFR requires a covered entity to 
act on an individual's request to exercise their right of access no 
later than 30 days after receipt of the request, with an option to 
extend the time to take action by an additional 30 days after providing 
written explanation and the date by which the entity will complete its 
action on the request. To assess whether the time limit could be 
shortened to better serve individuals seeking to exercise their right 
to access their records, in the 2018 RFI, the Department solicited 
public comments on this timeframe, the feasibility of covered entities 
meeting a shorter time limit, recommended time limits, and whether 
access to PHI maintained by covered entities in electronic format 
should be subject to different timeliness requirements than non-
electronic records (e.g., paper).
    Many commenters on the 2018 RFI preferred a uniform standard for 
providing access to PHI regardless of the record format (e.g., 
electronic or non-electronic). Simplicity, consistency, and uniformity 
of requirements were cited as priorities above other considerations, 
such as differing technical capabilities with respect to different 
formats. Commenters cited numerous factors other than whether the 
information is in electronic or non-electronic form that affect a 
covered entity's ability to timely fulfill access requests, such as the 
nature of the requested information, whether the records are stored 
off-site, the need for professional or legal review based on state law 
or 42 CFR part 2 requirements to segregate information that cannot be 
released at all or without authorization, and the size and complexity 
of the covered entity. Covered health care provider comments further 
described a number of factors that can affect access times for the 
production of electronic records, including PHI residing in multiple IT 
systems in varying formats and requests covering long periods of time, 
or covering a high volume of records related to complex and intensive 
medical treatment that must be collated and put into the requested 
electronic format or medium.
    Citing these factors, health care providers who commented on this 
topic generally did not believe that requiring access to electronic 
records more quickly than non-electronic records would improve the 
overall speed of providing access to all of an individual's requested 
PHI, and some commenters expressed concern that doing so may negatively 
affect timely access to non-electronic records. To support this point, 
many described how fulfilling a single access request may encompass the 
production of both electronic and non-electronic records (sometimes 
referred to as a ``hybrid'' request or record). Commenters also 
reported that applying different time requirements for different parts 
of an individual's record would add complexity, potentially creating 
additional administrative burdens and barriers to compliance.
    Of the commenters who offered specific timeframes concerning 
current practices, about half reported providing records within 15 days 
and half stated that they take up to 30 days. Health care entities 
subject to shorter response times required under state law (including 
requirements in California and Texas) \100\ commented that they are 
able to meet those shorter time limits. Also, among commenters 
providing a specific recommendation for shorter access time limits, the 
most suggested timeframe was 14 to 15 days, consistent with the 
deadlines in those states. Some commenters recommended prioritizing 
certain types of requests based on their

[[Page 6459]]

purpose: Two-thirds of organizational commenters who responded to this 
question stated that requests for continuity of care purposes or urgent 
medical needs should be prioritized.
---------------------------------------------------------------------------

    \100\ See Cal. Health & Safety Code 12110, Tex. Health & Safety 
Code 241.154 (hospitals), Tex. Occupations Code 159.006 
(physicians), and Tex. Health & Safety Code 181.102 (other providers 
with an EHR).
---------------------------------------------------------------------------

    Individual commenters described delays in obtaining access, 
including inconsistent or incomplete uploading of electronic records to 
health information exchanges, entities that routinely respond to access 
requests on day 29 with a demand for additional clarifying information 
in writing in order to process the requests, and entities that only 
respond when threatened with legal action. They also described the 
harmful effects on health when the process to access records is too 
complicated or when the provision of records is delayed or denied.
    Examples from consumers included needing to repeat tests and 
procedures because medical history information was not available, which 
is both expensive and leads to delays in needed treatment; delayed 
referrals and inaccurate diagnoses based on incomplete information; and 
lack of timely information needed for self-care. Sometimes health 
decisions have to be made quickly, and individuals need access to 
information in a timely manner to fully participate in their care or 
obtain an urgent second opinion from another medical professional.
    Among commenters that opposed shorter timelines, many stated that 
covered entities would be burdened if they had to provide access within 
a shorter period. Several commenters stated that they would have to 
increase expenditures on staff, diverting resources from treating 
patients, and at least one mentioned the need to increase investment in 
information technology. Some commenters expressed particular concern 
that shorter access time limits would place an undue burden on smaller 
entities.
b. Proposals
    To address the barriers to timely access described above, the 
Department proposes to modify the Privacy Rule as follows.
i. Requests for Access
    Section 164.524(b) of title 45 CFR currently requires covered 
entities to permit individuals exercising their right of access to 
inspect or to obtain a copy of their PHI that is contained in a 
designated record set, and permits covered entities to require access 
requests in writing, provided that the covered entity informs the 
individual of that requirement. The Department proposes to modify the 
Privacy Rule to expressly prohibit a covered entity from imposing 
unreasonable measures on an individual exercising the right of access 
that create a barrier to or unreasonably delay the individual from 
obtaining access.\101\ Specifically, in proposed new section 
164.524(b)(1)(ii),\102\ the Department proposes to clarify that, while 
an entity may require individuals to make requests for access in 
writing (as currently provided in the second sentence of section 
164.524(b)(1)), it would not be permitted to do so in a way that 
impedes access.
---------------------------------------------------------------------------

    \101\ OCR previously addressed such unreasonable measures in 
guidance. See 2016 Access Guidance, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
    \102\ The Department would redesignate section 164.524(b)(1) as 
section 164.524(b)(1)(i) and move the second sentence of such 
provision, as redesignated, to section 164.524(b)(1)(ii).
---------------------------------------------------------------------------

    To help define ``unreasonable measures'' for covered entities, the 
Department proposes to include and compare, in regulatory text, non-
exhaustive specific examples of reasonable and unreasonable measures 
that some covered entities have imposed (as described in public 
comments or individuals' complaints submitted to the Department), or 
may be likely to impose. For example, proposed section 
164.524(b)(1)(ii) compares a standard form containing the minimum 
information that is needed to process a request for access against a 
form requiring extensive information from the individual that is not 
necessary to fulfill the request; requiring the use of the form 
containing unnecessary information is an unreasonable measure. Other 
examples of unreasonable measures in the proposed regulatory text 
include requiring the individual to obtain notarization of the 
individual's signature, or accepting individuals' written requests only 
in paper form, only in person at the covered entity's facility, or only 
through the covered entity's online portal. Similarly, the Department 
proposes below to amend the Privacy Rule by adding section 
164.514(h)(2)(v) to prohibit a covered entity from imposing an 
unreasonable identity verification requirement on an individual 
attempting to exercise the right of access, and includes examples of 
such measures.
    The Department assumes a prohibition against ``unreasonable 
measures'' for requesting access would not result in adverse unintended 
consequences for individuals, but acknowledges that covered entities 
may have concerns about potential implementation burdens associated 
with this proposal. The Department solicits comment on its assumptions, 
and seeks examples of unreasonable measures that individuals and 
covered entities believe could reduce an individual's ability to 
participate in the coordination of his or her own health care. The 
Department also requests comment on burdens that covered entities 
believe may result from this proposed change.
ii. Timeliness
    As noted above, the Privacy Rule generally requires covered 
entities to respond to requests by individuals to exercise their right 
of access no later than 30 days after receipt by either providing 
access or a written denial that meets certain requirements.\103\ If the 
covered entity is unable to provide access or a written denial within 
30 days, it may extend the allowable time by no more than an additional 
30 days if the entity provides to the individual, within the initial 
30-day time limit, a written statement of the reason for the delay and 
the expected completion date.\104\
---------------------------------------------------------------------------

    \103\ 45 CFR 164.524(b)(2)(i).
    \104\ See 45 CFR 164.524(b)(2)(ii)(A) and (B).
---------------------------------------------------------------------------

    The Department believes that entities can provide individuals 
access to their information within a time limit shorter than 30 days. 
Therefore, to strengthen the individual's right of access to their PHI 
in a designated record set, the Department proposes to modify section 
164.524(b)(2)(i) and (ii) of the Privacy Rule to require that access be 
provided ``as soon as practicable,'' but in no case later than 15 
calendar days after receipt of the request, with the possibility of one 
15 calendar-day extension. Where another federal or state law (i.e., 
statute or regulation) requires a covered entity to provide an 
individual with access to the PHI requested in less than 15 calendar 
days, that shorter time limit would be deemed practicable within the 
meaning of the Privacy Rule under proposed new section 
164.524(b)(2)(iii). The Department proposes, in new section 
164.524(b)(2)(ii)(C), to also require covered entities to establish 
written policies for prioritizing urgent or other high priority access 
requests (especially those related to health and safety) so as to limit 
the need to use 15 calendar-day extensions for such requests.
    At least eight states have statutory requirements to provide 
patients with copies of their health records in less time than the 
Privacy Rule's current 30-day limits, and at least five states require 
the opportunity to view or inspect the record in fewer than 30

[[Page 6460]]

days.\105\ These access laws primarily apply to health care providers, 
including hospitals and other health facilities, but not to health 
plans. Among these states, the requirements to provide copies range 
from 10 to 15 days.
---------------------------------------------------------------------------

    \105\ See e.g., California, Cal. Health & Safety Code 123110 (5 
days to inspect; 15 days to receive a copy); Colorado, 6 Colo. Regs. 
1011:1:II-5.2 (24 hours to inspect; 10 days to receive a copy); 
Hawaii, HRS 622.57 (10 days to receive a copy); Louisiana, LSA-R.S. 
40:1165.1 (15 days to receive a copy); Montana, MCA 50-16-541(10 
days, copy and inspect); Tennessee, TCA 63-2-101 (10 days to receive 
a copy); Texas, Tex. Health & Safety Code 241.154 (hosp.) (15 days, 
copy and inspect), Tex. Occupations Code 159.006 (physicians) (15 
days to receive a copy), Tex. Health & Safety Code 181.102 (15 days 
to receive electronic copies), Tex. Admin. Code 165.2 (physicians) 
(15 days to receive a copy); and Washington, Wash. Rev. Code 
70.02.080 (15 days, copy and inspect).
---------------------------------------------------------------------------

    The Department is strongly persuaded by these examples and by 
comments from entities operating in states with 10- to 15-day access 
provisions that, when mandated, covered entities are able to adapt to 
shorter access time limits. A majority of states do not impose time 
limits on health care entities that are as short as 15 days, so access 
to PHI in those states will be markedly improved. Additionally, these 
shorter timelines would better support the Department's initiatives to 
improve health care price transparency to empower and assist consumers 
with making more informed health care decisions. In support of these 
goals, the Administration has proposed and finalized other rules to 
require health insurance issuers and plans, as well as hospitals, to 
make health care prices more readily available to consumers in real-
time. For example, in November 2019, CMS, along with the Internal 
Revenue Service, Department of the Treasury; and the Employee Benefits 
Security Administration, Department of Labor, proposed rules regarding 
transparency in coverage to give consumers real-time, personalized 
access to cost-sharing information. The proposed rules include a 
proposal for non-grandfathered health insurance plans and issuers in 
the individual and group markets to provide an estimate of 
participants', beneficiaries', and enrollees' cost-sharing liability 
for all covered health care items and services through an online self-
service tool, or in paper form, upon request. The rule also would 
require issuers and plans to disclose in-network provider negotiated 
rates and historical out-of-network allowed amounts through two 
machine-readable files posted on an internet website, thereby allowing 
the public, including personal health application developers (and other 
application developers that are not providing the application on behalf 
of or at the direction of a covered entity), to have access to health 
insurance coverage information.\106\ In addition, CMS finalized a rule 
containing price transparency requirements for hospitals.\107\ This 
rule provides that hospitals must publish on the web standard charges 
for certain items and services that could be delivered by the hospital 
to a patient, as well as display the price for bundled ``shoppable'' 
services that patients would likely schedule in advance, thereby 
informing the patient's selection of a hospital for scheduled 
procedures.\108\ While many health plans have already provided pricing 
calculators as an online tool where individuals may access 
individualized estimates of out-of-pocket costs, not all individuals 
have equal access to or the ability to utilize internet resources. The 
proposed Privacy Rule modification would help address this gap in 
access by applying time limits to providing both electronic and non-
electronic PHI the individual may need, such as health conditions and 
recommended treatment options, to conduct meaningful searches for 
pricing information. This proposed rule would extend and support the 
goals of these price transparency initiatives.
---------------------------------------------------------------------------

    \106\ See 84 FR 65464 (November 27, 2019).
    \107\ Medicare and Medicaid Programs: CY 2020 Hospital 
Outpatient PPS Policy Changes and Payment Rates and Ambulatory 
Surgical Center Payment System Policy Changes and Payment Rates; 
Price Transparency Requirements for Hospitals to Make Standard 
Charges Public, 84 FR 65524 (November 27, 2019).
    \108\ Ibid.
---------------------------------------------------------------------------

    Therefore, the Department proposes to amend the individual access 
right provisions to require covered entities to provide copies of PHI 
as soon as practicable, but no later than 15 calendar days (with the 
possibility of one 15 calendar-day extension) or where another federal 
or state law requires a covered entity to provide an individual with 
access to the PHI requested in less than 15 calendar days, that shorter 
time period will be deemed practicable under the Privacy Rule. The same 
timeliness requirements would be applied when an individual requests 
direct access under proposed 45 CFR 164.524(b)(2) and when an 
individual requests that an electronic copy of PHI in an EHR be 
directed to a third party under proposed 45 CFR 164.524(d)(5).
    To limit compliance complexity, the Department proposes to 
uniformly apply this timeliness requirement, regardless of the form or 
format of the PHI (e.g., paper or electronic). The Department proposes 
to explicitly refer to calendar days as the units of time. The 
Department believes that the current 30-day limit is already understood 
to be calendar days, and the 2016 Access Guidance also uses the term 
``calendar days.'' \109\ Thus, the proposed addition of the reference 
to calendar days would not be a material change, but a clarification.
---------------------------------------------------------------------------

    \109\ See 2016 Access Guidance, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
---------------------------------------------------------------------------

    The Department also proposes to add a requirement that a covered 
entity may use one 15-day extension of time for providing access to 
requested PHI if it has established a policy to address urgent or high-
priority requests. This proposal is not intended to limit the use of 
extensions to urgent or high-priority requests, but to provide 
flexibility for entities that have this type of policy. The Department 
does not propose to define what constitutes an urgent or high priority 
request, and does not intend with this proposal to encourage covered 
entities to require individuals to reveal the purposes for their 
requests for access. However, examples of urgent or high priority 
requests could include when an individual voluntarily reveals that the 
PHI is needed in preparation for urgent medical treatment, or that the 
individual needs documentation of a diagnosis of severe asthma to be 
allowed to bring medication to school.
    Finally, the Department also proposes at 45 CFR 164.524(c)(3) to 
expressly provide that, while a covered entity may discuss aspects of 
the individual's access request with the individual before fulfilling 
the individual's request, such clarification of the request would not 
extend the time limit for providing access. This modification would put 
into regulatory language the Department's interpretation of the access 
deadlines in the 2016 Access Guidance \110\ and help address situations 
described in public comments in which covered entities contact 
individuals for the first time near the end of the initial compliance 
deadline to discuss the request or obtain additional information, and 
then take unnecessary additional time beyond that initial deadline to 
fulfill the request.
---------------------------------------------------------------------------

    \110\ ``These timelines apply regardless of whether . . . [t]he 
covered entity negotiates with the individual on the format of the 
response. Covered entities that spend significant time before 
reaching agreement with individuals on format are depleting the 30 
days allotted for the response by that amount of time.'' Available 
at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
---------------------------------------------------------------------------

    Shortening and clarifying the Privacy Rule time limits for access 
requests would strengthen individuals' rights with respect to their 
health information, advance the aims of patient-directed

[[Page 6461]]

health care, and enhance care coordination.
4. Addressing the Form of Access
    The Privacy Rule requires a covered entity to provide the 
individual with access to the PHI in the form and format requested, if 
readily producible in that form and format, or if not, in a readable 
hard copy form, or other form and format as agreed to by the covered 
entity and individual.\111\ If the individual requests electronic 
access to PHI that the covered entity maintains electronically, the 
covered entity must provide the individual with access to the 
information in the requested electronic form and format, if it is 
readily producible in that form and format, or if not, in an agreed 
upon alternative, readable electronic format.\112\ The Department 
intends for the phrase ``readily producible in that form and format'' 
to refer to how the PHI is produced to the individual or to a third 
party designated by the individual to receive a copy of PHI and the 
form (e.g., on paper or electronically) and format (e.g., the type of 
electronic file, etc.) of the PHI that is transmitted. As new forms of 
information and communications technologies emerge, the ``form and 
format'' and the ``manner'' of producing or transmitting a copy of 
electronic PHI may become indistinguishable. For example, if a covered 
entity or its EHR developer business associate has chosen to implement 
a secure, standards-based API--such as one consistent with ONC's Cures 
Act certification criteria,\113\ and the covered entity's Security Rule 
obligations--that is capable of providing access to ePHI in the form 
and format used by an individual's personal health application, that 
ePHI is considered to be readily producible in that form and format, 
and that is also the manner by which the ePHI is transmitted. Where 
ePHI is readily producible in the electronic form and format requested 
by the individual, the covered health care provider must provide that 
access, including when the individual requests access to the ePHI 
through a secure, standards-based API via the individual's personal 
health application.\114\
---------------------------------------------------------------------------

    \111\ See 45 CFR 164.524(c)(2)(i).
    \112\ See 45 CFR 164.524(c)(2)(ii).
    \113\ ONC has finalized significant updates to its certification 
criteria at 45 CFR parts 170 and 171. See 85 FR 25642 (May 1, 2020).
    \114\ See proposed 45 CFR 164.501 definition of personal health 
application: Personal health application means an electronic 
application used to access health information on an individual, 
which can be drawn from multiple sources, provided that such 
information is managed, shared, and controlled by or primarily for 
the individual, and not by or primarily for a covered entity. The 
Privacy Rule does not require a covered entity to implement an API 
for electronic transmission of an electronic copy of PHI to an 
individual. Covered entities that transmit ePHI electronically, 
through an API or by other means, are subject to the Security Rule 
requirements to ensure the confidentiality, integrity and 
availability of the ePHI they transmit. See 45 CFR 164.306, Security 
standards: General rules. See 45 CFR Subparts A and C for the 
complete Security Rule.
---------------------------------------------------------------------------

    The Department is examining how best to address individuals' 
privacy and security interests when they use a personal health 
application that receives PHI from a covered entity and has outlined 
several approaches in the request for comment at the end of this 
section. The Department requests information about the costs and 
benefits of options for educating individuals in a manner that does not 
delay or create a barrier to access. The options presented are 
consistent with the intent expressed in the ONC Cures Act Final Rule: 
Although ``an actor may not prevent an individual from deciding to 
provide its EHI to a technology developer or application despite any 
risks noted regarding the application itself or the third party 
developer,'' ONC ``strongly encourage[s] actors to educate patients and 
individuals about the risks of providing other entities or parties 
access to their EHI.'' \115\
---------------------------------------------------------------------------

    \115\ 85 FR 25642, 25815 (May 1, 2020).
---------------------------------------------------------------------------

    In addition, the Department proposes, at 45 CFR 164.524(c)(2)(iii), 
to provide that if other federal or state law (e.g., a statute or 
regulation) requires an entity (which may include a business associate 
acting on behalf of a covered entity) to implement a technology or 
policy that would have the effect of providing an individual with 
access to his or her PHI in a particular electronic form and format 
(e.g., if a federal law required the provision of access via secure, 
standards-based API), such form and format would be deemed ``readily 
producible'' for purposes of compliance in fulfilling requests for such 
PHI under 45 CFR 164.524(c)(2)(i) and (ii). This would mean, for 
example, that if a covered health care provider refused to provide an 
electronic copy of PHI in response to an individual's request for 
access via a secure API despite the provider's having implemented a 
secure API established within the provider's EHR for this purpose, the 
provider would be in violation of the requirement to provide the 
requested PHI in the form and format requested if readily 
producible.\116\ In contrast, if the same covered health care provider 
required all applications to register before providing access via its 
secure API, imposing this requirement would not constitute a denial of 
access in the form and format requested, provided that the registration 
process did not exclude or prevent a personal health application that 
was capable of securely connecting to the secure API from so 
connecting.\117\
---------------------------------------------------------------------------

    \116\ Note that unlike the HIPAA Rules, the ONC Cures Act Final 
Rule defines access for the purposes of the information blocking 
provision as ``the ability or means necessary to make EHI available 
for exchange, use, or both.'' See 45 CFR 171.102.
    \117\ HIPAA does not convey authority to impose security 
standards on a personal health application that is not a covered 
entity or a business associate. However, the ONC Cures Act Final 
Rule at 45 CFR 171.203 provides an exception to what is considered 
information blocking when the actor's practice that is likely to 
interfere with the access, exchange, or use of electronic health 
information is done in order to protect the security of electronic 
health information. An actor whose practices met this security 
exception would not be subject to civil money penalties for 
information blocking under 45 CFR 1003.1400 of the HHS OIG proposed 
rule. See 85 FR 22979 (April 24, 2020).
---------------------------------------------------------------------------

    The Department seeks comments on related situations: Whether to 
require a health care provider that has EHR technology that 
incorporates a secure, standards-based API without extra cost, to 
implement the API; whether to require a health care provider that could 
implement such an API at little cost to do so; and how to measure the 
level of cost that would be considered a reasonable justification for 
not implementing an API.
    Section 164.524(c)(2)(iii) of the current Privacy Rule, which would 
be redesignated as sections 164.524(c)(2)(iv) and 164.524(d)(4), allows 
a covered entity to provide a summary in lieu of providing access to 
the requested PHI, or an explanation of the PHI to which access has 
been provided, if the individual agrees. To ensure that individuals are 
able to fully exercise their right of access, the Department proposes 
to add new sections 164.524(c)(2)(iv)(B) and 164.524(d)(4)(ii) to 
require that, when a covered entity offers a summary in lieu of access, 
it must inform the individual that the individual retains the right to 
obtain a copy of the requested PHI (or direct an electronic copy of PHI 
in an EHR to a third party) if they do not agree to receive the 
summary. The proposed requirement would not apply when the covered 
entity offers a summary because it is denying the request for a copy on 
unreviewable or reviewable grounds, in which case the covered entity 
must implement the required procedures for such denial. For example, if 
a covered physician offered to provide a summary in lieu of an entire 
medical record requested by an individual (or in lieu of ``all PHI 
about the individual in a designated record set,'' if that is the 
request), the physician would be required to inform the individual of 
the

[[Page 6462]]

right to obtain all of the PHI requested. In contrast, if a covered 
psychologist offered to provide a summary in lieu of requested 
psychotherapy notes, the psychologist would be required to follow the 
implementation specifications for denial of access, including providing 
a written denial and making other information accessible, such as 
mental health records that are not psychotherapy notes, as defined in 
the Privacy Rule.
5. Addressing the Individual Access Right To Direct Copies of PHI to 
Third Parties
a. Current Provisions and Issues To Address
    The Privacy Rule right of access requires covered entities to 
transmit a copy of PHI directly to another person designated by the 
individual when directed by the individual.\118\ Under the current 
regulatory provision, the request must be in writing, signed by the 
individual, and clearly identify the designated person and where to 
send the copy of the PHI. The designated recipient (the ``third 
party'') may be a family member or caregiver, a health care provider, a 
researcher, or any other person or entity the individual (or their 
personal representative) chooses.
---------------------------------------------------------------------------

    \118\ See 45 CFR 164.524(c)(3)(ii). As discussed above, the 
Department is not enforcing the elements of this regulatory 
provision that apply to directing non-electronic copies of PHI or 
copies of PHI that are not in an EHR.
---------------------------------------------------------------------------

    The access right to direct a copy of PHI to a third party is 
distinct from the provision that permits a covered entity to disclose 
PHI to a third party with an individual's valid authorization in at 
least four key respects: \119\ (1) The mandatory versus permissive 
nature of the disclosure; (2) the manner in which the request is made 
(e.g., with or without a form containing required elements); (3) the 
form and format of the information provided; and (4) the fees that may 
be charged. Under the right of access, the individual requests the 
desired PHI in a designated record set, for whatever purpose he or she 
wishes, and the covered entity that maintains the PHI is required to 
respond within a certain period of time and to comply with certain form 
and format requirements in 45 CFR 164.524, and is subject to access fee 
limits. In contrast, the Privacy Rule specifically designed the 
authorization requirements to ensure that individuals agree to the 
specific uses or disclosures, including the purposes for the uses or 
disclosures, and that they understand and know how to exercise their 
rights. Therefore, an authorization states the purpose for the request, 
describes the PHI requested in a specific and meaningful fashion, and 
includes a statement explaining the individual's right to revoke the 
authorization (among other information). The covered entity that 
receives the individual's valid authorization is permitted, but not 
required, to disclose the PHI as requested, and may charge the 
individual for costs beyond those that may be included in a fee for 
providing copies of PHI pursuant to the right of access.
---------------------------------------------------------------------------

    \119\ See 45 CFR 164.508.
---------------------------------------------------------------------------

    The right of access does not specifically address provider-to-
provider exchanges of PHI because the Privacy Rule permits such 
disclosures without the individual's authorization for treatment, 
payment, and health care operations, among other specified purposes. 
The Privacy Rule also does not address fees for those disclosures. 
However, the Department believes that some patients have been using the 
right to direct PHI to a third party as a means of having one covered 
health care provider send records to another provider. The proposed 
changes to the right to direct copies of PHI to third parties, such as 
limiting the right to electronic copies in an EHR and allowing fees for 
copying ePHI onto electronic media may affect those exchanges of PHI, 
if health care providers choose to charge fees when sending copies of 
PHI to other providers when previously they did not.
b. Proposals
    The Department proposes to create a separate set of provisions for 
the right to direct copies of PHI to a third party at subsection (d) of 
45 CFR 164.524. Proposed subsection (d) will better align the Privacy 
Rule with the HITECH Act right to direct to a third party only 
electronic copies of PHI in an EHR,\120\ expand an individual's ability 
to submit an oral, electronic, or written request for a covered health 
care provider to transmit an electronic copy of PHI in an EHR to a 
designated third party in proposed 45 CFR 164.524(d)(1), and expand the 
access right to empower individual-directed sharing of electronic 
copies of PHI in an EHR (as the Department proposes to define 
electronic health record in 45 CFR 164.501) among covered health care 
providers and health plans as proposed in 45 CFR 164.524(d)(7). The 
Department believes that only covered health care providers would be 
responsible for fulfilling an individual's access request under these 
proposals because the Department believes other covered entities do not 
have an EHR as that term is defined in the HITECH Act (i.e., an 
electronic record of health-related information on an individual that 
is created, gathered, managed, and consulted by authorized health care 
clinicians and staff). The Department seeks comment on this assumption.
---------------------------------------------------------------------------

    \120\ See 42 U.S.C. 17935(e).
---------------------------------------------------------------------------

    Under the first part of this proposal, at 45 CFR 164.524(d)(1), 
requests to direct copies of PHI to a third party will be limited to 
only electronic copies of PHI in an EHR. Therefore, if an individual 
directs a covered health care provider to transmit an electronic copy 
of PHI contained in an EHR (as defined in proposed 45 CFR 164.501) to a 
third party, the covered health care provider must provide a copy of 
the requested PHI to the person designated by the individual.
    The Ciox v. Azar decision noted that the HITECH Act ``says nothing 
about a right to transmit PHI contained in any format other than an 
EHR.'' \121\ The Department believes that the Ciox v. Azar decision 
precludes a proposal to require covered health care providers to 
provide electronic copies of PHI to third parties designated by the 
individual in the form and format requested by the individual. However, 
the Department encourages covered health care providers, when feasible, 
to provide copies to third parties in the electronic format requested 
by the individual. There are many formats in which ePHI can be saved 
and transmitted that are accessible, readable, and usable by a third 
party designated by an individual to receive the individual's PHI. For 
example, the portable document format (PDF) was created specifically to 
present readable electronic documents independent of hardware, 
software, and operating systems. Other electronic formats are 
accessible, usable, and readable because of the popularity of the 
format (e.g., files saved in .doc and .docx format). The 2013 Omnibus 
Rule preamble referred to these formats as examples of electronic 
formats that covered entities could use when providing ePHI in response 
to a right of access request to ensure patients could read and use the 
PHI they request.\122\ In addition, ONC and CMS are promoting the use 
of the Fast Healthcare

[[Page 6463]]

Interoperability Resources (FHIR) standard, which covered health care 
providers can adopt as an electronic format, to achieve 
interoperability and easy exchange of health information.\123\
---------------------------------------------------------------------------

    \121\ See Ciox v. Azar, No. 18-cv-0040-APM, memorandum op. at 
46.
    \122\ ``The Department considers machine readable data to mean 
digital information stored in a standard format enabling the 
information to be processed and analyzed by computer. For example, 
this would include providing the individual with an electronic copy 
of the protected health information in the format of MS Word or 
Excel, text, HTML, or text-based PDF, among other formats.'' See 78 
FR 5566, 5631.
    \123\ See 45 CFR 170.215, Application Programming Interface 
Standards, adopted by ONC at 85 FR 25642, 25941 and ONC's Fact 
Sheet, ``The ONC Cures Act Final Rule'' available at https://www.healthit.gov/cures/sites/default/files/cures/2020-03/TheONCCuresActFinalRule.pdf; See also 85 FR 25510, 25521, explaining 
that CMS-regulated entities must adopt 45 CFR 170.215 to implement 
and maintain a standard-based Patient Access API to support data 
exchange and empower patients through use of technology (``apps'').
---------------------------------------------------------------------------

    However, in some cases, ePHI might be exported from legacy health 
IT systems in a proprietary format that would be unreadable for the 
average person. Further, many data systems offer the capability to 
export data in multiple formats for portability, and not all of the 
formats are equally accessible, usable, and readable. For example, a 
comma-separated value (CSV) file is a common format for sharing data 
between databases and spreadsheets. However, if a designated third 
party received PHI in a CSV file from a covered health care provider, 
the third party may lack the necessary context to read and use such 
information. Because the right to direct PHI to a third party is a part 
of the individual right of access, the Department encourages covered 
health care providers to respond to such requests in a manner that does 
not frustrate individuals' efforts to exercise those rights in a 
meaningful way or potentially require the individual to make a second 
request to obtain a copy of the requested information directly.
    As discussed above in reference to individual access, as new forms 
of information and communications technologies emerge, the ``form and 
format'' and the ``manner'' of producing or transmitting a copy of 
electronic PHI may become indistinguishable. For example, if a covered 
entity has implemented a secure, standards-based API that is capable of 
providing access to ePHI in the form and format used by an individual's 
personal health application, that ePHI is considered to be readily 
producible in that form and format, and that is also the manner by 
which the ePHI may be directed to a third party.
    Under the second part of this proposal, in proposed 45 CFR 
164.524(d)(1), a covered health care provider would be required to 
respond to an individual's request to direct an electronic copy of PHI 
in an EHR to a third party designated by the individual when the 
request is ``clear, conspicuous, and specific''--which may be orally or 
in writing (including electronically executed requests).\124\ The 
proposed requirement would replace the current requirement that a 
request to direct an electronic copy of PHI in an EHR be in writing, 
signed by the individual, and clearly identify the designated person 
and where to send the copy of the PHI.\125\
---------------------------------------------------------------------------

    \124\ The exceptions to this right are parallel to the existing 
exceptions to the individual right of access in 45 CFR 164.524(a)(1) 
for psychotherapy notes and information compiled in anticipation of, 
or for use in, legal proceedings or unreviewable or reviewable 
grounds of denial.
    \125\ See 45 CFR 164.524(c)(3)(ii).
---------------------------------------------------------------------------

    Under these proposals, a written access request such as that 
contemplated in the current rule would be one means of exercising this 
right of access, but an oral request could also be actionable if it is 
clear, conspicuous, and specific. For example, an oral request that 
identifies the designated recipient and where to send the PHI could 
meet this standard. Additionally, this provision would allow an 
individual to use an internet-based method,\126\ such as a personal 
health application, to submit an access request to their health care 
provider to direct an electronic copy of their PHI in an EHR to a third 
party, so long as it is ``clear, conspicuous, and specific.''
---------------------------------------------------------------------------

    \126\ This NPRM uses ``internet-based method'' to include online 
patient portals, mobile ``apps,'' and successor technologies.
---------------------------------------------------------------------------

    The third part of this proposal, at 45 CFR 164.524(d)(7), would 
create a requirement within the right of access for a covered health 
care provider or health plan to facilitate an individual's request to 
direct an electronic copy of PHI in an EHR to a third party designated 
by the individual, which in this case would be the covered entity 
facilitating the request. If an individual makes a clear, conspicuous, 
and specific request that his or her covered health care provider or 
health plan (``Requester-Recipient'') obtain an electronic copy of PHI 
in an EHR from one or more covered health care providers 
(``Discloser''), Requester-Recipient would be required to submit the 
individual's request to Discloser, as identified by the 
individual.\127\ This requirement would apply when an individual is an 
existing or prospective new patient or a current member (or dependent) 
of Requester-Recipient, and is limited to directing electronic copies 
of PHI in an EHR back to Requester-Recipient. (The proposed rule would 
not require Requester-Recipient to determine whether the potential 
Discloser is a covered health care provider before submitting the 
individual's request.) Under this proposal, the individual may make the 
request orally if the request is clear, conspicuous, and specific. 
Requester-Recipient may document and submit the oral request in writing 
or electronically, or, if Discloser accepts oral requests for records 
from other health care providers or from health plans, Discloser could 
use its established procedures for accepting and verifying such 
requests.
---------------------------------------------------------------------------

    \127\ Discloser is an entity that maintains or previously 
maintained an individual's PHI, so it will have had a relationship 
with the patient, unless the request is made in error.
---------------------------------------------------------------------------

    The HITECH Act right of an individual to direct an electronic copy 
of their PHI in an EHR to a third party does not limit the type of 
entity that may be designated as a third party recipient. As such, 
covered entities already are potential third party recipients under the 
right of access, if designated as such by an individual. Under this 
proposal, a Requester-Recipient would be required to assist an 
individual in submitting their request for Discloser to direct PHI in 
an EHR maintained by or on behalf of the Discloser to Requester-
Recipient; however, the Department does not propose to change any 
obligations of the Requester-Recipient once it receives the PHI. For 
example, the Privacy Rule does not require that a covered health care 
provider retain PHI it receives about individuals, and the Department 
does not propose to change this. While Requester-Recipient might be 
subject to a records retention requirement under state law, its 
obligations with respect to PHI it receives as a designated third party 
would be no different under this proposal than its existing obligations 
when it receives ePHI from other health care providers, e.g., for 
treatment, payment, or health care operations (TPO) purposes. The 
Department believes this conclusion holds true whether the disclosure 
of PHI is pursuant to a valid authorization, or to a third party 
designated by an individual pursuant to an access request. The 
Department welcomes examples and comment on this assumption.
    In summary, the proposed requirement offers a second mechanism (in 
addition to the permitted disclosure for TPO) for a covered health care 
provider or health plan to obtain an electronic copy of PHI in an EHR 
from another covered health care provider through a required disclosure 
initiated by an individual's exercise of the right of access. This 
requirement differs from the scenario in which, for example, one 
provider queries a health information system or health information 
exchange (HIE) for records from another provider pursuant to an 
applicable disclosure

[[Page 6464]]

permission, such as for treatment or health care operations purposes.
    The Department's proposal would require that Requester-Recipient 
submit such access requests to Discloser on behalf of the individual as 
soon as practicable, but no later than 15 calendar days after receiving 
the individual's direction and any information the Requester-Recipient 
needs to submit the access request to Discloser. For example, Discloser 
may need the name and birthdate of the individual, as well as the name 
of the Requester-Recipient, a link to a secure electronic document 
exchange portal, or a physical address where the Discloser may deliver 
electronic media. The time limit for Requester-Recipient to submit an 
individual's access request to Discloser would be distinct from covered 
entities' obligations to provide copies in response to an individual's 
access request, and a 15 calendar day extension would not be available 
to Requester-Recipient when submitting the request. Pursuant to the 
access right to direct an electronic copy of PHI in an EHR to a third 
party, Discloser would be required to provide the requested electronic 
copy to Requester-Recipient according to the shorter time proposed for 
all access requests when the individual directs the information to a 
third party under 45 CFR 164.524(d)(5) (``as soon as practicable, but 
not later than 15 calendar days after receiving the request''), 
provided that the request is clear, conspicuous, and specific. The 
proposal would permit one 15 calendar day extension under the same 
conditions described above with respect to the Discloser fulfilling 
other access requests. Thus, Requester-Recipient would be required to 
submit an individual's clear, conspicuous, and specific request to 
Discloser within 15 calendar days of receipt of the request from the 
individual, and Discloser would then be required to respond by 
providing the electronic copy to Requester-Recipient, in accordance 
with proposed 45 CFR 164.524(d)(7). As explained above with respect to 
requests to direct electronic copies of PHI in an EHR to a third party, 
individuals may choose to use an internet-based method, such as a 
personal health application, to ask Requester-Recipient to submit a 
request to Discloser to transmit an electronic copy of the individual's 
PHI in an EHR to Requester-Recipient, so long as it is ``clear, 
conspicuous, and specific.'' The Department welcomes comments on 
whether a Requester-Recipient should be permitted to refuse to submit a 
request for an individual in some circumstances (e.g., if it already 
has the requested information), and whether the Department should 
specify in regulatory text that if a Requester-Recipient discusses the 
request with the individual (e.g., to clarify the request or explain 
how the request could be changed to be more useful in meeting the 
individual's health needs), such discussion does not extend the time 
limit for submitting the request.
    The Department also seeks comments on approaches it may take to 
clarify that the Privacy Rule permits covered entities to use HIEs to 
make ``broadcast'' queries on behalf of an individual to determine 
which covered entities have PHI about the individual and request copies 
of that PHI. Section 164.506(c)(1) permits a covered entity to disclose 
PHI for its own health care operations purposes, including customer 
service activities, which could include forwarding an access request to 
other providers using a trusted exchange network. The Department is 
considering approaches to clarifying this permission to enhance the 
right of access and seeks comment on how to do so effectively.
    The Department's proposal regarding individual-directed disclosures 
of PHI in an EHR among certain covered entities would strengthen and 
clarify the individual's ability to direct the sharing of such PHI. The 
proposed changes are not intended to replace or frustrate prompt 
transfers of PHI and ePHI that covered health care providers and health 
plans already make voluntarily for purposes of treatment, payment, and 
health care operations. Instead, as was urged by commenters on the 2018 
RFI, the proposed changes would require covered entities to submit 
certain requests for PHI and require covered health care providers to 
make certain disclosures, pursuant to the exercise of the individual's 
right to access. This mechanism creates a new required disclosure to 
covered entities, but in a manner that respects individual preferences 
and control over the disclosure of PHI through his or her exercise of 
the right of access.
    Finally, parallel to the proposal with respect to the individual 
right to obtain copies of PHI (and discussed in III.a.4), the 
Department proposes to require covered entities to inform individuals 
about their right to direct the requested electronic copies of PHI in 
an EHR to designated third parties when a covered entity offers to 
provide a summary in lieu of the requested copies of PHI in 45 CFR 
164.524(d)(4)(ii). Consistent with the earlier proposal, the new 
requirement would not apply when the covered entity offers a summary 
because it is denying the request for a copy on unreviewable or 
reviewable grounds, in which case the covered entity must implement the 
required procedures for such denial.
6. Adjusting Permitted Fees for Access to PHI and ePHI
a. Current Provisions and Issues To Address
    The Privacy Rule allows covered entities to charge a reasonable, 
cost-based fee to fulfill access requests from individuals for copies 
of their PHI. Section 45 CFR 164.524(c)(4) limits the allowable fees to 
the costs of (i) labor for copying (whether the PHI is in paper or 
electronic form), (ii) supplies for creating the paper copy or 
electronic media if requested, (iii) postage, and (iv) preparing any 
agreed-upon summary or explanation of the requested PHI. Section 
13405(e) of the HITECH Act expands the individual right of access to 
include the right to direct an electronic copy of PHI in an EHR to a 
third party. Because the HITECH Act expressly placed the new right 
within 45 CFR 164.524, the long established right of access, the 
Department interpreted the 2013 Omnibus Rule as applying the component 
parts of the existing access right to the new type of access right. 
This interpretation applied the limitation on fees that covered 
entities may charge individuals exercising the access right. However, 
the Department first explained its interpretation in the 2016 Access 
Guidance, not the 2013 Omnibus Rule. As a result, the Ciox v. Azar 
court found that the Department had improperly imposed the fee 
limitations in the access right to direct a copy of PHI to a third 
party without notice and comment rulemaking. This NPRM proposes to 
place modified fee limitations in regulatory text and requests public 
comment on all aspects of the proposal.
b. Proposal
    The Department proposes to modify the access fee provisions to 
establish a fee structure with two elements based on the type of access 
request. The first element describes categories of access for which 
covered entities cannot charge a fee. The second element describes the 
allowable costs that may be included when an access fee is permitted. 
The modified fee provisions will be separately located within the 
enumerated sections for the individual right to inspect and obtain 
copies of PHI and for the right to direct electronic copies of PHI in 
an EHR to third parties, as summarized below.
    For the individual right to inspect PHI and to obtain copies of PHI 
about the individual, fees would be:

[[Page 6465]]

    (1) Always free of charge (i.e., no fee permitted) in proposed 45 
CFR 164.524(c)(4)(ii), when:

    (a) an individual inspects PHI about the individual in person, 
which may include recording or copying PHI in a designated record 
set with the individual's own device(s) or resource(s).
    (b) an individual uses an internet-based method to view or 
obtain a copy of electronic PHI maintained by or on behalf of the 
covered entity. This includes, for example, access obtained by an 
individual through the covered entity's certified health IT (e.g., 
the ``view, download, and transmit'' criterion at 45 CFR 170.315), 
or by a personal health application connecting to secure standards-
based APIs,\128\ consistent with applicable federal or state law. 
The Department intends that such access would be provided without 
charging a fee to the individual or the personal health application 
developer.
---------------------------------------------------------------------------

    \128\ See e.g., 85 FR 25642, 25645 (May 1, 2020), discussing ONC 
adoption of API certification criteria at 45 CFR 170.213 and 215.
---------------------------------------------------------------------------

    (2) A reasonable, cost-based fee, in proposed 45 CFR 
164.524(c)(4)(i), provided that the fee includes only the cost of:

    (a) Labor for copying the PHI requested by the individual in 
electronic or non-electronic (e.g., paper, film) form;
    (b) Supplies for making non-electronic copies;
    (c) Actual postage and shipping for mailing non-electronic 
copies; and
    (d) Preparing an explanation or summary of electronic or non-
electronic PHI, if agreed to by the individual as provided in 
paragraph (c)(2)(iii) when an individual requests an electronic or 
non-electronic copy of PHI about the individual through a means 
other than an internet-based method.

    For the right to direct an electronic copy of PHI in an EHR to a 
third party, the fees would be:
    Under proposed 45 CFR 164.524(d)(6), a reasonable, cost-based fee 
for an access request to direct a covered health care provider to 
transmit an electronic copy of PHI in an EHR to a third party through 
other than an internet-based method, provided that the fee includes 
only the cost of:
    (a) Labor for copying the PHI requested by the individual in 
electronic form; and
    (b) Preparing an explanation or summary of the electronic PHI, if 
agreed to by the individual as provided in paragraph (d)(4).
    This category would apply to requests for a copy of PHI that cannot 
be fulfilled through an automated process. For example, requests to 
copy PHI in an EHR onto electronic media and mail it to a physical 
address would fall within this category.
    A summary of how different types of access and recipients of the 
PHI would affect the proposed allowable access fees is outlined in the 
chart below.
---------------------------------------------------------------------------

    \129\ See e.g. 45 CFR 170.315(b)(10) Data export functionality, 
as added by ONC Final Rule, 85 FR 25642 (May 1, 2020).
---------------------------------------------------------------------------

------------------------------------------------------------------------
        Type of access           Recipient of PHI      Allowable fees
------------------------------------------------------------------------
In-person inspection--          Individual (or     Free.
 including viewing and self-     personal
 recording or -copying.          representative).
Internet-based method of        Individual.......  Free.
 requesting and obtaining
 copies of PHI (e.g., using
 View-Download-Transmit
 functionality (VDT), or a
 personal health application
 connection via a certified-
 API technology).
Receiving a non-electronic      Individual.......  Reasonable cost-based
 copy of PHI in response to an                      fee, limited to
 access request.                                    labor for making
                                                    copies, supplies for
                                                    copying, actual
                                                    postage & shipping,
                                                    and costs of
                                                    preparing a summary
                                                    or explanation as
                                                    agreed to by the
                                                    individual.
Receiving an electronic copy    Individual.......  Reasonable cost-based
 of PHI through a non-internet-                     fee, limited to
 based method in response to                        labor for making
 an access request (e.g., by                        copies and costs of
 sending PHI copied onto                            preparing a summary
 electronic media through the                       or explanation as
 U.S. Mail or via certified                         agreed to by the
 export functionality) \129\.                       individual.
Electronic copies of PHI in an  Third party as     Reasonable cost-based
 EHR received in response to     directed by the    fee, limited to
 an access request to direct     individual         labor for making
 such copies to a third party.   through the        copies and for
                                 right of access.   preparing a summary
                                                    or explanation
                                                    agreed to by the
                                                    individual.
------------------------------------------------------------------------

    The proposed approach, described in further detail below, also 
would allow covered entities to recoup their costs for handling certain 
requests to send copies of PHI to third parties, while ensuring that 
covered entities do not profit from disclosures of PHI made at the 
individual's request.

(1)(a) No fees permitted when an individual inspects PHI in person, 
including taking notes, photographs, or using other personal resources 
to view or capture the information.

    As noted above, the current Privacy Rule permits a covered entity 
to impose a reasonable, cost-based fee for providing copies of PHI that 
may include only the cost of labor for copying the PHI requested; 
supplies for creating the copy (e.g., paper, electronic media); postage 
for mailing the copy to the individual, where applicable; and, if 
agreed to by the individual, preparation of an explanation or summary 
of the PHI. The Rule contains no provision permitting fees to be 
charged for inspection of PHI by the individual who is the subject of 
the PHI. The Department believes that a covered entity does not incur 
labor costs for copying, and is unlikely to incur costs for supplies, 
when providing the individual the opportunity to inspect PHI in person 
and use his or her own personal resources to capture the information. 
Therefore, the Department proposes to expressly provide that the 
covered entity may not charge a fee to an individual who exercises the 
right to inspect their PHI in person.
    Based on its beliefs regarding likely costs, the Department 
proposes to expressly require that covered entities allow an individual 
to exercise the access right to inspect their PHI in person without 
charging a fee.\130\ Inspecting PHI may include viewing the information 
on a patient portal, which could be made available in person for the 
individual at the point of care in conjunction with a health care 
appointment or at a medical records office.
---------------------------------------------------------------------------

    \130\ This proposal is consistent with the Department's 
interpretation of this issue in guidance. See also FAQ #2035, 
available at https://www.hhs.gov/hipaa/for-professionals/faq/2035/can-an-individual-be-charged-a-fee-if-the-individual/index.html.
---------------------------------------------------------------------------

[[Page 6466]]

    The Department requests comment on any new costs that covered 
entities would likely incur when providing individuals with 
opportunities to inspect their PHI in this manner in person at the 
covered entity's facility.

(1)(b) No fees permitted when an individual uses an internet-based 
method to view and capture or obtain an electronic copy of PHI 
maintained by or on behalf of the covered entity.

    The Department believes that access through an internet-based 
method likely occurs without involvement of covered entity workforce 
members, and thus believes that the covered entity likely incurs no 
allowable labor costs or expenses. The Department requests comment on 
its view of the costs of providing access through an internet-based 
method, including any internet-based methods described in the ONC Cures 
Act Final Rule.
    Based on its views regarding costs, and to further the policy goal 
of removing unnecessary barriers to individuals' exercise of the right 
of access, the Department proposes to prohibit covered entities from 
charging a fee to provide access through an internet-based method, as 
described below. While covered entities currently use patient portals 
and APIs to provide individuals and/or their designated third party 
recipients with electronic access, the Department proposes that the 
term ``internet-based method'' would apply to portals and APIs, as well 
as similar successor technologies. The Department does not intend free 
access to apply to situations where the individual is simply using an 
online portal to submit a request for copies of PHI to be sent to him 
or her in a manner that would require the covered entity to incur 
allowable costs for supplies, postage, or labor for copying.

(2)(a) Access requests by an individual for a non-electronic copy of 
PHI through other than an internet-based method would remain subject to 
the individual access fee limitations.

    When providing copies of PHI to an individual, covered entities 
would remain subject to the current access fee limits.\131\ This would 
include only labor for copying PHI in non-electronic form, supplies for 
creating the non-electronic copy, actual postage for mailed copies, and 
the costs of preparing a requested summary or explanation of the PHI.
---------------------------------------------------------------------------

    \131\ See 45 CFR 164.524(c)(4).
---------------------------------------------------------------------------

(2)(b) Access requests by an individual for an electronic copy of PHI 
through other than an internet-based method would be subject to a 
reasonable, cost-based fee that is limited to the costs of: (i) Labor 
for making electronic copies of the PHI, and (ii) preparing a summary 
or explanation as agreed to by the individual.

    The Department understands that such methods may require special 
effort on the part of the covered entity, which may include, for 
example, copying PHI onto electronic media and mailing it to the 
individual or, under some circumstances, using the export functionality 
of certified EHR technology to transmit ePHI.\132\ The costs of 
electronic media and postage would not be allowed for providing 
electronic copies of PHI by any method. Pursuant to section 13405(e) of 
the HITECH Act, ``any fee that the covered entity may impose for 
providing [an] individual with a copy of such information (or a summary 
or explanation of such information) if such copy (or summary or 
explanation) is in an electronic form shall not be greater than the 
entity's labor costs in responding to the request for the copy (or 
summary or explanation).'' \133\ Therefore, the Department is proposing 
to limit the fees covered entities are permitted to charge for 
electronic copies of PHI in an EHR based on a plain reading of this 
statutory requirement.
---------------------------------------------------------------------------

    \132\ See e.g., 45 CFR 170.315(b)(10) and 85 FR 25642, 25691 
(May 1, 2020). The ONC Cures Act Final Rule added this requirement 
but did not specify an export format such as an internet-based 
method of access. Therefore, at times special effort by a covered 
entity workforce member may be required to copy the exported EHI.
    \133\ See 42 U.S.C. 17935(e)(2).
---------------------------------------------------------------------------

    For the right to direct the transmission of an electronic copy of 
PHI in an EHR to a third party:

A reasonable, cost-based fee that is limited to the costs of: (i) Labor 
for making electronic copies of the PHI, and (ii) preparing a summary 
or explanation as agreed to by the individual.
    In response to the Ciox v. Azar \134\ decision and comments 
received in response to the 2018 RFI, the Department proposes in 45 CFR 
164.524(c)(3)(ii) to limit the right of an individual to direct copies 
of PHI to a third party to only electronic copies of PHI in an EHR (as 
defined in proposed 45 CFR 164.501). The Department also proposes to 
limit the allowable fees for such copies to the costs of labor for 
making such electronic copies.
---------------------------------------------------------------------------

    \134\ No. 18-cv-0040-APM (D.D.C. January 23, 2020).
---------------------------------------------------------------------------

    Section 13405(e) of the HITECH Act created a new way for an 
individual to exercise the right of access by choosing to send a copy 
of PHI to a third party, and thus changed the assumptions previously 
expressed in the 2000 Privacy Rule that disclosures at the individual's 
initiation are made only to the individual, while disclosures to third 
parties are always initiated by others. For example, the 2000 Privacy 
Rule preamble contrasted the limited fees to provide PHI ``for 
individuals'' based on the individual's request with fees allowed for 
``the exchange of records not requested by the individual'' \135\ 
(i.e., requests made by other persons). The HITECH Act expanded the 
types of records exchanges that could be requested by the individual 
pursuant to the right of access, with the result that the identity of 
the recipient of PHI no longer signifies whether the PHI was provided 
``for'' the individual (i.e., at the individual's request through their 
exercise of the right of access). In addition, the same policy 
rationales expressed in the 2000 Privacy Rule for limiting fees for 
individual requests for access, to ensure that the right of access ``is 
within reach of all individuals,'' \136\ apply when the individual 
requests to direct a copy of PHI to a third party: In both cases, the 
individual is choosing where to send their own PHI and often, if not 
always, will be responsible for paying the fee themselves. Finally, by 
placing the right to direct an electronic copy of PHI in an EHR within 
the right of access, which had included access fee limitations since 
the 2000 Privacy Rule, the Department believes the HITECH Act 
contemplated that access fee limitations would apply, along with other 
aspects of the existing access right.
---------------------------------------------------------------------------

    \135\ See 65 FR 82462, 82754 (December 28, 2000).
    \136\ See id. at 82577.
---------------------------------------------------------------------------

    Under this proposal, the allowable fees would include, for example, 
the labor involved in transferring electronic copies of PHI from an EHR 
onto electronic media when requested by the individual, but would 
exclude the costs of the electronic media, the labor involved in 
shipping or mailing the media, and the costs of shipping or postage. 
Additionally, as under the current rule, a covered entity would be 
permitted to charge for the costs of preparing a summary or explanation 
of the requested PHI to be directed to a third party as agreed to by 
the individual in advance. With these proposed changes, individuals 
would rely on a valid authorization to send non-electronic copies of 
PHI in an EHR, or electronic copies of PHI that is not in an EHR, to 
third parties. Covered entities responding to requests based on an 
authorization would not be subject to the access fee limitations; 
however, the fees would remain limited by the Privacy Rule's provisions 
on the sale of PHI \137\ and by applicable state law.

[[Page 6467]]

Under the Privacy Rule's provisions on the sale of PHI at 45 CFR 
164.502(a)(5)(ii)(B)(2)(viii) and 45 CFR 164.502(a)(5)(ii)(A), covered 
entities generally must limit fees for disclosures pursuant to an 
authorization to a ``reasonable, cost-based fee to cover the cost to 
prepare and transmit the protected health information for such purpose 
or a fee otherwise expressly permitted by other law'' or must state in 
the authorization that the disclosure will result in remuneration to 
the covered entity as provided in 45 CFR 164.508(a)(4).
---------------------------------------------------------------------------

    \137\ By default, this change would treat disclosures based on 
requests to direct non-electronic and non-EHR copies of PHI to third 
parties the same as other requests for disclosures pursuant to a 
valid authorization. See discussion of the limitations on requests 
to direct certain copies of PHI to a third party and related 
requirements, infra. See also 45 CFR 164.502(a)(5)(ii)(A) and 
164.508(a)(4).
---------------------------------------------------------------------------

    Although covered entities would be restricted from recouping some 
costs that are allowed under the current rule, the effect of limiting 
the right to direct PHI to a third party to only electronic copies of 
PHI in an EHR would significantly reduce covered entities' burdens by 
increasing the number of requests based on an authorization. For 
example, many states have laws permitting health care entities to 
impose fees for providing copies of medical records that may be higher 
than the Privacy Rule allows. The states, for example, may permit 
covered entities to charge for costs other than supplies, labor for 
copying, and postage, or may establish a per page fee in excess of what 
the Privacy Rule allows. However, under the current Privacy Rule, when 
an individual exercises his or her access right, including when 
directing an electronic or non-electronic copy of PHI to any third 
party, covered entities are not permitted to impose higher fees for 
copies of PHI that may be permitted by state law.\138\
---------------------------------------------------------------------------

    \138\ See 78 FR 5566, 5636 (January 25, 2013).
---------------------------------------------------------------------------

    The Department anticipates that no fees would be charged when an 
individual uses an internet-based method to direct an electronic copy 
of PHI in an EHR to any third party, when an individual uses such a 
method to direct a covered health care provider or health plan to 
submit an access request to another covered health care provider, or 
when an individual submits a request through a health care provider or 
health plan to other providers and plans using such method. The 
rationale for this understanding is the same as discussed above in 
relation to the individual right to access or obtain copies of PHI 
available via an internet-based method--that there are no associated 
costs incurred by the covered entity for responding to the specific 
request. The Department requests comment on whether the assumption that 
no costs will be incurred to provide access using an internet-based 
method applies to each of the internet-based access scenarios described 
in this paragraph.
    As a consequence of the proposed limits on the right to direct 
transmission of electronic copies of PHI in an EHR, covered entities 
would be permitted to charge less restricted fees when fulfilling 
requests to send non-electronic copies of PHI in an EHR, or electronic 
copies of PHI that is not in an EHR, to third parties, because these 
requests would no longer be within the right of access.\139\ Instead, 
such disclosures to third parties (whether to an individual's family 
member, covered entity, researcher, or any other person) would be 
accomplished through an individual's valid authorization, with the only 
Privacy Rule limitation on the fees for such copies being the Privacy 
Rule's provisions on the sale of PHI.\140\
---------------------------------------------------------------------------

    \139\ By default, this would change the status of requests to 
direct non-electronic and non-EHR copies of PHI to third parties by 
relegating such requests to disclosures under the authorization 
standards. See discussion of the limitations on requests to direct 
certain copies of PHI to a third party and related information 
requirements, infra.
    \140\ 45 CFR 164.502(a)(5)(ii)(A) and 164.508(a)(4).
---------------------------------------------------------------------------

    The Department does not propose to change how covered entities 
currently charge for disclosing records to health plans and providers. 
It is the Department's understanding that frequently there is no charge 
for permitted disclosures of PHI to other covered entities for core 
health care activities such as treatment, payment, or health care 
operations. This proposal is not intended to cause covered entities to 
begin charging fees for such disclosures, but to recognize individuals 
as the center of their own health care and empower individual-initiated 
transfers of electronic copies of PHI in an EHR.
7. Notice of Access and Authorization Fees \141\
---------------------------------------------------------------------------

    \141\ This NPRM uses ``access and authorization fees'' to mean 
fees for copies of PHI provided pursuant to the individual's right 
of access and for disclosures made pursuant to a valid 
authorization, respectively.
---------------------------------------------------------------------------

    To increase an individual's awareness of the cost of copies of PHI, 
and to make the access fee requirements more uniform, the Department 
proposes to add a new subsection 525 to 45 CFR 164 to require covered 
entities to provide advance notice of approximate fees for copies of 
PHI requested under the access right and with an individual's valid 
authorization. Readily available public information about access fees 
would also serve to promote compliance with the Privacy Rule because 
covered entities will want to avoid posting fee schedules that show 
noncompliance with fee limitations,\142\ or that publicly misrepresent 
their business practices, and individuals will be empowered to insist 
on covered entities' compliance as well. Specifically, covered entities 
would be required to post a fee schedule online (if they have a 
website) and make the fee schedule available to individuals at the 
point of service, upon an individual's request. The notice must 
include: (i) All types of access available free of charge and (ii) a 
fee schedule for: (A) Copies provided to individuals under 45 CFR 
164.524(a), with respect to all readily producible electronic and non-
electronic forms and formats for such copies; (B) copies of PHI in an 
EHR and directed to third parties designated by the individual under 45 
CFR 164.524(d), with respect to all readily producible electronic forms 
and formats for such copies; and (C) copies of PHI sent to third 
parties with the individual's valid authorization under 45 CFR 164.508, 
with respect to all available forms and formats for such copies.
---------------------------------------------------------------------------

    \142\ In addition to the access fees limits contained in 45 CFR 
164.524, the Privacy Rule limits the fees that may be charged for 
uses and disclosures of PHI based on an authorization. Under the 
Privacy Rule's provisions on the sale of PHI, covered entities 
generally must limit fees for disclosures pursuant to an 
authorization to a ``reasonable, cost-based fee to cover the cost to 
prepare and transmit the protected health information for such 
purpose or a fee otherwise expressly permitted by other law'' or 
must state in the authorization that the disclosure will result in 
remuneration to the covered entity. See 45 CFR 
164.502(a)(5)(ii)(B)(2)(viii); 45 CFR 164.502(a)(5)(ii)(A); 45 CFR 
164.508(a)(4).
---------------------------------------------------------------------------

    With respect to fee schedule availability at the point of service, 
the Department would expect that a covered health care provider would 
make the fee schedule available upon request, in paper or electronic 
form, at the point of care or at an office that is responsible for 
releasing medical records, as well as orally (e.g., over the phone), as 
applicable. For both covered health care providers and health plans, 
the point of service also could include a customer service call center 
that handles requests for records, or any location at which PHI is made 
available for individuals to inspect, as required under 45 CFR 164.524.
[[Page 6468]]

    Additionally, the Department proposes to require that covered 
entities provide an individualized estimate to an individual of the 
approximate fees to be charged for the requested copies of PHI, upon 
request. The Department would expect that the covered entity would 
provide the individualized estimate upon request and within the initial 
time (or in many cases sooner) in which the covered entity has to 
fulfill the access request (prior to any extension of time that may be 
allowed for providing the copies) and prior to providing the requested 
PHI, to allow for a meaningful decision by the individual regarding the 
scope of the request or the form and format requested. If more time is 
needed to provide the requested copies after providing an 
individualized estimate, a covered entity may notify the individual of 
its need for a 15-day extension.
    The Department also proposes in 45 CFR 164.525 to require covered 
entities to provide, upon an individual's request, an itemization of 
the charges for labor for copying, supplies, and postage, as 
applicable, which constitute the total fee charged to the individual 
for copies of PHI.
    The Privacy Rule does not prohibit a covered entity from requiring 
individuals to pay a fee for copies of PHI ``upfront'' before receiving 
such copies. The Department does not propose to amend the Privacy Rule 
to require covered entities to fulfill the requests of individuals (by 
providing copies of PHI) before fees are paid. However, because the 
Department believes that providing individuals with access to their 
health information is an important component of delivering and paying 
for health care, the Department continues to encourage covered entities 
that charge fees for copies of PHI to waive fees or provide flexibility 
in payment (such as delaying charges or accepting payment in 
installments, without delaying the provision of copies) for individuals 
who are unable to pay upfront due to an emergency or a lack of 
resources.\143\ The Department also encourages covered entities to 
waive access fees in cases where the individual cannot pay the fee due 
to a demonstrated financial hardship, including when the requesting 
individual is a Medicaid beneficiary, homeless, otherwise financially 
disadvantaged, or experiencing financial strain due to some other type 
of emergency situation.
---------------------------------------------------------------------------

    \143\ See 2016 Access Guidance, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
---------------------------------------------------------------------------

    Finally, an individual's request for a fee estimate under this 
proposal would not automatically extend the time permitted for covered 
entities to provide copies of PHI under the right of access; however, a 
covered entity would have the ability to inform the individual if one 
15-day extension is needed.
8. Technical Change to General Rules for Required Business Associate 
Disclosures of PHI
    The Department proposes to insert clarifying language in 45 CFR 
164.502(a)(4)(ii), which currently requires business associates to 
provide copies of PHI to covered entities, individuals, or individuals' 
designees, to satisfy the covered entity's obligations under the right 
of access. To clarify when a business associate must disclose PHI and 
to whom, the proposal would specify that a business associate is 
required to disclose PHI to the covered entity so the covered entity 
can meet its access obligations. However, if the business associate 
agreement provides that the business associate will provide access to 
PHI in an EHR directly to the individual or the individual's designee, 
the business associate must then provide such direct access. This 
proposed clarification is consistent with the preamble discussion on 
this topic in the 2013 Omnibus Rule \144\ and subsequent guidance,\145\ 
and is not intended to be a substantive change.
---------------------------------------------------------------------------

    \144\ See 78 FR 5566, 5598-5599 (January 25, 2013).
    \145\ See https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html?language=es.
---------------------------------------------------------------------------

9. Request for Comments
    The Department seeks comment on the foregoing proposals, including 
any benefits or unintended consequences, and the following 
considerations in particular:
    a. Whether the Department's proposed definition of EHR is too 
broad, given the context of the HITECH Act, such that the definition 
should be limited to clinical and demographic information concerning 
the individual.
    b. Whether an electronic record can only be an EHR if it is created 
or maintained by a health care provider, or whether there are 
circumstances in which a health plan would create or maintain an EHR.
    c. Whether the Department should instead define EHRs to align with 
the scope of paragraphs (1)(i) and (2) of the definition of designated 
record set.\146\
---------------------------------------------------------------------------

    \146\ See 45 CFR 164.501, definition of ``Designated record 
set.''
---------------------------------------------------------------------------

    d. Whether the proposed definition of EHR includes PHI outside of 
an electronic designated record set, whether it should, and examples of 
such PHI.
    e. Whether the proposed interpretation of ``health care clinicians 
and staff'' as it relates to the proposed EHR definition is 
appropriate, too broad, or too narrow, and in what respects.
    f. Should ``health care clinicians and staff'' be interpreted to 
mean all workforce members of a covered health care provider? What are 
the benefits or adverse consequences of such an interpretation? Does 
the same interpretation apply regardless of whether the provider has a 
direct treatment relationship with individuals, and why or why not?
    g. Are there other health care industry participants that have 
access to or maintain EHRs that should be explicitly recognized in the 
definition of EHR or that OCR should consider when establishing such a 
definition?
    h. Whether EHR should be defined more broadly to include all ePHI 
in a designated record set, and benefits or drawbacks of doing so.
    i. Should the definition of EHR for Privacy Rule purposes be 
aligned with other Department authorities or programs related to 
electronic health information? If so, which ones and for what purposes? 
\147\
---------------------------------------------------------------------------

    \147\ See, e.g., 84 FR 55766 (October 19, 2019). Electronic 
health record means a repository that includes electronic health 
information that--(1) Is transmitted by or maintained in electronic 
media; and (2) Relates to the past, present, or future health or 
condition of an individual or the provision of health care to an 
individual. https://www.federalregister.gov/d/2019-22028/p-535.
---------------------------------------------------------------------------

    j. Any other effects, burdens, or unintended consequences of the 
proposed definition of EHR or of including a definition for EHR in the 
Privacy Rule.
    k. What types of activities should be encompassed in the terms 
``managed,'' ``shared,'' and ``controlled'' in the proposed definition 
of personal health application, and whether other terms would improve 
the clarity of the definition.
    l. State laws or other known legal restrictions that might affect 
the ability of individuals to take photos of or otherwise capture 
copies of their PHI in a designated record set.
    m. The frequency with which covered entities currently receive 
requests to inspect PHI in person, and estimated annual costs to 
covered health care providers and health plans of fulfilling such 
requests.
    n. Whether a time limit shorter than 15 calendar days for a covered 
entity to submit, or respond to, an individual's access request would 
be appropriate. The Department seeks comment on time limits for covered 
entities to respond to access requests, requests to direct electronic 
copies of PHI in an EHR to a third party, and requests to submit a 
request to another provider on behalf of the individual. The Department 
welcomes data on the burdens and

[[Page 6469]]

benefits such a time limit would impose.
    o. Whether a covered health care provider should be required to 
inform an individual who requests that PHI be transmitted to the 
individual's personal health application of the privacy and security 
risks of transmitting PHI to an entity that is not covered by the HIPAA 
Rules. What are the benefits or burdens of different approaches? For 
example: Accepting the individual's judgment without requiring covered 
entities to provide education, notice, or warning; requiring a covered 
entity to provide a warning verbally and/or electronically at the time 
the individual requests transmission of PHI to a personal health 
application; providing education about the application developer's 
privacy and security policies and practices through an automated 
attestation and warning process; or adding information about risks to 
PHI disclosed to a personal health application in the covered entity's 
NPP.
    p. The Department also invites comment on whether to apply any 
potential education, notice, or warning requirement to only health care 
providers or also to health plans. Whether the Department should 
consider requiring a covered health care provider or health plan to 
provide any specific educational or advisory language to individuals 
who may choose to share their PHI with other individuals through 
applications that are not regulated by the Privacy Rule.
    q. Whether the Department should specify in regulatory text that if 
a Requester-Recipient discusses the request with the individual (e.g., 
to clarify the request or explain how the request could be changed to 
be more useful in meeting the individual's health needs), such 
discussion does not extend the time limit for submitting the request, 
and the benefits or drawbacks of such a provision.
    r. Whether any federal or state law time limit shorter than 15 
calendar days that applies to disclosures of PHI to a third party 
(e.g., public health agency) should be deemed a ``practicable'' time 
limit under the Privacy Rule right of access.
    s. Whether and how a covered entity should be required to implement 
a policy for prioritizing urgent or otherwise high priority access 
requests, so as to minimize the use of the 15-calendar-day extension. 
Would there be unintended adverse consequences of such a requirement--
e.g., would covered entities begin to require individuals to state the 
purposes for their access requests even though the Privacy Rule does 
not make the right of access contingent on the purpose for the request? 
If a covered entity did impose such a requirement, would this 
constitute an unreasonable measure that impedes the individual from 
obtaining access?
    t. Any benefits or drawbacks of the proposal to require a covered 
entity to act on an oral access request to either direct an electronic 
copy of PHI in an EHR to a third party or direct a covered entity to 
submit such a request, provided the oral communication is clear, 
conspicuous, and specific.
    u. Whether there would be unintended consequences for the covered 
entity that has received PHI as a result of a request that was made to 
another covered entity by an individual.
    v. ``Clear, conspicuous, and specific'' is a statutory standard 
\148\ that the Department proposes to use in place of the existing 
regulatory requirement that the request be signed and in writing and 
clearly identify the designated third party. The Department requests 
comment on how to interpret the phrase ``clear, conspicuous, and 
specific,'' including when the request is verbal.
---------------------------------------------------------------------------

    \148\ See 42 U.S.C. 17935(e).
---------------------------------------------------------------------------

    w. Whether the Department should specify any bases for a Requester-
Recipient to deny an individual's request to submit an access request 
to a Discloser, for example, if the requested disclosure is prohibited 
by state or other law or if the Requester-Recipient already has the 
information.
    x. Whether there are certain types of individual requests to submit 
an access request to a Discloser that would place an undue burden on 
the Requester-Recipient, such as submitting large numbers of requests 
to multiple Disclosers, or other factors affecting the potential burden 
on or benefit to a Requester-Recipient.
    y. Whether a covered health care provider or health plan that uses 
an HIE to make a broadcast query to identify other HIE participants 
that have PHI about that individual, and that requests the PHI on 
behalf of an individual, should be considered to be making a 
permissible disclosure of PHI for customer service or other 
administrative or management activities that are part of the covered 
health care provider or health plan's health care operations.\149\ Are 
there unintended consequences for covered entities or individuals of 
such an interpretation of health care operations?
---------------------------------------------------------------------------

    \149\ See 45 CFR 164.501 (definition of ``Health care 
operations,'' paragraph (6)).
---------------------------------------------------------------------------

    z. Information from individuals and covered entities about how 
covered entities currently respond to ``imperfect'' requests to send 
PHI to a third party (e.g., requesting information that is not part of 
the access right; all the necessary elements of a right of access 
request are not included when an individual directs electronic PHI in 
an EHR to a designated third party; invalid authorizations, etc.) and 
the efforts made by covered entities to enhance individuals' abilities 
to efficiently obtain the requested information.
    aa. Whether the term ``internet-based method'' or alternative terms 
adequately describe online patient portals, mobile applications, APIs, 
and other related technologies. If there are unintended consequences 
associated with using such broad terminology, are there ways in which 
any unintended adverse effects could be minimized?
    bb. Should the Privacy Rule prohibit covered entities from charging 
fees for copies of PHI when requested by certain categories of 
individuals (e.g., Medicaid beneficiaries or applicants for or 
recipients of Social Security Disability Insurance (SSDI)), or when the 
copies are directed to particular types of entities (e.g., entities 
conducting clinical research)?
    cc. Whether the Privacy Rule should prohibit covered entities from 
denying requests to exercise the right of access to copies of PHI when 
the individual is unable to pay the access fee. If so, how should a 
covered entity determine when an individual is unable to pay?
    dd. The fees (if any) that covered entities currently charge when 
sending records to another provider or covered entity at the request of 
an individual.
    ee. What fees, if any, are charged for disclosures among covered 
entities made at the request of the entities?
    ff. How covered entities currently treat access requests that 
involve converting non-electronic PHI into an electronic format, the 
fees that are charged for such requests, and how that compares to fees 
charged for similar requests for copies of PHI made by a third party 
with an individual's valid authorization.
    gg. How the proposals to narrow the access right to direct PHI to 
third parties to electronic copies of PHI in an EHR will affect fees 
for copies of PHI.
    hh. How covered entities currently calculate reasonable, cost-based 
fees for copies of PHI under the right of access. For example, OCR's 
2016 Access Guidance offered three illustrative methods for calculating 
allowable access fees: (1) Actual labor costs for copying, plus 
supplies and postage; (2) average labor costs for copying, plus 
supplies and postage; and (3) a flat fee of $6.50 for electronic copies 
of ePHI, inclusive of labor, supplies, and any

[[Page 6470]]

applicable postage. The Department requests comment on the extent to 
which entities use each of these methods. For entities using the 
average costs option (2), the Department requests comment on what data 
is being used to calculate the average. It also seeks comment on how 
covered entities calculate fees for ``hybrid'' access requests--that 
is, requests for copies of PHI that encompass both electronic and non-
electronic PHI.
    ii. Comment on whether the Department should specify one or more of 
the three methods listed above, or another method, in the regulatory 
text as the exclusive acceptable method of calculating access fees. 
This NPRM does not propose to require any particular method of 
calculation; however, the Department requests comment on the benefits 
and burdens of doing so. The Department also requests comment on the 
reasonableness of the $6.50 flat fee for electronic copies of PHI 
maintained electronically, and whether another flat rate would be more 
appropriate. Finally, the Department requests comment on whether other 
methods of calculating fees should be required in regulation or offered 
as options in guidance.
    jj. Whether the Department should establish in regulation a 
separate required timeframe for covered entities to respond to 
individuals' requests for access fee estimates or an itemized list of 
charges, and what timeframe(s) would be appropriate, and whether the 
time to respond to a request for access should be tolled pending an 
individual's confirmation that he or she desires the requested 
information given the fee estimate.
    kk. Whether there should be a legal consequence to covered entities 
for the bad faith provision of an incorrect estimate of fees for access 
and authorization requests, and if so, what actions should be 
considered evidence of bad faith sufficient to subject a covered entity 
to potential penalties.
    ll. More information from covered entities and individuals about 
their experiences with records requests (including when made at the 
direction of the individual or with an individual's valid 
authorization) and any unintended consequences that may result from the 
Department's proposals.
    mm. What are commonly available electronic forms and formats that 
covered entities and business associates generally provide to 
individuals or third parties? How many requests per month for 
electronic copies of PHI on electronic media do covered entities and 
business associates receive from individuals? How many requests per 
month are received for electronic copies provided through internet-
based methods? How long does it take to fulfill each type of request?
    nn. Do individuals or third parties ever receive requested PHI in 
unreadable electronic forms and formats? What are those forms and 
formats, and do covered entities or business associates provide another 
form and format if they are told the first copy of PHI they provided is 
unreadable or unusable?

B. Reducing Identity Verification Burden for Individuals Exercising the 
Right of Access (45 CFR 164.514(h))

1. Current Provision and Issues To Address
    Section 45 CFR 164.514(h) of the Privacy Rule generally requires a 
covered entity to take reasonable steps to verify the identity of a 
person requesting PHI before disclosing the PHI to help ensure that 
unauthorized persons do not obtain an individual's PHI.\150\
---------------------------------------------------------------------------

    \150\ See 45 CFR 164.514(h). Disclosures under 45 CFR 164.510 
are excepted from this requirement. See 45 CFR 164.514(h)(1)(i).
---------------------------------------------------------------------------

    As OCR has explained in guidance,\151\ the Department's view is 
that the Privacy Rule does not mandate any particular form of 
verification (such as viewing an individual's driver's license at the 
point of service), but instead generally leaves the type and manner of 
the verification to the discretion and professional judgment of the 
covered entity, provided the verification processes and measures do not 
create barriers to, or unreasonably delay, the individual from 
obtaining access to their PHI. Verification may be done orally or in 
writing and, in many cases, the type of verification may depend on how 
the individual is requesting and/or receiving access, such as in 
person, by phone (if permitted by the covered entity), by faxing or 
emailing the request on the covered entity's supplied form, by secure 
internet portal, or by other means. For example, if the covered entity 
requires that access requests be made on its own supplied form, the 
form could ask for basic information about the individual that would 
enable the covered entity to verify that the person requesting access 
is the subject of the information requested or is the individual's 
personal representative. For covered entities providing individuals 
with access to their PHI through internet portals, the Department's 
view is that the portals should be set up with appropriate 
authentication controls, as required by 45 CFR 164.312(d) of the HIPAA 
Security Rule, to ensure that the person seeking access is the 
individual who is the subject of the PHI (or their personal 
representative).
---------------------------------------------------------------------------

    \151\ See 2016 Access Guidance, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
---------------------------------------------------------------------------

    Despite OCR's guidance explaining the Department's interpretation 
of the verification and individual access provisions in 45 CFR 
164.514(h) and 164.524,\152\ the Department has received complaints and 
heard anecdotal accounts of covered entities imposing burdensome 
verification requirements on individuals seeking to obtain their PHI 
pursuant to the individual right of access. For example, some covered 
entities require individuals to receive their PHI in person, or even to 
go through the process (and potential added expense) of obtaining a 
notarization on a written request, to exercise their right of access.
---------------------------------------------------------------------------

    \152\ Id.
---------------------------------------------------------------------------

2. Proposal
    To address these ongoing challenges and barriers to an individual's 
access to their health information, the Department proposes to modify 
paragraph (2)(v) of 45 CFR 164.514(h) to expressly prohibit a covered 
entity from imposing unreasonable identity verification measures on an 
individual (or his or her personal representative) exercising a right 
under the Privacy Rule. In addition, the Department proposes to clarify 
within the regulatory text that unreasonable verification measures are 
those that require an individual to expend unnecessary effort or 
expense when a less burdensome verification measure is practicable for 
the particular covered entity. Unreasonable measures would include 
requiring individuals to obtain notarization of requests to exercise 
their Privacy Rule rights and requiring individuals to provide proof of 
identity in person when a more convenient method for remote 
verification is practicable for the covered entity. The Department 
would consider the application of the practicability standard for 
verification measures to encompass considerations related to an 
entity's fulfillment of its Security Rule obligations including its 
size, complexity and capabilities; its technical infrastructure, 
hardware, and software security capabilities; the costs of security 
measures related to verification and implementing measures that may be 
more convenient for individuals; and the probability and criticality of 
potential risks to ePHI in the covered entity's systems.\153\ This 
modification is not intended to prevent

[[Page 6471]]

covered entities from taking reasonable measures to verify the identity 
and authority of the individual or entity making the request.
---------------------------------------------------------------------------

    \153\ See 45 CFR 164.306(b)(2).
---------------------------------------------------------------------------

    As explained above, the Department proposes to clarify that a 
covered entity that implements a requirement for individuals to submit 
a request for access in writing would not be permitted to do so in a 
way that imposes unreasonable burdens on individuals. The proposed 
change to prohibit a covered entity from implementing unreasonable 
identity verification requirements complements the first proposal to 
ensure that an individual is afforded as much flexibility as reasonable 
when accessing his or her own records. In contrast, a covered entity 
that is responding to an individual's request to direct an electronic 
copy of ePHI in the covered entity's EHR to a third party must do so if 
the oral or written request is clear, conspicuous, and specific. The 
Department assumes that a covered entity holding records of an 
individual in an EHR has necessarily established a treatment 
relationship with such individual, and therefore, imposing additional 
verification requirements is unnecessary. The Department seeks comments 
on this assumption.
    Consistent with the verification provisions described above, 
unreasonable measures for submitting an access request in writing would 
be measures that impede the individual from obtaining access when a 
measure that is less burdensome for individuals is practicable for the 
particular covered entity. For example, requiring individuals to 
complete a form with only the limited information needed for the entity 
to provide access would be considered reasonable because it only 
requests information necessary for verification and does not require 
the individual to expend unnecessary effort. In contrast, requiring 
individuals to fill out a form with the extensive information contained 
in a HIPAA authorization form may impose an unreasonable burden on 
individuals. In addition, while covered entities are encouraged to 
provide individuals with the option to submit access requests through 
online portals, it generally would be unreasonable for a covered entity 
to require that requests for access be made only through the covered 
entity's online portal, depending on factors such as the covered 
entity's analysis of security risks to ePHI.\154\ Unreasonable measures 
also would include applying onerous or infeasible registration 
requirements for personal health applications (or other applications 
that are not being provided on behalf of or at the direction of the 
covered entity) that would create a barrier to or unreasonably delay 
registration beyond what is necessary for compliance with the HIPAA 
Security Rule, such as requiring a third party that does not meet the 
definition of a business associate to enter into a business associate 
agreement with the covered entity. Another example would be preventing 
an individual's personal health application from registering with an 
endpoint (e.g., API) that the covered entity makes public, absent an 
identified security risk to the ePHI in the covered entity's (or its 
business associate's) EHR systems.
---------------------------------------------------------------------------

    \154\ See proposed 45 CFR 164.514(h)(2)(v), which would require a 
covered entity to examine risks pursuant to 45 CFR 164.308(b)(2).
---------------------------------------------------------------------------

    The Department's view is that, under the Privacy Rule access 
requirements, covered entities generally must give every application 
that seeks to register with the API in order to provide access for an 
individual the ability to do so, assuming that it is practicable for 
the covered entities and absent any Security Rule concerns.\155\ 
Therefore, a covered entity or its business associate that makes 
available a secure, standards-based API but denies registration, and 
therefore individual access, to a designated personal health 
application, or other application that is not being provided on behalf 
of or at the direction of a covered entity, may be in violation of the 
Privacy Rule requirements for provision of access of individuals to 
PHI. For example, a health care provider may not deny an application 
from registering solely because the application does not have a 
business associate relationship and agreement with the covered entity 
or because the application offers another service to patients that 
competes with a service the health care provider offers.
---------------------------------------------------------------------------

    \155\ The ONC Cures Act Final Rule provides exceptions aligned 
to the HIPAA Rules to information blocking requirements to prevent 
harm, for privacy and security. This discussion is consistent with 
those provisions. See 85 FR 25642 (May 1, 2020), 45 CFR 171 Subpart 
B.
---------------------------------------------------------------------------

    The Department recognizes that due to the variety of circumstances 
of individuals and entities, a given measure to complete identity 
verification or request access, such as using an online portal, may be 
convenient for some individuals and burdensome for others, and 
practicable for some entities but not for others. Due to this 
variability, the Department does not propose to require that covered 
entities implement any particular measure, nor require covered entities 
to analyze and adopt the least burdensome measure possible for each 
individual. Further, the Department does not intend to impede the 
ability of covered entities to comply with any applicable federal or 
state law provisions that provide greater privacy or security 
protections related to verification of identity to access medical 
records, provided that the identity verification measures used and the 
manner in which they are implemented do not impose unreasonable burdens 
on an individual's exercise of the right of access.\156\ Rather, the 
Department would expect covered entities to avoid imposing measures 
that would require unnecessary effort or expense by an individual and 
to provide individuals with some flexibility (e.g., by accepting 
verification and access requests by more than one practicable measure).
---------------------------------------------------------------------------

    \156\ For example, Privacy Act guidelines for federal agencies 
state, ``A requester need not state his [or her] reason for seeking 
access to records under the Privacy Act, but an agency should verify 
the identity of the requester in order to avoid violating subsection 
(b) [of that Act.]'' https://www.justice.gov/opcl/individuals-right-access. See OMB Guidelines, 40 FR 28948, 28957-58 (July 9, 1975), 
available at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation_guidelines.pdf. See also 5 
U.S.C. 552a(i)(1) (imposing criminal penalties for disclosure of 
information to parties not entitled to receive it); 5 U.S.C. 
552a(i)(3) (imposing criminal penalties for obtaining records about 
an individual under false pretenses); cf., e.g., 28 CFR 16.41(d) 
(DOJ regulation regarding the verification of identity). See also 
OMB guidance on Privacy Act implementation available at https://www.whitehouse.gov/omb/information-regulatory-affairs/privacy/.
---------------------------------------------------------------------------

3. Request for Comments
    The Department requests comments on the above proposal, including:
    a. Please describe any circumstances in which individuals have 
faced verification barriers to exercising their Privacy Rule rights, as 
well as examples of verification measures that should be encouraged as 
convenient and practicable, in comparison to those that should be 
prohibited as per se unreasonable. Please also describe any 
circumstances related to unreasonable verification measures imposed on 
third parties to whom an individual directs a copy of PHI.
    b. What verification standard should apply when a covered health 
care provider or health plan submits an individual's access request to 
another covered health care provider or health plan? Specifically, 
should the covered entity that holds the requested PHI be required to 
verify the identity and authority of the covered entity that submitted 
the request, but be permitted to rely on the requesting entity's 
verification of the identity of the individual (or personal 
representative)?

[[Page 6472]]

    c. How could or should covered entities consider the costs of 
implementation when evaluating whether a verification method is 
practicable?
    d. Whether the proposal would support individuals' access rights by 
reducing the verification burdens on individuals, and any potential 
unintended adverse consequences.
    e. Whether a different identity verification standard should apply 
when an individual requests access, as compared to when a personal 
representative requests access on the individual's behalf.
    f. Examples of state law identity verification requirements that 
apply when a covered entity provides PHI to an individual or personal 
representative, or fulfills an individual's request to direct a copy of 
PHI to a third party. Please provide input on whether any state law 
identity verification requirements create a barrier to or unreasonably 
delay an individual's exercise of the right of access in a manner that 
should be considered inconsistent with the Privacy Rule.

C. Amending the Definition of Health Care Operations To Clarify the 
Scope of Care Coordination and Case Management (45 CFR 160.103)

1. Current Provision and Issues To Address
    The Privacy Rule expressly permits certain uses and disclosures of 
PHI, without an individual's valid authorization, for treatment and 
certain health care operations, among other important purposes.\157\ 
The definitions of both treatment and health care operations include 
some care coordination and case management activities. For example, the 
Privacy Rule definition defines treatment to include ``the provision, 
coordination, or management of health care.'' \158\ The definition of 
health care operations includes, among other activities, ``. . . 
population-based activities relating to improving health or reducing 
health care costs, protocol development, case management and care 
coordination . . . and related functions that do not include 
treatment.'' \159\
---------------------------------------------------------------------------

    \157\ See 45 CFR 164.506. 45 CFR 160.103 defines ``Disclosure'' 
as ``release, transfer, provision of access to, or divulging in any 
manner of information outside the entity holding the information''; 
The term ``Use'' is defined as ``with respect to individually 
identifiable health information, the sharing, employment, 
application, utilization, examination, or analysis of such 
information with an entity that maintains such information.''
    \158\ See 45 CFR 164.501, definition of ``Treatment.''
    \159\ See 45 CFR 164.501, definition of ``Health care 
operations.''
---------------------------------------------------------------------------

    The preamble to the 2000 Final Privacy Rule states that certain 
activities ``may be considered either health care operations or 
treatment, depending on whether population-wide or patient-specific 
activities occur, and if patient-specific, whether the individualized 
communication with a patient occurs on behalf of a health care provider 
or a health plan. For example, a telephone call by a nurse in a 
doctor's office to a patient to discuss follow-up care is a treatment 
activity. The same activity performed by a nurse working for a health 
plan would be a health care operation.'' \160\ Therefore, the Privacy 
Rule contemplates that health plans would--as part of health care 
operations--conduct the types of activities described in this NPRM as 
care coordination and case management not only at the population level 
across multiple enrolled individuals but also at the individual level 
for unique patients including providing for their care across different 
settings.\161\
---------------------------------------------------------------------------

    \160\ 65 FR 82462, 82627 (December 28, 2000).
    \161\ This NPRM describes such activities as ``population-
based'' and ``individual-level'' care coordination and case 
management, respectively.
---------------------------------------------------------------------------

    Despite this guidance published in the preamble to the 2000 Privacy 
Rule,\162\ some covered entities appear to interpret the existing 
definition of health care operations to include only population-based 
care coordination and case management, which would have the effect of 
excluding individual-focused care coordination and case management by 
health plans. Since health plans do not perform treatment functions as 
defined by HIPAA, such an interpretation could limit a health plan's 
ability to perform such individual-level care coordination or case 
management activities.
---------------------------------------------------------------------------

    \162\ 65 FR 82462, 82627 (December 28, 2000).
---------------------------------------------------------------------------

    While the 2018 RFI did not specifically request comment on the 
definitions of treatment or health care operations, both of which 
include care coordination activities, some covered entities expressed 
uncertainty regarding whether the use or disclosure of PHI for a 
particular care coordination or case management activity is permitted 
as part of treatment, health care operations, both, or neither. Some 
covered entities reported that, due to uncertainty about which 
provisions apply in certain circumstances, they do not request or 
disclose PHI even when doing so would support coordinated care and the 
transformation of the health care system to value-based care.
2. Proposal
    The Department proposes to clarify the definition of health care 
operations in 45 CFR 164.501 to encompass all care coordination and 
case management by health plans, whether individual-level or 
population-based. The proposal would provide clarity to covered 
entities and individuals regarding which Privacy Rule standards apply 
to which care coordination and case management activities, and thereby 
facilitate those beneficial activities. The clarification also would 
complement and enhance the proposal in this NPRM to modify the minimum 
necessary standard to promote uses and disclosures for care 
coordination and case management for treatment or health care 
operations by covered health care providers and health plans. The 
Department believes that, as drafted, the placement of commas 
separating the list of activities following the term ``population-based 
activities'' permits the interpretation that the term ``population-
based activities'' modifies (i.e., places a condition on) all of the 
activities listed between the semi-colons, including case management 
and care coordination, although the Department has not placed that 
interpretation on the definition of health care operations. In order to 
clearly convey that the activities listed are each separate types of 
health care operations, the Department proposes to change the commas 
into semi-colons. The new definition proposed in paragraph (1) of the 
definition of ``Health care operations'' in 45 CFR 164.501 would read 
as follows:

. . . population-based activities relating to improving health or 
reducing health care costs; protocol development; case management 
and care coordination; contacting of health care providers and 
patients with information about treatment alternatives; and related 
functions that do not include treatment.

    The Department believes this change in punctuation would clarify 
that health care operations encompasses all care coordination and case 
management activities by health plans and covered health care 
providers, whether population-based or focused on particular 
individuals, and thus would increase the likelihood of these entities' 
using and disclosing PHI for such beneficial activities.
3. Request for Comments
    The Department requests comments on the benefits and costs of 
clarifying the definition of health care operations, including 
information on how, if at all, this clarification would affect covered

[[Page 6473]]

entities' decision-making regarding uses and disclosures of PHI for 
these purposes, and on any potential unintended adverse consequences.

D. Creating an Exception to the Minimum Necessary Standard for 
Disclosures for Individual-Level Care Coordination and Case Management 
(45 CFR 164.502(b)(2))

1. Current Provision and Issues To Address
    The Privacy Rule generally requires that covered entities use, 
disclose, or request only the minimum PHI necessary to meet the purpose 
of the use, disclosure, or request.\163\ This minimum necessary 
standard requires covered entities to evaluate their practices and 
enhance safeguards as needed to limit unnecessary or inappropriate use 
and disclosure of PHI.\164\ While the standard is an important privacy 
protection that is consistent with foundational federal information 
privacy policy,\165\ the Department believes that there is room for 
flexibility in the application of the standard without sacrificing key 
privacy protections.
---------------------------------------------------------------------------

    \163\ See 45 CFR 164.502(b)(1).
    \164\ ``Use'' in this context refers to internal utilization and 
sharing of PHI within a covered entity or business associate. See 45 
CFR 160.103.
    \165\ See Advisory Committee on Automated Personal Data Systems, 
Report: ``Records, Computers and the Rights of Citizens,'' ASPE 
(1973) available at https://aspe.hhs.gov/report/records-computers-and-rights-citizens. See also, ``Guidelines for the Protections of 
Privacy and Transborder Flow of Personal Data,'' Organization for 
Economic Cooperation & Development (1981, revised in 2013), 
available at http://www.oecd.org/sti/ieconomy/privacy.htm.
---------------------------------------------------------------------------

    The Privacy Rule's minimum necessary requirements are designed to 
be sufficiently flexible to accommodate the various circumstances of 
any covered entity and to avoid creating unnecessary barriers to 
information sharing for permitted purposes. Accordingly, the minimum 
necessary standard gives a covered entity that receives a request for 
PHI from another covered entity (and certain non-covered entities) the 
ability to rely on the requestor's assessment of what it needs, if such 
reliance is reasonable under the circumstances.\166\ For example, a 
covered health care provider may determine that it is reasonable to 
rely on a health plan's representations that the plan is requesting the 
minimum necessary PHI to conduct a medical necessity determination for 
payment purposes. The disclosing provider is not required to make its 
own independent assessment of what is the minimum necessary PHI that 
can be disclosed to meet the request.\167\ As another example, a health 
plan may rely on the representations of a public health authority, 
including a person or entity acting under a grant of authority from, or 
under a contract with, a public health authority, requesting PHI that 
the information requested is the minimum necessary for the stated 
purposes, such as preventing or controlling disease, provided that the 
authority is authorized by law to collect or receive information for 
the requested purposes.\168\
---------------------------------------------------------------------------

    \166\ See 45 CFR 164.514(d)(3)(iii)(B).
    \167\ See 45 CFR 164.514(d)(3)(iii)(B) stating that a covered 
entity may rely, if such reliance is reasonable under the 
circumstances, on a requested disclosure as the minimum necessary 
for the stated purpose when: . . . ``(B) The information is 
requested by another covered entity''.
    \168\ See 45 CFR 164.514(d)(3)(iii)(A) and 45 CFR 
164.512(b)(1)(i). See also definition of ``Public health 
authority'', 45 CFR 164.501.
---------------------------------------------------------------------------

    The minimum necessary standard also includes important exceptions 
to facilitate the provision of health care to individuals. Most 
importantly, the minimum necessary standard does not apply to 
disclosures to, or requests by, a health care provider for treatment 
purposes \169\--an exception intended to avoid creating barriers or 
delays in providing patient care. For example, a hospital that 
discloses PHI to an inpatient rehabilitation facility to coordinate 
patient care is making a disclosure to a health care provider for 
treatment that is not subject to the minimum necessary standard, 
regardless of whether the facility is covered by the HIPAA Rules. 
However, while disclosures of PHI to health care providers for 
treatment, including for case management and care coordination, are 
excluded from the minimum necessary standard, uses of PHI for treatment 
must adhere to the minimum necessary standard.\170\ With respect to 
uses of PHI, the covered entity's policies and procedures must identify 
the persons or classes of persons within the covered entity who need 
access to the PHI to carry out their job duties, the categories or 
types of PHI needed, and conditions appropriate to such access.\171\
---------------------------------------------------------------------------

    \169\ See 45 CFR 164.502(b)(2)(i).
    \170\ See 45 CFR 160.103 definition of ``Use'' as ``the sharing, 
employment, application, utilization, examination, or analysis of 
such information within an entity that maintains such information.''
    \171\ See 45 CFR 164.514(d)(2)(i).
---------------------------------------------------------------------------

    The Privacy Rule also permits certain uses and disclosures of PHI 
for care coordination and case management that are considered health 
care operations activities, and thus are subject to the minimum 
necessary standard.\172\ For example, the Privacy Rule permits a 
covered health care provider or health plan to use or disclose only the 
minimum necessary PHI for population-based case management, such as to 
identify all patients or enrollees with diabetes and send them 
information about a recommended healthy diet to facilitate diabetes 
self-management.\173\
---------------------------------------------------------------------------

    \172\ See 45 CFR 164.501, definition of ``Health care 
operations.''
    \173\ See 45 CFR 164.502(b)(1)-(2), identifying when the minimum 
necessary standard applies and does not apply.
---------------------------------------------------------------------------

    Finally, under the Privacy Rule, because health plans generally do 
not perform treatment functions, any care coordination or case 
management activity conducted by a health plan generally is a health 
care operation subject to the minimum necessary standard.\174\ Thus, 
the current rule imposes greater restrictions on disclosures to and 
requests by health plans than on disclosures to and requests by covered 
health care providers when conducting care coordination or case 
management activities related to an individual.
---------------------------------------------------------------------------

    \174\ See 45 CFR 164.501, definition of ``Health care 
operations.''
---------------------------------------------------------------------------

    In the 2018 RFI, the Department requested public input on whether 
it should expand the exceptions to the minimum necessary standard to 
include uses and disclosures for additional activities related to care 
coordination and case management.\175\ For example, the Department 
asked whether the exceptions to the minimum necessary standard should 
be expanded to include payment and health care operations activities 
such as population-based care coordination and case management 
activities, claims management, review of health care services for 
appropriateness of care, utilization reviews, or formulary 
development.\176\ Comments varied widely, even within the general 
categories of commenters (e.g., health care providers or consumers).
---------------------------------------------------------------------------

    \175\ See 83 FR 64302 (December 14, 2018).
    \176\ Ibid.
---------------------------------------------------------------------------

    Many commenters supported expanding the exceptions to the minimum 
necessary standard for care coordination and case management. These 
commenters stated that such an expansion would allow providers to 
better coordinate and manage patient care across systems and delivery 
models. Some health care professionals who supported additional 
exceptions expressed concern that their interpretation of ``necessary'' 
might not be correct, and that they would be ``punished'' under the 
existing standard for an impermissible use or disclosure of PHI. Some 
commenters reported that this uncertainty about compliance requirements 
creates fears that may result in less information sharing, and

[[Page 6474]]

therefore less efficient and effective care.
    In contrast, over half of the responsive commenters opposed adding 
exceptions to the minimum necessary standard. Many commenters expressed 
strong concerns that a broader exception could undermine patient 
privacy or lead to unspecified harm to patients, some specifically 
noting that the minimum necessary standard is the only requirement for 
covered entities to consider what information is reasonably needed for 
their purpose before making a request, use, or disclosure. Others 
asserted that if health care operations activities were excepted from 
the standard, there would be no clear boundaries and covered entities 
likely would disclose entire patient records to each other, when 
convenient, without effective limit. In addition, some covered health 
care provider commenters expressed fear of an increase in requests for 
large volumes of data that would overwhelm their capacity.
2. Proposal
    To consistently promote permissible disclosures of PHI for care 
coordination and case management, the Department proposes to add an 
express exception to the minimum necessary standard for disclosures to, 
or requests by, a health plan or covered health care provider for care 
coordination and case management.\177\ The exception would apply only 
to those care coordination and case management activities that are at 
the individual level, in recognition of the concerns expressed by 
commenters that this proposal would weaken patient privacy by 
permitting additional PHI to flow for these purposes.
---------------------------------------------------------------------------

    \177\ See proposed 45 CFR 164.502(b)(2)(vii).
---------------------------------------------------------------------------

    Health plans and covered health care providers would continue to be 
responsible for meeting the minimum necessary requirements that apply 
to: (1) Disclosures of PHI for health care operations other than 
individual-level care coordination and case management; (2) disclosures 
of PHI for care coordination and case management to most entities other 
than health care providers and health plans, such as social services 
agencies or transitional supportive housing authorities; (3) uses of 
PHI for care coordination and case management, whether as part of 
treatment or health care operations; and (4) uses, requests, and 
disclosures of PHI for other purposes, including all population-based 
activities, when applicable.\178\ In addition, covered entities would 
continue to be able to agree to and honor an individual's request not 
to use or disclose information for these purposes, as provided in the 
Privacy Rule and the ONC Cures Act Final Rule information blocking 
exception for respecting an individual's request.\179\
---------------------------------------------------------------------------

    \178\ See 45 CFR 164.502(b); 164.514(d).
    \179\ See 45 CFR 164.522(a); 171.202(e).
---------------------------------------------------------------------------

    This proposal would relieve covered entities from the requirement 
to make determinations about the minimum information necessary when the 
request is from, or the disclosure is made to, a covered health care 
provider or health plan to support individual-level care coordination 
and case management activities. The proposal would also remove the 
disincentive to disclose and request PHI to support care coordination 
and case management based on uncertainty about applicable permissions 
and fear of being subject to penalties for noncompliance resulting from 
such uncertainty. For example, when a health plan requests a disclosure 
for care coordination or case management to facilitate an individual's 
participation in the plan's new wellness program, a requesting health 
plan or covered health care provider would be relieved of the 
responsibility for determining the minimum necessary amount of PHI for 
the purpose and the disclosing health plan or covered health care 
provider would be relieved of the responsibility of assessing whether 
reliance on the health plan's determination of the minimum necessary 
PHI for its purpose is reasonable under the circumstances. As another 
example, when a covered health care provider contacts a health plan to 
coordinate potential mental health treatment referrals for a patient, 
the provider would not need to consider what information is the minimum 
necessary to disclose to the health plan for this purpose. In fact, the 
ONC Cures Act Final Rule would prohibit a health care provider from 
limiting a permissible disclosure to what the provider believes to be 
the minimum necessary information when the Privacy Rule specifically 
excepts the disclosure from the minimum necessary standard. However, 
the provider still could honor an individual's request for restrictions 
on disclosures of PHI,\180\ consistent with the ONC Cures Act Final 
Rule privacy sub-exception for respecting an individual's request not 
to share information.\181\
---------------------------------------------------------------------------

    \180\ See 45 CFR 164.522.
    \181\ See 45 CFR 171.201(e).
---------------------------------------------------------------------------

    This proposed exception would enable health plans and covered 
health care providers to more easily and efficiently request and 
disclose PHI for care coordination and case management for individuals, 
and would complement the proposal in this NPRM to create an express 
permission for covered entities to disclose PHI for care coordination 
and case management, which is described below.
3. Request for Comments
    The Department requests comments on the above proposal, and the 
following considerations in particular:
    a. Would the proposed exceptions improve the ability of covered 
entities to conduct care coordination and case management activities? 
Why or why not? Please provide any cost or savings estimates that may 
apply both on the entity level and across the health care system.
    b. Please provide examples of particular care coordination or case 
management activities that would be furthered or impeded by this 
proposal.
    c. Please describe any unintended negative consequences of the 
proposed changes for the privacy of PHI or the health information 
rights and interests of individuals. Would there be any negative 
impact, in particular, on certain populations (e.g., people with 
disabilities, older adults, rural dwellers, persons experiencing mental 
health conditions and/or substance use disorders or other illnesses, or 
others)?
    d. Would the proposed changes have similar or different effects on 
the activities of health plans versus health care providers? Are there 
unintended consequences for other ancillary providers including social 
services agencies, community based organizations, and HCBS providers? 
Please describe.
    e. What alternative regulatory modifications or clarifying guidance 
might achieve the same or greater improvements in care coordination or 
case management?
    f. A health care provider that refused to disclose PHI would not be 
considered to be information blocking when a state or federal law 
requires one or more preconditions for providing access, exchange, or 
use of electronic health information and the precondition has not been 
satisfied.\182\ This proposed modification would remove one of the 
minimum necessary policy ``preconditions'' for refusing to respond

[[Page 6475]]

to a request for an individual's PHI without violating the information 
blocking prohibition. How would the information blocking provisions in 
the ONC rule interact with these modifications, and are there any 
adverse unintended consequences that might result, such as covered 
entities requesting and receiving far more than the minimum amount of 
PHI necessary for individual-level care coordination and case 
management and using PHI for other unrelated purposes?
---------------------------------------------------------------------------

    \182\ As noted elsewhere in this preamble, the ONC Cures Act 
Final Rule defines information blocking, in part, as a practice 
that, if ``conducted by a health care provider, such provider knows 
that such practice is unreasonable and is likely to interfere with, 
prevent, or materially discourage access, exchange, or use of 
electronic health information.'' See 45 CFR 171.103 Information 
blocking and Sec.  171.202 Privacy exception (b) Sub-exception--
precondition not satisfied.
---------------------------------------------------------------------------

    g. Some disclosures for payment purposes with respect to an 
individual's health care are related to care coordination and case 
management (e.g., review of health care services for appropriateness of 
care). Disclosures for payment purposes are subject to the minimum 
necessary standards. Should all or certain individual-level payment 
activities be included in the proposed exception?
    h. Please provide additional examples of circumstances in which it 
should be considered reasonable, or unreasonable, to rely on the 
representations of another entity that it is requesting the minimum 
necessary PHI.

E. Clarifying the Scope of Covered Entities' Abilities To Disclose PHI 
to Certain Third Parties for Individual-Level Care Coordination and 
Case Management That Constitutes Treatment or Health Care Operations 
(45 CFR 164.506)

1. Current Provisions and Issues To Address
    Section 45 CFR 164.506 sets forth the permissible uses and 
disclosures of PHI to carry out TPO. Section 45 CFR 164.506(b)(1) 
permits, but does not require, covered entities to obtain an 
individual's consent to use or disclose their PHI for TPO 
purposes,\183\ while 45 CFR 164.506(c) describes the implementation 
specifications for TPO uses and disclosures, including 45 CFR 
164.506(c)(1), which expressly permits a covered entity to use and 
disclose PHI for its own TPO. OCR guidance provides an example of how 
this Privacy Rule provision permits covered health care providers to 
disclose PHI to public or private-sector entities that provide health-
related social and community based services as part of the disclosing 
provider's treatment activities: \184\
---------------------------------------------------------------------------

    \183\ A consent that a covered entity chooses to obtain 
consistent with 45 CFR 164.506(b) is different from an authorization 
obtained under 45 CFR 164.508, which is required for certain uses 
and disclosures of PHI.
    \184\ The disclosure of patient information for treatment and 
other purposes may be subject to other laws, including 42 CFR part 2 
for substance use disorder records.
---------------------------------------------------------------------------

    A health care provider may disclose a patient's PHI for 
treatment purposes without having to obtain the authorization of the 
individual. Treatment includes the coordination or management of 
health care by a health care provider with a third party. Health 
care means care, services, or supplies related to the health of an 
individual. Thus, health care providers who believe that disclosures 
to certain social service entities are a necessary component of, or 
may help further, the individual's health or mental health care may 
disclose the minimum necessary PHI to such entities without the 
individual's authorization. For example, a provider may disclose PHI 
about a patient needing mental health care supportive housing to a 
service agency that arranges such services for individuals.\185\
---------------------------------------------------------------------------

    \185\ See HHS Office for Civil Rights, Frequently Asked 
Questions on Mental Health, Disclosures for Care Coordination 
(2018), available at https://www.hhs.gov/hipaa/for-professionals/faq/3008/does-hipaa-permit-health-care-providers-share-phi-individual-mental-illness-third-party-not-health-care-provider-continuity-care-purposes/index.html.
---------------------------------------------------------------------------

    The guidance explains the circumstances in which the Privacy Rule 
permits a covered health care provider to disclose PHI about an 
individual to a third party when the third party is part of the broader 
health treatment plan, or participating in the coordination of care, 
for an individual.\186\ Such a treatment disclosure generally is 
subject to the minimum necessary standard, where the disclosure is made 
to a third party entity that is not a health care provider, even though 
the entity is providing health-related services.\187\
---------------------------------------------------------------------------

    \186\ Ibid. However, the disclosure of patient information for 
treatment and other purposes may be subject to other laws, including 
42 CFR part 2 for substance use disorder records.
    \187\ See 45 CFR 164.502(b)(2)(i).
---------------------------------------------------------------------------

    Under the Privacy Rule, a covered health care provider is able to 
make a disclosure for treatment purposes of an elderly or disabled 
patient by disclosing PHI to a home and community based services (HCBS) 
\188\ provider if it is for the coordination or management of treatment 
by the health care provider.\189\ For example, a health care provider 
may disclose the minimum necessary PHI to a senior center or adult day 
care provider to help coordinate necessary health-related services for 
an individual, such as arranging for a home aide, to help the older 
adult or disabled person with their prescribed at-home or post-discharge 
treatment protocol. Likewise, a disclosure could also facilitate care 
coordination and case management as part of a covered health plan's 
health care operations, such as when a health plan discloses the PHI of 
a senior citizen to a senior wellness center as part of the plan's 
wellness program in which the senior citizen is enrolled.
---------------------------------------------------------------------------

    \188\ Information about HCBS is available at https://www.medicaid.gov/medicaid/hcbs/index.html. Some HCBS providers also 
may be health care providers within the definition at 45 CFR 
160.103, in which case the disclosing provider could disclose PHI 
for the receiving HCBS provider's treatment purposes. See 45 CFR 
164.506(c)(2).
    \189\ See 45 CFR 164.506(c).
---------------------------------------------------------------------------

    Despite the guidance on this topic, OCR has heard that many covered 
entities make disclosures to third parties that are commonly referred 
to as social services agencies and community based organizations, and 
to HCBS providers, only after obtaining a valid authorization from the 
individual. Similarly, some covered entities never disclose PHI to 
these health-related service providers, even when a treating provider 
specifies the service as part of a treatment plan or when it would 
enable the covered health care provider's treatment of the individual 
across a care continuum (e.g., from inpatient to home or HCBS setting). 
Some covered entities may not be aware that the Privacy Rule 
contemplates disclosures of PHI to third party organizations without 
authorization for care coordination and case management, including when 
required by law.\190\ Other covered entities may be uncertain about the 
scope of the permission to disclose, and may fear that they will 
inadvertently violate the HIPAA Rules, as the current regulatory 
provisions permitting disclosures for treatment do not expressly list 
these types of entities as permissible recipients of PHI.
---------------------------------------------------------------------------

    \190\ See 45 CFR 164.506(c) and 164.512(a).
---------------------------------------------------------------------------

    The 2018 RFI requested comments on whether the Department should 
modify the Privacy Rule to clarify the scope of and eliminate any 
confusion about a covered entity's ability to disclose PHI to third 
parties, such as social services agencies, community based 
organizations, and HCBS providers,\191\ as necessary for a disclosing 
health care provider to carry out a treatment plan, or for a disclosing 
health plan to conduct care coordination and case management as health 
care operations. Health care associations, information technology (IT) 
vendors, health plans, and health care providers commented on this 
topic.
---------------------------------------------------------------------------

    \191\ The Department intends to include other types of 
organizations that are similar to these named examples.
---------------------------------------------------------------------------

    Some supportive commenters urged the Department to clarify the 
permissions for covered entities by modifying the regulation text to 
reduce any confusion on the part of covered entities about their 
ability to disclose

[[Page 6476]]

PHI to the types of entities that typically partner with providers and 
(in some cases) health plans to improve those covered entities' own 
treatment- or health care operations-based care coordination and case 
management for the individual. Most commenters also stated that such a 
regulatory change should include a definition of social services 
agencies with examples of the types of services contemplated. Several 
commenters recommended that the Department permit disclosures of PHI 
with these organizations only with an individual's consent.
    Some health plan commenters stated that an express regulatory 
permission for covered entities to disclose PHI to social services 
agencies for care coordination and case management purposes would be 
helpful, but recommended placing some limits on the permission, such as 
only permitting disclosures with patient consent. Several health plans 
described the care coordination and case management activities they 
would like to provide to their plan members, including working closely 
with community based organizations and/or multi-disciplinary teams to 
address the social determinants of health, without first receiving the 
individual's valid authorization; and coordinating comprehensive 
wraparound services, including clinical and behavioral health care, 
social services, and patient advocates to support certain populations, 
such as people experiencing SMI or SUD. The Department finds the 
comments by health plans to be persuasive in demonstrating the need to 
propose an express permission to disclose PHI for individual-level care 
coordination and case management activities that constitute health care 
operations.
    Not all commenters supported addressing disclosures to third 
parties including social services agencies, community based 
organizations, and HCBS providers through rulemaking. Some correctly 
stated that covered health care providers already are permitted to make 
such disclosures, and therefore the commenters did not believe a change 
in the regulation was needed. Others specifically opposed expanding 
disclosures to any law enforcement entity that may be part of a multi-
disciplinary team, expressing concern that law enforcement intrusions 
into health records can deter patients from seeking needed care, 
especially if law enforcement has broad access to SUD treatment 
information.
2. Proposal
    The Department proposes to modify 45 CFR 164.506(c) to add a new 
subsection 164.506(c)(6). This new subsection would expressly permit 
covered entities to disclose PHI to social services agencies, community 
based organizations, HCBS providers, and other similar third parties 
that provide health-related services to specific individuals for 
individual-level care coordination and case management, either as a 
treatment activity of a covered health care provider or as a health 
care operations activity of a covered health care provider or health 
plan. Under this provision a health plan or a covered health care 
provider could only disclose PHI without authorization to a third party 
that provides health-related services to individuals; however, the 
third party does not have to be a health care provider. Instead, the 
third party may be providing health-related social services or other 
supportive services--e.g., food or sheltered housing needed to address 
health risks. Section 45 CFR 164.501 of the Privacy Rule defines 
treatment as ``the provision, coordination, or management of health 
care and related services by one or more health care providers, 
including the coordination or management of health care by a health 
care provider with a third party; consultation between health care 
providers relating to a patient; or the referral of a patient for 
health care from one health care provider to another.'' Section 45 CFR 
164.501 paragraph (1) of the current Privacy Rule definition of health 
care operations also refers to case management and care 
coordination.\192\ This express permission would allow a covered entity 
to disclose PHI to these third party entities that provide or 
coordinate ancillary and other health-related services when the covered 
entity determines that the disclosure is needed to provide health-
related services to specific individuals for individual-level care 
coordination and case management activities that constitute treatment 
or health care operations, as applicable.\193\ For example, a covered 
entity could disclose the PHI of a senior individual experiencing 
chronic illness to a senior center attended by the individual to check 
on his or her health periodically, and to ask the senior center to give 
reminders about effective disease self-management.
---------------------------------------------------------------------------

    \192\ This NPRM includes a proposal to change the punctuation in 
paragraph (1) of the definition of health care operations at 45 CFR 
164.501 to make clear that care coordination and case management are 
not limited to ``population-based activities.'' See proposed 45 CFR 
164.501.
    \193\ See proposed 45 CFR 164.506(c)(6).
---------------------------------------------------------------------------

    The Department notes that there may be instances in which some 
disclosures for care coordination and case management, for treatment or 
health care operations, will be made to business associates engaged by 
a covered entity, such as a health plan, to provide health-related 
services to an individual, or that relate to an individual's health 
care, on behalf of the plan. In such cases, the covered entity must 
have a HIPAA compliant business associate agreement in place prior to 
disclosing the PHI for this purpose. In other cases, the entity 
receiving the PHI will be providing health-related services on its own 
behalf, and not performing covered activities or functions for or on 
behalf of the disclosing covered entity. In the latter situation, a 
business associate agreement is not required, because the entity 
receiving the PHI does not meet the definition of a business 
associate.\194\
---------------------------------------------------------------------------

    \194\ See the definition of ``Business associate'' at 45 CFR 
160.103. Whether the Privacy Rule permits a particular disclosure 
for health care operations is determined separately from whether a 
business associate agreement is required. These provisions of the 
rule operate independently, such that disclosures for health care 
operations may be made to an entity that is neither a covered entity 
nor a business associate of the covered entity. See, e.g., 65 FR 
82462, 82491 (December 28, 2000).
---------------------------------------------------------------------------

    The express permission for disclosures to these third party 
entities is being proposed primarily to facilitate the treatment and 
health care operations of the disclosing covered entities in cases 
where a disclosure will serve the health care or health-related needs 
of individuals. The Department's understanding is that, in general, the 
third party entities receiving PHI under this proposed permission would 
not be covered entities and thus, the PHI disclosed to them would no 
longer be protected by the HIPAA Rules. However, because some of these 
third party recipients of PHI may be health care providers or covered 
health care providers under HIPAA,\195\ which can perform care 
coordination and case management for their own treatment activities 
(and, with respect to covered health care providers, for health care 
operations), the Department does not propose to limit the regulatory 
text of the permission to disclosures made by a covered health care 
provider or health plan as part of the discloser's own treatment and 
health care operations. For example, under this proposal a covered 
health care provider could expressly disclose PHI for the case 
management and care coordination activities of another health care 
provider or health plan. Such disclosures are permitted under the 
current rule at 45 CFR 164.506(c)(2) and (c)(4); however, the Privacy 
Rule currently does not

[[Page 6477]]

address the applicability of this permission to case management and 
care coordination. The Department requests comment on whether such 
limiting language would be appropriate.
---------------------------------------------------------------------------

    \195\ See the definitions of ``Health care provider'' and 
``Covered entity'' at 45 CFR 160.103.
---------------------------------------------------------------------------

    Although the Department believes that such disclosures generally 
are permitted under the existing Privacy Rule for treatment or certain 
health care operations, this additional, express regulatory language 
would provide greater regulatory clarity, and help ensure that covered 
entities are able to disclose PHI to coordinate care for individuals 
with social services agencies, community based organizations, and HCBS 
providers or other similar third parties that are providing health-
related services to those individuals. The Department acknowledges that 
some RFI commenters expressed concerns about expressly permitting such 
disclosures without individuals' authorization or consent. In response, 
the Department notes that, similar to its proposal to except certain 
care coordination and case management disclosures from the minimum 
necessary standard, it also proposes to limit the scope of this 
permission to disclosures by covered entities for care coordination and 
case management for individuals (whether as treatment or health care 
operations, depending on whether the covered entity is a health care 
provider or a health plan, respectively), rather than population-based 
activities. The Department believes that the limitation to individual-
level activities will ensure that the disclosures made under this 
permission would be akin to disclosures for treatment, which 
individuals expect to occur without their needing to provide an 
authorization or consent. The existing Privacy Rule right to request 
restrictions on disclosures for treatment, payment, and health care 
operations purposes under 45 CFR 164.522(a) also remains available for 
individuals to request more limited disclosures.
    The Department believes this change would facilitate and encourage 
greater wraparound support and more targeted care for individuals, 
particularly where it would be difficult to obtain an individual's 
authorization or consent in advance, because the individual cannot 
easily be contacted (e.g., when an individual is homeless). This 
improved care coordination and case management could lead to better 
health outcomes while retaining existing limits on population-based 
disclosures. At this time, the Department proposes to place examples of 
the third party recipient entities in regulatory text but does not 
propose definitions of care coordination and case management that such 
third parties must conduct to be appropriate recipients of PHI for 
these purposes. The Department believes the robust description and 
discussion of stakeholder definitions for ``care coordination and case 
management'' affords the regulated community sufficient information 
with which to determine whether a recipient is engaged in the 
contemplated activities.
3. Request for Comments
    The Department requests comments on the above proposal, and the 
following considerations in particular:
    a. Whether the proposal to create an express permission to disclose 
PHI to certain third parties for individual level treatment and health 
care operations would help improve care coordination and case 
management for individuals, and any potential unintended adverse 
consequences.
    b. Whether the proposal poses any particular risks for individuals 
related to permitting disclosures without authorization for individual-
level care coordination and case management activities that are health 
care operations (i.e., those that are conducted by health plans) in 
addition to individual-level care coordination and case management 
activities that constitute treatment (i.e., those that are conducted by 
health care providers).
    c. Would the proposed change remove perceived barriers to 
disclosure of PHI, as appropriate, to social services agencies, 
community-based organizations, and HCBS providers to better enable care 
coordination and case management? Are there other entities the 
Department should identify in regulatory text as examples of 
appropriate recipients of PHI under the proposed permission?
    d. Should the proposed change be limited to care coordination and 
case management for a particular individual as proposed, or should it 
also include population-based efforts?
    e. Would this permission to disclose PHI for case management and 
care coordination to the entities described above interact with the ONC 
information blocking requirement to create any unintended adverse 
consequences for individuals' privacy? Please explain.
    f. Should the Department specify the types of organizational 
entities to be included as recipients of PHI in this express permission 
in regulation text, as well as limitations or exclusions, if any, that 
should be placed on the types of entities included? If yes, what types 
of organizational entities should be included or excluded?
    g. Should the Department limit the proposed permission to disclose 
PHI to circumstances in which a particular service provided by a social 
services agency, community-based organization, or HCBS provider is 
specifically identified in an individual's care plan and/or for which a 
social need has been identified via a screening assessment? Should the 
Department require, as a condition of the disclosure, that the parties 
put in place an agreement that describes and/or limits the uses and 
further disclosures allowed by the third party recipients?
    h. To what extent are social services agencies, community-based 
organizations, and HCBS providers covered health care providers under 
HIPAA? How many are non-covered health care providers? Are any such 
entities covered under HIPAA as health plans?

F. Encouraging Disclosures of PHI When Needed to Help Individuals 
Experiencing Substance Use Disorder (Including Opioid Use Disorder), 
Serious Mental Illness, and in Emergency Circumstances (45 CFR 164.502 
and 164.510-514)

    Support from family members, friends, and caregivers is key to 
helping people experiencing substance use disorder (SUD) or serious 
mental illness (SMI).\196\ However, individuals' family members and 
caregivers cannot help if they are not informed. Therefore, to 
encourage covered entities to share information in individuals' best 
interests, without fear of HIPAA penalties, the Department proposes to 
amend five provisions of the Privacy Rule to replace ``the exercise of 
professional judgment'' standard with a standard permitting certain 
disclosures based on a ``good faith belief'' about an individual's best 
interests. Further, to better enable covered entities to prevent and 
lessen harm to individuals or the public, the Department proposes to

[[Page 6478]]

replace the Privacy Rule provision that currently permits a covered 
entity to use or disclose an individual's PHI based on a ``serious and 
imminent threat'' with a ``serious and reasonably foreseeable threat'' 
standard. These provisions and the proposed amendments are discussed in 
detail below.
---------------------------------------------------------------------------

    \196\ See Substance Abuse and Mental Health Services 
Administration, Mental Health and Substance Use Disorders, which 
defines these terms 
as follows: Serious mental illness is defined by someone over 18 
having (within the past year) a diagnosable mental, behavior, or 
emotional disorder that causes serious functional impairment that 
substantially interferes with or limits one or more major life 
activities. Substance use disorders occur when the recurrent use of 
alcohol and/or drugs causes clinically significant impairment, 
including health problems, disability, and failure to meet major 
responsibilities at work, school, or home. For minors, the term 
``Serious Emotional Disturbance'' refers to a diagnosable mental, 
behavioral, or emotional disorder in the past year, which resulted 
in functional impairment that substantially interferes with or 
limits the child's role or functioning in family, school, or 
community activities. Available at https://www.samhsa.gov/find-help/disorders.
---------------------------------------------------------------------------

1. Current Provisions and Issues To Address
Disclosures to Personal Representatives
    Under 45 CFR 164.502(g) of the Privacy Rule, a personal 
representative is a person with authority under applicable law (e.g., 
state law) to act on behalf of an individual in making decisions 
related to health care.\197\ In general, the Privacy Rule treats a 
personal representative in the same way it treats the individual; thus, 
for example, a personal representative is able to exercise the 
individual's right to obtain PHI about the individual.\198\ In many 
circumstances, the parent or guardian of an unemancipated minor child 
is treated as the minor's personal representative under applicable law. 
In addition, to address circumstances in which state or other 
applicable law does not treat a parent as an unemancipated minor's 
personal representative, the provision at 45 CFR 164.502(g)(3)(ii)(C) 
permits, but does not require, covered entities to provide access under 
45 CFR 164.524 to a parent, guardian or other person acting in loco 
parentis who is not a personal representative under applicable law, if 
the action is consistent with state or other applicable law, and the 
decision to disclose is based on the professional judgment of a 
licensed health care professional.
---------------------------------------------------------------------------

    \197\ 45 CFR 164.502(g)(3)(i) lists exceptions to this general 
rule, specifying that such a person may not be a personal 
representative with respect to information pertaining to a health 
care service if: (A) The minor consents to such health care service; 
no other consent to such health care service is required by law, 
regardless of whether the consent of another person has also been 
obtained; and the minor has not requested that such person be 
treated as the personal representative; (B) The minor may lawfully 
obtain such health care service without the consent of a parent, 
guardian, or other person acting in loco parentis, and the minor, a 
court, or another person authorized by law consents to such health 
care service; or (C) A parent, guardian, or other person acting in 
loco parentis assents to an agreement of confidentiality between a 
covered health care provider and the minor with respect to such 
health care service.
    \198\ See 45 CFR 164.502(g)(1).
---------------------------------------------------------------------------

Uses and Disclosures Requiring an Opportunity for the Individual To 
Agree or Object
    Under 45 CFR 164.510, covered entities, including health care 
providers, generally must provide an individual with the opportunity to 
agree or object before using or disclosing the individual's PHI for 
inclusion in a facility directory or disclosing PHI to family members, 
caregivers, or others involved in care or payment for care. However, 
individuals are not always able to agree or object to such uses or 
disclosures, particularly in emergency situations.
    Accordingly, 45 CFR 164.510(a)(3) permits a covered health care 
provider to disclose facility directory information, including name, 
location within the provider's facility, general condition, and 
religious affiliation to clergy and others, such as family members, who 
ask for the individual by name, when the individual cannot agree or 
object due to incapacity or an emergency treatment circumstance, if: 
(A) Consistent with a prior expressed preference of the individual, if 
any, that is known to the covered health care provider; and (B) the 
disclosure is in the individual's best interests, as determined by the 
covered health care provider, in the exercise of professional judgment.
    A similar rationale applies to 45 CFR 164.510(b), which recognizes 
that family members and other caregivers have a legitimate need to 
obtain the information that will permit them to continue to participate 
in the individual's care when it is in the individual's best interests, 
particularly in emergency circumstances. Currently, 45 CFR 
164.510(b)(2)(iii) permits a covered entity to disclose relevant PHI 
about an individual who is present and has decision-making capacity, if 
the covered entity can reasonably infer, based on the exercise of 
professional judgment, that the individual does not object to the 
disclosure. Further, 45 CFR 164.510(b)(3) permits a covered entity to 
disclose relevant PHI about an individual who cannot agree or object 
due to incapacity or an emergency circumstance to family members and 
other caregivers involved in the individual's care or payment for care, 
if the covered entity, based on professional judgment, determines that 
the disclosure is in the best interests of the individual.
Identity Verification
    Section 164.514(h)(2)(iv) of title 45 CFR generally requires 
covered entities to establish and use written policies and procedures 
reasonably designed to verify the identity and authority of the 
requestor of PHI.\199\ However, certain circumstances surrounding the 
disclosure itself may accomplish the verification without having to 
collect additional documents or rely on a pre-established 
procedure.\200\ Therefore, 45 CFR 164.514(h)(2)(iv) provides that a 
covered entity's obligation to verify a requestor's identity is met if 
the covered entity relies on an exercise of professional judgment 
pursuant to 45 CFR 164.510, or acts on a good faith belief in making a 
disclosure pursuant to 45 CFR 164.512(j) to prevent or lessen certain 
serious and imminent threats.
---------------------------------------------------------------------------

    \199\ See 65 FR 82462, 82546 (December 28, 2000).
    \200\ Ibid.
---------------------------------------------------------------------------

Uses and Disclosures To Avert a Serious Threat to Health or Safety
    Section 164.512(j) of title 45 CFR permits covered entities, 
``consistent with applicable law and standards of ethical conduct,'' to 
rely on a good faith belief to use or disclose PHI when necessary to 
prevent or lessen a serious and imminent threat to the health or safety 
of a person or the public.\201\ The permission is intended to 
accommodate, and be consistent with, a ``duty to warn'' third parties 
of a threat as established in case law (and, in some states, statutory 
requirements).\202\ Certain conditions apply, including that the 
recipient of the PHI must be reasonably able to prevent or lessen the 
threat, or the use or disclosure must be necessary for law enforcement 
to identify or apprehend the subject individual.\203\ In the case of a 
disclosure to law enforcement, additional conditions include that the 
individual made a statement admitting participation in a violent crime 
that the covered entity reasonably believes may have caused serious 
physical harm to the victim, or that circumstances demonstrate that the 
subject individual escaped from a correctional institute or lawful 
custody, as defined in the Privacy Rule.\204\
---------------------------------------------------------------------------

    \201\ See 45 CFR 164.512(j)(1)(i)(A). To ``lessen'' a threat 
could mean, for example, to reduce the severity of the threat, or 
the likelihood of the anticipated harm occurring.
    \202\ See 65 FR 82462, 82538 (December 28, 2000). See also state 
law requirements compiled at http://www.ncsl.org/research/health/mental-health-professionals-duty-to-warn.aspx. To the extent that 
state or other law requires a disclosure (e.g., as part of a 
statutory duty to warn), the Privacy Rule would permit the 
disclosure under its permission for uses and disclosures of PHI 
required by law. See 45 CFR 164.512(a). However, not all states have 
enacted such requirements, and those that do apply a variety of 
different standards. In contrast, HIPAA's disclosure permission 
applies a uniform permissive standard to covered entities 
nationwide.
    \203\ See 45 CFR 164.512(j)(1)(ii).
    \204\ Ibid. See also 164.501, definition of ``Correctional 
institution,'' including description of ``lawful custody.''

---------------------------------------------------------------------------

[[Page 6479]]

Relevant Guidance Encouraging Disclosures of PHI To Help Individuals 
Experiencing Opioid Use Disorder or Mental Illness
    On October 27, 2017, in response to the nation's opioid crisis, OCR 
issued guidance titled How HIPAA Allows Doctors to Respond to the 
Opioid Crisis.\205\ The guidance addresses the HIPAA permission for 
covered health care providers to share PHI with an individual's 
friends, family, and others involved in the individual's care or the 
payment for that care when the individual has overdosed and is unable 
to agree or object to uses and disclosures of PHI. The guidance 
clarifies that ``a provider may use professional judgment to talk to 
the parents of someone incapacitated by an opioid overdose about the 
overdose and related medical information, but generally could not share 
medical information unrelated to the overdose without permission.'' 
\206\
---------------------------------------------------------------------------

    \205\ Guidance on Responding to an Opioid Overdose, HHS Office 
for Civil Rights (October 27, 2017), available at https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf?language=es.
    \206\ Ibid.
---------------------------------------------------------------------------

    The guidance further clarifies when a covered health care provider 
may rely on another permission, 45 CFR 164.512(j), in an overdose 
situation:

    For example, a doctor whose patient has overdosed on opioids is 
presumed to have complied with HIPAA if the doctor informs family, 
friends, or care-givers of the opioid abuse after determining, based 
on the facts and circumstances, that the patient poses a serious and 
imminent threat to his or her health through continued opioid abuse 
upon discharge.\207\
---------------------------------------------------------------------------

    \207\ Ibid.
---------------------------------------------------------------------------

Although the guidance focuses primarily on overdose situations, the 
HIPAA provisions apply equally to the disclosure of PHI during other 
health emergencies or dangerous situations. The full text of the 
guidance is available at https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf?language=es.
    In addition to guidance addressing the opioid epidemic, OCR has 
issued guidance to assist individuals experiencing SMI, their families, 
and other caregivers as required by the Cures Act.\208\ Section 11001 
of the Cures Act includes a ``sense of Congress'' that clarification 
was needed regarding the Privacy Rule's existing permitted uses and 
disclosures of PHI by health care professionals to communicate with 
caregivers of adults with SMI to facilitate treatment. Section 11003 
directed the Secretary, acting through the Director of OCR, to issue 
clarifying guidance explaining the circumstances under the Privacy Rule 
in which a health care provider or other covered entity may disclose 
PHI, such as in the exercise of professional judgment regarding the 
best interests of a patient when the patient is incapacitated or in an 
emergency situation, and the circumstances in which HIPAA permits 
disclosures of PHI to a patient's family and other caregivers. In 
response to the requirements in the Cures Act, OCR created new web 
pages for health care professionals and consumers containing all of its 
guidance and materials related to mental and behavioral health 
information.\209\
---------------------------------------------------------------------------

    \208\ Available at https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf.
    \209\ ``Information Related to Mental and Behavioral Health, 
including Opioid Overdose,'' HHS Office for Civil Rights (2017), 
available at https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html and https://www.hhs.gov/hipaa/for-individuals/mental-health/index.html.
---------------------------------------------------------------------------

    Despite issuing extensive guidance, OCR continues to hear that some 
covered entities are reluctant to disclose information to persons 
involved in the care of individuals experiencing these health issues, 
even when the Privacy Rule permits such disclosures. For example, since 
the guidance was published and as recently as July 11, 2018, a patient 
advocate testified before the Federal Commission for School Safety 
(FCSS) that, despite OCR's efforts to disseminate guidance, providers 
continue to ``stonewall'' families when asked to disclose PHI and 
routinely withhold medical information from family members, out of 
concerns of potentially violating HIPAA.\210\
---------------------------------------------------------------------------

    \210\ ``Final Report on the Federal Commission on School 
Safety,'' Department of Education (December 18, 2018), p. 136, 
available at https://www2.ed.gov/documents/school-safety/school-safety-report.pdf.
---------------------------------------------------------------------------

    The Department has similarly heard anecdotal accounts that some 
health care providers are reluctant to disclose needed health 
information about an incapacitated patient to even their closest 
friends and family, due to concerns about potential penalties under 
HIPAA. OCR understands that this reluctance to disclose, even when the 
Privacy Rule permits disclosure, creates particular difficulties, and 
potential risks for patients and others, when a patient is unable to 
agree or object to the disclosure due to incapacity related to SMI, 
SUD, or another cause.
    In addition, in the wake of the incidents of mass violence in 
recent years, such as shootings and acts of terrorism, the Department 
has heard anecdotes claiming that HIPAA impedes health care providers 
from disclosing PHI, even when such disclosure could prevent or lessen 
a serious and imminent threat of harm or violence. According to these 
accounts, the reluctance to disclose persists even though the HIPAA 
Rules permit disclosure in such circumstances.
    In the 2018 RFI, the Department solicited public input to determine 
whether and how to modify the Privacy Rule to help combat the opioid 
crisis, treat SMI, and promote family involvement in the care of 
individuals experiencing these health situations. It also sought 
comment on how the Department could amend the Privacy Rule to increase 
disclosures of PHI by covered health care providers to family members 
and other caregivers experiencing difficulties obtaining health 
information about their minor and adult children or parents, spouses, 
and other individuals when needed to coordinate their care or otherwise 
be involved in their treatment. Noting anecdotal information suggesting 
that some covered entities are reluctant to involve the caregivers of 
individuals facing health crises for fear of violating the Privacy 
Rule, the Department asked for examples of circumstances in which the 
Privacy Rule has presented real or perceived barriers to family members 
attempting to access information.
    Many commenters asked the Department to align the Privacy Rule with 
42 CFR part 2 (Part 2), which requires certain federally funded SUD 
treatment programs (called ``Part 2 programs'') and downstream 
recipients (called ``lawful holders'') of their patient-identifying 
information to maintain the confidentiality of records related to the 
diagnosis and treatment of SUD.\211\ Part 2 modifications are outside 
the scope of this rulemaking, and nothing in this Privacy Rule NPRM 
would change the part 2 compliance obligations of covered entities who 
are subject to part 2. Further, this NPRM does not affect covered 
entities' obligations to comply with applicable state laws that 
restrict the disclosure of sensitive information, including SUD or 
other sensitive health issues.
---------------------------------------------------------------------------

    \211\ The Part 2 regulations are authorized by section 290dd-2 
of Title 42 US Code, which provides that ``Records of the identity, 
diagnosis, prognosis, or treatment of any patient which are 
maintained in connection with the performance of any program or 
activity relating to substance use disorder education, prevention, 
training, treatment, rehabilitation, or research, which is 
conducted, regulated, or directly or indirectly assisted by any 
department or agency of the United States shall, except as provided 
in subsection (e), be confidential and be disclosed only for the 
purposes and under the circumstances expressly authorized under 
subsection (b).''

---------------------------------------------------------------------------

[[Page 6480]]

    On March 27, 2020, Congress enacted the Coronavirus Aid, Relief, 
and Economic Security Act (CARES Act) which requires greater alignment 
of the part 2 regulations with the HIPAA Rules.\212\ On July 15, 2020, 
the Department, through the Substance Abuse and Mental Health Services 
Administration (SAMHSA), published a final rule revising the part 2 
regulations to facilitate such activities as quality improvement and 
claims management in a manner that more closely aligns part 2 with some 
of the disclosure permissions of the Privacy Rule.\213\ The Department 
will implement the CARES Act requirements concerning the part 2 
regulations in a future rulemaking.
---------------------------------------------------------------------------

    \212\ See Public Law 116-136, 134 Stat. 286 (March 27, 2020). 
Section 3221 of Public Law 116-136 amended 42 U.S.C. 290dd-2.
    \213\ See 85 FR 42986 (July 15, 2020).
---------------------------------------------------------------------------

    Nearly all commenters who identified as family members of patients 
agreed that in many cases more information related to an individual's 
SMI or SUD should be disclosed to family caregivers, and shared 
personal stories about the devastating consequences--such as suicide, 
missed appointments, homelessness, and lack of continuity in treatment 
and medication--that occurred because of a lack of information 
disclosure. A few commenters suggested that HIPAA should preempt all 
state laws that restrict disclosures of mental and behavioral health 
information to family members or coordinating health and social 
services agencies. A few other commenters expressed concern that the 
inability to disclose PHI related to mental health to social services 
agencies largely impacts poor individuals and minorities.
    Commenters who identified as patients or privacy advocacy groups 
almost universally opposed modifying the Privacy Rule to expand 
permitted disclosures of information related to SMI and opioid use 
disorder or other SUDs. Many commenters expressed fear of family 
members and employers having access to this information, citing 
potentially adverse consequences, including fear of discrimination, 
abuse, and retaliation. Many health care providers expressed concern 
about the chilling effect that increased disclosures would have on 
individuals seeking treatment for opioid use disorders and stated that 
the Privacy Rule is already flexible enough to permit the amount of 
disclosure needed to address the opioid epidemic. Many suggested 
issuing clarifying guidance on existing regulatory permissions as a 
preferred approach to increasing disclosures of PHI. A few pointed to 
the need to leverage technology, such as consent management and data 
segmentation, pursuant to the health information certification 
standards \214\ published by ONC, as a means to help providers protect 
sensitive records while accessing information necessary for care.
---------------------------------------------------------------------------

    \214\ See 45 CFR parts 170 and 171.
---------------------------------------------------------------------------

    As the Department noted in the 2018 RFI, the Privacy Rule generally 
defers to state law with respect to the circumstances in which a parent 
or guardian is treated as the personal representative of an 
unemancipated minor child, and under which information may not be 
disclosed to parents. Many commenters recognized state law, not the 
Privacy Rule, as the source of the more restrictive provisions (e.g., 
state laws that restrict access to an unemancipated adolescent's mental 
health information). Nevertheless, some commenters suggested that HIPAA 
presented a barrier, especially in cases where a teenager or school-
aged child experienced mental illness. Accordingly, some covered 
entities, professional organizations, advocacy organizations, and 
parents supported increasing parental access to minors' PHI. Some 
commenters were particularly supportive of increasing disclosures of 
PHI involving SUD, SMI, and other behavioral health concerns. However, 
some commenters raised concerns about abusive parents or guardians 
gaining access to a minor child's PHI, and some appreciated that the 
Privacy Rule currently permits a covered entity to deny access to a 
personal representative suspected of abuse or neglect. In addition, 
some commenters expressed concern that increasing parental access would 
inhibit a child from seeking the health care he or she needs, 
especially with respect to sensitive health conditions.
    The Department received a few comments related to adult children 
being able to access the records of their parents. For example, one 
commenter suggested that the Department create a ``relative caregiver'' 
category with a right to access the medical records of elderly parents; 
another commenter provided a similar suggestion to address the care of 
individuals experiencing dementia. In contrast, several commenters 
raised concerns about impinging on the individual autonomy of their 
adult parents or other adults, and stressed the importance of 
protecting privacy for older adults.
2. Proposals
    The Department believes more can be done to encourage health care 
providers to disclose PHI when families and other caregivers of 
individuals are attempting to assist with health related emergencies, 
SUD (including opioid disorder) or SMI, and other circumstances in 
which individuals are incapacitated or otherwise unable to express 
their privacy preference. To address these concerns, the Department 
proposes several modifications to the Privacy Rule to encourage covered 
entities to use and disclose PHI more broadly in scenarios that involve 
SUD, SMI, and emergency situations, provided that certain conditions 
are met. In particular, the Department proposes to amend five 
provisions of the Privacy Rule to replace ``exercise of professional 
judgment'' with ``good faith belief'' as the standard pursuant to which 
covered entities would be permitted to make certain uses and 
disclosures in the best interests of individuals. The professional 
judgment standard presupposes that a decision is made by a health care 
professional, such as a licensed practitioner, whereas good faith may 
be exercised by other workforce members who are trained on the covered 
entity's HIPAA policies and procedures and who are acting within the 
scope of their authority. The Department also proposes a presumption 
that a covered entity has complied with the good faith requirement, 
absent evidence that the covered entity acted in bad faith. Together, 
these proposed modifications would improve the ability and willingness 
of covered entities to make certain uses and disclosures of PHI as 
described below.
    The Department acknowledges prior comments expressing concern that 
a good faith standard offers individuals less privacy protection. 
However, covered entities still must take into account the facts and 
circumstances surrounding the disclosures, such as an individual's 
prior expressed privacy preferences and knowledge of any abusive 
relationship between the person to whom the covered entity would 
disclose PHI and the individual. Similarly, the Department would treat 
disclosures for any improper purpose as ``bad faith'' disclosures. 
Examples of bad faith could include knowledge that information will be 
used to harm the individual or will be used for crime, fraud (including 
defrauding the individual), or personal enrichment. As another example, 
a provider who is sued for malpractice and demands a signed statement 
of satisfactory care

[[Page 6481]]

from an incapacitated individual's family member in exchange for 
disclosing the individual's PHI to the family member has likely acted 
in bad faith. Finally, the Department encourages covered entities to 
ascertain the privacy preferences of individuals who are at known risk 
of experiencing episodes of incapacity before such individuals become 
incapacitated, where possible.
Replacing Professional Judgment With Good Faith in Sections 45 CFR 
164.502(g)(3)(ii)(C), 164.510(a)(3), 164.510(b)(2)(iii), 164.510(b)(3), 
164.514(h)(2)(iv)
    The Department's proposal to replace ``professional judgment'' with 
a standard based on the good faith belief of the covered entity in the 
five provisions listed above should improve care coordination by 
expanding the ability of covered entities to disclose PHI to family 
members and other caregivers when they believe it is in the best 
interests of the individual, without fear of violating HIPAA. The 
requirement under the current rule to exercise ``professional 
judgment'' could be interpreted as limiting the permission to persons 
who are licensed or who rely on professional training to determine 
whether a use or disclosure of PHI is in an individual's best 
interests. While professional training and experience naturally inform 
a health care provider's good faith belief about an individual's best 
interests, a good faith belief does not always require a covered entity 
or its workforce member to possess specialized education or 
professional experience. Rather, a good faith belief may be based on, 
for example, knowledge of the facts of the situation (including any 
prior expressed privacy preferences of the individual, such as those in 
an advance directive), or the representations of a person or persons 
who reasonably can be expected to have knowledge of relevant facts.
    At the same time, as illustrated by the following scenarios, a 
standard of ``good faith'' anticipates that a covered entity or 
workforce member would exercise a degree of discretion appropriate for 
its role when deciding to use or disclose PHI, and to comply with any 
other conditions contained in the applicable permissions. For example, 
``good faith'' would permit a licensed health care professional to draw 
on experience to make a good faith determination that it is in the best 
interests of a young adult patient, who has overdosed on opioids, to 
disclose information to a parent who is involved in the patient's 
treatment and who the young adult would expect, based on their 
relationship, to participate in or be involved with the patient's 
recovery from the overdose. In this circumstance, the professional's 
good faith belief should be informed by professional judgment, but the 
professional would be assured that the Department would not second-
guess the decision made for the patient's best interests by, for 
example, requiring the professional to prove that the decision was 
consistent with his or her professional training.
    Likewise, front desk staff at a physician's office who have 
regularly seen a family member or other caregiver accompany an adult 
patient to appointments could disclose information about upcoming 
appointments when the patient is not present, based on the staff's 
knowledge of the person's involvement and a ``good faith'' belief about 
the patient's best interests. The extent of the disclosure of PHI would 
be limited to the level of involvement of the family member or 
caregiver of which the staff is aware, consistent with the covered 
health care provider's policies and procedures for disclosures of PHI 
by workforce members. In contrast, front desk staff would not be 
permitted to decide whether to provide access to records under the 
individual right of access at 45 CFR 164.524 to a parent who is not 
their minor child's personal representative, because the applicable 
permission at 45 CFR 164.502(g)(3)(2)(C) requires that the decision be 
made by a licensed health care professional.
    The Department understands that these proposals may raise concerns 
about unintended consequences where a covered health care provider is 
asked to disclose sensitive information to family members or other 
caregivers about individuals at risk of, or experiencing, abuse by the 
requesting family members or caregivers. The Department assumes that 
health care providers would incorporate relevant concerns about an 
individual's risk of abuse as a key factor in whether a disclosure of 
PHI is in an individual's best interest. Disclosures to suspected 
abusers are not in the best interests of individuals and health care 
providers' workforce members should feel confident that this proposal 
would not negate their ability to consider all relevant factors when 
making decisions about disclosing PHI to an individual's family and 
other caregivers related to their involvement in the individual's care 
or payment for care.
    The following examples illustrate the operation of a good faith 
standard in each provision this proposal would modify:
    • Parent or guardian who is not the individual's personal 
representative. The Department proposes to amend 45 CFR 
164.502(g)(3)(ii)(C) to permit a covered entity to disclose the PHI of 
an unemancipated minor to a parent or guardian who is not the personal 
representative of the individual under HIPAA if consistent with state 
or other applicable law and a licensed health care professional has a 
good faith belief that disclosing PHI is in the best interests of the 
individual. For example, the proposed change would permit a covered 
health care provider to disclose PHI of an unemancipated minor 
experiencing SUD in a state or jurisdiction where applicable law does 
not treat the minor's parent as a personal representative, when the 
provider believes that disclosing information to the parent could 
improve the care and treatment of the minor. This proposed good faith 
standard would remove an impediment to disclosures of PHI to a parent 
or guardian of a minor experiencing SUD or SMI where the parent or 
guardian is not recognized as the personal representative of the minor 
under state law. At the same time, this proposal would not preempt 
state laws that prohibit the disclosure of sensitive information 
because this proposal would permit, but not require, the disclosure 
under HIPAA. As such, a covered entity could comply with both HIPAA and 
a more restrictive state law by limiting disclosures in accordance with 
the state law.
    • Facility Directories. The Department proposes to amend 45 
CFR 164.510(a)(3)(i)(B) to permit a covered entity to include an 
individual's name in a facility directory and to disclose, for 
directory purposes, the individual's location and general condition, 
when the individual is unable to agree or object and the covered entity 
has a good faith belief that the disclosure is in the best interests of 
the individual. For example, this change would facilitate a hospital's 
disclosure of directory information about an individual who is 
incapacitated and unable to identify family members or other caregivers 
involved in his or her care who are trying to locate the individual. 
The Department does not propose to change 45 CFR 164.510(a)(3)(i)(A), 
which requires that a disclosure under 45 CFR 164.510(a)(3) be 
consistent with a prior expressed preference of the individual, if any, 
that is known to the covered health care provider.
    • Emergency contacts. The Department proposes to amend 45 
CFR 164.510(b)(2)(iii) to permit covered entities to disclose relevant 
information to a person involved in the individual's care or payment 
for care when the covered entity reasonably infers, based

[[Page 6482]]

on a good faith belief, that the individual does not object. For 
example, under this proposal an acute care facility that lacks a 
written designation of an emergency contact but possesses knowledge of 
an incapacitated patient's designated emergency contact could disclose 
PHI to that contact, based on a good faith belief that the patient does 
not object to the disclosure. In contrast, a disclosure of PHI by a 
covered entity with knowledge of an individual's advance directive that 
documents an objection to disclosure to a particular person would be 
inconsistent with a good faith belief that the individual does not 
object.
    • Emergencies and incapacity. The Department proposes to 
amend 45 CFR 164.510(b)(3) to permit covered entities to disclose 
relevant information about the individual to family members and other 
caregivers who are involved with the individual's care or payment for 
care, or who require notification related to the individual, when the 
individual cannot agree to the disclosure because of absence, 
incapacity, or emergency circumstances, and the covered entity has a 
good faith belief that the disclosure is in the best interests of the 
individual. This change would, for example, facilitate a health care 
provider's disclosure of PHI to a caregiver of a patient who is 
incapacitated by an overdose, mental health crisis, or other health 
emergency. The Privacy Rule does not define incapacity, but the 
Department has provided examples and explained that a formal 
determination is not necessary.\215\
---------------------------------------------------------------------------

    \215\ See e.g., https://www.hhs.gov/hipaa/for-professionals/faq/2090/when-does-mental-illness-or-another-mental-condition-constitute-incapacity-under-privacy-rule.html.
---------------------------------------------------------------------------

    • Verifying requestor's identity. The Department proposes to 
amend 45 CFR 164.514(h)(2)(iv) to provide that a covered entity would 
satisfy its obligations to verify a requestor's identity if the covered 
entity acts on a good faith belief in making a disclosure of relevant 
PHI under 45 CFR 164.510, 164.512(j), and 164.514(h)(2)(iv). These 
disclosures are already limited in scope to the information relevant to 
assisting the individual with his or her health care or payment for 
care (45 CFR 164.510) or to the minimum amount of information necessary 
for the purpose (45 CFR 164.512(j)). This proposal would, for example, 
improve the ability of a covered hospital to disclose PHI of an 
individual experiencing an emergency to a person who represents that he 
or she is a family member or caregiver of the individual, without 
requiring the family member or caregiver to present documentation of 
the relationship with the individual, if the hospital has a good faith 
basis for believing the requestor's representations about the 
requestor's identity. As 
stated in the preamble to the 2000 Privacy Rule:

    ``Requiring written proof of identity in many of these 
situations, such as when a family member is seeking to locate a 
relative in an emergency or disaster situation, would create 
enormous burden without a corresponding enhancement of privacy, and 
could cause unnecessary delays in these situations. The Department 
therefore believes that reliance on professional judgment provides a 
better framework for balancing the need for privacy with the need to 
locate and identify individuals. . . . As with many of the 
requirements of this final rule, health care providers are given 
latitude and expected to make decisions regarding disclosures, based 
on their professional judgment and experience with common practice, 
in the best interest of the individual.'' \216\
---------------------------------------------------------------------------

    \216\ 65 FR 82462, 82719 (December 28, 2000).
---------------------------------------------------------------------------

    A hospital may not have a good faith basis for believing the 
requestor's representations about the requestor's identity and 
relationship with the individual if, for example, a workforce member 
receives a request from an unfamiliar and unverified email address or 
the requestor is unknown and not named as a contact in an individual's 
record. Additionally, this proposal would not remove a covered entity's 
obligation(s) under other applicable laws, such as laws requiring 
providers to obtain documentation of a relationship before disclosing 
information, including laws governing requests for access to medical 
records by a person who claims to be an individual's personal 
representative.
    The Department also proposes to amend the Privacy Rule at 45 CFR 
164.502 by adding a new paragraph (k), which would apply a presumption 
of compliance with the ``good faith'' requirement when covered entities 
make a disclosure based upon a belief that the disclosure is in the 
best interests of the individual with regard to those five provisions.
Changing ``Serious and Imminent'' to ``Serious and Reasonably 
Foreseeable''
    As noted above, 45 CFR 164.512(j)(1)(i)(A) permits covered entities 
to use or disclose PHI, consistent with applicable law and standards of 
ethical conduct, if the covered entity has a good faith belief that the 
use or disclosure is necessary to prevent or lessen a ``serious and 
imminent threat'' to the health or safety of a person (including the 
individual) or the public.\217\ The recipient of the PHI must be 
reasonably able to prevent harm or lessen the threat, or the use or 
disclosure must be necessary for law enforcement to identify or 
apprehend an individual.\218\
---------------------------------------------------------------------------

    \217\ 45 CFR 164.512(j)(1)(i)(A). 45 CFR 164.512(j), unlike the 
provisions above that currently permit uses and disclosures based on 
professional judgment, already permits a covered entity to disclose 
PHI based on a good faith belief.
    \218\ See 45 CFR 164.512(j)(1)(ii)(A)-(B). This condition 
additionally requires the individual who is the subject of the PHI 
to have admitted participation in a violent crime that the covered 
entity reasonably believes may have caused serious physical harm to 
the victim of the crime, or the individual who is the subject of the 
PHI has escaped from a correctional institute or lawful custody.
---------------------------------------------------------------------------

    To clarify that the Privacy Rule permits covered entities to 
address threats of harm, the Department proposes to amend the Privacy 
Rule at 45 CFR 164.512(j)(1)(i)(A) to replace the ``serious and 
imminent threat'' standard with a ``serious and reasonably foreseeable 
threat'' standard. The Department seeks to prevent situations in which 
covered entities decline to make uses and disclosures they believe are 
needed to prevent harm or lessen threats of harm due to concerns that 
their inability to determine precisely how imminent the threat of a 
harm is may make them subject to HIPAA penalties for an impermissible 
use or disclosure. The proposed modification would permit covered 
entities to use or disclose PHI without having to determine whether the 
threatened harm is imminent (which may not be possible in some cases); 
instead, they may determine whether it is reasonably foreseeable that 
the threatened harm might occur. The Department further proposes to add 
a new paragraph (5) to define ``reasonably foreseeable'' using a 
reasonable person standard.\219\ This standard involves consideration 
of whether a similarly situated covered entity could believe that a 
serious harm is reasonably likely to occur, and does not require a 
determination that a

[[Page 6483]]

majority of covered entities could have such a belief. However, the 
``reasonably foreseeable'' standard would not permit the application of 
assumptions unwarranted by the individual's diagnosis and specific 
circumstances. For example, the assumption that a person with a 
diagnosis of depression or anxiety is a threat to themselves or others 
merely by virtue of that diagnosis is unfounded. Likewise, assuming 
that an individual on the autism spectrum who displays certain 
behaviors frequently associated with mental illness has co-occurring 
mental illness without any such diagnosis is unfounded.
---------------------------------------------------------------------------

    \219\ See, e.g., Rest. 2d Torts, section 283. In describing the 
standard of the ``reasonable man'' in the context of negligence in 
tort law, the authors note benefits of the standard that also apply 
to the proposal in this NPRM: ``The chief advantage of this standard 
of the reasonable man is that it enables the triers of fact who are 
to decide whether the actor's conduct is such as to subject him to 
liability for negligence, to look to a community standard rather 
than an individual one, and at the same time to express their 
judgment of what that standard is in terms of the conduct of a human 
being. The standard provides sufficient flexibility, and leeway, to 
permit due allowance to be made for such differences between 
individuals as the law permits to be taken into account, and for all 
of the particular circumstances of the case which may reasonably 
affect the conduct required, and at the same time affords a formula 
by which, so far as possible, a uniform standard may be 
maintained.''
---------------------------------------------------------------------------

    The Department recognizes that some covered health care providers, 
such as licensed mental and behavioral health professionals, have 
specialized training, expertise, or experience in assessing an 
individual's risk to health or safety (e.g., through a violence or 
suicide risk assessment). Therefore, the reasonably foreseeable 
standard would include an express presumption that such a covered 
health care provider has met the reasonably foreseeable standard when 
it makes a disclosure related to facts and circumstances about which 
the covered health care provider (or member of the provider's 
workforce) has specialized training, expertise, or experience.
    Threats to public health or safety would include, for example, mass 
shootings, the use of explosive devices to attack a crowd, or other 
acts of terrorism. These examples are intended to highlight for covered 
health care providers their ability to use or disclose PHI to lessen 
the threat of, or prevent harm due to, potential mass violence and are 
not intended to limit the scope or type of serious and reasonably 
foreseeable threats covered by this provision. That is, a covered 
entity (or a member of a covered entity's workforce) need not have such 
specialized training, expertise, or experience in order to meet the 
reasonably foreseeable standard.
    The Department does not propose to change the existing 
``presumption of good faith belief'' at 45 CFR 164.512(j)(4), which 
explains the circumstances in which a covered entity is presumed to 
have acted in good faith with regard to a belief that a use or 
disclosure is necessary to prevent harm or lessen a threat.\220\ 
Therefore, with the proposed modification, a covered entity that 
reports a threat to health or safety could potentially benefit from two 
presumptions under the Privacy Rule: (1) A presumption that the serious 
harm the covered entity identified was reasonably foreseeable, and (2) 
a presumption that the covered entity believed the use or disclosure 
was necessary to prevent harm or lessen the threat.
---------------------------------------------------------------------------

    \220\ See 45 CFR 164.512(j)(4). The provision states the 
presumption of good faith belief applies ``if the belief is based 
upon the covered entity's actual knowledge or in reliance on a 
credible representation by a person with apparent knowledge or 
authority.''
---------------------------------------------------------------------------

    The Department expects that the proposed modification would improve 
the timeliness of disclosures that would have occurred, but for the 
covered entity's uncertainty regarding whether a threatened harm is 
``imminent.'' As such, this proposed change would improve covered 
entities' ability to disclose PHI to persons who are reasonably able to 
lessen the threat and to prevent harm to the individual, other persons, 
or the public--with sufficient time for such persons to act.
    Thus, for example, adopting a ``serious and reasonably foreseeable 
threat'' standard could further enable a health care provider to timely 
notify a family member that an individual is at risk of suicide, even 
if the provider cannot predict that a suicide attempt is likely to 
occur ``imminently.'' For an individual who poses a threat to public 
safety, a ``serious and reasonably foreseeable threat'' standard may 
afford a health care provider sufficient time to notify a person, such 
as a law enforcement official, who is in a position to avert a serious 
harm that may occur and ensure the safety of the individual and others.
    By referencing mental and behavioral health professionals in the 
proposed definition of reasonably foreseeable, the Department does not 
mean to imply that individuals with mental or behavioral health 
conditions are more likely than other individuals to commit acts of 
violence. As the Department has stated previously,\221\ mental illness 
is not proven to be an effective predictor of gun violence, and 
individuals who are experiencing mental illness are more likely to be 
the victims of violent crime than perpetrators.\222\ The Department 
does not intend with this proposal to perpetuate false and harmful 
stereotypes about individuals with SMI or SUD, but rather to ensure 
that HIPAA is not a barrier in instances when entities believe a 
disclosure of PHI is necessary to prevent harm to the individual or to 
others.\223\ Further, the Department believes that licensed mental and 
behavioral health professionals are among the health care providers 
that are most likely to have specialized training, expertise, or 
experience for which it is reasonable to establish a higher level of 
deference to their belief that a threat exists and that serious harm is 
reasonably foreseeable. The Department requests comment on this 
proposal.
---------------------------------------------------------------------------

    \221\ See HIPAA Privacy Rule and the National Instant Criminal 
Background Check System Proposed Rule, 79 FR 784 (January 7, 2014), 
and Final Rule, 81 FR 382 (January 6, 2016).
    \222\ See 79 FR 784, 788 (January 7, 2014) and 81 FR 382, 386 
(January 6, 2016).
    \223\ Ibid., Id. at 387.
---------------------------------------------------------------------------

    The Department also proposes non-substantive revisions to 45 CFR 
164.512(j) to refer to preventing a harm or lessening a threat, rather 
than preventing or lessening a threat. These proposed revisions are 
intended to clarify the standard, not change it; however, the 
Department requests comment on whether any unintended adverse 
consequences may result from the revisions.
    Finally, the Privacy Rule does not preempt other law that is more 
protective of the individual's privacy.\224\ As such, this proposal 
would not relieve covered entities of stricter restrictions on 
disclosure under state law or other Federal laws. However, the proposal 
would help ensure that HIPAA is not a barrier to disclosures needed to 
prevent harm.
---------------------------------------------------------------------------

    \224\ See 45 CFR 160.203.
---------------------------------------------------------------------------

3. Request for Comments
    The Department requests comments on the above proposal, and the 
following considerations in particular:
    a. Would the proposed change in standard from ``professional 
judgment'' to ``good faith belief'' discourage individuals from seeking 
care?
    b. Should the Department apply the good faith standard to any or 
all of the other nine provisions in the Privacy Rule that call for the 
exercise of professional judgment? Are there circumstances in which it 
would be inappropriate to apply a presumption of compliance across the 
other nine provisions?
    c. Should 45 CFR 164.510(b)(3) be revised to permit a covered 
entity to disclose the PHI of an individual who has decision making 
capacity to the individual's family member, friend, or other person 
involved in care, in a manner inconsistent with the individual's known 
privacy preferences (including oral and written expressions), based on 
the covered entity's good faith belief that the use or disclosure is in 
the individual's best interests, in any situations outside of an 
emergency circumstance? Put another way, are there examples in which 
the totality of the facts and circumstances should or would outweigh an 
individual's preferences, but do not rise

[[Page 6484]]

to the level of posing a serious and reasonably foreseeable threat 
under 45 CFR 164.512(j)? Are there examples related to individuals who 
have regained capacity after having been formerly incapacitated, such 
as where an individual recovering from an opioid overdose leaves the 
hospital against medical advice or leaves a residential treatment 
program?
    d. When should overriding an individual's prior expressed 
preferences constitute bad faith on the part of the covered entity, 
which would rebut the presumption of compliance? Are there instances in 
which overriding an individual's prior expressed preferences would not 
constitute bad faith on the part of the covered entity?
    e. Would the proposed ``serious and reasonably foreseeable threat'' 
standard discourage individuals from seeking care?
    f. Would the proposed standard improve a covered entity's ability 
to prevent potential harm, such that the benefits of the change would 
outweigh potential risks? Please provide examples.
    g. How often do mental and behavioral health professionals perceive 
that HIPAA constrains their ability to report such threats? Please 
provide specific examples, when available, including relevant state 
law.
    h. Are there potential unintended consequences related to granting 
extra deference to a covered health care provider based on specialized 
risk assessment training, expertise, or experience when determining 
that a serious threat exists or that serious harm is reasonably 
foreseeable? Are there unintended consequences related to specifying 
mental and behavioral health professionals as examples of such 
providers?
    i. As an alternative to the existing proposal, should the 
Department establish a specific permission for mental and behavioral 
health professionals to disclose PHI when in the view of the 
professional, the disclosure could prevent serious and reasonably 
foreseeable harm or lessen a serious and reasonably foreseeable threat 
to the health or safety of a person or the public? What would be 
potential unintended consequences of such an alternative?

G. Eliminating Notice of Privacy Practices Requirements Related to 
Obtaining Written Acknowledgment of Receipt, Establishing an Individual 
Right To Discuss the NPP With a Designated Person, Modifying the NPP 
Content Requirements, and Adding an Optional Element (45 CFR 164.520)

1. Current Provision and Issues To Address
    The Privacy Rule, at 45 CFR 164.520, requires a covered health care 
provider that has a direct treatment relationship with an individual to 
make a good faith effort to obtain a written acknowledgment of receipt 
of the provider's NPP. If the provider is unable to obtain the written 
acknowledgment, the provider must document its good faith efforts and 
the reason(s) for not obtaining an individual's acknowledgment, and 
maintain such documentation for six years.\225\
---------------------------------------------------------------------------

    \225\ See 45 CFR 164.520(e); 45 CFR 164.530(j)(2).
---------------------------------------------------------------------------

    The Department has heard anecdotally and in public comments on the 
2018 RFI that the acknowledgment requirements impose paperwork burdens 
that are perceived as unnecessary and that create confusion for 
individuals (who may erroneously believe they are signing an 
authorization or waiver of some kind), as well as front office staff 
(who may erroneously believe that individuals must sign the 
acknowledgment to obtain care).
    In the 2018 RFI, the Department asked whether it should eliminate 
the signature and recordkeeping requirements in 45 CFR 164.520 to 
reduce administrative burden on covered health care providers and free 
up time and resources for providers to spend on treatment, including 
care coordination. In addition, the 2018 RFI asked providers to suggest 
alternative ways to document that they provided an NPP to an individual 
if the written acknowledgment were no longer required. The Department 
also asked whether and how to modify other NPP requirements to 
alleviate covered entity burdens without compromising transparency 
about providers' privacy practices or an individual's awareness of his 
or her rights. In particular, the Department requested feedback on how 
to improve the NPP content and dissemination requirements.
    Most commenters stated that the acknowledgment requirement was 
unduly burdensome, but did not provide cost estimates. Many covered 
entities and associations that commented reported experiencing a large 
administrative burden to document the good faith effort to obtain the 
acknowledgment in cases where the patient is unconscious or otherwise 
incapacitated or cannot sign the acknowledgment due to communication 
barriers.
    Covered entities and large associations agreed with the 
Department's concern in the 2018 RFI that some individuals may 
mistakenly believe that their signature or written acknowledgment of 
the NPP is required to receive treatment. Commenters of all types 
reported their observations of individuals not reading the NPP when 
presented with it. Commenters also noted that physician offices 
frequently provide the NPP form to patients as part of a large bundle 
of paperwork at the time of the visit. Some commenters perceived the 
bundling of the NPP and acknowledgment with other paperwork as 
diminishing the likelihood that individuals pay attention to NPP 
content.
    Associations and health systems/hospitals supported eliminating the 
requirement of a written acknowledgment of receipt of the NPP and 
believed the expected benefits would outweigh any adverse consequences. 
Professional associations, hospitals, and physicians commented that the 
signed NPP acknowledgment or the documentation of good faith efforts to 
obtain the written acknowledgment was of little or no use, and was an 
unnecessary burden.
    In contrast, a number of commenters opposed removing the 
requirement relating to the written acknowledgment of receipt of the 
NPP, asserting that the acknowledgment helps to ensure that individuals 
are aware of their HIPAA rights. These commenters expressed concern 
that eliminating the written acknowledgment requirement would make it 
difficult or even impossible to track whether an individual was 
actually given the NPP and made aware of his or her rights under HIPAA.
    Some commenters suggested alternative policy solutions or other 
actions that the Department could take to improve consumer awareness of 
the NPP, such as requiring providers to post the NPP electronically and 
increasing consumer education about the contents of the NPP.
    Regarding NPP content, ONC, in collaboration with OCR, developed 
several model NPPs, which are publicly available on the OCR 
website.\226\ These

[[Page 6485]]

models use plain language and approachable designs that were tested 
with consumer focus groups. The 2018 RFI sought comment on whether 
covered entities use the model NPPs, whether the model NPPs should 
contain more specific information, and whether an entity that uses a 
model NPP should be deemed compliant with the NPP content requirements.
---------------------------------------------------------------------------

    \226\ See ``Model Notices of Privacy Practices,'' HHS Office for 
Civil Rights (2013), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html and https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/npp_fullpage_hc_provider.pdf.
---------------------------------------------------------------------------

    Some commenters stated that they use the model NPP as a reference 
when creating their own forms, or modify a model to conform to state 
law and other organizational requirements. Some professional 
associations supported creating a safe harbor for entities using a 
model NPP, but several commenters pointed out potential challenges that 
such a safe harbor could create. For example, some commenters stated 
that a safe harbor would lead to greater confusion, with some entities 
having to incorporate provisions from state or local law into model NPP 
language. Others stated that utilizing the model NPP form would lead to 
longer and harder-to-understand notices. Most commenters urged that, 
rather than creating a safe harbor, the Department instead focus on 
developing consumer-focused educational materials.
    Additional issues to address in connection with the NPP would arise 
from the NPRM's proposal to limit the individual right to direct PHI to 
a third party only to an electronic copy of ePHI in an EHR. Covered 
entities may receive requests from individuals to direct to third 
parties copies of PHI that are not ePHI in an EHR and therefore are 
outside the scope of the access right to direct a copy of PHI to a 
third party. The current NPP content does not address these 
limitations. For example, an individual submits a request to her health 
plan to direct ePHI in a designated record set to a third party, but 
that ePHI is not in an EHR. As another example, an individual requests 
that a paper copy, rather than an electronic copy, of PHI in an EHR be 
sent to a third party. Neither of these requests would be included in 
the individuals' right of access to direct an electronic copy of their 
PHI in an EHR to a third party. In addition, the Department is aware 
that many requests to send PHI to a third party may be for a ``complete 
medical record'' that exists in multiple forms and formats (electronic 
and in paper), which are hybrid in nature. The current NPP content 
requirements do not help the individual understand how to obtain such 
records.
2. Proposal
    To alleviate paperwork burdens and reduce confusion for individuals 
and covered health care providers, the Department proposes to eliminate 
the requirements for a covered health care provider with a direct 
treatment relationship to an individual to obtain a written 
acknowledgment of receipt of the NPP and, if unable to obtain the 
written acknowledgment, to document their good faith efforts and the 
reason for not obtaining the acknowledgment.\227\ The proposal also 
would remove the current requirement to retain copies of such 
documentation for six years.\228\
---------------------------------------------------------------------------

    \227\ See 45 CFR 164.520(c)(2)(ii).
    \228\ See 45 CFR 164.520(e).
---------------------------------------------------------------------------

    To ensure that individuals are able to understand and make 
decisions based on the information in the NPP, the Department proposes 
at 45 CFR 164.520(b)(1)(iv)(G) to replace the written acknowledgment 
requirements with an individual right to discuss the NPP with a person 
designated by the covered entity. In addition, the Department proposes 
at 45 CFR 164.520(b)(1)(i) to modify the content requirements of the 
NPP to help increase patients' understanding of an entity's privacy 
practices and their rights with respect to their PHI. First, the 
Department proposes to modify the required header of the NPP to specify 
to individuals that the notice provides information about (1) how to 
access their health information; (2) how to file a HIPAA complaint; and 
(3) individuals' right to receive a copy of the notice and to discuss 
its contents with a designated person.
    Second, the required header would specify whether the designated 
contact person is available onsite and must include a phone number and 
email address the individual can use to reach the designated person. 
This header content requirement would apply to all covered entities, 
and not just covered health care providers with direct treatment 
relationships with individuals, ensuring consistency in how NPP content 
is presented to individuals. Providing this information at the 
beginning of the NPP would improve patients' awareness of their Privacy 
Rule rights, what they can do if they suspect a violation of the 
Privacy Rule, and how to contact a designated person to ask questions.
    Further, consistent with the proposed header language, and to 
ensure that individuals are fully informed of their access rights, the 
Department proposes at 45 CFR 164.520(b)(1)(iv)(C) to modify the 
required element of an NPP that addresses the access right, to describe 
how an individual can exercise the right of access to obtain a copy of 
their records at limited cost or, in some cases, free of charge, and 
the right to direct a covered health care provider to transmit an 
electronic copy of PHI in an EHR to a third party. Finally, the 
Department proposes to add an optional element to the NPP to include 
information to address instances in which individuals seek to direct 
their PHI to a third party, when their PHI is not in an electronic 
health record or is not in an electronic format. This optional element 
would help make individuals aware that they retain the right to obtain 
the PHI directly and give it to a third party or they can request to 
send a copy of PHI directly to a third party using a valid 
authorization. The Department believes these proposals to remove the 
acknowledgment of the NPP requirements would eliminate a significant 
documentation and storage burden for health care providers. The 
Department also believes the proposals would help individuals better 
understand how to exercise their rights, including what they can do if 
they suspect a violation of the Privacy Rule, and who to contact with 
specific questions.
    Based on public comments on the 2018 RFI, the Department does not 
propose to create a safe harbor to deem those entities that use the 
model NPP compliant with the NPP content requirements. Instead, the 
Department requests comment on ways the model NPP could be changed to 
improve consumer understanding. For example, the Privacy Rule requires 
that the NPP contain a description, including at least one example, of 
the types of uses and disclosures the covered entity is permitted to 
make for health care operations (as well as for treatment and payment), 
and the description must include sufficient detail to place the 
individual on notice of the uses and disclosures that are permitted or 
required.\229\ The model NPP explains that the health care operations 
permission allows uses and disclosures of PHI to ``run [the] 
organization,'' which is further described as disclosing an 
individual's health information to run the practice, improve care, and 
contact the individual. The model NPP also includes an example of 
health care operations as ``us[ing] health

[[Page 6486]]

information . . . to manage your treatment and services.'' \230\
---------------------------------------------------------------------------

    \229\ See 45 CFR 164.520(b)(1)(ii)(A) and (D).
    \230\ See ``Full Page Model Notice of Privacy Practices'', HHS 
Office for Civil Rights (2013), available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/npp_fullpage_hc_provider.pdf.
---------------------------------------------------------------------------

    Based on the Department's experience, many individuals are not 
aware of the scope of activities that constitute health care 
operations, and thus the description and example currently in the model 
NPP may not provide sufficient detail to inform the individual of how 
their health information may be used and disclosed for health care 
operations purposes. To that end, the Department requests 
recommendations for how best to impart to individuals how health 
information can be used and disclosed under the health care operations 
permission in the model NPP.
    Finally, consistent with public feedback, the Department will 
continue to consider how to best educate and conduct outreach to inform 
individuals about their Privacy Rule rights and entities' privacy 
practices.
3. Request for Comments
    The Department requests comments on the above proposal, and the 
following considerations in particular:
    a. Would the proposed changes to the NPP requirements have any 
unintended adverse consequences for individuals or regulated entities?
    b. Would the revised NPP content requirements improve individuals' 
understanding of, and ability to exercise, their rights under the 
Privacy Rule?
    c. Are there ways that OCR can improve the model NPPs to be more 
informative and easier to understand?
    d. Should the model NPP's description of health care operations be 
modified? If so, please provide suggested language for modifying the 
description in the model NPP to reflect how your organization uses PHI 
for health care operations purposes.
    e. Are there specific examples that should be included in a model 
NPP to explain to individuals how PHI can be used or disclosed for 
health care operations?
    f. Please provide specific examples of amounts spent and any other 
costs incurred by a covered entity to comply with the requirements 
relating to the acknowledgment of receipt of the NPP, when the covered 
entity fulfills the requirements using paper-based or electronic forms, 
signatures, or document filing systems.

H. Permitting Disclosures for Telecommunications Relay Services for 
People Who are Deaf, Hard of Hearing, or Deaf-Blind, or Who Have a 
Speech Disability (45 CFR 164.512)

1. Current Provisions and Issues To Address
    Telecommunications Relay Service (TRS) facilitates telephone calls 
between individuals who are deaf, hard of hearing, or deaf-blind, or 
who have a speech disability, and others.\231\ TRS is a federally 
mandated service that federally regulated common carriers (e.g., 
operators of all landline and mobile telephone services) are required 
to provide individuals, in the general public, who are deaf, hard of 
hearing, or deaf-blind, or who have a speech disability.\232\ The 
Federal Communications Commission (FCC), pursuant to the Americans with 
Disabilities Act (ADA) \233\ certifies TRS programs, which are 
available in all 50 states, the District of Columbia, Puerto Rico, and 
U.S. territories. States and other government entities typically 
compensate telephone companies to provide TRS services.\234\
---------------------------------------------------------------------------

    \231\ See ``Consumer Guide, Telecommunications Relay Service,'' 
FCC (2017), available at https://www.fcc.gov/consumers/guides/telecommunications-relay-service-trs.
    \232\ See 47 U.S.C. 225(b).
    \233\ Public Law 101-336, 104 Stat. 327 (July 26, 1990), and its 
amendments.
    \234\ See ``Consumer Guide, Telecommunications Relay Service,'' 
https://www.fcc.gov/consumers/guides/telecommunications-relay-service-trs.
---------------------------------------------------------------------------

    TRS facilitates such telephone communication by using a 
communications assistant \235\ who transliterates conversations (or, in 
some cases, interprets using ASL). The communications assistant relays 
information, which may include PHI, between a person who uses text or 
video and another person, who may be communicating by voice or who may 
also use TRS.\236\ Several forms of TRS are available.\237\ All TRS 
providers must comply with standards for operators established by the 
FCC pursuant to Title IV of the ADA, including protecting the 
confidentiality of all relayed communications.\238\
---------------------------------------------------------------------------

    \235\ A communications assistant is ``[a] person who 
transliterates or interprets conversation between two or more end 
users of TRS.'' 47 CFR 64.601(a)(12).
    \236\ See generally, FCC's 2017 ``Consumer Guide, 
Telecommunications Relay Service,'' available at https://www.fcc.gov/consumers/guides/telecommunications-relay-service-trs.
    \237\ TRS types include Text-to-Voice, Voice Carry Over, Hearing 
Carry Over, Speech-to-Speech Relay, Shared Non-English Language 
Relay, Captioned Telephone Service, IP Captioned Telephone Service, 
Internet Protocol Relay Service, and Video Relay Service. Id. at 2.
    \238\ Except in very limited circumstances specified in FCC 
regulations, TRS communications assistants are not permitted to keep 
notes of the contents of a call after a call, unless the caller 
requests that the communications assistant retain such information 
in order to facilitate the completion of subsequent calls. In no 
case may the communications assistant retain such information after 
the completion of the subsequent call(s). See 47 CFR 64.604(a)(2).
---------------------------------------------------------------------------

    OCR has a longstanding FAQ on the use of TRS by a covered entity to 
communicate with an individual who is deaf, hard of hearing, or deaf-
blind, or who has a speech disability. The FAQ states that a covered 
entity is permitted to disclose an individual's PHI to a TRS 
communications assistant when communicating with the individual, 
without the need for a business associate agreement with the TRS 
provider.\239\ The FAQ explains that the Privacy Rule permits 
disclosures to TRS communications assistants under 45 CFR 164.510(b) 
because individuals have an opportunity to agree or object to 
disclosures of PHI to a TRS communications assistant at the beginning 
of a call, and the individuals are identifying the communications 
assistant as involved in their care if they do not object. The FAQ also 
explains that the TRS provider is not acting for or on behalf of the 
covered entity when it provides such relay services, and therefore is 
not a business associate.
---------------------------------------------------------------------------

    \239\ See HHS Office for Civil Rights Frequently Asked 
Questions, available at https://www.hhs.gov/hipaa/for-professionals/faq/500/is-a-relay-service-a-business-associate-of-a-doctor/index.html.
---------------------------------------------------------------------------

    Since the FAQ was created, the Department has become aware that 
advances in technology now allow people who are deaf, hard of hearing, 
or deaf-blind, or who have a speech disability to communicate with the 
help of a TRS communications assistant in a seamless manner, with 
immediate connection and instantaneous transliteration of text or 
interpretation of ASL to voice and vice versa, such that the other 
party to the call may not know that a person is using a TRS 
communications assistant. In addition, TRS is used to not only connect 
patients and providers, but also to assist communications between 
workforce members of covered entities and business associates. For 
these reasons, the original assumption that individuals would always 
have the opportunity to agree or object to a use or disclosure of PHI 
to a communications assistant no longer holds when it is a workforce 
member of the covered entity or business associate, rather than an 
individual (e.g., patient or beneficiary), who needs the TRS services 
to assist in making communications. Further,

[[Page 6487]]

stakeholders have requested that the Department specifically address 
the use of TRS by members of the covered entity or business associate 
workforce to share PHI with other workforce members or outside parties 
as needed to perform their duties. These stakeholders have shared 
anecdotal accounts in which a covered entity or business associate 
refuses to allow a workforce member to use this essential service 
because of concerns about violating the Privacy Rule if they do not 
have a business associate agreement with the TRS provider.
2. Proposal
    The Department proposes to expressly permit covered entities (and 
their business associates, acting on the covered entities' behalf) to 
disclose PHI to TRS communications assistants to conduct covered 
functions by adding a new paragraph (m) to 45 CFR 164.512.\240\ This 
proposed permission would cover all disclosures to TRS communications 
assistants relating to any covered functions performed by, for, or on 
behalf of covered entities and clarify for covered entities that a 
business associate agreement is not needed with a TRS communications 
assistant.
---------------------------------------------------------------------------

    \240\ The terms ``Telecommunications Relay Service'' and 
``Telecommunications Relay Service Communications Assistant'' have 
the same meaning used in 47 CFR part 64.
---------------------------------------------------------------------------

    The Department also proposes to add a new subsection (v) to 
paragraph (4) of the definition of business associate at 45 CFR 160.103 
to expressly exclude TRS providers from the definition of business 
associate. The proposed exclusion would apply regardless of whether the 
workforce member is an employee, contractor, or business associate of 
the covered entity. This proposal would ensure that covered entities 
and business associates do not bear the burdens of analyzing whether 
they need business associate agreements with TRS providers and, 
potentially, establishing such agreements.
    Together, these modifications would help ensure that workforce 
members and individuals who are deaf, hard of hearing, or deaf-blind, 
or who have a speech disability are able to communicate easily using 
TRS for care coordination and other purposes.
3. Request for Comments
    The Department requests comments on this proposal, including the 
following questions:
    a. Would the proposed change achieve the anticipated effects?
    b. Are there any potential unintended, adverse consequences of the 
proposal?
    c. Please share data related to the number of covered entity and 
business associate workforce members who are deaf, hard of hearing, or 
deaf-blind, or who have a speech disability and currently utilize TRS 
to perform their duties.
    d. Please provide data on the amount of time and other resources 
covered entities and business associates have spent on determining 
whether they need a business associate agreement with a TRS provider, 
or actually entering into business associate agreements with TRS 
providers.

I. Expanding the Permission To Use and Disclose the PHI of Armed Forces 
Personnel To Cover all Uniformed Services Personnel (45 CFR 164.512(k))

1. Current Provision and Issues To Address
    The original Privacy Rule \241\ established an express permission 
for covered entities to use and disclose the PHI of Armed Services 
personnel, under certain conditions, to avoid the burden and obstacles 
of obtaining individuals' authorizations when the balance of privacy 
interests and social values weighed toward permitting the use or 
disclosure of PHI without authorization for specialized purposes. 
Currently, a covered entity may use and disclose the PHI of Armed 
Forces personnel for activities deemed necessary by appropriate 
military command authorities to assure the proper execution of the 
military mission, provided the conditions at 45 CFR 164.512(k) are met. 
The appropriate military command authorities and the purposes for which 
the PHI may be used or disclosed must be identified through Federal 
Register notices.\242\
---------------------------------------------------------------------------

    \241\ See 65 FR 82462, 82704, 82817 (December 28, 2000).
    \242\ See 45 CFR 164.512(k)(1)(i).
---------------------------------------------------------------------------

    Like the Secretaries of the Armed Services, the Secretaries of HHS 
and the Department of Commerce are responsible for ensuring the medical 
readiness of the Uniformed Services personnel in the U.S. Public Health 
Service (USPHS) Commissioned Corps and the National Oceanic and 
Atmospheric Administration (NOAA) Commissioned Corps, respectively. 
Pursuant to 42 U.S.C. 204a(a)(1), ongoing medical standards require 
USPHS personnel, while on active duty, to be medically fit to deploy in 
response to urgent and emergent public health crises, as well as for 
any necessary military mission, and for duty in various environments. 
These medical standards include physical, dental, and mental health 
requirements. The NOAA Commissioned Corps has a similar standard, 
requiring personnel to meet U.S. Coast Guard medical standards to 
maintain individual medical readiness for deployment on aircraft and 
shipboard missions. Further, when personnel in the Uniformed Services 
are no longer fit for duty, they are entitled to retirement pay and 
compensation, and once separated they are entitled to receive veterans' 
benefits. In order to confirm the medical fitness of personnel, the 
USPHS and NOAA Commissioned Corps must have access to personnel's 
medical records.
    In addition, the USPHS Commissioned Corps and NOAA Commissioned 
Corps routinely align their policies and practices with those of the 
Armed Forces. Members of the USPHS and NOAA Commissioned Corps may be 
assigned to the Armed Services and must meet medical readiness 
standards consistent with the various military missions of the Armed 
Services. In times of war, the President may declare the USPHS and the 
NOAA Commissioned Corps to be a military service.
    However, the members of the USPHS and NOAA Commissioned Corps are 
not members of the Armed Services, and thus covered entities currently 
are not permitted to use and disclose the PHI of such Commissioned 
Corps personnel for the same purposes as for Armed Forces personnel 
unless the member is actively assigned to the Armed Services. The 
Department proposes to expand the existing permission at 45 CFR 
164.512(k)(1) in recognition that ensuring the health and well-being of 
Uniformed Services personnel is essential, whether such personnel are 
serving in the continental United States or overseas or whether such 
service is combat-related. In all environments, operational or 
otherwise, the Uniformed Services must be assured that personnel are 
medically qualified to perform their responsibilities and medically 
ready for deployment at all times.
    Although the issue was not raised in the 2018 RFI, the Department 
received a joint comment in response to the 2018 RFI from the Directors 
of the Commissioned Corps of NOAA and USPHS suggesting that the current 
permission for covered entities to use and disclose the PHI of Armed 
Forces personnel be broadened to also include non-armed Uniformed 
Services personnel. The Directors of the NOAA and USPHS Commissioned 
Corps stated that the existing rule limits the ability of the NOAA and 
USPHS Commissioned Corps to facilitate health care coordination and 
case management for Commissioned Corps personnel,

[[Page 6488]]

which is important for ensuring that personnel meet medical readiness 
standards, and thus for fulfilling the Commissioned Corps' respective 
missions. The commenters also stated that the permission is important 
because personnel and the broader population are put at risk when 
personnel do not disclose medical conditions to Commissioned Corps 
leaders and are deployed on a Commissioned Corps mission.
2. Proposal
    The Department agrees that expanding the Armed Forces permission 
may facilitate coordinated care and enhance USPHS and NOAA Commissioned 
Corps' readiness. Therefore, to improve care coordination and case 
management for individuals serving in the Uniformed Services, the 
Department proposes in 45 CFR 164.512(k)(1) to expand to all Uniformed 
Services personnel the current Armed Forces permission for covered 
entities to use and disclose PHI for mission requirements and veteran 
eligibility.
3. Request for Comments
    The Department requests comments on this proposal, including on 
whether the proposed change would achieve the anticipated effects and 
any potential unintended consequences.

IV. Public Participation

    The Department seeks comment on all issues raised by the proposed 
regulation, including any unintended adverse consequences. Because of 
the large number of public comments normally received on Federal 
Register documents, the Department is not able to acknowledge or 
respond to them individually. In developing the final rule, the 
Department will consider all comments that are received by the date and 
time specified in the DATES section of the Preamble.
    Because mailed comments may be subject to delays due to security 
procedures, please allow sufficient time for mailed comments 
to be timely received in the event of delivery delays. Any attachments 
submitted with electronic comments on www.regulations.gov should be in 
Microsoft Word or Portable Document Format (PDF). Please note that 
comments submitted by fax or email and those submitted after the 
comment period will not be accepted.

V. Regulatory Impact Analysis

    The Department has examined the impact of the proposed rule as 
required by Executive Order 12866 on Regulatory Planning and Review, 58 
FR 51735 (October 4, 1993); Executive Order 13563 on Improving 
Regulation and Regulatory Review, 76 FR 3821 (January 21, 2011); 
Executive Order 13132 on Federalism, 64 FR 43255 (August 4, 1999); 
Executive Order 13175 on Consultation and Coordination with Indian 
Tribal Governments, 65 FR 67249 (November 6, 2000); Executive Order 
13771 on Reducing Regulation and Controlling Costs, 82 FR 9339 (January 
30, 2017); the Congressional Review Act, Public Law 104-121, sec. 251, 
110 Stat. 847 (March 29, 1996); the Unfunded Mandates Reform Act of 
1995, Public Law 104-4, 109 Stat. 48 (March 22, 1995); the Regulatory 
Flexibility Act, Public Law 96-354, 94 Stat. 1164 (September 19, 1980); 
Executive Order 13272 on Proper Consideration of Small Entities in 
Agency Rulemaking, 67 FR 53461 (August 16, 2002); the Assessment of 
Federal Regulation and Policies on Families, Public Law 105-277, sec. 
6545, 112 Stat. 2681 (October 21, 1998); and the Paperwork Reduction 
Act of 1995, Public Law 104-13, 109 Stat. 163 (May 22, 1995).

A. Executive Orders 12866 and 13563 and Related Executive Orders on 
Regulatory Review

    Executive Order 12866 directs agencies to assess all costs and 
benefits of available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health and safety 
effects; distributive impacts; and equity). Executive Order 13563 is 
supplemental to, and reaffirms the principles, structures, and 
definitions governing regulatory review as established in, Executive 
Order 12866.
    This proposed rule is deregulatory. The Department has estimated 
that the effects of the proposed requirements for regulated entities 
would result in new costs of $996 million within 12 months of 
implementing the final rule. The Department estimates these first year 
costs would be partially offset by $880 million of first year cost 
savings, followed by net savings of $825 million annually in years two 
through five, resulting in overall net cost savings of $3.2 billion 
over five years.
    The Department estimates that the private sector would bear 
approximately 60 percent of the costs, with state and federal health 
plans bearing the remaining 40 percent of the costs. All of the cost 
savings experienced from the first year through subsequent years would 
benefit covered entities. As a result of the economic impact, the 
Office of Management and Budget (OMB) has determined that this proposed 
rule is an economically significant regulatory action within the 
meaning of section 3(f)(1) of E.O. 12866. Accordingly, OMB has reviewed 
this proposed rule.
    The Department presents a detailed analysis below.
1. Summary of the Proposed Rule
    This NPRM proposes to modify the Privacy Rule to improve 
individuals' access to their PHI, increase permissible disclosures of 
PHI, and improve care coordination and case management by:
    • Adding definitions for electronic health records (EHRs) 
and personal health applications.
    • Modifying the provisions on the individuals' right of 
access to protected health information (PHI) by: Strengthening the 
individual's right to inspect their PHI, which includes allowing 
individuals to take notes or use other personal resources to view and 
capture copies of their PHI in a designated record set; shortening 
covered entities' response time to 15 calendar days (from the current 
30 days); clarifying what constitutes a readily producible form and 
format when providing requested copies of PHI, which may be ePHI 
transmitted via a personal health application, while requiring covered 
entities to inform individuals about their right to obtain or direct 
copies of PHI to a third party when a summary or explanation is 
offered; requiring covered health care providers and health plans to 
respond to certain record requests from other covered health care 
providers and health plans made at the direction of an individual; 
clarifying when ePHI must be provided to the individual free of charge; 
amending the fee structure for certain requests to direct ePHI to a 
third party; and requiring covered entities to post fee schedules on 
their websites (if they have a website) for common types of requests 
for copies of PHI, and, upon request, provide individualized estimates 
of fees for copies and an itemized list of actual costs for requests 
for copies.
    • Reducing the identity verification burden on individuals 
exercising their access right.
    • Amending the definition of health care operations to 
clarify the scope of care coordination and case management activities 
encompassed in the term.
    • Creating an exception to the minimum necessary standard 
for disclosures to, or requests from, a health plan or covered health 
care provider for individual-level care coordination and case 
management activities.
    • Clarifying the scope of covered entities' ability to 
disclose PHI to social services agencies, community-based 
organizations, home and community based service (HCBS) providers, and 
other similar third parties that provide health-related services, to 
facilitate individual-level care coordination and case management 
activities that constitute treatment or health care operations.
    • Replacing the privacy standard that permits covered 
entities to make decisions about certain uses and disclosures based on 
their ``professional judgment'' with a standard permitting covered 
entities to use or disclose PHI in some circumstances based on a good 
faith belief that the use or disclosure is in the best interests of the 
individual. The proposed standard would presume a covered entity's 
compliance with the good faith requirement; the presumption could be 
overcome with evidence that a covered entity acted in bad faith.
    • Expanding the ability of covered entities to use or 
disclose PHI to avert a serious threat to health or safety when a harm 
is ``serious and reasonably foreseeable,'' instead of the current 
standard which requires a ``serious and imminent'' threat to health or 
safety.
    • Eliminating the requirement to obtain an individual's 
written acknowledgment of receipt of a direct treatment provider's 
Notice of Privacy Practices and modifying the content requirements of 
the Notice of Privacy Practices to clarify for individuals their rights 
with respect to their PHI and how to exercise those rights.
    • Expressly permitting disclosures to Telecommunications 
Relay Services (TRS) communications assistants and modifying the 
definition of business associate to exclude TRS providers.
    • Expanding the Armed Forces permission to use or disclose 
PHI to all Uniformed Services, which would include the U.S. Public 
Health Service (USPHS) Commissioned Corps and the National Oceanic and 
Atmospheric Administration (NOAA) Commissioned Corps.
    The proposed changes to the Privacy Rule entail some estimated 
costs, as well as numerous and substantial estimated cost savings and 
expected benefits that the Department is unable to quantify but that 
are described in depth below. These include improved care coordination and health 
outcomes; improved harm reduction; greater adherence to treatment for 
persons experiencing health emergencies, SUD, and SMI; improved 
understanding of individuals' rights and covered entities' privacy 
practices; improved access to care; quicker, more convenient access to 
PHI by individuals; improved access to PHI by health care providers and 
health plans; reduction in access fee disputes, resulting in improved 
ability to collect fees for copies of PHI; increased certainty about 
allowable fees; increased adoption and utilization of EHR technology; 
improved employment conditions and opportunities for workforce members 
of HIPAA covered entities and business associates who are deaf, hard of 
hearing, or deaf-blind, or who have a speech disability; and improved 
compliance with non-discrimination laws that require accessibility for 
individuals with disabilities.
    The Department has identified three general categories of costs 
arising from these proposals which mostly relate to activities by HIPAA 
covered entities, particularly health care providers and health plans: 
(1) Administrative activities (first-year and ongoing); (2) revising or 
creating policies and procedures, the NPP, and an access fee schedule; 
and (3) revising training programs for workforce members.
    The Department estimates that the first-year costs will total $996 
million. These costs are attributable to covered entities revising or 
developing new policies and procedures, at a cost of $696 million; 
revising training programs for workforce members, at a cost of $224 
million; and additional administrative tasks, at a cost of $76 million. 
For years two through five, estimated annual costs of $55 million are 
attributable to ongoing administrative costs, primarily related to 
improvements to the right of access to PHI.
    The Department estimates annual cost savings of $880 million per 
year, over five years, attributable to eliminating the NPP 
acknowledgment requirements (cost savings of $537 million) and 
clarifying the minimum necessary standard ($343 million).
    The Department estimates net costs for covered entities totaling 
$116 million in the first year followed by net savings of $825 million 
annually in years two through five, resulting in overall cost savings 
of $3.2 billion over five years. Covered entities would experience an 
average net savings of approximately $1,065 per entity in years two 
through five after expending costs of $150 per entity in the first 
year.\243\
---------------------------------------------------------------------------

    \243\ The Department recognizes that some of the proposed 
changes would affect certain covered entities more than others, 
resulting in significantly different costs and savings. The tables 
summarizing estimated costs and cost savings account for these 
differences (Cost-Benefit Analysis, subsections f-j and Tables 10-17).

  Table 1--Estimated Five-Year Costs and Cost-Savings, Undiscounted, in
                                Millions
------------------------------------------------------------------------
                                                                 Amount
------------------------------------------------------------------------
Costs:
    Revise Training..........................................       $224
    Revise Policies and Procedures...........................        696
    Administrative Costs.....................................        297
    Capital Costs............................................          1
                                                              ----------
        Total Costs..........................................      1,218
------------------------------------------------------------------------
Cost Savings:
    Eliminate Notice of Privacy Practices Acknowledgment.....      2,685
    Clarify Minimum Necessary Standard.......................      1,715
                                                              ----------
        Total Cost Savings...................................      4,400
------------------------------------------------------------------------
Net Total (negative = savings)...............................     -3,182
------------------------------------------------------------------------

    The Department estimates that the proposed adjustments to costs 
that can be charged to individuals for copies of PHI in an EHR on 
electronic media would result in a transfer of those expenses from 
individuals to covered entities in a total estimated amount of $1.4 
million. The Department also estimates that the proposed changes to the 
right to direct the transmission of copies of PHI to a third party and 
to allowable access fees would result in an annual transfer of $43 
million in costs incurred by covered entities to individuals for 
directing copies of PHI to third parties. The net result of these 
proposals likely would be a transfer of an estimated $41.6 million in 
costs from covered entities to individuals and some third party 
recipients of PHI in the form of higher fees for copies of PHI.
2. Need for the Proposed Rule
    The Privacy Rule balances protecting the privacy of individuals' 
PHI with facilitating the use and disclosure of PHI for important 
public interest purposes, such as facilitating efficient care 
coordination and case management. This proposed rule would improve on 
this balance with modifications to promote the transformation to value-
based health care and reduce regulatory burdens by removing unhelpful 
or unnecessary requirements. Based on public comments on the 2018 RFI 
and OCR's experience administering and enforcing the Privacy Rule, the 
Department has identified areas where the Privacy Rule could be 
modified to improve the flow of PHI for such purposes in a manner that 
would continue to protect individuals' privacy. These include changes 
strengthening the individual's ability to gain access to his or her own 
PHI; enhancing the
disclosure of PHI between covered entities; improving health care 
providers' ability to disclose needed PHI to patients' family members, 
friends, caregivers, and others in a position to prevent harm; 
supporting the rights of workforce members who need accommodations to 
communicate and share PHI; including all branches of the Uniformed 
Services in applicable disclosure permissions; and technical amendments 
for business associates to provide individuals with access to copies of 
PHI.
a. Individual Right of Access
    Individual access to PHI is a core right established by the Privacy 
Rule. Delays or lack of access inhibit care coordination and may 
contribute to worse health outcomes for individuals. Individuals 
frequently face barriers to obtaining timely access to their PHI, in 
the form and format requested, and at a reasonable, cost-based, and 
transparent fee. A recent cross-sectional study of medical records 
request processes conducted in 83 top-ranked US hospitals found 
numerous indications of noncompliance with the access right.\244\
---------------------------------------------------------------------------

    \244\ Lye CT, Forman HP, Gao R, et al. ``Assessment of US 
Hospital Compliance With Regulations for Patients' Requests for 
Medical Records.'' JAMA Network Open. October 5, 2018, 1(6):e183014, 
available at https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2705850.
---------------------------------------------------------------------------

    To address multiple barriers to individual access, the Department 
proposes to: Add definitions of EHR and personal health application; 
expressly provide that the right to inspect PHI in person includes the 
right of an individual to take notes and photographs of, and use other 
personal resources to capture, PHI; clarify what constitutes a readily 
producible form and format for copies of PHI, while requiring covered 
entities to inform individuals about access rights when offering a 
summary in lieu of providing or directing copies; shorten the time 
limits for covered entities to respond to access requests; empower 
individuals to use the right of access to direct the disclosure of PHI 
among their health care providers and health plans; adjust and clarify 
the fees covered entities may impose; and require covered entities to 
provide individuals with notice of the fees charged for copies of PHI. 
Additionally, the Department proposes to limit the scope of the right 
to direct the transmission of copies of PHI to a third party to 
electronic copies of PHI in an EHR, consistent with the Ciox v. Azar 
decision.\245\
---------------------------------------------------------------------------

    \245\ No. 18-cv-0040-APM (D.D.C. January 23, 2020).
---------------------------------------------------------------------------

i. Defining Electronic Health Record and Personal Health Application
    The Department proposes to add a definition of EHR for the purpose 
of clarifying the scope of the individual right to direct an electronic 
copy of PHI in an EHR to a third party. For purposes of harmonizing the 
proposed regulatory changes and the right of the individual to obtain 
an electronic copy, the Department interprets the EHR as health 
information ``created, gathered, managed, and consulted by authorized 
health care clinicians and staff.'' The definition would be tied to 
clinicians with direct treatment relationships with individuals and 
consistent with the defined terms in the current rule. The proposed 
definition would improve understanding of whether certain aspects of a 
covered entity's electronic records are or are not part of an EHR to 
enable a covered entity to assess whether such electronic PHI is 
subject to the HITECH Act right of access requirements to respond to 
requests from an individual to direct electronic copies of PHI in an 
EHR to designated third parties. Although covered health care providers 
have substantial flexibility in determining the composition of an EHR, 
an EHR may vary across different health care providers. The definition 
is intended to provide a clear standard by which health care providers 
would be able to identify what PHI is subject to HITECH Act 
requirements for electronic PHI in an EHR. As noted earlier, the 
Department proposes that only covered health care providers would 
provide such access because only providers would maintain EHRs as 
defined in proposed 45 CFR 164.501, and that an EHR would also include 
billing records.
    The Department also proposes to add a new definition for the term 
``Personal health application'' that is similar to the HITECH Act 
definition of personal health record (PHR),\246\ but is intended to 
specifically address health applications, which may or may not be 
PHRs.\247\ Adding this definition would clarify the intended scope of 
proposed changes to the right of access, such as clarifying that an 
individual may use an internet-based method such as a personal health 
application to obtain access without charge.
---------------------------------------------------------------------------

    \246\ See the HITECH Act definition of personal health record, 
``[A]n electronic record of PHR identifiable health information (as 
defined in section 17937(f)(2) of this title) on an individual that 
can be drawn from multiple sources and that is managed, shared, and 
controlled by or primarily for the individual.'' 42 U.S.C. 
17921(11). See also proposed 45 CFR 164.501, definition of 
``Personal health application.''
    \247\ The same software could be a personal health application 
under the proposed Privacy Rule definition and also be a personal 
health record under the HITECH Act for other purposes, to the extent 
it meets both definitions.
---------------------------------------------------------------------------

ii. Strengthening the Right To Inspect and Obtain Copies of PHI
    The individual right of access under the Privacy Rule includes a 
right to ``inspect and obtain a copy of'' PHI in a designated record 
set.\248\ The Department proposes to strengthen the access right to 
inspect and obtain copies of PHI to generally enable an individual to 
take notes, videos, and photographs, and use other personal resources 
to capture PHI in a designated record set, as part of the right to 
inspect PHI in person.
---------------------------------------------------------------------------

    \248\ See 45 CFR 164.524(a).
---------------------------------------------------------------------------

iii. Timeliness
    Timely access to an individual's own PHI can be a key component to 
patient-directed care (see discussion of harms due to lack of 
timeliness above in section III.A.3.a.). The Department proposes to 
modify the Privacy Rule to require that access be provided as soon as 
practicable, but no later than 15 calendar days after receipt of the 
request, with the possibility of one 15 calendar-day extension, 
provided certain conditions are met. Where another federal or state law 
(i.e., statute or regulation) requires a covered entity to provide 
individuals with access to the PHI requested in less than 15 calendar 
days, that shorter time period would be deemed practicable under 45 CFR 
164.524(b)(2)(i) and (d)(5). The Department also proposes to add a new 
condition requiring a covered entity to establish a written policy to 
prioritize urgent or other high-priority access requests (especially 
those for health and safety and to support individual decisions about 
treatment options), to limit the need to use a 15 calendar-day 
extension for such requests. This would reduce by half the time within 
which entities must provide access to PHI, consistent with existing 
requirements in several large states, improvements in health IT, and 
consumers' needs and expectations. The proposal would also prohibit 
covered entities from delaying the right to inspect PHI that is readily 
available at the point of care in conjunction with a health care 
appointment.
    The Department lacks sufficient data to correlate shorter required 
access times with health care costs. The Department examined state 
health expenditure data \249\ and noted that of
the eight states with shorter access time limits than the Privacy 
Rule,\250\ six rank in the lowest third for health care expenditures; 
however, there is a lack of granularity to this data upon which to draw 
clear conclusions about the potential ongoing burden to covered 
entities. The Department has estimated that the proposed changes would 
increase costs on an ongoing basis and welcomes data about these 
estimates, as detailed in the cost-benefits analysis.
---------------------------------------------------------------------------

    \249\ See ``Kaiser Family Foundation, Health Care Expenditures, 
per Capita, by State of Residence,'' available at https://www.kff.org/other/state-indicator/health-spending-per-capita/?currentTimeframe=0&sortModel=%7B%22colId%22:%22Location%22,%22sort%22:%22asc%22%7D (citing CMS, National Health Care Expenditure Data, 
available at https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/NationalHealthExpendData/NationalHealthAccountsStateHealthAccountsResidence.html).
    \250\ California, Colorado, Hawaii, Louisiana, Montana, 
Tennessee, Texas, and Wyoming (New York's shorter time limit is 
published as agency guidance).
---------------------------------------------------------------------------

    Finally, the Department also proposes to expressly provide that 
while a covered entity may discuss aspects of the individual's access 
request with the individual before fulfilling the individual's request, 
such discussions to clarify the scope of the request would not extend 
the time limit for providing access. This modification would help 
address the issue raised in individual complaints and comments on the 
2018 RFI that covered entities may contact individuals for the first 
time nearly 30 days after receiving a request for access to discuss the 
request or obtain additional information, and then take additional time 
beyond the 30-day period to fulfill the request.
iv. Addressing the Form and Format of Access
    The Department proposes to clarify that ``readily producible'' 
includes access through APIs and personal health applications and to 
add a set of parallel requirements related to the form of access that 
applies to both the individual right to obtain copies of PHI and the 
access right to direct the transmission of electronic copies of PHI in 
an EHR to a designated third party. As new forms of information and 
communications technologies emerge, the ``form and format'' and the 
``manner'' of producing or transmitting a copy of electronic PHI may 
become indistinguishable. For example, if a covered entity or its EHR 
developer business associate has chosen to implement a secure, 
standards-based API--such as one consistent with ONC's Cures Act 
certification criteria,\251\ and the covered entity's Security Rule 
obligations--that is capable of providing access to ePHI in the form 
and format used by an individual's personal health application, that 
ePHI is considered to be readily producible in that form and format, 
and that is also the manner by which the ePHI is transmitted.
---------------------------------------------------------------------------

    \251\ ONC has finalized significant updates to its certification 
criteria at 45 CFR parts 170 and 171. See 85 FR 25642 (May 1, 2020).
---------------------------------------------------------------------------

    Additionally, when a covered entity offers a summary in lieu of 
providing or directing the requested copies of PHI, the Department 
would require the covered entity to inform the individual of the right 
to obtain or direct the requested copies if the individual does not 
agree to the offered summary. This requirement would not apply when the 
covered entity denies the access request for a copy on unreviewable or 
reviewable grounds, in which case the covered entity must implement the 
required procedures for such denial.
v. Addressing the Individual Access Right to Direct Copies of PHI to 
Third Parties
    The Department proposes to implement the Ciox v. Azar decision by 
codifying in regulation the HITECH Act right to direct the transmission 
to a third party of only electronic copies of PHI in an EHR in 45 CFR 
164.524(d)(1). Under this proposal, if an individual directs a covered 
health care provider to transmit an electronic copy of PHI in an EHR to 
a third party, the covered health care provider would be required to 
provide a copy of the requested PHI to the person designated by the 
individual. The Department believes this proposal is consistent with 
the plain meaning of section 13405(e) of the HITECH Act, which extended 
a right to a copy of PHI in an EHR ``in an electronic format'' as part 
of the Privacy Rule right of access. As a result, requests to direct to 
a third party non-electronic copies of PHI in a designated record set 
(whether from an EHR or other source) and electronic copies of PHI that 
is not in an EHR, would no longer fall within the right of access. 
Individuals would continue to have the right to directly obtain the 
types of PHI that are outside of the scope of the access right to 
direct electronic copies of PHI in an EHR to a third party, and also 
could request that a copy of the PHI be sent to a third party by 
submitting a valid authorization. To address the potential impact on 
individual rights as a result of these changes the Department proposes 
an optional element for the Notice of Privacy Practices (NPP) as 
described in the NPP sections of the NPRM.
    The Department proposes to extend the right to direct copies of PHI 
to a third party by adding an express right to request that covered 
health care providers and health plans submit an access request to 
covered health care providers for electronic copies of PHI in an EHR on 
behalf of the individual. Under this proposal, if an individual is a 
current or prospective new patient of a covered health care provider, 
or an enrolled member or dependent of a health plan, and the individual 
makes a clear, conspicuous, and specific request that their health care 
provider or health plan submit an access request for electronic copies 
of PHI in an EHR to another covered health care provider, the first 
health care provider or health plan (``Requester-Recipient'') would be 
required to submit the request on behalf of the individual as soon as 
practicable, but no later than 15 calendar days after receiving the 
individual's direction and any information needed to make the access 
request. The requirement would be limited to requests to send the 
electronic PHI back to the covered entity that submitted the request on 
behalf of the individual.
    A covered health care provider that receives an individual's access 
request (``Discloser'') for an electronic copy of PHI maintained in an 
EHR by or on behalf of the Discloser, from a health care provider or 
health plan Requester-Recipient that is clear, conspicuous, and 
specific (e.g., clearly identifies the Requester-Recipient, the scope 
of the requested PHI and where to transmit it), would be required to 
transmit the requested electronic copy to the Requester-Recipient, 
consistent with obligations under the access right to direct a copy of 
PHI to a third party. The Department reconfirms the clarification 
provided in the preamble to the 2000 Privacy Rule and OCR's 2016 Access 
Guidance that a covered entity may accept an electronic copy of a 
signed request by the individual or personal representative (e.g., 
PDF), as well as an electronically executed request (e.g., via a secure 
web portal or using secure, standards-based API technology) that 
includes an electronic signature of the individual or personal 
representative.\252\
---------------------------------------------------------------------------

    \252\ See 65 FR 82462, 82660 (December 28, 2000) (``We intend 
email and electronic documents to qualify as written documents. 
Electronic signatures are sufficient, provided they meet standards 
to be adopted under HIPAA. In addition, we do not intend to 
interfere with the application of the Electronic Signature in Global 
and National Commerce Act.''); see also OCR's 2016 Access Guidance, 
available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html#newlyreleasedfaqs.
---------------------------------------------------------------------------

    These proposed changes would strengthen individuals' ability to direct 
the transmission of PHI in an EHR through a health care provider or 
health plan. The costs for implementing these changes generally would 
be one-time expenditures for updating policies and

[[Page 6492]]

procedures to ensure compliance with the proposed requirement to submit 
individuals' requests to health care providers within 15 calendar days 
of receiving the request from the individual. The Department 
anticipates that some 
covered entities are already relying on the individual right to direct 
the transmission of copies to a third party \253\ as a means of 
obtaining electronic copies of PHI in an EHR \254\ and are facilitating 
individuals' access rights by transmitting requests within 15 calendar 
days in compliance with applicable state laws, so these changes would 
create certainty without significantly increasing burdens for these 
covered entities. Additionally, despite problems that are addressed by 
this proposal, many covered entities that receive requests from another 
covered entity for copies of PHI are fulfilling such requests, so no 
additional burden would be created for these disclosing entities when 
the electronic copy requested by the individual is submitted by and 
transmitted to their current health care provider or health plan.
---------------------------------------------------------------------------

    \253\ See 45 CFR 164.524(c)(3)(ii).
    \254\ 45 CFR 164.524(c)(3)(ii) requires the covered entity 
holding the PHI to disclose it to the person designated by the 
individual. Thus, a health care provider seeking an individual's PHI 
may find it expedient at times to rely on this provision and be 
designated as the third party recipient rather than use the 
treatment disclosure permission under 45 CFR 164.502 and 164.506, 
which do not require a covered entity to respond to a request.
---------------------------------------------------------------------------

vi. Adjusting Permitted Fees for Access to PHI and ePHI
    Based on enforcement experience and comments received on the 2018 
RFI, the Department is aware that individual access is at times 
expensive for individuals. At the same time, some large organizations 
have complained about the time and cost needed to respond to multiple, 
voluminous requests to provide PHI to third parties under the 
individual access right and reported struggling to meet the time 
limitations for such requests while also fulfilling requests for access 
received directly from individuals and provider-to-provider requests 
for PHI for continuity of care purposes. Additionally, commenters 
explained that requests to send medical records to a third party often 
ask for production of non-electronic copies, even when the PHI is in an 
EHR and could be provided electronically.
    To address these multiple concerns and the Ciox v. Azar court 
ruling,\255\ the Department proposes to modify the access fee 
provisions to create separate fee structures for individual requests 
for access and requests to direct electronic copies of PHI in an EHR to 
a third party. Each fee structure would contain two elements based on 
the type of access request: One element describing when access is to be 
provided without charge and another element describing the allowable 
costs for certain types of access, as follows.
---------------------------------------------------------------------------

    \255\ No. 18-cv-0040 (D.D.C. January 23, 2020).
---------------------------------------------------------------------------

    For individual requests for access and copies of PHI:
    (1) Under proposed 45 CFR 164.524(c)(4)(ii), always free of charge 
(i.e., no fee permitted) when:
    (a) An individual inspects PHI about the individual in person, 
including capturing images or video recordings of PHI in a designated 
record set with the individual's own device.
    (b) An individual uses an internet-based method to view or obtain a 
copy of electronic PHI maintained by or on behalf of the covered 
entity.
    (2) Under proposed 45 CFR 164.524(c)(4)(i), fee permitted, subject 
to the existing access right fee limits, when an individual requests 
electronic or non-electronic copies of PHI through a means other than 
an internet-based method.
    For requests to direct an electronic copy of PHI in an EHR to a 
third party:
    Under proposed 45 CFR 164.524(d)(6), a reasonable, cost-based fee 
for an access request to direct a covered health care provider to 
transmit an electronic copy of PHI in an EHR to a third party through 
other than an internet-based method, provided that the fee includes 
only the cost of:
    (a) Labor for copying the PHI requested by the individual in 
electronic form; and
    (b) Preparing an explanation or summary of the electronic PHI, if 
agreed to by the individual as provided in paragraph (d)(4).
    The Department proposes the two types of no-charge access (for 
inspecting PHI in person or internet-based access, including directing 
electronic copies of EHRs to third parties) because there are no 
additional allowable labor costs or expenses for this type of access. 
The Department does not anticipate additional costs from adding this 
regulatory requirement because the current rule has no provision for 
fees for inspecting PHI and the proposal is based on the 2016 Access 
Guidance, which the Department understands many entities had been 
voluntarily following.
    Limiting the allowable costs for access requests to direct 
electronic copies of PHI in an EHR to third parties to only the labor 
for making the electronic copies would leave covered entities and 
business associates bearing the unrecovered costs of electronic media, 
labor for mailing and shipping, and actual postage and shipping. 
However, the concurrent 
proposal to narrow the right of individuals to direct only electronic 
copies of PHI in an EHR to third parties would allow covered entities 
and business associates to recoup additional costs for handling many 
requests, while maintaining the Privacy Rule's prohibitions on the sale 
of PHI \256\ and preserving individuals' privacy regarding the purpose 
of their requests. As discussed in more detail later in this regulatory 
impact analysis, the Department estimates that the increased costs that 
covered entities and business associates could include in fees for 
sending non-electronic copies of PHI or electronic copies of PHI not in 
an EHR to third parties will exceed the cost items that they will no 
longer be allowed to include in fees for requests to direct electronic 
copies of PHI in an EHR to third parties. Under these proposed changes, 
when requests for copies are made with a valid authorization, a covered 
entity could charge for reviewing a request to send non-electronic 
copies of PHI or electronic copies of PHI not in an EHR, for searching 
and retrieving, and for segregating or otherwise preparing the PHI that 
is responsive to the request, at higher rates than the Privacy Rule 
currently allows for access requests. However, by narrowing the 
scope of access requests to direct PHI to third parties to only 
electronic copies in an EHR, the Department does not intend to allow 
covered entities to engage in what would otherwise be considered a sale 
of PHI.\257\ Thus, the permitted fees under 45 CFR 164.502 and 
164.508--a reasonable, cost-based fee for preparing and transmitting 
PHI or a fee otherwise expressly permitted by other law--would apply to 
many requests that previously would have been made

[[Page 6493]]

under the right of access to direct copies to a third party. This 
combination of proposed changes would likely result in a transfer of 
some costs from covered entities to individuals and third-party 
recipients. This cost transfer would include requests to direct non-
electronic copies of PHI in an EHR to third parties and would also 
include requests to direct electronic copies of PHI not in an EHR that 
previously would have been made as part of the right of access, and 
that could be provided based on a valid authorization under the 
proposed rule.
---------------------------------------------------------------------------

    \256\ The Privacy Rule prohibits the sale of PHI, which is 
defined generally as a disclosure where the covered entity or 
business associate directly or indirectly receives remuneration from 
or on behalf of the recipient of the PHI in exchange for the PHI. 
However, a sale does not include a disclosure for a purpose 
permitted by and in accordance with the Privacy Rule, ``where the 
only remuneration received by the covered entity or business 
associate is a reasonable, cost-based fee to cover the cost to 
prepare and transmit the PHI for such purpose or a fee otherwise 
expressly permitted by other law.'' See 45 CFR 164.502(a)(5)(ii). 
Further, the sale of PHI does not include providing access to the 
individual under 164.524, but it may include providing copies to a 
third party based on an authorization at a rate that is above a 
reasonable, cost-based fee. In that circumstance, the authorization 
must include a statement that the disclosure will result in 
remuneration to the covered entity.
    \257\ See 45 CFR 164.502(a)(5)(ii)(B)(2)(viii).
---------------------------------------------------------------------------

vii. Notice of Access and Authorization Fees
    Individuals report some barriers to accessing PHI due to 
surprisingly high bills for requested copies. To increase an 
individual's awareness of the cost of access and of sending copies to 
third parties and to enhance the ability for an individual to plan for 
such expenses, the Department proposes to expressly require in 
regulation that covered entities provide advance notice of approximate 
fees for copies of requested PHI by: (i) Posting a fee schedule online 
for all readily producible electronic and non-electronic forms and 
formats for copies if the covered entity has a website; (ii) providing 
the notice of fees to individuals upon request; and (iii) providing an 
individualized estimate of access and authorization fees upon request. 
The Department expects that this advance notice of fees requirement 
would provide certainty and improve access to PHI and payment for 
copies of PHI, to the benefit of individuals and covered entities. The 
Department also believes that many entities already provide such notice 
of fees, and thus the requirement to post the fee schedule should 
create only minimal additional expense beyond revising the fee schedule 
itself.
viii. Technical Amendment to Required Disclosures by Business 
Associates
    The Department proposes a technical amendment to clarify in 45 CFR 
164.502(a)(4)(ii) that a business associate is required to disclose PHI 
to the covered entity so the covered entity can meet its access 
obligations, but if the business associate agreement provides that the 
business associate will provide access directly to the individual or 
the individual's designee, the Privacy Rule requires the business 
associate to do so. The proposed change would expressly insert a 
reference to the business associate agreement as the factor triggering 
required disclosures by the business associate to the individual or the 
individual's designee instead of to or through the covered entity.
b. Reduce Identity Verification Burden for Individuals Exercising the 
Right of Access
    Some covered entities impose seemingly unreasonable verification 
requirements on individuals seeking to obtain their PHI pursuant to the 
individual right of access. Examples include requiring individuals to 
request their PHI in person, or even to go through the process (and 
potential added expense) of obtaining a notarization on a written 
request, to exercise their right of access.
    To address these barriers to an individual's access to their health 
information, the Department proposes to modify 45 CFR 164.514(h)(1) to 
expressly prohibit a covered entity from imposing unreasonable identity 
verification measures on an individual requesting PHI pursuant to the 
individual right of access. In addition, the Department would clarify 
that unreasonable verification measures include requiring individuals 
to provide proof of identity in person when a more convenient remote 
verification measure is practicable for the covered entity, requiring 
individuals to obtain notarization of access requests, or any other 
measure that creates a barrier to, or unreasonably delays, an 
individual's exercise of their rights. The Department also proposes to 
clarify that a covered entity that implements a requirement for 
individuals to submit a request for access in writing, pursuant to 45 
CFR 164.524(b)(1), would not be permitted to do so in a way that 
imposes unreasonable burdens on individuals. This proposed change would 
provide additional clarity regarding the interaction between the 
individual right of access provisions and the verification provisions 
of the HIPAA Rules, and ensure that individuals do not have to expend 
unnecessary effort or expense when other methods are practicable for 
the covered entity.
    While some covered entities would review and update their policies 
and procedures as a result of these proposals, which would cause them 
to incur some additional costs, the Department believes that entities 
would benefit from the regulatory certainty, and most entities would 
not need to change their policies and procedures because they currently 
do not impose unreasonable requirements on individuals.
c. Amending the Definition of Health Care Operations To Clarify the 
Scope of Care Coordination and Case Management
    Some covered entities reported that, due to uncertainty about which 
provisions of the Privacy Rule apply in certain circumstances, they do 
not request or disclose PHI even when doing so would support care 
coordination and case management activities that constitute health care 
operations, which would facilitate the transformation of the health 
care system to value-based care. Some have interpreted the existing 
definition of health care operations to include only population-based 
case management and care coordination, which would appear to exclude 
individual-focused case management and care coordination by health 
plans. Because health plans do not perform treatment functions under 
HIPAA, such an interpretation could limit a health plan's ability to 
perform such individual-level care coordination and case management 
activities.
    The Department proposes to modify the definition of health care 
operations \258\ to provide clarity to covered health care providers 
and health plans that ``health care operations'' includes not only 
population-based care coordination and case management, but also 
individual-focused care coordination and case management activities--
and thereby facilitate those beneficial activities.
---------------------------------------------------------------------------

    \258\ 45 CFR 164.501.
---------------------------------------------------------------------------

d. Creating an Exception to the Minimum Necessary Standard for Certain 
Disclosures for Care Coordination and Case Management
    Uncertainty about how to apply the minimum necessary standard 
creates fears of HIPAA enforcement action among covered entities that 
could inhibit information sharing, and may result in less efficient and 
effective care. Because entities that qualify only as health plans do 
not perform treatment functions, any care coordination or case 
management activity conducted by such a health plan is a health care 
operation, subject to the minimum necessary standard. Disclosures by 
health care providers for treatment, including care coordination and 
case management, are subject to the minimum necessary standard only 
when the disclosure is made to a third party that is not a health care 
provider. Thus, the rule imposes greater restrictions on health plans 
than on covered providers when conducting care coordination and case 
management activities related to an individual.

[[Page 6494]]

    The Department proposes to add an express exception to the minimum 
necessary standard for disclosures to or requests by a health plan or 
covered health care provider for individual-level care coordination and 
case management activities that constitute treatment or health care 
operations. This proposal would relieve covered entities from the 
requirement to make determinations about the minimum information 
necessary (or whether it is reasonable to rely on the requestor's 
representation that it is the minimum necessary PHI) when the request 
is from, or the disclosure is made to, a covered health care provider 
or health plan for individual-level care coordination and case 
management activities. This proposed exception would apply only to 
those activities that support individual-level care coordination and 
case management, and not population-based activities. As the Department 
described above, commenters on the 2018 RFI, including covered 
entities, expressed concern about permitting additional disclosures 
without minimum necessary restrictions. The Department believes drawing 
a distinction between disclosures for individual-level versus 
population-based activities is responsive to these concerns, as 
disclosures for population-based activities lack the same nexus that 
individual-level activities have to the treatment of specific 
individuals.
    As such, the proposal would enable health plans and covered health 
care providers to more easily request and disclose PHI for care 
coordination and case management for individuals. This proposal, in 
conjunction with the proposed clarification to the definition of health 
care operations, would result in significant cost savings to covered 
entities on an ongoing basis as they are relieved of conducting minimum 
necessary evaluations for care coordination and case management 
requests and disclosures among covered health care providers and health 
plans. Health plans and covered health care providers would continue to 
be responsible for meeting the minimum necessary requirements that 
apply to the uses of PHI for treatment and health care operations 
purposes \259\ and to uses, requests, and disclosures for other 
purposes, including population-based activities, when applicable.\260\
---------------------------------------------------------------------------

    \259\ See 45 CFR 164.502(b)(1); 164.514(d)(2).
    \260\ See 45 CFR 164.502(b); 164.514(d).
---------------------------------------------------------------------------

e. Disclosing PHI to Social Services Agencies and Community Based 
Organizations To Facilitate Care Coordination and Case Management
    Many covered entities that are health care providers make 
disclosures to social services agencies and community-based 
organizations only after obtaining a valid authorization from the 
individual, or never disclose PHI to these health-related services--
even when it would facilitate the individual's treatment. Some covered 
entities may not be aware that the Privacy Rule generally permits 
disclosure to social services agencies and community-based 
organizations for care coordination and case management.\261\ Others 
may be uncertain about the scope of the permission to disclose or about 
when they need a business associate agreement with the recipient, and 
may fear that they will inadvertently violate the HIPAA Rules if they 
make such disclosures.
---------------------------------------------------------------------------

    \261\ See 45 CFR 164.506. See OCR FAQ, Does HIPAA permit health 
care providers to share PHI about an individual with mental illness 
with a third party that is not a health care provider for continuity 
of care purposes? Available at https://www.hhs.gov/hipaa/for-professionals/faq/3008/does-hipaa-permit-health-care-providers-share-phi-individual-mental-illness-third-party-not-health-care-provider-continuity-care-purposes/index.html.
---------------------------------------------------------------------------

    The Department therefore proposes to expressly permit covered 
entities to disclose PHI to social services agencies, community-based 
organizations, HCBS providers, or similar third parties that provide or 
coordinate health-related services that are needed for care 
coordination and case management with respect to an individual. 
Although such disclosures generally may be permitted as treatment or 
certain health care operations activities under the Privacy Rule, 
creating an express permission would provide clarity and assurance to 
covered entities about their ability to disclose PHI to such third 
parties for individual-level care coordination and case management. In 
addition, the preamble explains when these third parties are business 
associates of the disclosing entities, and thus when a business 
associate agreement is required. This proposed change would facilitate 
greater wraparound care and targeted services for individuals, leading 
to better health outcomes. The Department expects that the costs for 
implementing this proposed change would be limited to changing policies 
and procedures, to the extent that some covered entities have limited 
their disclosures to agencies and organizations due to uncertainty 
about current policies.
f. Disclosing PHI When Needed To Help Individuals Experiencing 
Substance Use Disorder, Serious Mental Illness, and in Emergency 
Circumstances
    Some covered entities are reluctant to disclose PHI to family 
members and other caretakers of individuals facing health crises, 
including individuals experiencing SMI and SUD (including opioid use 
disorder), for fear of violating the Privacy Rule. To help address this 
reluctance, the Department proposes to amend the five following 
provisions of the Privacy Rule to replace ``the exercise of 
professional judgment'' with a ``good faith belief'' as the standard to 
permit uses and disclosures in the best interests of the individual: 
(1) Parent or guardian not the individual's personal representative, 
(2) Facility directories, (3) Emergency contacts, (4) Emergencies and 
incapacity, and (5) Verifying requestor's identity. The Department also 
proposes to apply a presumption of compliance when covered entities 
make a disclosure based upon a good faith belief that the disclosure is 
in the best interests of the individual with regard to those five 
provisions (by adding a new subsection (k) to 45 CFR 164.502), and to 
replace ``serious and imminent threat'' with ``serious and reasonably 
foreseeable threat'' in 45 CFR 164.512(j)(1)(i)(A) as the standard 
under which uses and disclosures needed to prevent or lessen a threat 
are permitted.
    The Department believes modifying the Privacy Rule to further 
encourage such disclosures would help health care providers, 
individuals, families, and caregivers assist in treatment and recovery. 
The Department also believes these proposed modifications would address 
the specific circumstances where more information disclosure is needed 
to better coordinate care for individuals experiencing SUD, SMI, and 
health related emergencies.
    Although the Department anticipates that covered entities would 
incur costs to implement the changes by revising policies and 
procedures and updating workforce member training, covered entities 
likely would 
experience (unquantified) cost savings due to improved patient care and 
harm reduction (e.g., potentially decreasing the need for costly 
emergency care), and less perceived need to obtain legal review of each 
disclosure made under the changed provisions.
g. Changing the NPP Requirements
    Comments on the 2018 RFI described the requirement for covered 
entities to make a good faith effort to obtain an individual's signed 
acknowledgment of receipt of the NPP as unduly

[[Page 6495]]

burdensome and confusing to patients and health care workers, to the 
extent that, at times, it causes a barrier to treatment.
    The Department proposes to eliminate the requirements for a covered 
health care provider to obtain a written acknowledgment of receipt of 
the NPP (and to retain such documentation for six years) and to replace 
them with an individual right to discuss the NPP with a person 
designated by the covered entity. In addition, the Department proposes 
to modify the content requirements of the NPP to specify to individuals 
that the notice provides information about: (1) How to access their 
health information, (2) how to file a HIPAA Privacy Rule complaint, and 
(3) individuals' right to receive a copy of the notice and ability to 
discuss its contents with a designated person. The required header also 
would specify whether the designated contact person is available onsite 
and must include a phone number and email address by which to reach the 
designated person. Further, the Department proposes to modify the 
required element of NPPs to describe how an individual can exercise the 
right of access to obtain a copy of their records at limited cost or, 
in some cases, free of charge, and to direct a covered health care 
provider to transmit an electronic copy of PHI in an electronic health 
record to a third party. Finally, the Department proposes to add an 
optional element to the NPP to inform individuals of alternatives for 
obtaining or requesting to send copies of PHI to a third party when the 
individuals seek to send PHI to a third party in a manner that does not 
fall within the access right.
    To implement these proposed changes, covered entities would incur 
one-time costs for revising policies and procedures and training, as 
well as for updating the NPP. However, by replacing the acknowledgment 
process for all new patient encounters with a right to discuss the NPP, 
upon request, covered health care providers would experience ongoing 
cost savings from reduced paperwork burdens and the (likely small) 
proportion of individuals who contact the designated person would 
benefit from having meaningful discussions about an entity's privacy 
practices.
h. Permitting Disclosures for Telecommunications Relay Service (TRS)
    Stakeholders have requested that the Department ensure that covered 
entities and business associates are able to disclose PHI to TRS 
communication assistants for individuals and workforce members, and to 
specifically address the use of TRS by covered entity and business 
associate workforce members to share PHI with other workforce members 
or outside parties as needed to perform their duties. These 
stakeholders have shared anecdotal accounts in which a covered entity 
or business associate refuses to allow a workforce member to use this 
essential service because of concerns about violating the Privacy Rule 
if they do not have a business associate agreement with the TRS 
provider.
    The Department proposes in 45 CFR 164.512(m) to expressly permit 
covered entities (and their business associates, acting on the covered 
entities' behalf) to disclose PHI to TRS communications assistants to 
conduct covered functions.\262\ This permission would cover all 
disclosures to TRS communications assistants, including communications 
necessary for care coordination and case management, relating to any 
covered functions performed by or on behalf of covered entities. The 
Department also proposes to add a new subsection (v) to 45 CFR 
160.103(4) to expressly exclude TRS providers from the definition of 
business associate. This proposal would ensure that covered entities 
and business associates do not bear the burdens of analyzing whether 
they need business associate agreements with TRS providers (which 
provide services to the public, not covered entities and business 
associates) and, potentially, establishing such agreements, resulting 
in a cost savings for entities with workforce members who need TRS.
---------------------------------------------------------------------------

    \262\ The terms ``Telecommunications Relay Service'' and 
``Telecommunications Relay Service Communications Assistant'' have 
the same meaning used in 47 CFR part 64.
---------------------------------------------------------------------------

i. Expanding the Permission To Use and Disclose the PHI of Armed Forces 
Personnel To Cover all Uniformed Services Personnel
    The existing rule limits the ability of the USPHS and NOAA 
Commissioned Corps to facilitate care coordination and case management 
for Corps personnel, because the Armed Forces permission to use and 
disclose PHI--which is important for ensuring that personnel meet 
medical readiness standards, and thus for fulfilling the Commissioned 
Corps' missions--does not apply to the USPHS and NOAA Commissioned 
Corps. The permission is important because personnel and the broader 
population are put at risk when personnel do not disclose medical 
conditions to Commissioned Corps leaders and are deployed on a 
Commissioned Corps mission, which often involves emergency situations or 
austere circumstances.
    To improve care coordination and case management for individuals 
serving in the Uniformed Services, the Department proposes to expand to 
all Uniformed Services the Armed Forces express permission for 
covered entities to use and disclose PHI, thus permitting USPHS and 
NOAA Commissioned Corps to use and disclose the PHI of such personnel 
for mission requirements and veteran eligibility.\263\ The Department 
anticipates that the costs for covered entities to revise their 
policies and procedures to include such personnel would be minimal, as 
the proposed changes would merely extend existing permissions and the 
expanded disclosure permission would relieve covered entities of the 
need to obtain an individual's valid authorization.
---------------------------------------------------------------------------

    \263\ 45 CFR 164.512(k), Standard: Uses and disclosures for 
specialized government functions.
---------------------------------------------------------------------------

3. Cost-Benefit Analysis
a. Overview and Methodology
    For purposes of this RIA, the proposed rule adopts the list of 
covered entities and cost assumptions identified in the Department's 
2019 Information Collection Request (ICR).\264\ The Department also 
relies on certain estimates and assumptions from the 1999 proposed 
Privacy Rule \265\ that remain relevant, and the 2013 Omnibus 
Rule,\266\ as referenced in the analysis that follows.
---------------------------------------------------------------------------

    \264\ 84 FR 34905 (July 19, 2019).
    \265\ 64 FR 59918 (November 3, 1999).
    \266\ 78 FR 5566 (January 25, 2013).
---------------------------------------------------------------------------

    In addition, the Department quantitatively analyzes and monetizes 
the impact that this proposed rule may have on covered entities' 
actions to re-train their employees on, and adopt policies and 
procedures to implement, the legal requirements of this proposed rule. 
The Department analyzes the remaining benefits and burdens 
qualitatively because of the uncertainty inherent in predicting other 
concrete actions that such a diverse scope of covered entities might 
take in response to this proposed rule. The Department requests comment 
on the estimates, assumptions and analyses contained herein--and any 
relevant information or data that would inform a quantitative analysis 
of proposed reforms that the Department qualitatively addresses in this 
RIA.
    For reasons explained more fully below, the proposed changes to the 
right of access, acknowledgment of the NPP, and several use and 
disclosure permissions would result in net

[[Page 6496]]

economic cost savings of approximately $3.2 billion over five years 
based on the proposed changes.

                             Table 2--Accounting Table of Estimated Benefits and Costs of All Proposed Changes, in Millions
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                              Year 1          Year 2          Year 3          Year 4          Year 5           Total
--------------------------------------------------------------------------------------------------------------------------------------------------------
Costs:
    Undiscounted........................................            $996             $55             $55             $55             $55          $1,218
    3% Discount.........................................             834              45              44              43              41           1,007
    7% Discount.........................................             664              35              32              30              28             789
Cost Savings:
    Undiscounted........................................             880             880             880             880             880           4,400
    3% Discount.........................................             737             716             695             675             655           3,477
    7% Discount.........................................             586             548             512             479             447           2,573
Net (undiscounted)......................................  ..............  ..............  ..............  ..............  ..............         Savings
                                                                                                                                                  $3,182
--------------------------------------------------------------------------------------------------------------------------------------------------------
Non-quantified benefits and costs are described below.

b. Baseline Assumptions
    The Department based its assumptions for calculating estimated 
costs and benefits on a number of publicly available datasets, 
including data from the U.S. Census, the U.S. Department of Labor, 
Bureau of Labor Statistics (BLS), CMS, and the Agency for Healthcare 
Research and Quality (AHRQ). All calculations using mean hourly wages 
include benefits and overhead by multiplying the mean hourly pay for an 
occupation by two.\267\ The Department relies on the annual number of 
U.S. health care encounters as reported by the AHRQ, 2.46 billion, for 
some of its calculated estimates.\268\
---------------------------------------------------------------------------

    \267\ This represents an increase of 50 percent from the 
Department's prior HIPAA Rules analyses.
    \268\ 2017 ``National Healthcare Quality and Disparities 
Report,'' Agency for Healthcare Research and Quality (September 
2018). AHRQ Pub. No. 18-0033-EF, available at https://www.ahrq.gov/research/findings/nhqrdr/nhqdr17/index.html.

               Table 3--Annual U.S. Health Care Encounters
------------------------------------------------------------------------
                                            Number of health care visits
            Type of encounters                  or days in residence
------------------------------------------------------------------------
Physician office visits...................  923 million.
Hospital outpatient.......................  803 million.
Nursing home days.........................  500 million.
Hospice days in residence.................  120 million.
Home health visits........................  117 million.
    Total Annual..........................  2,463 million or 2.46
                                             billion.
------------------------------------------------------------------------

    Implementing the proposed regulatory changes likely would require 
covered entities to engage workforce members or consultants for certain 
activities. The Department assumes that a lawyer would draft or review 
needed changes to HIPAA policies, including revisions to the NPP and 
the access fee schedule, and that a medical and health services manager 
(e.g., compliance manager) would develop related changes to procedures. 
The Department expects a training specialist would revise the needed 
HIPAA training and a web developer would post the online access fee 
schedule and updated Notice of Privacy Practices. The Department 
further anticipates that a medical records technician or another 
workforce member at that pay level would implement changes to the right 
of access, that a nurse or health professional at a similar pay level 
would disclose PHI to a patient's family, friends, or others in a 
position to prevent harm, that a medical assistant would submit 
requests for PHI to health care providers and health plans, and that a 
receptionist would implement changes to the disclosure of directory 
information. To the extent that these assumptions would impact the 
Department's estimate of costs, the Department welcomes comment on its 
assumptions, particularly those in which the Department identifies the 
level of workforce member (i.e., clerical staff, professional) that 
would be engaged in activities, and the amount of time that particular 
types of workforce members spend conducting activities related to this 
NPRM as further described below.

                   Table 4--Occupational Pay Rates \a\
------------------------------------------------------------------------
                                                          Benefit loaded
                Occupation code and title                   hourly labor
                                                             wage \b\
------------------------------------------------------------------------
23-1011 Lawyer..........................................         $139.72
11-9111 Medical and Health Services Manager.............          110.74
29-2098 Medical Records Technician......................           44.80
31-9092 Medical Assistant...............................           34.34
13-1151 Training and Development Specialist.............           63.12
29-1141 Registered Nurse................................           74.48
43-4171 Receptionist and Information Clerk..............           30.04
15-1134 Web Developer and Digital Interface Designer....           79.20
------------------------------------------------------------------------
\a\ Bureau of Labor Statistics (BLS), U.S. Department of Labor,
  ``Occupational Employment and Wages,'' May 2019, available at https://www.bls.gov/oes/current/oes_stru.htm.
\b\ To incorporate employee benefits, these figures represent a doubling
  of the BLS median hourly wage.


[[Page 6497]]

    The Department assumes that the vast majority of covered entities 
would be able to incorporate changes to their workforce training into 
existing HIPAA training programs because the total time frame for 
compliance from date of finalization would be 240 days, just short of a 
year. In addition, the Department has included additional time spent in 
training by medical records technicians to the calculation of burden 
hours, due to the number of proposed changes to the right of access for 
which they would be responsible.
    For a number of proposals where the Department is incorporating 
existing interpretive guidance into regulation, the Department assumes 
that a portion of covered entities are already voluntarily engaging in 
the best practices highlighted in OCR guidance. For example, the 
Department is aware that 35 percent of hospitals in one study had 
posted an access fee schedule online,\269\ and assumes that many 
entities are voluntarily providing individuals with an estimate of 
access fees, consistent with its widely publicized guidance,\270\ 
although not necessarily doing so in writing. Even for entities that 
are not providing advance fee estimates, the Department assumes that 
they are providing some type of billing statement when charging fees 
for access requests, which would necessitate having a fee structure.
---------------------------------------------------------------------------

    \269\ See Lye CT, Forman HP, Gao R, et al. ``Assessment of US 
Hospital Compliance With Regulations for Patients' Requests for 
Medical Records.'' JAMA Netw Open. 2018;1(6):e183014, available at 
https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2705850.
    \270\ See 2016 Access Guidance, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
---------------------------------------------------------------------------

    With respect to cost savings, the Department proposes to recognize 
a previously unquantified burden associated with covered entities 
making minimum necessary determinations. The Department assumes that 
this burden, associated with time spent by a workforce member equivalent 
to a Medical and Health Services Manager, would necessarily be reduced 
by alleviating the need to make the determination for disclosures for 
care coordination or case management on behalf of an individual. For 
cost savings associated with the proposal to remove the requirement 
that covered entities obtain a signed acknowledgment of the covered 
entity's NPP or document a good faith effort to do so, the Department 
assumes that time spent by clerical staff for a direct treatment 
provider, such as a Receptionist or Information Clerk, will vary widely 
depending on the practice of that provider in managing its own NPP 
process and whether the process is paper-based or electronic. For all 
of the proposed regulatory changes that covered entities are currently 
allowed to implement, consistent with its interpretive guidance, the 
Department seeks comment on the extent to which covered entities are 
already voluntarily implementing the proposed requirements, and thus 
would not incur additional costs or realize savings as a result of the 
proposed changes.
c. Covered Entities
    This proposed rule would apply to HIPAA covered entities (i.e., 
health care providers that conduct covered electronic transactions, 
health plans, and in certain circumstances, health care clearinghouses 
\271\), which the Department estimates to be 774,331 business 
establishments (see Table 5). By calculating costs for establishments, 
rather than firms (which may be an umbrella organization over multiple 
establishments), there is some tendency toward overestimating some 
burdens, because certain costs would be borne by a parent organization 
rather than each separate facility. Similarly, benefits and transfers 
would be overestimated, as entity assumptions flow through to those 
quantifications as well. However, decisions about what level of an 
organization is responsible for implementing certain requirements 
likely vary across the health care industry. The Department requests 
data on the extent to which certain burdens are borne by each facility 
versus an umbrella organization.
    The Department expects that covered health care providers and 
health plans would be most directly affected by the proposed rule. 
While certain proposed changes would affect some providers and plans 
differently than others, all affected covered entities would need to 
adopt or change some policies and procedures and re-train some 
employees. Affected health care providers would include many federal, 
state, local, tribal, and private sector providers. The Department has 
not separately calculated the effect on business associates because the 
primary effect is on the covered entities for which they provide 
services. To the extent that covered entities engage business 
associates to perform activities under the proposed rule, the 
Department assumes that any additional costs will be borne by the 
covered entities through their contractual agreements with business 
associates. The Department requests data on the number of business 
associates (which may include health care clearinghouses acting in 
their role as business associates of other covered entities) that would 
be affected by the proposed rule and the extent to which they may 
experience costs or other burdens not already accounted for in the 
estimates of covered entity burdens.
    According to Census data, there are 880 Direct Health and Medical 
Insurance Carrier firms compared to 5,350 Insurance Carrier firms, such 
that health and medical insurance firms make up 16.4% of insurance 
firms. Also, according to Census data, there are 2,773 Third Party 
Administration of Insurance and Pension Funds firms. The Department 
assumes that 16.4% of these firms service health and medical insurance. 
As a result, the Department estimates that 456 of these firms are 
affected by this proposed rule. Similarly, the Department estimates 
that 783 associated establishments would be affected by this proposed 
rule. See Table 5 below.
    There were 67,753 community pharmacies (including 19,500 pharmacy 
and drug store firms identified in US Census data) operating in the 
U.S. in 2015.\272\ Small pharmacies largely use pharmacy services 
administration organizations (PSAOs) to provide administrative 
services, such as negotiations, on their behalf.\273\ A 2013 study 
identified 22 PSAOs, and notes there may be more in operation.\274\ 
Based on information received from industry, the Department adjusts 
this number upward and estimates that the proposed rule would affect 40 
PSAOs. The Department assumes that costs affecting pharmacies are 
incurred at each pharmacy and drug store firm and each PSAO.
---------------------------------------------------------------------------

    \271\ Only certain provisions of the Privacy Rule apply to 
clearinghouses as covered entities. In addition, certain provisions 
apply to clearinghouses in their role as business associates of 
other covered entities. See 45 CFR 164.500(b) and (c). Because the 
provisions addressed in this proposed rule generally do not apply 
directly to clearinghouses, the Department does not anticipate that 
these entities would experience costs associated with this proposed 
rule.
    \272\ See Qato, Dima Mazen; Zenk, Shannon; Wilder, Jocelyn; 
Harrington, Rachel; Gaskin, Darrell; Alexander, G. Caleb (2017). 
``The availability of pharmacies in the United States: 2007-2015.'' 
PLOS ONE. 12 (8): e0183172, available at https://doi.org/10.1371/journal.pone.0183172.
    \273\ Government Accountability Office, GAO-13-176, (January 29, 
2013), discussing generally that small and independent pharmacies 
often lack internal resources to support these services, available 
at https://www.gao.gov/products/GAO-13-176.
    \274\ Ibid.
---------------------------------------------------------------------------

    Unless otherwise indicated, the Department relies on data about the 
number of businesses from the U.S.

[[Page 6498]]

Census.\275\ The Department requests public comment on these estimates, 
including those for third party administrators and pharmacies where the 
Department has provided additional explanation. The Department 
additionally requests detailed comment on any situations in which 
covered entities other than those identified here would be impacted by 
this rulemaking.
---------------------------------------------------------------------------

    \275\ See ``2015 Statistics of U.S. Businesses (SUSB) Annual 
Data Tables by Establishment Industry,'' (January 2018), available 
at https://www.census.gov/data/tables/2015/econ/susb/2015-susb-annual.html.

                                            Table 5--Covered Entities
----------------------------------------------------------------------------------------------------------------
                  NAICS code                            Type of entity                Firms       Establishments
----------------------------------------------------------------------------------------------------------------
524114.......................................  Health and Medical Insurance                 880            5,379
                                                Carriers.
524292.......................................  Third Party Administrators......             456              783
622..........................................  Hospitals.......................           3,293            7,012
44611........................................  Pharmacies......................          19,540           67,753
6211-6213....................................  Office of Drs. & Other                   433,267          505,863
                                                Professionals.
6215.........................................  Medical Diagnostic & Imaging....           7,863           17,265
6214.........................................  Outpatient Care.................          16,896           39,387
6219.........................................  Other Ambulatory Care...........           6,623           10,059
623..........................................  Skilled Nursing & Residential             38,455           86,653
                                                Facilities.
6216.........................................  Home Health Agencies............          21,829           30,980
532291.......................................  Home Health Equipment Rental....             611            3,197
                                                                                --------------------------------
    Total....................................  ................................         549,713          774,331
----------------------------------------------------------------------------------------------------------------

d. Individuals Affected
    The Department believes that, by having some contact with a HIPAA 
covered entity, a large proportion of the 329 million individuals in 
the United States \276\ would be affected by this proposed rule, 
including those who do not have health insurance coverage or do not 
have a health care visit in the current year. The widespread effect on 
individuals would be due primarily to the proposed changes to the right 
of access, affecting the speed of access, the ability to easily direct 
the transmission of ePHI in an EHR to health plans and health care 
providers, notice of access and authorization fees, and the access and 
authorization fees that could be charged, as well as changes to covered 
entities' ability to disclose PHI to an individual's family, friends, 
and others who are involved in care or payment for care, or who are in 
a position to prevent harm, and disclosures for care coordination and 
case management to third parties such as social services agencies, 
community-based support organizations, and HCBS providers. Eliminating 
the requirement for a covered health care provider to attempt to obtain 
a signed acknowledgment of the NPP, and replacing it with the 
individual right to discuss a covered entity's NPP, will affect nearly 
all individuals who receive services from a health care provider.
---------------------------------------------------------------------------

    \276\ U.S. Census Population Clock, available at https://www.census.gov/popclock/.
---------------------------------------------------------------------------

    To calculate the potential monetary effect on individuals for the 
proposed changes to allowable fees for certain copies of PHI, the 
Department first estimated a baseline average cost for an access 
request under the current Privacy Rule requirements. The Department 
increased the estimated average time for providing a copy of PHI 
requested from 3 minutes in its prior analyses to 5 minutes, resulting 
in an average labor cost of $3.73 per request.\277\ The Department 
requests data on costs from covered entities' data and comments on 
individuals' experiences when charged a fee for copies of PHI or when 
it is provided for free. The Department has heard that many individuals 
are able to obtain a copy of their PHI without charge, but in contrast, 
others receive unexpectedly large bills for obtaining copies, possibly 
in violation of the HIPAA right of access fee limitations.\278\
---------------------------------------------------------------------------

    \277\ Based on 5 minutes of a medical records technician's 
hourly wage, as noted in Table 4.
    \278\ A recent study found access fees for a 200-page record to 
range from $0 to $281.54. Lye CT, Forman HP, Gao R, et al. 
``Assessment of US Hospital Compliance With Regulations for 
Patients' Requests for Medical Records.'' JAMA Netw Open. 
2018;1(6):e183014. See also GAO-18-386, ``MEDICAL RECORDS Fees and 
Challenges Associated with Patients' Access,'' GAO Report to 
Congress (May 2018), available at https://www.gao.gov/assets/700/691737.pdf. See also 2016 Access Guidance, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html.
---------------------------------------------------------------------------

    The Department believes the persons most affected by the proposed 
changes to the rule permitting certain disclosures based on ``good 
faith'' would include individuals who are unable to agree or object to 
the use or disclosure of PHI due to incapacity or who are at risk of 
harming themselves or others, and the loved ones and caregivers of such 
individuals. This would include those experiencing a health emergency, 
SUD, or SMI; and individuals to whom permissible disclosures would be 
made as a result of the rule, such as family members and other 
caregivers, and persons in a position to prevent or lessen (e.g., make 
less likely or less severe) a threat to health or safety. The proposed 
changes also would include individuals experiencing temporary 
incapacity due to injuries or health conditions, and those with long-
term incapacity, such as from Alzheimer's disease or, in some cases, 
traumatic brain injury or stroke.
    The individuals most affected by the proposal to add a regulatory 
permission for workforce members to disclose PHI to a TRS 
communications assistant, would be the estimated 170,000 persons 
employed in the health care sector who are deaf, hard of hearing, deaf-
blind, or who have a speech disability.\279\
---------------------------------------------------------------------------

    \279\ See ``Task Force on Health Care Careers for the Deaf and 
Hard-of-Hearing Community, Final Report'' (March 2012), p. 14, 79 
(Table 4), available at https://www.rit.edu/ntid/healthcare/task-force-report; see also Moreland CJ, et al., ``Deafness among 
physicians and trainees: a national survey.'' Acad. Med. 2013 Feb; 
88(2):224-32, available at https://journals.lww.com/academicmedicine/Fulltext/2013/02000/Deafness_Among_Physicians_and_TraineesA.27.aspx.
---------------------------------------------------------------------------

e. Qualitative Analysis of Non-quantified Benefits
Clarity Regarding the Scope of EHRs and Personal Health Applications
    The Department proposes to add a new definition within the Privacy 
Rule at 45 CFR 164.501 for the term ``Electronic health record'' or EHR 
to clarify the intended scope of the Privacy Rule provisions pertaining 
to ePHI in an EHR. Additionally, the Department proposes to add a new 
definition for the

[[Page 6499]]

term ``Personal health application'' to clarify the intended scope of 
the proposed changes to the right of access, including the form and 
format requirements and adjustments to allowable access fees. These 
definitions would benefit covered entities and individuals by 
increasing the understanding of how to apply the proposed changes to 
the right of access for PHI in an EHR, including allowable fees (if 
any).
Improved Access to Inspect PHI
    The Department proposes to add a new subsection to amend the right 
of access provision at 45 CFR 164.524(a)(1) to establish that the right 
to inspect PHI generally includes the right to take notes, take 
photographs, and use other personal resources to capture their PHI in a 
designated record set, but that a covered entity is not required to 
allow an individual to connect a personal device to the covered 
entity's information systems when it would create a risk to the 
security of the covered entity's electronic systems. Expressly enabling 
individuals to take notes and photographs when inspecting their own PHI 
in person would help individuals exercise their right of access in a 
convenient way. Most individuals who inspect, rather than request a 
copy of, their PHI otherwise would be unable to retain the amount or 
details of PHI that would assist them with decision-making.
Reducing the Timeframe for Access to PHI (From 30 Days to 15 Calendar 
Days)
    The Department proposes to amend 45 CFR 164.524(b) to shorten the 
allowable time limit for covered entities to provide copies of PHI by 
half, from 30 days (with the possibility of one 30-day extension) to 15 
calendar days (with the possibility of one 15 calendar-day extension). 
In addition, where another federal or state law time limit requires 
covered entities to provide individuals with access to the PHI 
requested in less than 15 calendar days, the Department proposes to 
deem such time limits ``practicable'' under the Privacy Rule. The 
Department also proposes to add a requirement for covered entities to 
develop and implement a policy to explicitly prioritize urgent or 
otherwise high priority requests (especially with respect to health and 
safety) so as to limit the need to use a 15 calendar day extension for 
such requests. The Department does not propose to define what 
constitutes an urgent or high priority request, and does not intend 
with this proposal to encourage covered entities to require individuals 
to reveal the purposes for their requests for access. However, examples 
of urgent or high priority requests could include when an individual 
voluntarily reveals that the PHI is needed in preparation for urgent 
medical treatment, or that the individual needs documentation of a 
diagnosis of severe asthma to be allowed to bring medication to school 
the next day.
    The proposal to shorten the time for covered entities to provide 
individuals with access to their PHI would improve patient-centered 
care by empowering individuals to review their health information in a 
timely manner and enhance patient decision making. It also would 
improve care coordination by enabling individuals to share their 
records more rapidly with other providers, informal caregivers, 
community-based support services, and family members, as just a few 
examples. The Department believes that the overall effect would lead to 
improved health care communications and improved health outcomes. It 
also may reduce health expenditures due to a reduction in unnecessary, 
duplicative medical testing, reductions in medical errors, and more 
timely care delivery. For example, a research study found that the use 
of health information is ``important for improving patient attitudes 
regarding their health status and confidence in caring for themselves. 
Perceived health-status and patient confidence, in turn, are associated 
with preventative health behaviors.'' \280\
---------------------------------------------------------------------------

    \280\ Hearld, K. R., Hearld, L. R., Budhwani, H., McCaughey, D., 
Celaya, L. Y., & Hall, A. G. (2019). The future state of patient 
engagement? Personal health information use, attitudes towards 
health, and health behavior. Health services management research, 
32(4), 199-208.
---------------------------------------------------------------------------

    Although nine states require some health care entities to provide 
access within 15 days or a lesser period,\281\ these requirements do 
not apply to all entities within such states. Therefore, the proposed 
shortened time requirement within HIPAA would expand the benefits of 
the short time limits to individuals interacting with all covered 
entities, even in states that already require it for certain health 
care providers.
---------------------------------------------------------------------------

    \281\ California, Cal. Health & Safety Code 123110 (5 days to 
inspect; 15 days to receive a copy); Colorado, 6 Colo. Regs. 
1011:1:II-5.2 (24 hours to inspect; 10 days to receive a copy); 
Hawaii, HRS 622.57 (10 days to receive a copy); Louisiana, LSA-R.S. 
40:1165.1 (15 days to receive a copy); Montana, MCA 50-16-541 (10 
days, copy and inspect); Tennessee, TCA 63-2-101 (10 days to receive 
a copy); Texas, Tex. Health & Safety Code 241.154 (hosp.) (15 days, 
copy and inspect); Tex. Occupations Code 159.006 (physicians) (15 
days to receive a copy), Tex. Health & Safety Code 181.102 (15 days 
to receive electronic copies), Tex. Admin. Code 165.2 (physicians) 
(15 days to receive a copy); and Washington, Wash. Rev. Code 
70.02.080 (15 days, copy and inspect).
---------------------------------------------------------------------------

Improving Production of Required Formats of PHI
    The Department proposes to modify 45 CFR 164.524(c)(2) to clarify 
that where a covered entity is subject to other federal law that 
requires the provision of access to individuals in a particular form 
and format, such form and format is deemed readily producible under the 
Privacy Rule's individual access right. To the extent that other 
applicable federal laws require production of copies of PHI in a 
certain form and format, the proposed inclusion of these finalized 
requirements within the Privacy Rule would not significantly increase 
covered entities' compliance burdens. However, by providing that a form 
and format required to be produced under other federal law are readily 
producible under the Privacy Rule, the change would allow the 
Department to enforce the individual's right to receive their PHI in 
that form and format. Although quantifying the impacts of this 
provision is challenging, the Department believes the proposed 
clarification would benefit individuals by enhancing their ability to 
receive PHI in the form and format requested. It also would benefit 
covered entities by providing greater certainty about the Department's 
expectations regarding when a requested form and format is ``readily 
producible.''
    The Department also proposes in 45 CFR 164.524(c)(2)(iv) and (d)(4) 
to add a new set of parallel requirements so that when covered entities 
offer to provide or direct a summary of PHI in lieu of requested 
copies, they must inform individuals that they retain the right to 
obtain or direct the requested copies if they do not agree with the 
offered summary. These requirements would not apply when the covered 
entity denies access on unreviewable or reviewable grounds, in which 
case the covered entity must implement the required procedures for such 
denial under 45 CFR 164.524(e). These requirements would benefit 
individuals by ensuring that they are aware of their access rights and 
empowered to make choices about the form of access with full knowledge 
about the available options under the right of access. The proposals 
would benefit covered entities by engaging individuals in more robust 
discussions about requested forms of access early in the process, thus 
reducing potential complaints and fee disputes.

[[Page 6500]]

Clarifying the Right to Direct the Transmission of Certain PHI to 
Health Care Providers and Health Plans
    The Department proposes to modify 45 CFR 164.524(c)(3)(ii) (and 
redesignate it as 45 CFR 164.524(d)) to clarify the access right to 
direct the transmission of an electronic copy of PHI in an EHR to 
another person designated by the individual and add a new provision for 
access requests to be submitted by covered health care providers and 
health plans at the request of the individual in 45 CFR 164.524(d)(7). 
The Department proposes to require covered health care providers and 
health plans to submit individuals' requests directing electronic 
copies of PHI in an EHR to be transmitted back to the entity that 
submitted the request. The new provision would specify that a covered 
health care provider or health plan must submit an individual's request 
to transmit an electronic copy of PHI in an EHR from another health 
care provider or health plan when the request is clear, conspicuous, 
and specific (and may be made orally or in writing, including 
electronically), and that the covered health care provider or health 
plan must submit the access request as soon as practicable, but no 
later than 15 calendar days after receiving the individual's direction 
and information needed to make the request. The Department also 
proposes to add language clarifying that covered entities that receive 
access requests under this new provision are required to respond based 
on an individual's clear, conspicuous, and specific request.
    The proposal to expressly include individual access requests 
submitted by health care providers and health plans as part of the 
right to direct the transmission of ePHI in an EHR to a third party 
would improve care coordination and patient-centered care by enhancing 
the individual's ability to direct the sharing of ePHI among health 
care entities. The change would improve health care communications and 
assist individuals' decision-making as they consult with various health 
care providers and health plans, and evaluate treatment alternatives, 
recommendations, and health plan coverage. All health care providers 
and health plans would benefit from receiving electronic records from 
other covered entities more quickly under the shortened timeframe, and 
the proposal to explicitly require covered health care providers and 
health plans to submit requests for copies of ePHI as directed by the 
individual within the right of access would enhance covered entities' 
compliance with responding to such requests received from other covered 
entities because such disclosures would be mandatory. This means of 
obtaining access also would ease the burden on individuals to 
separately contact their other providers and request that they transmit 
electronic records to their treating physician. Instead, the individual 
may initiate such requests through the provider (or health plan) with 
whom they are currently communicating or receiving services, and who 
will receive the ePHI. Taken together, these changes would empower 
individuals by clarifying the scope of a patient's HIPAA rights and 
providing a convenient means to effectuate certain mandatory transfers 
of electronic medical records between covered entities.
Improving Access to PHI by Specifying When Access Must be Free of 
Charge
    The Department proposes to modify 45 CFR 164.524(c)(4) to prohibit 
covered entities from charging fees for access when an individual 
inspects PHI about the individual in person or accesses an electronic 
copy using an internet-based application method. The Department 
proposes to expressly provide that covered entities may not charge a 
fee when an individual, in the course of inspecting PHI, takes notes or 
photographs, or uses other personal resources to capture the 
information.
    All individuals would benefit from improved access to their PHI and 
regulatory requirements stating the circumstances in which access is 
always to be provided free of charge. In addition to any quantifiable 
increases in the number of access requests fulfilled without charge, 
the Department believes that individuals' ability to manage their own 
health care and payment for care would improve with better access to 
their own PHI.
    Additionally, although the Department is not expressly prohibiting 
fees when an individual uses an internet-based method to direct the 
transmission of an electronic copy of PHI in an EHR to a third party, 
the Department expects that, in most cases, there will be no allowable 
labor costs for such access.
Improving Access to Pricing Information for Copies of PHI
    The Department proposes to add a new section, 45 CFR 164.525, 
to require a covered entity to provide advance notice to individuals of 
the fees the entity charges for providing access to and copies of PHI. 
Specifically, the Department proposes to require a covered entity to 
post a fee schedule online (if they have a website) and make the fee 
schedule available to individuals at the point of service upon request. 
The notice must include: (i) All types of access to PHI available free 
of charge; (ii) approximate fees for copies of PHI provided to 
individuals under 45 CFR 164.524(a), to third parties designated by the 
individual under 45 CFR 164.524(d), and to third parties with the 
individual's valid authorization under 45 CFR 164.508; (iii) provide, 
upon request, an individualized estimate of the approximate fee that 
may be charged for the requested copy of PHI; and (iv) upon request, 
provide an individual with an itemized list of charges for labor, 
supplies, and postage, if applicable, that constitute the total fee 
charged.
    The Department anticipates that all individuals interested in 
access to PHI would benefit from having advance notice of a covered 
entity's approximate fee schedule for standard or common data access 
requests for PHI, by learning about how they may access their PHI for 
free, and obtaining pricing information for copies prior to or at the 
time of making an access request or a request for copies with a valid 
authorization. Readily available public information about access fees 
would also serve to promote compliance with the Privacy Rule because 
covered entities will want to avoid posting fee schedules that show 
noncompliance with fee limitations,\282\ or that publicly misrepresent 
their business practices, and individuals will be empowered to insist 
on covered entities' compliance as well.
---------------------------------------------------------------------------

    \282\ In addition to the access fees limits contained in 45 CFR 
164.524, the Privacy Rule limits the fees that may be charged for 
uses and disclosures of PHI based on an authorization. Under the 
Privacy Rule's provisions on the sale of PHI, covered entities 
generally must limit fees for disclosures pursuant to an 
authorization to a ``reasonable, cost-based fee to cover the cost to 
prepare and transmit the protected health information for such 
purpose or a fee otherwise expressly permitted by other law'' or 
must state in the authorization that the disclosure will result in 
remuneration to the covered entity. See 45 CFR 
164.502(a)(5)(ii)(B)(2)(viii); 45 CFR 164.502(a)(5)(ii)(A); 45 CFR 
164.508(a)(4).
---------------------------------------------------------------------------

    Providing an access and authorization fee schedule, and an 
individualized estimate of fees for an individual's request for copies 
of PHI upon request, would also benefit covered entities because this 
information is likely to prevent or resolve potential fee disputes that 
occur when individuals are surprised by unexpectedly high fees.
Improved Coordination of Care by Covered Entities, Including for 
Population-Based Activities
    The Department proposes to add an exception to the minimum 
necessary standard in 45 CFR 164.502(b)(2) for disclosures to, or 
requests by, a health plan or covered health care 
provider for individual-level (i.e., not population-based) care 
coordination and case management that constitute health care 
operations. The Department first recognized the ongoing annual burden 
of compliance with the minimum necessary standard in the 2000 Privacy 
Rule \283\ and now quantifies the burden of this existing requirement. 
The Department believes the proposed exception to the minimum necessary 
standard, in addition to decreasing quantifiable burdens as described 
elsewhere, would contribute to non-quantifiable but qualitative 
improvements in the scale and design of care coordination and case 
management, and therefore improve the health of individuals. Facilitating 
health plans' involvement in care coordination and case management may 
prove instrumental in improving individual health outcomes. The 
proposed change would eliminate some of the differential treatment 
between health plans' care coordination and case management disclosures 
under the health care operations provisions and covered health care 
providers' care coordination and case management under the provisions 
regarding treatment disclosures (which are not subject to the minimum 
necessary standard). The proposed change also would address the 
concerns of both covered health care providers and health plans about 
having to determine what PHI is or is not the minimum necessary for 
requests by, and disclosures to, health plans and health care 
providers, a requirement that may be an ongoing impediment to value-
based care delivery and a disincentive to information sharing.
---------------------------------------------------------------------------

    \283\ See 65 FR 82462, 82767, 82773 (December 28, 2000).
---------------------------------------------------------------------------

Increased Coordination of Care Between Covered Entities and Third 
Parties Such as Social Services Agencies, Community-Based 
Organizations, and HCBS Providers
    The Department proposes to add an express permission for a covered 
entity to disclose PHI for individual-level care coordination and case 
management to a social services agency, community based organization, 
HCBS provider, or other similar third party that provides health-
related services to those specific individuals, as a new paragraph (6) 
in 45 CFR 164.506(c). The Department believes the proposed changes and 
clarifications about the disclosures permitted for care coordination 
and case management would help covered entities and others achieve 
their health-related missions, particularly those that are not health 
care providers or HIPAA covered entities. The Department has continued 
to hear that health care providers and health plans want to refer 
individuals to such organizations for health-related supportive 
services, but are reluctant to do so because of uncertainty regarding 
the applicable permissions and obligations. The Department interprets 
the Privacy Rule to allow health care providers to disclose PHI for 
their own treatment activities to both covered entities and entities 
that are not subject to HIPAA, which may include supportive services in 
the community related to health. By expressly identifying social 
services agencies, community based organizations, and HCBS providers 
and similar third parties as entities to which PHI may be disclosed for 
individual-level care coordination and case management that constitute 
treatment or health care operations, the Department will remove 
regulatory uncertainty and ease the ability of covered health care 
providers to facilitate comprehensive transitions of care. The 
Department believes these proposed clarifications would affect at least 
137,052 organizations providing social assistance to individuals.\284\ 
The proposed clarifications to these use and disclosure permissions 
would enhance the ability of such organizations to receive PHI to 
improve service coordination and delivery for the individuals served 
within the scope of their respective missions. These organizations 
serve many individuals for whom supportive services are essential to 
regain health and maintain recovery and individuals who lack stable 
housing or communications capabilities, making the need for immediate 
referrals (i.e., without needing to obtain an individual's valid 
authorization) imperative.
---------------------------------------------------------------------------

    \284\ See ``2015 SUSB Annual Data Tables by Establishment 
Industry,'' (January 2018), available at https://www.census.gov/data/tables/2015/econ/susb/2015-susb-annual.html.
---------------------------------------------------------------------------

Improved Treatment and Recovery Outcomes Resulting From a Good Faith 
Standard With a Presumption of Compliance
    The Department proposes to amend five provisions of the Privacy 
Rule to replace the exercise of ``professional judgment'' with a ``good 
faith belief'' as the standard to permit uses and disclosures in the 
best interests of the individual, and include a presumption of 
compliance with the good faith requirements. These proposed 
modifications would apply to uses and disclosures involving a parent or 
guardian who is not the individual's personal representative (45 CFR 
164.502(g)(3)(ii)(C)), facility directories (45 CFR 164.510(a)(3)(i)(B)), 
emergency contacts (45 CFR 164.510(b)(2)(iii)), limited uses and 
disclosures when the individual is not present or incapacitated (45 CFR 
164.510(b)(3)), and verifying a Requester-Recipient's identity (45 CFR 
164.514(h)(2)(iv)). The proposed presumption of compliance could be 
overcome with evidence that a covered entity acted in bad faith.
    The Department believes that replacing the professional judgment 
standard with one based on good faith, as proposed, would result in 
improved treatment and recovery outcomes for individuals who are most 
affected, for example, by the current opioid crisis, as well as those 
experiencing SMI or other SUD, by facilitating the increased disclosure 
of PHI by covered entities to persons who care about the individual and 
who need to be involved in the individual's care. The Department 
expects that health care providers who have confidence in their ability 
to disclose information to individuals' family members, friends, and 
others involved in care or payment for care when it is in an 
individual's best interests, without fear of violating HIPAA, would be 
more likely to disclose PHI that could be used by those persons to 
provide needed care and support.
    The Department does not have data to quantify such benefits, but 
research supports the conclusion that family involvement improves the 
engagement in treatment and recovery of these individuals.\285\ For 
example, a study by Dobkin, Civita, Paraherakis, and Gill examined the 
effect of social support on substance use and treatment retention. They 
found that ``higher functional social support at intake is a positive 
predictor of retention in treatment, and a modest predictor of 
reductions in alcohol intake, but not in drug use.'' \286\ Another 
study examined the 
effect of social support on women's substance abuse relapse within 6 
months following residential treatment and found that ``positive 
activities such as families getting along and helping each other during 
the post-discharge period significantly decreased the likelihood of 
relapse.'' \287\ According to the National Institute on Drug Abuse of 
the National Institutes of Health, the degree of support from family 
and friends influences the degree of engagement by individuals with 
treatment and retention in treatment programs.\288\ Therefore, the 
changes to the Privacy Rule proposed in this NPRM may result in 
improved outcomes in treatment and recovery.
---------------------------------------------------------------------------

    \285\ See ``Alcohol and Drug Addiction Happens in the Best of 
Families . . . and it Hurts,'' U.S. Dept. of Health and Human 
Services, Substance Abuse and Mental Health Services Administration, 
available at https://store.samhsa.gov/shin/content//PHD1112/PHD1112.pdf; ``Incorporating the family in a culturally appropriate 
fashion within routine clinical settings improves access to 
treatment, client participation in care, integration of care, and 
ultimately, clinical outcomes for populations with SMI and SED.'' 
Interdepartmental Serious Mental Illness Coordinating Committee, 
``The Way Forward: Federal Action for a System That Works for All 
People Living With SMI and SED and Their Families and Caregivers,'' 
U.S. Dept. of Health and Human Services, Substance Abuse and Mental 
Health Services Administration, (December 2017), Publication ID 
PEP17-ISMICC-RTC, available at https://store.samhsa.gov/system/files/pep17-ismicc-rtc.pdf.
    \286\ Dobkin, P. L., Civita, M. D., Paraherakis, A., & Gill, K. 
(2002). The role of functional social support in treatment retention 
and outcomes among outpatient adult substance abusers. Addiction, 
97(3), 347-356.
    \287\ Ellis, B., Bernichon, T., Yu, P., Roberts, T., & Herrell, 
J. M. (2004). Effect of social support on substance abuse relapse in 
a residential treatment setting for women. Evaluation and Program 
Planning, 27(2), 213-221.
    \288\ See Principles of Drug Addiction Treatment: A Research-
Based Guide (3rd Edition), ``What helps people stay in treatment?'', 
U.S. Dept. of Health and Human Services, National Institutes of 
Health, National Institute on Drug Abuse, (January 2018), available 
at https://www.drugabuse.gov/publications/principles-drug-addiction-treatment-research-based-guide-third-edition/frequently-asked-questions/what-helps-people-stay-in-treatment.
---------------------------------------------------------------------------

Avoidance of Harm From Serious and Reasonably Foreseeable Threats
    The Department proposes to amend the Privacy Rule at 45 CFR 
164.512(j)(1)(i)(A) to replace the ``serious and imminent threat'' 
standard with the ``serious and reasonably foreseeable threat'' 
standard. This proposed change would permit covered entities to use or 
disclose PHI without determining whether the threat is imminent (which 
may be impossible to determine with any certainty), but rather whether 
it is likely to happen. The Department expects this proposed 
modification to improve the timeliness of uses and disclosures of PHI 
that would have otherwise occurred, but for the covered entity's 
uncertainty about whether a threat is ``imminent.'' The Department 
believes that individuals, covered entities, and communities would 
benefit from threat reduction and improved health and safety as a 
result. The Department also proposes to add a new paragraph (5) to this 
provision to define ``reasonably foreseeable.'' The Department's 
proposed definition of ``reasonably foreseeable'' would apply a 
reasonable person standard to permit uses and disclosures by covered 
entities in instances where similarly situated covered entities 
would use or disclose PHI to avert a threat based on facts and 
circumstances known at the time of the disclosure. The proposed 
definition also would include an express presumption that threats to 
health or safety identified by a covered health care provider with 
specialized training, expertise, or experience in assessing an 
individual's risk to health or safety (such as a licensed mental or 
behavioral health professional)--and whose assessment relates to their 
specialized training, expertise, or experience--meet the definition of 
``reasonably foreseeable.'' A covered entity, however, need not have 
such specialized training, expertise, or experience in order to meet 
the reasonably foreseeable standard. The Department expects that these 
proposed changes to the standard at 45 CFR 164.512(j) would improve 
communication and coordination between health care providers, 
caregivers and others in a position to lessen harm and avert threats, 
including opioid overdose and incidents of mass violence.
Improved Understanding of Covered Entities' Privacy Practices
    The Department proposes to add subsection (G) to 45 CFR 
164.520(b)(1)(iv), to give individuals the right to discuss the NPP 
with a person designated by the covered entity as the contact person 
pursuant to section 164.520(b)(1)(vii). The Department proposes to 
include information about this right in the header of the NPP to ensure 
that individuals are aware of their ability to discuss the NPP with a 
designated person. Requiring that an entity's NPP include the name or 
title and contact information for a designated person who is available 
to provide further information about the covered entity's privacy 
practices, and adding an individual right to discuss the notice with 
the designated person, would help improve an individual's understanding 
of the covered entity's privacy practices and the individual's rights 
with respect to his or her PHI. Even for individuals who do not request 
a discussion under this proposal, knowledge of the right may promote 
trust and confidence in how their PHI is handled.
Improved Access to Communications Assistance and Enhanced Service 
Delivery for Workforce Members Who are Deaf, Hard of Hearing, or Deaf-
Blind, or Who Have a Speech Disability
    The Department proposes to amend the Privacy Rule at 45 CFR 
164.512, by adding a new standard in paragraph (m) to expressly permit 
covered entities (and their business associates, when acting on the 
covered entities' behalf) to disclose PHI to Telecommunication Relay 
Service (TRS) communications assistants when such disclosures are 
necessary for a covered entity, or a business associate to conduct 
covered functions. This permission would cover all disclosures to TRS 
communications assistants, including communications necessary for care 
coordination and case management, relating to any covered functions 
performed by or on behalf of covered entities. The Department also 
proposes to expressly exclude TRS providers from the definition of 
business associate. The Department intends for these new provisions to 
ensure that regulated entities do not bear the burdens of analyzing 
whether they need a business associate agreement with a TRS and, 
potentially, establishing one before a workforce member discloses PHI 
to a TRS communications assistant, to assist the workforce member, in 
the course of performing their duties. Adding an express permission for 
covered entities' workforce members to share PHI via a TRS 
communications assistant would improve communications for health care 
delivery and benefit covered entities by supporting their compliance 
with employment nondiscrimination laws, such as the ADA. Further, by 
enhancing the ability of an estimated 170,000 workforce members \289\ 
to perform the necessary communication tasks of their jobs, the 
proposed change would also have a positive effect on health service 
delivery generally and improve health care services and payment for 
such services.
---------------------------------------------------------------------------

    \289\ See ``Task Force on Health Care Careers for the Deaf and 
Hard-of-Hearing Community, Final Report,'' available at https://www.rit.edu/ntid/healthcare/task-force-report.
---------------------------------------------------------------------------

    The Department requests comment or examples that could assist the 
Department in quantifying costs or cost savings in relation to the 
following:
    • Any relationship between individuals' access to medical 
records and improved health outcomes, including data about any health 
effects related to the amount of time between a request for access and 
the provision of access;
    • Any relationship between fees individuals pay to obtain 
medical records and the frequency with which the individual seeks 
treatment;
    • Any relationship between the ease or difficulty faced by 
covered health care providers and health plans to make minimum 
necessary determinations and health outcomes of individuals or 
populations;
    • Any relationship between the ease or difficulty faced by 
covered health care providers and health plans to disclose PHI based 
on a professional judgment standard or a good faith belief standard, 
and the frequency with which an individual will seek care from that 
provider or enroll with that plan, especially for treatment or coverage 
related to substance use disorders or serious mental illness;
    • The frequency with which different types of covered 
entities currently disclose PHI based on:
    ○ Professional judgment about an individual's best interests; 
and
    ○ A good faith belief that a threat or harm is serious and 
imminent, and the type of harm; and
    • Any relationship between improved compliance with non-
discrimination laws, such as the ADA, and health outcomes of 
populations protected by those laws.
f. Estimated Cost Savings and Costs Arising From Proposed Changes
    The Department provides below the basis for its estimated costs and 
savings due to the proposed changes to specific provisions of the 
Privacy Rule and invites comments on the Department's assumptions, 
data, and calculations, as well as any additional considerations that 
the Department has not identified here. Many of the estimates are based 
on assumptions formed through OCR's experience in its compliance and 
enforcement program and accounts from stakeholders received at outreach 
events. The Department welcomes information or data points from 
commenters to further refine its estimates and assumptions.
    To evaluate the potential benefit and burden of changes to the 
right of access, the Department calculated a range of estimated total 
annual numbers of access requests for covered entities, from 1.5 
million to 3.3 million. The Department's initial projections were drawn 
from prior rulemaking and burden estimates; however, based on its 
experience and comments received on the 2018 RFI, the Department 
believes an upward adjustment to the estimated number of access 
requests is needed. The Department developed the estimates herein based 
on three datasets: The total number of covered entities; the total 
number of U.S. health care encounters with a health care provider in a 
year; and the total population of the U.S. The calculated results are 
as follows: (1) 1.5 million, by estimating that 774,331 covered 
entities receive an average of two access requests per year; (2) 2.46 
million, by estimating that in one year one-tenth of a percent of 
health care encounters \290\ with health care providers results in an 
access request (.001 x 2.46 billion); and (3) 3.3 million, by 
estimating that one percent of the U.S. population in 2019 makes an 
access request (.01 x 329,001,648).\291\ For purposes of this analysis, 
the Department selected the mid-point estimate of the number of total 
annual access requests, 2.46 million.
---------------------------------------------------------------------------

    \290\ See 2017 ``National Healthcare Quality and Disparities 
Report,'' Agency for Healthcare Research and Quality (September 
2018). AHRQ Pub. No. 18-0033-EF, available at https://www.ahrq.gov/research/findings/nhqrdr/nhqdr17/index.html, reporting 923 million 
total annual physician office visits, including visits to physicians 
in health centers, 803 million annual hospital outpatient visits, 
117 million annual home health visits, 500 million annual patient 
days in nursing homes, 213 million annual days in hospitals, and 120 
million annual days in hospice.
    \291\ ``U.S. Census Population Clock,'' available at https://www.census.gov/popclock/ (visited June 5, 2019). Projections are 
based on a monthly series of population estimates starting with the 
April 1, 2010 resident population from the 2010 Census.
---------------------------------------------------------------------------

    The Department received widely varying reports from covered 
entities that commented on the RFI regarding the number of access 
requests they receive annually and it was unclear whether the numbers 
included requests that are not part of the right of access, such as 
disclosures accompanied by a valid authorization, disclosures for 
purposes of treatment, payment, or health care operations, or other 
disclosures permitted by the Privacy Rule.\292\ In addition, while 
large covered entities may receive many more than two requests per 
year, the Department assumes that small doctor's offices, which make up 
the majority of covered entities, receive very few requests. The 
Department requests comment on these assumptions.
---------------------------------------------------------------------------

    \292\ For example, the Veterans Health Administration, reported 
that it receives 1.7 million access requests annually; however, 
rather than individuals' exercising the right of access, many of 
these requests likely are for benefit determinations, and may be 
based on an authorization. A Cincinnati health system reported that 
two of its hospitals receive 31,102 and 22,000 requests from 
individuals per year, respectively.
---------------------------------------------------------------------------

i. Estimated Cost Savings and Costs From Adding a Definition of EHR
    The Department believes that covered entities would benefit from 
the certainty offered by its interpretation of the proposed definition 
of EHR; however, the Department lacks sufficient data to develop a 
quantifiable estimate. The Department does not anticipate additional 
costs for covered entities from the proposal to codify in regulation a 
definition of EHR because the definition itself imposes no 
requirements, the proposed definition is based on the statutory 
definition in the HITECH Act which has been in effect for more than a 
decade, and the proposed definition incorporates existing Privacy Rule 
definitions, such as direct treatment relationship, that are familiar 
to regulated entities. Cost savings and costs related to limiting the 
scope of the access right to direct a copy of PHI to a third party to 
PHI in an EHR are addressed elsewhere.
ii. Estimated Cost Savings From Changes to the Right to Inspect PHI
    The Department proposes to add a requirement to the right of access 
at 45 CFR 164.524(a)(1) to establish that the right to inspect PHI in 
a designated record set includes the right to take notes, take 
photographs, and use other personal resources to capture the 
information, but that a covered entity is not required to allow an 
individual to connect a personal device to the covered entity's 
information systems. The Department assumes that requests to inspect 
PHI may result in a reduction in requests for covered entities to make 
copies because individuals may choose to capture the information they 
need through notetaking, photographing, or other means, and that 
reviewing the PHI may enable individuals to narrow the scope of any 
request for copies. This could reduce costs for covered entities; 
however, the Department lacks sufficient data about the number of 
inspection requests received by covered entities to make a reasonable 
estimate of the projected savings. For individuals who prefer to view 
PHI in person and use their own resources, the proposed changes may 
offer out-of-pocket cost savings. Individuals who would not want to 
view their PHI in person would simply not exercise this new right, but 
would continue to access their PHI as before, thus not incurring any 
new costs or achieving any new savings. The Department requests data on 
the number of requests to inspect PHI received by covered entities and 
the experiences of entities and individuals with how the inspection of 
PHI affects the number, frequency, or scope of requests for copies.
iii. Costs Arising From Changes to the Right to Inspect PHI
    Upon consideration of the instances where PHI is readily available 
at the point of service, such as when viewing x-rays or lab results, 
the Department anticipates that there may be a much greater demand by 
individuals for the ability to use one's own device to capture the 
images or other PHI as a result of this proposal. The Department 
anticipates this would result in individuals having better access to 
their medical information, leading 
them to potentially make better decisions about their health. The 
Department does not anticipate that covered entities would incur 
additional costs for allowing this type of access to ``readily 
available'' PHI, but requests comment on this assumption and data on 
potential costs.
    To the extent that covered entities are currently prohibiting 
individuals from notetaking, photographing, or other ways of capturing 
PHI using their own devices, they would incur costs involved in 
changing the existing policy for in-person access. The Department 
anticipates that a covered entity would need 25 minutes of lawyer time 
\293\ to change its policy and procedure for individuals to inspect 
their own PHI to include taking notes and photographs or using other 
resources to capture the PHI (without connecting to the covered 
entity's system), and may experience costs for adding this policy to 
its HIPAA training content. This would amount to approximately 322,638 
total burden hours for changing related policies and procedures and 
total costs of approximately $45 million. Revising the related training 
content would incur average costs for 20 minutes of a training 
specialist's time \294\ for each covered entity, resulting in total 
increased burden hours of 258,110 and a total cost of approximately $16 
million. The Department seeks comments on the extent to which covered 
entities already have policies permitting individuals to photograph or 
otherwise capture the PHI, and how changing policies to allow such 
activities would increase or decrease costs to the entity or 
individuals. For example, taking a photograph may decrease the time 
spent by individuals reviewing medical records in the covered entity's 
office, decrease the number of subsequent calls to the physician for 
information, or increase adherence to treatment regimens. In 
particular, the Department seeks comments providing any quantifiable 
projected cost increases or decreases due to the proposed changes, 
including allowing individuals to photograph PHI that is readily 
viewable at the point of service in conjunction with a health care 
appointment.
---------------------------------------------------------------------------

    \293\ See Table 4.
    \294\ Ibid.
---------------------------------------------------------------------------

iv. Estimated Cost Savings From Shortening the Access Time Limits
    The Department proposes to shorten the time for covered entities to 
provide copies of PHI from 30 days (with the possibility of one 30-day 
extension) to 15 calendar days, or shorter where practicable (with the 
possibility of one 15 calendar-day extension). The Department lacks 
sufficient data to quantify any potential cost savings to covered 
entities resulting from this proposal; however, the receipt of PHI more 
rapidly from other covered entities may create efficiencies throughout 
the entire health system and contribute to improved health outcomes and 
decreased treatment costs. While the Department believes that many 
covered entities already are providing copies of PHI in far less than 
30 days, the increased certainty provided by the proposed regulatory 
time limit would create additional benefits. For individuals, shortened 
access times may result in cost savings due to an improved ability to 
make timely and cost-effective decisions about treatment options and a 
reduction in duplicative procedures, such as repeat lab tests. For 
example, an individual who is able to receive a timely copy of a lab 
result would be able to share it with a consulting provider who 
otherwise may need to re-order the test, thus saving time and money and 
enabling timely treatment; or a patient considering surgery who is able 
to receive a timely copy of PHI would be able to evaluate treatment 
alternatives with different providers to select which best fits the 
patient's circumstances. In short, the Department projects that the 
ability to obtain health information faster may result in cost savings 
overall. The Department invites comments providing data on projected 
cost savings from shortening the access time limits from 30 days to 15 
calendar days.
v. Costs Arising From Shortening the Access Time Limits
    The Department estimates that at least 50 percent of access 
requests are already being fulfilled in 15 calendar days or less, 
taking into account those covered entities (primarily health care 
providers) subject to state laws with 15-day (or shorter) requirements 
\295\ and other covered entities that fulfill requests in 15 calendar 
days or less voluntarily.\296\ The Department estimates that the burden 
to covered entities to provide copies of PHI to individuals in half the 
time currently permitted would result in increased costs for 
responding to access requests of 1 minute of a medical records 
technician's labor per request, which can be attributed to search and 
retrieval activities that are not included in the allowable labor costs 
that may be charged to individuals. Based on an estimated 1.46 million 
annual total access requests for copies of PHI provided to individuals 
at an average increased labor cost of $.75 per request, the Department 
calculates the total additional annual burden would be approximately 
$918,400. The Department requests comment on these assumptions.
---------------------------------------------------------------------------

    \295\ At least eight states require some health care entities to 
provide copies within 15 days (or a shorter time) by law. Three 
additional states require access to view records within 10 days or a 
shorter period. New York State has published guidance that copies 
should be provided within 14 days, even though it is not a mandatory 
time limit. Thus, providers in three high-population states are 
currently subject to expectations of providing access within 15 days 
or less: New York, California, and Texas. As a percentage of the 
U.S. population, the 8 states with shorter requirements plus New 
York, represent over one-third of individuals (using 2018 
projections based on the 2016 Census Bureau estimates drawn from 
2010 data). There is variability as to how the days are counted 
within the state laws (e.g., working days vs. calendar days); 
however, allowing for the proposed 15-day extension, these state 
requirements are still shorter than the total to be allowed under 
the proposed HIPAA changes.
    \296\ Half of the entities commenting on the RFI access question 
indicated that they are providing access within 15 days or less, 
including some in states where it is not required. In addition, an 
ONC report found that, ``In 2018, about half of individuals were 
offered online access to their medical record by a health care 
provider or insurer. Among these individuals, 58 percent viewed 
their online medical record at least once within the past year. 
Nationally, this represents about three in 10 individuals.'' Patel V 
& Johnson C. (May 2019). Trends in Individuals' Access and Use of 
Online Medical Records and Technology for Health Needs: 2017-2018. 
ONC Data Brief, no. 48, Office of the National Coordinator for Health 
Information Technology: Washington DC, available at 
https://www.healthit.gov/sites/default/files/page/2019-05/Trends-in-Individuals-Access-Viewing-and-Use-of-Online-Medical-Records-and-Other-Technology-for-Health-Needs-2017-2018.pdf (last accessed June 
14, 2019).
---------------------------------------------------------------------------

vi. Estimated Costs and Cost Savings From Addressing the Form and 
Format of Access
    The Department proposes to clarify that a readily producible form 
and format includes access through an application programming interface 
(API) using a personal health application. It also proposes that a 
covered entity must inform any individual to whom it offers to provide 
a summary in lieu of a copy of PHI that the individual retains the 
right to obtain a copy of the requested PHI if the individual does not 
agree to receive such summary. The Department lacks sufficient 
information to quantify the potential costs or cost savings from these 
proposals and requests information about how these proposals would 
affect covered entities, business associates, and individuals.

[[Page 6505]]

vii. Cost Savings From Addressing the Individual Access Right to Direct 
Copies of PHI to Third Parties
    The Department proposes to limit the access right to direct a copy 
of PHI to a third party to only electronic copies of PHI in an EHR. The 
Department proposes to implement this proposal by adding an optional 
element to the Notice of Privacy Practices and changing the allowable 
fees for transmitting such copies--thus, most of the estimated costs 
and cost savings for those changes are discussed as cost transfers in 
separate sections on those topics. However, the Department recognizes 
that covered entities may incur some labor costs for requests by 
individuals under the right of access to direct electronic copies of 
ePHI to a third party and estimates that costs may increase for 25 
percent of the estimated annual 615,000 such requests (153,750) in the 
amount of 2 minutes of labor at the hourly wage of a medical records 
technician ($44.80) or $1.49 per request that cannot be charged to the 
individual as an allowable fee for copies.
    The Department also assumes that many covered entities correctly 
interpret the current HIPAA right to direct the transmission of 
electronic copies of PHI in an EHR to a third party to apply to 
individuals' requests to direct the transmission of such ePHI to 
another provider or to their health plan. With respect to such 
requests, the Department assumes that many covered health care 
providers and health plans are already disclosing PHI to other 
providers and plans in a timely manner, which in most instances would 
be far less than 30 days. The Department further expects that providers 
using HIEs and certified EHR technology (CEHRT) are disclosing ePHI to 
other providers in much less than 15 calendar days, as indicated by 
comments the Department received in response to the RFI. Thus, the 
Department projects that the costs for complying with the proposed 
changes for sending electronic copies of PHI in an EHR to health care 
providers and health plans in no more than 15 calendar days would be 
limited to a small percentage of covered entities and that those costs 
would mostly be attributable to changes in 45 CFR 164.524(c)(3), as 
described in the section above. However, in recognition that covered 
entities are unlikely to recoup costs for requests by individuals under 
the right of access to direct electronic copies of ePHI to health plans 
and health care providers, the Department estimates that costs may 
increase for 25 percent of the estimated annual 615,000 of such 
requests (153,750) in the amount of 4 minutes of labor at the hourly 
wage of a medical records technician ($44.80) or $2.99 per request. 
This is greater than the uncompensated burden estimate for copies sent 
to other third parties because the Department understands that health 
care providers and health plans may not routinely charge any fees for 
disclosures to other covered entities.
    Additionally, the Department proposes, at 45 CFR 164.524(d)(7), to 
require that a covered health care provider or health plan must submit 
a request for an electronic copy of PHI in an EHR from another health 
care provider, to be directed to the requesting covered entity (i.e., 
the third party recipient), when the individual's request is clear, 
conspicuous, and specific, which may be made orally or in writing 
(including an electronically executed request). The Department proposes to require 
that the covered health care provider or health plan must submit the 
access request as soon as practicable, but no later than 15 calendar 
days after receiving the individual's direction and information needed 
to make the request. A health care provider that receives the access 
request would be required to provide the electronic copy requested 
under this section as soon as practicable but no later than 15 calendar 
days upon receipt of an individual's request that is clear, 
conspicuous, and specific. The Department considers that a signed, 
written request and use of a personal health application are both 
examples of means that an individual may use that meet the condition 
that the request be clear, conspicuous, and specific, and that a 
signature may be provided in electronic form.
    Based on comments on the 2018 RFI, in many instances covered 
entities are already requesting copies of PHI from other health care 
providers within 30 days or less of communicating with an individual 
who requests such information to be added to his or her health record. 
The disclosure of PHI to the covered entity that submitted the request 
is permitted without an individual's authorization for purposes of 
treatment, payment, and certain health care operations, as applicable, 
and required under the current right of access when an individual 
submits a written request.\297\ The Department anticipates that with 
the clear and certain path provided by this proposal to obtain ePHI 
from other covered health care providers (who are required to respond), 
covered entities may experience savings from spending less time 
attempting to obtain electronic copies of PHI in an EHR from other 
covered health care providers based on an individual's request. The 
Department has not quantified these cost savings, but invites comments 
on any projected savings to covered entities and/or individuals from 
this regulatory clarification.
---------------------------------------------------------------------------

    \297\ Following the court's ruling in Ciox v. Azar, the 
Department is limiting the right to direct the transmission of PHI 
to third parties to requests for electronic copies of PHI in an EHR.
---------------------------------------------------------------------------

viii. Costs Arising From Changes to the Individual Access Right to 
Direct Copies of PHI to Third Parties
    The Department anticipates that once individuals and third party 
recipients learn about the changes (i.e., limiting the right to only 
directing electronic copies of PHI in an EHR) they likely would shift 
to submitting access requests and authorizations when requesting that a 
complete medical record be sent to a third party. Although covered 
entities may bear some initial costs while the public is adjusting to 
the new requirements, they would benefit financially from the increased 
number of copies for which they can charge a less restricted fee (an 
effect categorized as a ``transfer'' from the society-wide perspective 
reflected in this regulatory impact analysis). The Department estimates 
that covered entities may incur some one-time costs for changing their 
policies and procedures and revising their training program for 
employees who handle access requests, as well as initial implementation 
costs for adjusting to the revised policies and procedures. 
Specifically, the Department estimates that covered entities will incur 
an increase in burden hours for 30 minutes of a lawyer's time to revise 
policies and procedures related to the changes to this part of the 
right of access. Additionally, the Department estimates that covered 
entities will incur an increase in labor expenses for 20 minutes of a 
training specialist's time to incorporate the newly revised policies 
and procedures into the covered entity's existing HIPAA training 
program.
    As stated in the discussion of changes to the proposed access fees, 
the Department estimates a total of 2.46 million access requests per 
year and that half of these are for the individual to obtain his or her 
own records, one-fourth (615,000) are to direct the transmission of 
records to a health care provider or health plan, and the remaining 
one-fourth (615,000) are to direct the transmission of records to a 
third party. Of the 615,000 estimated requests to direct the 
transmission of PHI to a third party other than a health care provider 
or health plan, the

[[Page 6506]]

Department estimates that covered entities would not fulfill half 
(307,500) on the basis that the request is for non-EHR copies of PHI 
(i.e., requests that do not fall within the right of access).
    The cost savings associated with these changes are discussed 
separately as cost transfers in the sections on the proposed changes to 
access fees.
    The Department estimates that covered entities, primarily 
providers, would incur some costs from the proposed new requirement to 
submit requests for access on behalf of individuals who are seeking to 
direct the transmission of electronic copies of PHI in an EHR from 
another health care provider (``Discloser'') to the requesting entity 
(``Requester-Recipient''). The Department estimates that the proposed 
requirement would increase costs for 15 percent of the 615,000 annual 
requests to direct copies of ePHI to health plans and providers 
(92,250) by 3.5 minutes per request at the adjusted labor rate of a 
medical assistant ($34.34, see Table 4), for a total of 5,381 burden 
hours at a total annual cost of $184,792. These costs are presented in 
Table 12 as ongoing costs of the proposed rule.
    The Department does not anticipate that covered entities would 
incur a significant additional burden from an express inclusion of 
health care providers and health plans as recipients to whom 
disclosures are mandated when the individual exercises the right to 
direct the transmission of electronic copies of PHI in an EHR to a 
third party. Based on a notable lack of comments or concerns expressed 
by stakeholders about directing PHI to covered entities as part of the 
right of access, the Department expects that most covered entities have 
correctly interpreted the Privacy Rule and included individuals' 
requests to direct the transmission of ePHI to health care providers 
and health plans into their access request fulfillment process. The 
small proportion of covered entities or business associates who are not 
already fulfilling individuals' access requests to transmit ePHI to 
health care providers or health plans may experience a small increase 
in costs resulting from their current noncompliance. The Department 
estimates that 25 percent of these requests (153,750 total) would 
result in transmitting an electronic copy of ePHI via a non-internet 
based means (e.g., mailing a copy of ePHI stored on electronic media to 
a health plan or health care provider), at a labor cost of 4 minutes of 
a medical records technician's adjusted hourly rate of $44.80, for a 
total annual cost of $459,200.
    Overall, the Department believes that, for covered health care 
providers and health plans, any costs to fulfill requests made under 
this proposal would be counterbalanced by the increased responsiveness 
from other covered entities that would transmit records to them, when 
requested, on a timelier basis, which would improve care and contribute 
to cost reductions.
ix. Estimated Cost Savings and Cost Transfers From Changes to Access 
Fees
    The Department proposes to expressly prohibit covered entities from 
charging fees for access when an individual inspects PHI about the 
individual in person and for copies of PHI that an individual accesses 
using an internet-based method.
    Expressly permitting individuals to copy and photograph their PHI 
for free during an in-person inspection may reduce the number and scope 
of subsequent access requests made by such individuals. In addition, to 
the extent that covered entities increase the free availability of PHI 
via an internet-based method, they may experience a decrease in other 
types of access requests for which costs are incurred. The Department 
expects that individuals may increasingly choose to initiate and obtain 
access via an internet-based method, which will result in cost savings 
to individuals.
    Prohibiting covered entities from recouping certain costs for 
providing electronic copies of PHI, or transmitting an electronic copy 
of PHI in an EHR to third parties, would increase expenses for these 
items: electronic media onto which copies of PHI from an EHR are 
transferred, and actual mailing and shipping costs for electronic 
copies.\298\ At the same time, covered entities' ability to charge fees 
for directing non-electronic copies of PHI and electronic copies of PHI 
not in an EHR to third parties based on a valid authorization would 
reduce unreimbursed costs for covered entities. Of an estimated 2.46 
million annual access requests, the Department assumes that 50 percent 
(1.23 million) are for individuals to directly access PHI, 25 percent 
(615,000) direct copies to health care providers or health plans, and 
the remaining 25 percent (or 615,000) direct copies to other third 
parties, as indicated in Table 6. Of the 615,000 requests directed to 
other third parties, assuming an average record size of 200 pages, 
\299\ the Department assumes 100 pages are electronic copies and 100 
pages are non-electronic copies (a ``hybrid'' records request) because 
it lacks sufficient data to estimate the average length of a record 
that is requested by an individual. The Department expects that there 
is considerable variation, ranging from individuals who seek only 
billing records, those who want only records of a single 
hospitalization, those who request only lab results or a copy of a 
single doctor's order, to those who need a complete longitudinal record 
of all of their medical visits. The Department requests data that would 
refine its assumptions and estimates about the average size of a 
request for access.
---------------------------------------------------------------------------

    \298\ OCR's Breach Portal reflects numerous breaches involving 
the loss or destruction during transit of mailed electronic media, 
such as USB drives and CDs, affecting thousands (or more) of 
individuals. See https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.
    \299\ See Lye CT, Forman HP, Gao R, et al. ``Assessment of US 
Hospital Compliance With Regulations for Patients' Requests for 
Medical Records.'' JAMA Netw Open. 2018;1(6):e183014, available at 
https://jamanetwork.com/journals/jamanetworkopen/fullarticle/2705850, citing a study evaluating the state of medical records 
request processes in US hospitals in which a hypothetical assumption 
of 200 pages per request was used. The Department requests comment 
and evidence regarding the actual lengths of medical records.

    Table 6--Estimated Number of Annual Access Requests, by Recipient
------------------------------------------------------------------------
                                                             Number of
                 Recipient of PHI copies                      access
                                                             requests
------------------------------------------------------------------------
Individuals.............................................       1,230,000
Health Care Providers and/or Health Plans...............         615,000
Third Parties other than Providers and/or Plans.........         615,000
    Total...............................................       2,460,000
------------------------------------------------------------------------

    Under the Department's proposed changes, covered entities would be 
disallowed from charging for certain expenses that the Privacy Rule 
currently allows when providing copies to an individual and when 
directing an electronic copy of PHI in an EHR to a third party under 
the right of access. The non-chargeable expenses would be the portion 
of costs attributable to emailing, mailing, or shipping the electronic 
copies and the costs of electronic media requested by individuals. 
Labor costs for copying or transferring EHR records to another 
electronic format (such as a PDF) or onto electronic media (e.g., CDs, 
USB drives) would continue to be allowed as part of a reasonable, cost-
based access fee. Table 7 indicates the allowable and non-allowable 
expense items for directing copies of PHI to third parties under the 
current right of access and as proposed.

[[Page 6507]]



 Table 7--Allowable and Non-Allowable Elements of Expenses Incurred for
    Transmitting Copies of Electronic PHI in an EHR to a Third Party
------------------------------------------------------------------------
                                                        Expense allowed
          Cost elements               Expense item       under proposed
                                    currently allowed         rule
------------------------------------------------------------------------
Labor for making requested copies  Yes...............  Yes
Postage and shipping.............  Yes...............  No
Electronic media.................  Yes...............  No
Copying supplies.................  Yes...............  No
Costs of searching, retrieving,    No................  No
 collating or preparing the PHI
 for copying.
Costs of EHR and other electronic  No................  No
 information systems.
------------------------------------------------------------------------

    The Department has not estimated postage or shipping costs in 
earlier Privacy Rule rulemaking because the rule permitted actual costs 
for those expenses to be passed on to the individual making the request 
for copies of PHI. To estimate how the proposed changes would affect 
covered entities, the Department has estimated that a 100-page paper 
record (one pound of material) can be shipped via U.S. Mail for $7.50 
and a CD or USB drive can be shipped for $3.00.
    To readily compare the potential burden or burden reduction from 
various types of requests to direct copies of PHI to third parties, the 
Department presents its estimates in the charts below and provides 
detailed explanations of the included cost items for each calculation 
under the current rule, state law, and the proposed rule in the 
paragraphs that follow. State law remains a relevant consideration in 
two ways. First, to the extent that state law limits on fees for copies 
of medical records for individuals are lower than the limits in the 
Privacy Rule, the state law applies. For instance, some states require 
a free copy for individuals who are indigent or who are applying for 
public benefits. Second, for copies of PHI provided in response to a 
valid authorization, the Privacy Rule limits the allowable fee to ``a 
reasonable, cost-based fee to cover the cost to prepare and transmit 
the protected health information for such purpose or a fee otherwise 
expressly permitted by other law'' \300\ (absent an authorization 
including a statement that the disclosure will result in remuneration 
to the covered entity). ``Other law'' includes, among other sources of 
law, state medical records laws addressing allowable fees for copies.
---------------------------------------------------------------------------

    \300\ 45 CFR 164.502(a)(5)(ii)(B)(2)(viii).

Table 8--Estimated Fees for Copying and Sending a 200-Page Hybrid Record
  (100 Electronic Pages and 100 Non-Electronic Pages) to a Third Party
------------------------------------------------------------------------
                                                            Estimated
                                                          allowable fees
 Estimated allowable fees for a 200-page hybrid record    for a 200-page
                 under the current rule                   hybrid record
                                                         under state law
------------------------------------------------------------------------
$25.23.................................................         $133.50
------------------------------------------------------------------------


     Table 9--Estimated Fees for Copying and Sending a 100-Page Record to a Third Party
     (column numbers are those referenced in the text that follows)
------------------------------------------------------------------------
 Column   Record type and applicable rule                    Estimated
                                                            allowable fee
------------------------------------------------------------------------
   1      100 non-electronic pages under state law.......         $88.16
   2      100 electronic pages under state law...........         $76.70
   3      100 non-electronic pages under the current rule          $16.74
   4      100 electronic pages under the current rule....          $8.49
   5      100 electronic pages (in an EHR) under the
           proposed rule.................................          $1.49
------------------------------------------------------------------------

Allowable Access Fees Under Current Rule To Send a Copy to a Third 
Party
    The Department's estimate of allowable costs that may be charged 
for a 200-page hybrid record directed to a third party under the 
current right of access is approximately $14.73 (estimating $3.73 for 5 
minutes of labor \301\ and $11 for supplies \302\) per request, plus 
estimated postage and shipping of $10.50 or $25.23 total. See Table 8. 
This represents an overall increase in labor of 2 minutes above the 
Department's prior burden estimates of 3 minutes for all access 
requests. The updated estimate allows 3 minutes of labor for the non-
electronic copies and 2 minutes of labor for electronic copies, 
resulting in total allowable labor costs of 5 minutes for a hybrid 
record. The updated estimated allowable fee under the current rule for 
only the electronic portion of the request (100 pages in electronic 
format) is $5.49 ($1.49 for 2 minutes of labor and $4 for electronic 
media) plus postage of $3.00 or $8.49 total per request. See column 4 
of Table 9. The estimated allowable fee under the current rule for only 
non-electronic copies (100 pages) is $9.24 (estimating $2.24 for 3 
minutes of labor and $7 for supplies), plus postage of $7.50 or $16.74 
total. See column 3 of Table 9.
---------------------------------------------------------------------------

    \301\ See Table 4, median adjusted wage rate for medical records 
technician of $44.80.
    \302\ The costs of supplies includes $7 for paper, toner, etc., 
and $4 for electronic media such as a USB drive.
---------------------------------------------------------------------------

    In addition to the costs that may be charged as fees for providing 
copies, the Department estimates a previously unacknowledged burden of 
2 minutes of labor per request that is not allowed to be charged to the 
individual or the third party recipient of the ePHI for copies that are 
sent via a non-internet method (e.g. on electronic media that is 
mailed). The Department assumes that none of the costs for electronic 
copies of ePHI sent to third parties that are health plans and health 
care providers through a non-internet method would be recouped as fees 
charged to individuals or the covered entity recipients. In recognition 
of this burden, the Department also estimates that all of the labor for 
sending electronic copies of ePHI to third parties that are health 
plans and health care providers is uncompensated, resulting in a 
previously unacknowledged uncompensated burden of 4 minutes of labor 
per request for electronic copies of ePHI sent to third parties that 
are health plans and health care providers through a non-internet 
method at the direction of the individual. The Department acknowledges 
the lack of data on actual labor associated with sending electronic 
copies of ePHI because some copies will be sent on electronic media and 
some by internet. The Department estimates no labor for sending copies 
via an internet-based method. These adjusted estimates

[[Page 6508]]

are included in the uncertainty analysis in subsection m. and the 
burden estimates in section G., Paperwork Reduction Act.
Allowable Fees Under State Law for Sending Copies of Medical Records to 
a Third Party
    The Department estimates that the average charge allowed by state 
law for a 200-page hybrid record directed to a third party is $123 per 
request (including a handling or administrative fee \303\ not allowed 
by the Privacy Rule), plus postage and shipping of approximately 
$10.50. This would result in an estimated total of $133.50 in state-
allowed fees for a 200-page hybrid request. See Table 8. The estimated 
state-allowed fee for 100 electronic pages that are not contained in an 
EHR is $73.70 plus $3 postage for sending a USB drive or $76.70 total. 
See column 2 of Table 9. The estimated state-allowed charge for 100 
non-electronic pages is $80.66 plus $7.50 for postage or $88.16 total. 
See column 1 of Table 9.
---------------------------------------------------------------------------

    \303\ In states that have one search fee for electronic copies 
and another search fee for paper copies, the Department assumes that 
a covered entity would only charge the individual one administrative 
fee for a hybrid request.
---------------------------------------------------------------------------

Allowable Fees Under Proposed Rule for Sending an Electronic Copy of 
PHI in an EHR to a Third Party
    The estimated average allowable fee under the proposed rule (100 
pages in electronic format) is $1.49 per request (estimating 2 minutes 
for labor).
    In developing its estimated costs and cost benefits the Department 
employed several methods to arrive at a range of costs and cost 
benefits and average estimated costs and cost benefits for the proposed 
adjustments to the allowable access fees.
Methodology 1
    The Department applied its estimated fees to a 200-page hybrid 
record and compared the costs under the proposed changes to a baseline 
of $25.23 in estimated allowable costs under the current right of 
access. See Table 8. The resulting estimated cost savings for three 
different types of requests are as follows.
When a Request is Entirely for Copying and Sending Copies That are not 
Contained in an EHR (100 Non-Electronic Pages and 100 Electronic Pages) 
to a Third Party
    Under the proposed rule, a covered entity could charge the state 
law rate ($133.50) or $108.27 more for the request than allowed under 
the current rule.\304\ For an estimated annual total of 615,000 
requests directed to a third party, this type of request would generate 
an estimated cost savings for covered entities of $66,586,050.
---------------------------------------------------------------------------

    \304\ $133.50 minus $25.23.
---------------------------------------------------------------------------

When a Request is for 100 Electronic Pages That are not in an EHR and 
100 Electronic Pages That are in an EHR
    Under the proposed rule, a covered entity could charge the state 
law rate for copying and sending 100 electronic pages not in an EHR 
($76.70) plus the allowable labor for copying the 100 EHR pages ($1.49) 
for a total of $78.19 or $52.96 more per request than allowed under the 
current rule.\305\ For an estimated annual total of 615,000 requests 
directed to a third party, this type of request would generate an 
estimated cost savings for covered entities of $32,570,400.
---------------------------------------------------------------------------

    \305\ $78.19 minus $25.23.
---------------------------------------------------------------------------

When a Request is for 100 Non-Electronic Pages and 100 Electronic Pages 
That are in an EHR
    Under the proposed rule, a covered entity could charge the state 
law rate for copying and sending 100 non-electronic pages ($88.16) 
based on a valid authorization, plus the allowable labor for copying 
the 100 EHR pages ($1.49) under the right of access, for a total of 
$89.65 or $64.42 more per request than allowed under the current 
rule.\306\ For an estimated annual total of 615,000 requests directed 
to a third party, this type of request would generate an estimated cost 
savings for covered entities of $39,618,300.
---------------------------------------------------------------------------

    \306\ $89.65 minus $25.23.
---------------------------------------------------------------------------

    To summarize, under the options presented above, the Department 
estimates that the cost savings of the proposed changes to the access 
right to direct an electronic copy of PHI in an EHR to a third party 
and allowable fees for directing copies of PHI to third parties, would 
range from $53 to $108 per request.
Methodology 2
    The Department also applied a second method for estimating the 
potential costs and cost savings of the proposed fee changes. Under the 
second approach, the Department assumed that half of the 615,000 annual 
requests to direct copies of PHI to a third party would be for 
electronic copies of PHI in an EHR (307,500) and that half would no 
longer fall within the right of access (307,500), but then would be 
disclosed with a valid authorization. Costs for covered entities would 
increase for the estimated 307,500 requests that are accepted (for 
electronic copies of PHI in an EHR) by an estimated $7 per request in 
supplies and postage they would no longer be able to recoup in fees, 
for a total estimate of $2,152,500 annually.\307\ Cost savings for 
covered entities would accrue for the estimated 307,500 requests that 
are no longer within the right of access (for non-electronic copies or 
electronic copies not in an EHR) by an estimated $108.27 for a total 
estimate of $33,293,025 \308\ annually. This estimation method would 
result in an estimated net cost savings for covered entities of 
$31,140,525 annually ($33,293,025 minus $2,152,500).\309\
---------------------------------------------------------------------------

    \307\ $7 multiplied by 307,500 requests.
    \308\ $108.27 multiplied by 307,500 requests.
    \309\ Estimated net costs subtracted from estimated net savings.
---------------------------------------------------------------------------

Summary Results of the Department's Estimated Costs and Cost Savings 
for Proposed Fee Adjustments
    Under the proposed changes, a covered entity would be allowed to 
charge less per request to transmit an electronic copy of PHI to a 
third party under the right of access and significantly more per 
request to send non-electronic copies or electronic copies not 
maintained in an EHR to a third party with a valid authorization, as 
compared to what is allowed under the current right of access. Under 
the several methods for calculating estimated fees for copies of PHI 
the Department estimates total annual cost savings for covered entities 
ranging from $31 million to $67 million, or an average of $43 million. 
However, the Department estimates that all of these cost savings on the 
part of covered entities would be transferred to individuals and/or 
their third party designees as costs. The Department estimates that 50 
percent of these costs savings would be transferred as an additional 
cost imposed on individuals and the other 50 percent would be 
transferred to the third parties to whom the PHI is directed. For each 
of the estimated 615,000 requests that would have been made under the 
current rule to direct the transmission of copies of PHI to a third 
party under the right of access the allowable fee for copies would 
increase by an estimated average of $70 ($43 million in estimated 
annual cost savings divided by 615,000 requests).
    The Department seeks comments on these estimates, averages, and 
assumptions underlying its analysis and invites comments on the number 
and type of access requests received by covered entities, costs 
incurred, and fees charged.

[[Page 6509]]

x. Costs Arising From Changes to Access Fees
    The Department anticipates that the burden on covered entities for 
drafting or updating their access fee schedules would include the one-
time costs for a lawyer to review the new HIPAA provisions and evaluate 
the entity's fee structure based on changes to allowable access fees. 
This would include lawyer time at an adjusted mean hourly rate of 
$139.72. For each covered entity, the Department estimates an average 
of three hours for a lawyer to make policy and procedure revisions 
related to all the proposed changes to the right of access, including 
allowable fees. In total, the Department estimates 2,322,993 burden 
hours, for approximately $325 million in lawyers' costs related to the 
proposed changes to the right of access.
    Covered entities also would need to add new access fee policies and 
procedures to their HIPAA training content. In its estimates, the 
Department includes two hours and thirty minutes of a training 
specialist's time for each covered entity to revise the training 
content for all of the proposed changes to the right of access, 
including fees and responding to requests for fee estimates, at an 
adjusted mean hourly rate of $63.12. The Department believes this 
estimate is reasonable, but welcomes comment and data to further inform 
its assumption. In total, the Department estimates 1,935,828 burden 
hours for all of the revisions to training content related to the right 
of access and costs of approximately $122 million. The Department 
assumes, for all of the proposed changes, that entities would 
incorporate the updated training content into their ongoing HIPAA 
training program, and that for most workforce members there would be no 
additional training costs for the time spent in HIPAA training. 
However, for medical records technicians, the Department has estimated 
an average seven-minute increase in the time spent in training on 
the proposed right of access changes in the first year of 
implementation, for a total estimate of 90,339 burden hours at a total 
estimated cost of $4 million.
    Free Access for Inspecting PHI In-Person: To the extent that 
covered entities are charging individuals for the copies individuals 
make with their own devices or resources, the covered entities would 
incur some loss of revenue; however, the Department anticipates that 
any loss would be minimal and that covered entities do not view this as 
a significant source of revenue, if any do charge a fee to inspect PHI 
in person. The Department seeks comments on the number of requests 
covered entities receive to inspect PHI in person and on the number of 
covered entities that charge fees for or prohibit individuals from 
making copies with their own devices or taking notes of their own PHI, 
and if so, the amount of fees charged for such activities.
    Free Internet-Based Access: Because covered entities do not incur 
additional costs for labor, supplies, or postage for this method of 
providing access and because it only applies to covered entities that 
choose to use this method, the Department does not anticipate an 
increased burden for expressly requiring entities to provide such 
access for free. The Privacy Rule requires a covered entity to provide 
an individual with access to existing PHI maintained electronically in 
the electronic form and format requested, if it is readily producible, 
but neither the current access standard nor this proposed change would 
require covered entities to create a patient portal or other internet-
based access method. In practice, such internet-based access is 
``readily producible'' for most covered entities that use EHRs because 
the Office of the National Coordinator for Health IT requires an EHR to 
implement API technology in order to be certified.\310\
---------------------------------------------------------------------------

    \310\ In the Cures Act Final Rule, ONC has adopted a new secure, 
standards-based API certification criterion in Sec.  170.315(g)(10) 
to implement the 21st Century Cures Act's requirement that 
developers of certified health IT publish APIs that can be used 
``without special effort.'' See https://www.healthit.gov/cures/sites/default/files/cures/2020-03/APICertificationCriterion.pdf.
---------------------------------------------------------------------------

    Reducing the Expenses that can be Included in Calculated Access 
Fees for Providing Individuals with Copies of PHI in an EHR on 
Electronic Media: The Department proposes to disallow covered entities 
from charging individuals for the costs of electronic media and postage 
when providing access by mailing copies of PHI in an EHR on electronic 
media. The Department estimates that the costs of electronic media may 
range from $1 for a CD to $4 for a USB drive and the postage may range 
from $1 to $3, resulting in a range of estimated increased costs of $2 
to $7 per request of this type or an average estimated increase of 
$4.50. The Department estimates that half of the 2.46 million total 
estimated annual access requests (or 1.23 million) would be made by 
individuals to obtain copies of PHI for themselves, and that half of 
those requests would be for non-electronic copies of PHI (or 615,000), 
one-fourth would be for internet-based access (or 307,500), and one-
fourth would be subject to the proposed fee limitations for sending 
copies on electronic media (or 307,500). Thus, the Department 
estimates a total cost incurred by covered entities of $1,383,750 due 
to this proposal. At the same time, these are costs that would have 
been borne by individuals, and thus may be considered a cost transfer 
from individuals to covered entities as reflected in Table 17.
    Narrowing the Scope of Requests to Direct PHI to Third Parties that 
are Subject to the Access Fee Limits: Allowing covered entities to 
charge higher access fees than currently permitted when directing non-
electronic copies of PHI or electronic copies of PHI not in an EHR to 
third parties, based on a valid authorization rather than an access 
request, would reduce their burden for directing copies of PHI to a 
third party, and shift the costs to the individuals or to the third 
parties to whom the responses to such requests are directed. Because 
individuals still may request copies of records to be sent to the 
individuals themselves at the lower rate currently allowed under the 
Privacy Rule, this proposed change would not impede individuals from 
receiving their own PHI; however, it may cause some individuals to bear 
the burden of transmitting non-EHR ePHI to some third parties to avoid 
the higher fees, expend higher amounts for using a valid authorization 
to request that the PHI be disclosed to a third party, or avoid making 
some requests to direct copies of non-electronic PHI to a third party. 
The Department has insufficient information to quantify the potential 
increased burden on individuals for these options and welcomes 
information and comment on these potential changes to individuals' 
expenditures of time and money.
xi. Estimated Cost Savings From Requiring Covered Entities To Provide 
Access and Authorization Fee Information
    The Department proposes, in a new 45 CFR 164.525, to 
require a covered entity to provide advance notice to individuals of 
the fees the entity charges for providing copies of PHI. Specifically, 
the Department proposes to require a covered entity to (i) post a fee 
schedule for standard or common types of access requests, including all 
types of access which are free, on the entity's website (if it has 
one), and make the fee schedule available to individuals; (ii) provide, 
upon request, an individualized estimate of the approximate fee that 
may be charged for the requested copy of

[[Page 6510]]

PHI, including any associated fees that may impact the form, format, 
and manner in which the individual requests or agrees to receive a copy 
of PHI; and (iii) upon request, provide an individual with an itemized 
list of charges for labor, supplies, and postage, if applicable, that 
constitute the total access fee charged. Finally, the Department 
proposes that such requests not automatically extend the deadline by 
which a covered entity is required to respond to an access request.
    The Department thinks it is likely that covered entities that 
provide fee estimates for access and disclosures pursuant to a valid 
authorization would find that such action results in a narrower scope 
for some requests than would exist without the changes, improved 
collection rates for access fees, and reduced time needed for workforce 
members to resolve access payment disputes and complaints. Thus, the 
Department believes that the benefits of changing covered entities' 
access procedures in a way that incentivizes individuals to make more 
targeted access requests and informs them of fees in advance would 
counterbalance the burdens on covered entities. However the Department 
has no data with which to estimate the reduction in burden and welcomes 
comments on this change, including covered entities' experiences with 
the collection of access and authorization fees, the factors affecting 
the scope of individuals' requests for copies, and the costs to covered 
entities for handling fee disputes.
xii. Costs Arising From Requiring Covered Entities to Provide Access 
and Authorization Fee Information
    Posting the fee schedule online or otherwise making the access and 
authorization fee schedule available: In calculating covered entities' 
burdens for posting a notice of access and authorization fees, the 
Department presumes that a number of entities charge no fees for copies 
provided under the access right \311\ or for copies sent to other 
covered entities. These entities would have no burden for complying 
with the new notice provision.
---------------------------------------------------------------------------

    \311\ OCR's 2016 Access Guidance encourages covered entities to 
provide individuals with a free copy. At least one state, Kentucky, 
requires certain health care entities to provide an initial free 
copy, KRS section 422.317(1). Several states require a free copy for 
persons who are indigent and/or applying for public benefits. See, 
e.g., California, CA Health and Safety Code Sec.  123110(d), (e), 
Connecticut, Conn. General Statutes Sec.  20-7c(d), Massachusetts, 
MGLA Ch. 111 Sec.  70 and MGLA Ch. 112 Sec.  12CC, Michigan, Mich. 
Comp. Laws 333.26269, sec. 9(4), Nebraska, Neb. Rev. Stat Sec.  71-
8405, Nevada, Nev. Rev. Stat. Sec.  629.061(5), Ohio, Ohio Revised 
Code, section 3701.741(C), Rhode Island, RI Sec.  23-17-19.1(16), 
Tennessee, TCA Sec.  68-11-304(a)(2)(B), Texas, Texas Code, Health & 
Safety Sec.  161.202, Vermont, 18 V.S.A. Sec.  9419, and West 
Virginia, WV Code Sec.  16-29-2(g).
---------------------------------------------------------------------------

    The Department seeks comments on the number of covered entities 
that charge fees only for copies provided based on a valid 
authorization, and no fees for fulfilling requests pursuant to the 
right of access.
    The Department assumes that all entities that charge for providing 
copies of PHI already have some type of standard fee structure. The 
Department also presumes that some covered entities have already posted 
an online access and authorization fee schedule consistent with 
existing guidance recommending this practice, although this is not 
required by the Privacy Rule, and have been making it available to 
individuals. For those covered entities that have not yet posted the 
fee schedule online, the costs of doing so should be minimal because 
this requirement only applies to entities that have a website. The 
Department anticipates that posting an online notice of access and 
authorization fees would require the costs of reviewing, formatting, 
and posting one document. Making the notice available may include, for 
example, having copies available in the office where individuals make 
access and authorization requests or emailing it to individuals upon 
request.
    Because the proposed change requires covered entities to make the 
access and authorization fee schedule available at the point of service 
and upon request (in addition to posting online when a website is 
utilized), it may be least burdensome for entities to add the fee 
schedule to their access and authorization request forms (although the 
Department does not propose to require this, or to require the use of a 
standard form for access requests), resulting in no additional labor 
costs for distribution. Further, for covered entities that already have 
a fee schedule, the proposed change would only require revisions to an 
existing document, resulting in no additional costs for paper. The 
Department estimates the potential burden on all covered entities 
(774,331) as the cost of 10 minutes of a web developer's time at a rate 
reported in Table 4, for a total labor cost of approximately $10 
million. Although the Department assumes that 35 percent of covered 
entities have already posted an access and authorization fee schedule 
available, as discussed in the baseline assumptions following Table 4, 
it recognizes that all covered entities may need to post an updated fee 
schedule and accounts for this in its estimates. In addition, the 
Department estimates that all covered entities will incur first-year 
and ongoing capital costs for making the fee schedule available at a 
cost of $0.10 for paper and printing or a total of $232,299. This 
assumes each covered entity prints an average of three copies of the 
fee schedule as a separate document. We anticipate that covered 
entities will provide the fee estimate in a variety of ways, not all of 
which will incur additional costs, such as including the fee schedule 
on the access and/or authorization form and providing it 
electronically. The Department seeks comments and data on its 
assumptions, and on the number of covered entities that require 
individuals to use an access request form and how many currently make 
an access and/or authorization fee schedule available to individuals, 
either online or through other means, such as email or telephonically.
    Providing the individual, upon request, with an individualized 
estimated access and/or authorization fee: The proposed changes would 
require billing information to be provided to individuals in advance as 
an estimate, upon request. Providing advance notice of the fees for 
providing the requested PHI would require a statement of charges 
pertinent to the individual's request (e.g., giving some estimate of 
the number of pages if a per page fee is involved, identifying whether 
records are in paper or electronic form, and giving an estimate of the 
individual's access and/or authorization fees). The Department assumes 
that three percent of 2.46 million total access requests, or 73,800, 
would result in a request for a fee estimate at a cost per request of 
three minutes of a medical records technician's time, at the rate 
reported in Table 4, for a total new labor cost of approximately 
$165,312. The Department assumes that most of the requested fee 
estimates will be provided electronically or orally, and that only a 
small proportion will result in mailing a paper copy of the estimate to 
the individual. Thus, the Department estimates that 15 percent of 
73,800 requests for an access fee estimate (or 11,070) would need to be 
printed and mailed, at a total estimated capital expense of $7,638 at a 
cost of $0.69 per estimate. The Department anticipates that many 
covered entities are already providing access fee estimates, as 
recommended in OCR's 2016 Access Guidance; however, the Department

[[Page 6511]]

seeks comments on the number of covered entities that provide estimates 
of access and authorization fees.
    Providing an itemized list of allowable access and authorization 
charges for labor, copying, and postage: The Department assumes that: 
(a) Many entities are already providing this information when requested 
by an individual as recommended in OCR's existing guidance, although it 
is not required by the Privacy Rule; and (b) a small proportion of 
individuals who request copies of PHI will make such requests. Limiting 
this requirement to instances when the cost details are requested would 
further minimize the burden of this proposed change. The Department 
estimates the potential labor costs as one minute of a medical records 
technician's time at the hourly rate of $44.80 for an estimated 24,600 
annual requests for an itemized list of access charges, or a total of 
410 burden hours and $18,368 in total costs. The Department estimates 
that covered entities would incur capital costs for printing one sheet 
of paper at a cost of $0.10 per request for an itemized list of charges 
and no additional postage because the itemized list of charges would be 
included with the copies of PHI sent to the individual, for a total 
cost of $2,460 annually. The Department seeks comments on the number 
(and relative volume) of requests for the specific details of allowable 
charges for copies of PHI that covered entities receive from 
individuals or their personal representatives.
xiii. Estimated Cost Savings From Changes to the Verification 
Requirements
    The Department proposes to add a new paragraph (v) to 45 CFR 
164.514(h)(1), which would state that a covered entity may not impose 
identity verification requirements on an individual that would serve as 
a barrier to or unreasonably delay the individual from exercising an 
individual right under HIPAA when a less burdensome measure is 
practicable for the covered entity. Individuals would accrue cost 
savings by reductions in expenses for obtaining notarized documents, 
traveling in person to request access, paying verification fees, or 
meeting other unreasonable verification practices. Because the 
Department assumes that most entities do not impose such barriers to 
individual access, the Department anticipates that the total cost 
savings will be modest, but they may be significant for any particular 
affected individual. The Department invites comment and examples of the 
extent to which covered entities impose measures that some may view as 
unreasonable and create costs for individuals when seeking to request 
access to PHI.
xiv. Costs Arising From Changes to the Verification Requirements
    The Department, based on OCR's experience with HIPAA enforcement 
and recommendations in guidance, anticipates that most entities already 
are avoiding unreasonable verification measures. However, OCR has 
received some complaints and anecdotal reports that some entities are 
forcing individuals to engage in these burdensome practices, such as 
obtaining a notarized signature or appearing in-person to make an 
access request. The Department estimates that 5% of covered entities 
(38,717), and any business associates that fulfill requests for access 
on their behalf, would need to modify their verification policies and 
forms and update related HIPAA workforce training content. The 
Department estimates that these covered entities would incur costs for 
30 minutes of a lawyer's time (or $69.86) to revise these policies and 
procedures, and costs for 10 minutes of a training specialist's time 
(or $10.52) to update the HIPAA training content on this provision for 
a total of approximately $80.38 per covered entity. As the Department 
does not have data upon which to refine its assumptions and estimates, 
the Department invites comments in this regard for future 
consideration, as well as on any costs associated with implementing the 
proposed changes.
xv. Estimated Cost Savings From Adding an Exception to the Minimum 
Necessary Standard for Care Coordination and Case Management for 
Individuals
    The Department proposes to add, at 45 CFR 164.502(b)(2), an express 
exception to the minimum necessary standard for disclosures to or 
requests by a covered health care provider for individual-level care 
coordination and case management activities that constitute treatment 
or health care operations. The Department expects to achieve 
significant cost savings from this proposal. The Privacy Rule generally 
requires a covered entity to make reasonable efforts to limit use of, 
disclosure of, and requests for, PHI to the minimum necessary to 
accomplish the intended purpose and to make an assessment of what PHI 
is reasonably necessary for a particular purpose. These requirements 
apply to all requests for, and disclosures of PHI for payment and 
health care operations purposes, including care coordination and case 
management. In some circumstances, a covered entity may, but is not 
required to, rely on representations by a requesting covered entity 
that the amount of PHI requested is the minimum necessary. In such 
cases, the disclosing covered entity remains responsible for 
determining when such reliance is reasonable under the 
circumstances.\312\
---------------------------------------------------------------------------

    \312\ See 45 CFR 164.514(d)(3)(iii).
---------------------------------------------------------------------------

    The Department lacks quantifiable data on the number of such 
determinations that occur in every covered entity and requests comment 
on the number of determinations, the type and level of workforce 
members making the determinations, and how such determinations are made 
consistent with an entity's minimum necessary policies and procedures. 
The Department assumes that any covered entity makes numerous minimum 
necessary determinations daily as to whether a request or disclosure 
related to patient information can be made consistent with the covered 
entity's policies and procedures. The Department estimates that each 
covered health care provider and health plan would save 25 minutes per 
month in time currently spent considering requests for care 
coordination and case management disclosures, to determine whether the 
information requested could be provided consistent with its internal 
minimum necessary policies, and to follow the requisite procedure for 
doing so.
    The Department assumes that this proposal would relieve covered 
entities from the requirement to make determinations about the minimum 
information necessary to accomplish the purpose of a disclosure (or 
whether it is reasonable to rely on the requestor's representation that 
it is requesting the minimum necessary) when the request is from, or 
the disclosure is made to, a covered health care provider or health 
plan for individual-level care coordination and case management 
activities. In the 2000 Privacy Rule, the Department estimated that the 
minimum necessary requirement was one of the two largest cost items of 
the Privacy Rule, imposing a likely burden of $926.2 million in the 
first year and $536.7 million annually in subsequent years.\313\ 
Specifically, the Department estimated that on ``an annual ongoing 
basis (after the first year), hospitals will require 320 hours, health 
plans 100

[[Page 6512]]

hours, and nonhospital providers 8 hours to comply with this 
provision.''
---------------------------------------------------------------------------

    \313\ 65 FR 82461, 82760, 82767 (December 28, 2000).
---------------------------------------------------------------------------

    The Department has attempted to refine its estimates related to 
minimum necessary by reviewing publicly available materials from the 
Agency for Healthcare Research and Quality Medical Expenditure Panel 
Survey,\314\ and the Centers for Disease Control and Prevention 
National Health Interview Survey \315\ for additional data, but was 
unable to locate recent responsive information. Most recently, 
commenters on the 2018 RFI described how the minimum necessary standard 
had a negative impact on the ability of a covered entity to promote 
care coordination and case management. For example, one commenter noted 
that accountable care organizations rely on care coordination and case 
management to improve quality and costs, but believed that the current 
rule hampered the ability to receive complete data sets to conduct 
these activities.\316\ Another commenter noted that minimum necessary 
requirements, when applied to population-based services and wellness 
activities, ``hindered'' the advancement of population-based 
analytics,\317\ while yet another commenter described it having a 
``detrimental impact'' on the ability of clinical registries to 
contribute expertise and research toward value-based care models.\318\ 
None of the commenters estimated the amount of time it takes a covered 
entity to make a minimum necessary determination. The Department does 
not intend to give the comments cited here more weight than other 
comments submitted in response to questions about minimum necessary 
determinations in the 2018 RFI. The Department does intend to 
illustrate that some covered entities continue to view minimum 
necessary determinations as burdensome and to the extent a new 
exception for care coordination and case management would relieve this 
burden, should be quantified as a cost savings. The Department requests 
comment on this approach.
---------------------------------------------------------------------------

    \314\ Available at https://www.meps.ahrq.gov/mepsweb/.
    \315\ Available at https://www.cdc.gov/nchs/nhis/index.htm.
    \316\ Comment No. HHS-OCR-2018-0028-0601.
    \317\ Comment No. HHS-OCR-2018-0028-0998.
    \318\ Comment No. HHS-OCR-2018-0028-0990.
---------------------------------------------------------------------------

    The public comments on the 2018 RFI make clear that there is a 
burden associated with making minimum necessary determinations with 
respect to uses and disclosures of PHI for care coordination and case 
management, and therefore savings will be associated with relief from 
the burden. The Department's proposed estimates are informed first by 
the cost burdens the Department first identified in the 2000 Privacy 
Rule and for which the Department has not received public input to the 
contrary. The proposed estimates also are informed by the understanding 
that a covered entity is able to rely on the representations of certain 
requestors about the minimum necessary information to accomplish the 
purpose of a use or disclosure, and that minimum necessary 
determinations are a component of every covered entity's workflow. For 
purposes of calculating burden, the Department assumes that minimum 
necessary determinations generally are made outside of a patient 
encounter by workforce members at a registered nurse level, although 
the Department believes workforce members at a variety of levels in an 
organization may apply a covered entity's minimum necessary policies 
and procedures to routine disclosures of PHI. Recognizing the 
variability among the types and complexity of requests for PHI received 
by various types of covered health care providers and health plans, and 
that some record requests are not subject to the minimum necessary 
standard (e.g., requests from treating providers or requests 
accompanied by authorizations from individuals), the Department has 
calculated a range of estimates for cost savings resulting from the 
combined effects of the proposed regulatory modifications to the 
definition of health care operations, and to the minimum necessary 
standard for disclosures for care coordination. At the low end, the 
Department estimates a cost savings of 1 hour of labor annually per 
covered entity at the adjusted mean hourly rate of a health services 
manager ($110.74, including benefits) for a total reduction of 774,331 
burden hours and an annual cost savings of $85,749,415. At the high 
end, the Department estimates cost savings of 7 hours of labor for a 
total annual reduction of 5,420,317 burden hours and $600,245,905 in 
cost savings.
    The Department proposes to adopt the mid-range estimate of burden 
reduction, which is 4 hours per covered entity per year for an annual 
reduced total of 3,097,324 burden hours and $342,997,660 in total 
annual projected cost savings. The estimate assumes that covered 
entities already are making minimum necessary determinations as part of 
normal workflow. These proposals do not introduce a new process into 
that workflow, but likely will tilt the scale in favor of disclosure 
rather than non-disclosure. The difference in the low and high end of 
the range is based on the Department's assumption that there is a wide 
range in the level of complexity of minimum necessary determinations 
that each covered entity makes for routine and non-routine requests 
for, or disclosures of, PHI. Using the mid-range estimate, the 
Department estimates that under the current rule covered entities 
spend, on average, one and a half hours of workforce member time per 
month evaluating uses and disclosures to comply with the minimum 
necessary requirement, or 18 hours annually. The Department estimates 
that the cost savings from its proposed changes with respect to uses 
and disclosures in connection with care coordination and case 
management would equal 25 minutes of burden reduction for each covered 
entity for a total annual burden reduction of 4 hours per covered 
entity, resulting in remaining annual burden for complying with the 
minimum necessary requirement of 14 hours on average. The Department 
welcomes comments and information about its estimates and the 
assumptions underlying its proposed burden calculations and cost 
savings, including:
     The level of workforce member (e.g., clerical staff, 
professional) responsible for making minimum necessary determinations 
on behalf of covered health care providers and health plans and a 
description of how the determination is made based on a covered 
entity's minimum necessary policies and procedures;
     Time spent by a covered health care provider or health 
plan to make a minimum necessary determination;
     The frequency with which a covered health care provider or 
health plan makes minimum necessary determinations (i.e., the number of 
determinations by day or month); and
     The frequency with which a covered health care provider or 
health plan currently obtains individuals' authorizations prior to 
making a disclosure of PHI for care coordination or case management for 
that individual.
xvi. Costs Arising From Adding an Exception to the Minimum Necessary 
Standard For Disclosures for Individual-Level Care Coordination and 
Case Management
    The proposed changes to the minimum necessary standard are 
deregulatory in nature, so the Department anticipates that the costs 
arising from the proposal to add an exception to the minimum necessary 
standard would be due primarily to time spent revising policies and 
procedures for using and disclosing information and updating the 
content of workforce

[[Page 6513]]

training. While the expenses of actually conducting such training 
typically would be included in such estimates, the Department would 
expect covered entities to include the updates in their existing HIPAA 
training and, thus, to incur additional training costs only for 
updating the training content. The Department estimates that changes to 
policies and procedures for minimum necessary and disclosures for care 
coordination and case management would require 75 minutes of lawyer 
time at an adjusted mean hourly rate of $139.72, and revisions to 
training content would require one hour of training specialist time 
(including related training for care coordination and case management 
definitions and disclosures to third parties, such as social services 
agencies, community based support programs, and HCBS providers) at an 
adjusted mean hourly rate of $63.12.
xvii. Estimated Cost Savings From Changing ``Professional Judgment'' to 
``Good Faith'' and ``Imminent'' to ``Reasonably Foreseeable''
    The Department proposes to amend five provisions of the Privacy 
Rule to replace the exercise of ``professional judgment'' with a ``good 
faith belief'' as the standard to permit certain uses and disclosures 
in the best interests of the individual, to apply a presumption of 
compliance with the good faith requirement, and to replace ``serious 
and imminent threat'' with ``serious and reasonably foreseeable 
threat'' in 45 CFR 164.512(j)(1)(i)(A). As discussed in the analysis of 
non-quantifiable benefits, the Department does not have data sufficient 
to estimate the reduction in professional time spent analyzing the risk 
of harm; however the Department believes this change would result in 
cost savings to covered entities, in addition to the cost savings from 
improved patient safety and treatment outcomes, as well as, 
potentially, the decreased costs due to avoided public safety incidents. 
The Department seeks comment on the potential cost savings from this 
proposed change.
xviii. Costs Arising From Changing ``Professional Judgment'' to ``Good 
Faith'' and ``Imminent'' to ``Reasonably Foreseeable''
    The Department anticipates that some covered entities, such as 
covered entity facilities that maintain patient directories and covered 
entity facilities and providers that routinely treat patients with SMI 
or SUD, would need to update their policies and procedures and train 
their workforce about the modifications to the Privacy Rule. The 
Department estimates that these costs would be due to one hour of a 
lawyer's time to update policies and procedures (for a total of 768,169 
burden hours at a cost of $107,328,573) and 40 minutes of a training 
specialist's time to update related HIPAA training content (for a total 
of 512,113 burden hours at a cost of $32,324,552). The Department 
believes there may be some initial increase in costs for health plans, 
including Medicare and state Medicaid agencies, that pay for treatment 
or recovery of individuals experiencing substance use disorder due to 
the increase in disclosures to family members and other caregivers. In 
this regard, the Department believes that family members and caregivers 
are likely to encourage and support these individuals in seeking 
treatment, and thus that these individuals will be more likely to seek 
or remain in treatment. However, the Department would expect lower 
long-term costs from potentially avoided public safety incidents and 
emergency health care services to offset any initial higher utilization 
costs. The Department also acknowledges the concerns that the proposed 
changes could have the unintended adverse effect of deterring some 
individuals from seeking care, due to concerns about providers 
disclosing PHI to family members and others. The Department seeks 
comment on the extent to which the proposed changes would support or 
frustrate access to effective treatment, or impose costs and burdens on 
individuals or covered entities.
xix. Estimated Cost Savings From Eliminating the Acknowledgment of 
Receipt of the NPP
    The Department proposes to eliminate the requirements in 45 CFR 
164.520 for certain covered health care providers \319\ to obtain a 
written acknowledgment of receipt of the providers' NPP and, if unable 
to obtain the written acknowledgment, to document their good faith 
efforts and the reason for not obtaining the acknowledgment. The 
proposal also would remove the current requirement to retain copies of 
such documentation for six years. The Department estimates that 
approximately 613 million individuals annually receiving care for the 
first time from a covered health care provider would receive the NPP 
from the health care provider.\320\ In a prior Paperwork Reduction Act 
burden estimate, the Department projected that the requirements related 
to disseminating and obtaining an acknowledgment would impose, on 
average, three minutes for each covered health care provider with a 
direct treatment relationship with an individual to disseminate each 
notice and obtain a documented acknowledgment of receipt, or document 
the good faith effort to obtain the acknowledgment and reason it was 
not obtained.\321\ This estimate was based on the assumption that the 
required notice and acknowledgment would be bundled with and 
disseminated with other patient materials. The total annual burden 
associated with this requirement was calculated to be 30,650,000 
hours.\322\
---------------------------------------------------------------------------

    \319\ The requirements related to the acknowledgment of receipt 
of an NPP apply only to covered health care providers that have 
direct treatment relationships with individuals. See 45 CFR 
164.520(c)(2)(ii) and (3)(iii); 45 CFR 164.520(e).
    \320\ See 81 FR 31646 (May 19, 2016). The ICR estimated 613 
million individuals would receive the notice of privacy practices 
from a health care provider and 100 million would receive the notice 
from their health plan via direct mail and another 100 million 
individuals would receive the notice from their health plan 
electronically.
    \321\ Ibid.
    \322\ Ibid.
---------------------------------------------------------------------------

    In the 2018 RFI, the Department solicited public input to evaluate 
the accuracy of its burden estimates associated with obtaining an 
individual's acknowledgement of receipt of the NPP. Question 43 of the 
2018 RFI asked ``[w]hat is the burden, in economic terms, for a covered 
health care provider that has a direct treatment relationship with an 
individual to make a good faith effort to obtain an individual's 
written acknowledgement of receipt of the provider's NPP? OCR requests 
estimates of labor hours and any other costs incurred, where 
available.'' \323\ Question 49 asked ``[w]hat is the burden, in 
economic terms, for covered health care providers to maintain 
documentation of the good faith effort to obtain written 
acknowledgement and the reason why the acknowledgment was not obtained? 
What alternative methods might providers find useful to document that 
they provided the NPP?'' \324\ Comments highlighted the burden but did 
not provide estimated numbers of labor hours associated with these 
activities. For example, one commenter representing community 
pharmacies noted that pharmacists spend ``many hours'' verifying and 
making good faith attempts to obtain an individual's written 
acknowledgment of receipt of the providers' NPPs in face-to-face or 
mail interactions. Removing this requirement would lead to ``additional

[[Page 6514]]

labor hours'' to spend with patients.\325\ Another commenter discussed 
the burden associated with its field-based programs to obtain a signed 
acknowledgment of receipt, but did not describe the economic burden. 
This same commenter also noted that its NPP was always bundled with 
patient intake forms described as ``numerous'' and a part of a lengthy 
process but did not provide more specific data other than to state that 
the full NPP was eight pages.\326\ Yet another commenter, a large 
medical group, responded that NPPs are part of a package of documents 
provided to patients at intake or registration, but the number of pages 
``varies widely'' depending on the setting and nature of the particular 
provider. This same commenter explained that NPP acknowledgement forms 
were stored in the patient record but rarely, ``if ever,'' 
referenced.\327\
---------------------------------------------------------------------------

    \323\ See 83 FR 64302, 64308 (December 14, 2018).
    \324\ Id. at 64309.
    \325\ Comment No. HHS-OCR-2018-0028-0995.
    \326\ Comment No. HHS-OCR-2018-0028-0559.
    \327\ Comment No. HHS-OCR-2018-0028-0649.
---------------------------------------------------------------------------

    The Department acknowledges the uncertainty and wide variability in 
how different covered health care providers disseminate the NPP 
acknowledgement and make a good faith attempt to obtain the signed 
acknowledgement and store and maintain it. The comments to the 2018 
RFI, described above, demonstrate that quantifying the burden would 
necessarily include examining the manner or process by which a covered 
entity obtains the acknowledgement, as well as the format. With the 
increasing use of technology by covered entities (e.g., electronic 
check-in), it is reasonable to assume that the time associated with 
this burden is low in some instances but higher for those covered 
entities that have not integrated technology into the process, or who 
have fully integrated the acknowledgment into other NPP processes that 
may need to be revised if the proposal is finalized. Therefore, the 
Department is estimating a range, from 30 seconds to 2 minutes and 55 
seconds, for the time taken to disseminate the NPP acknowledgement, request the 
patient's signature, explain what the acknowledgement consists of, wait 
for the patient to sign, complete the check-off or other procedure 
applied when the patient is unable or unwilling to sign, file the 
acknowledgement documentation, and store the documentation for six 
years. The Department estimates that covered health care providers 
would experience total annual savings of: 5,108,331 burden hours and 
$153,454,272 in cost savings at the low end, up to 29,798,610 burden 
hours and $895,150,257 in cost savings at the high end. The Department 
utilizes the mid-range estimate of 17,879,169 reduction in burden hours 
for an annual cost savings of $537,090,228 associated with the proposal 
to eliminate the requirements associated with the good faith attempt to 
obtain acknowledgment of receipt of the NPP.
    While the wide variation in procedures that covered health care 
providers use to fulfill the current requirements does not allow for 
precise quantification of burdens, the Department's assumptions and 
estimates reflect reasonable analysis of the available data and 
consideration of public input. With respect to the low end of the 
range, the Department assumes that in some instances, such as when a 
covered health care provider uses electronic means to disseminate and 
obtain the acknowledgement, the burden hours associated with these 
activities may be near negligible. For estimates at the high end of the 
range, the Department assumes that these covered entities expend more 
labor hours to disseminate and collect paper forms with individuals' 
signed acknowledgments of receipt of the NPP and file the forms. The 
Department accounts elsewhere in this regulatory impact analysis (RIA) 
for the increased time associated with the new individual right to 
discuss a covered entity's privacy practices. The remaining burden of 
one minute and 15 seconds encompasses time for direct treatment 
providers to copy and distribute each NPP. The Department calculates, 
based on the mid-range estimate of hours of a clerical employee's time 
(based on an adjusted mean hourly rate of $30.04) that this proposal 
would result in an estimated annual savings of $537,090,228. The 
Department seeks comment and other examples of how these reductions in 
compliance burdens translate into quantifiable cost savings, including 
the time spent by a covered health care provider to conduct the 
following health care activities, including by electronic means if 
applicable:
     Disseminate the NPP, including an acknowledgement form;
     Collect the NPP acknowledgment form;
     Determine whether an individual's acknowledgement form is 
current, including for processes that are paper-based or electronic.
    The Department also assumes that eliminating the related 
requirement to maintain documentation of the acknowledgment of the NPP 
for six years would result in significant cost savings to direct 
treatment health care providers in the form of a reduction of one page 
(electronic or paper) of each patient's record, and reduced space 
needed for one page of medical records (if that is where such 
documentation is stored) per patient or reduced electronic storage 
space for systems that store these notices electronically; however, the 
Department has not quantified the potential savings. The Department 
anticipates that most of the savings would result from eliminating the 
collection and maintenance of these records in the future. The 
Department seeks comments on the cost savings covered health care 
providers would be likely to accrue as a result of these proposed 
changes.
xx. Costs Arising From Eliminating the Acknowledgment of Receipt of the 
NPP
    The Department anticipates no costs for eliminating the requirement 
for direct treatment providers to make a good faith effort to obtain an 
individual's signed acknowledgment of receipt of the NPP and to 
maintain related documentation. The Department welcomes comments on 
this assumption.
xxi. Estimated Cost Savings Arising From Changes to the NPP Content
    The Department proposes to modify the header of the NPP to specify 
to individuals that the notice provides information about: (1) How to 
access their health information, (2) how to file a HIPAA complaint, and 
(3) individuals' right to a copy of the notice and ability to discuss 
its contents with a designated person. The required header also would 
have to specify whether the designated contact person is available 
onsite and must include a phone number and email address an individual 
could use to reach the designated person.
    The Department does not anticipate quantifiable cost savings to 
covered entities from making the required changes to the NPP; however, 
the improvements to individuals' right of access may contribute to 
improvements to health care delivery and the health of patients 
overall.
xxii. Costs Arising From Changes to the NPP Content
    The Department believes the burden associated with revising the NPP 
consists of costs related to developing and drafting the revised NPP 
for covered entities. The Department estimates that the proposal to 
update and revise the language in the NPP (including drafting the 
language in the header) would require one hour of professional legal 
services at the wage reported in Table 4. There are no new costs for 
providers

[[Page 6515]]

associated with distribution of the revised notice other than posting 
it on the entity's website (if it has one), as providers have an 
ongoing obligation to provide the notice to first-time patients. The 
Department bases the estimate on its previous estimates from the 2013 
Omnibus Rule, in which the Department estimated approximately 613 
million first time visits with health care providers annually.\328\ 
Health plans that post their NPP online would incur minimal costs by 
posting the updated notice, and then, including the updated NPP in the 
next annual mailing to subscribers.\329\
---------------------------------------------------------------------------

    \328\ 78 FR 5566, 5675 (January 25, 2013).
    \329\ 45 CFR 164.520(c)(1)(v)(A).
---------------------------------------------------------------------------

    The Department further estimates the cost of posting the revised 
NPP on the covered entity's website would be ten minutes of a web 
developer's time at the wage reported in Table 4.
    The Department assumes that about 1% of an estimated 613 million 
new patients \330\ will ask for further discussion with the designated 
contact person. The Department believes this estimate is reasonable, 
given public comments indicating that individuals rarely ask questions 
about the NPP, and the assumption that most requests for discussion 
will be made in the context of a visit with a health care provider. The 
Department therefore estimates that 6,130,000 individuals may ask for a 
discussion on the NPP as a result of OCR's media campaigns as well as 
through general awareness of individual privacy rights under HIPAA. The 
Department does not have data to support a different assumption or 
estimate at this time, and the Department requests such data for future 
consideration. In particular, the Department seeks comments addressing 
the likelihood and any associated burden that individuals will contact 
their health plans to request a discussion of the plans' privacy 
practices, and if so, the frequency with which health plans would be 
contacted for these conversations. The Department estimates that its 
proposal to require covered entities to make available a person who may 
be contacted for further information on the covered entity's privacy 
practices would add $8.69 in burden per request for information or $53 
million (or 715,167 burden hours) total per year. The Department 
assumes each discussion between the contact person and individual will 
last an average of 7 minutes as individuals ask questions and receive 
answers, at the adjusted mean hourly rate for a registered nurse, as 
reported in Table 4.
---------------------------------------------------------------------------

    \330\ See 81 FR 31646 (May 19, 2016) and related explanation 
that there are an estimated 613 million individuals who would 
receive the NPP.
---------------------------------------------------------------------------

    The Department invites comments on all aspects of its estimates and 
assumptions, including the time spent on the identified activities and 
the occupations or professions of persons designated to perform those 
tasks.
xxiii. Estimated Cost Savings From Adding a Permission to Disclose PHI 
to a TRS Communications Assistant
    The Department proposes to expressly permit covered entities (and 
their business associates, acting on the covered entities' behalf) to 
disclose PHI to TRS communications assistants to conduct covered 
functions, at proposed 45 CFR 164.512(m), and to expressly exclude TRS 
providers from the definition of business associate at 45 CFR 160.103.
    Based on information from stakeholders, the Department believes 
that some covered entities with workforce members who are deaf, hard of 
hearing, or deaf-blind, or who have a speech disability may have 
entered into, or tried to enter into, a business associate agreement 
with a TRS provider before permitting a workforce member to disclose 
PHI to a TRS communications assistant, while others limited the use of 
TRS communications assistants by workforce members. Thus, some covered 
entities incurred legal costs for entering into a BAA or for analyzing 
the legal risk of not permitting workforce members to use needed 
accommodations, which they would not have to incur under the proposed 
changes. The Department lacks sufficient data to quantify the cost 
savings of this proposed change, and requests comment on the extent to 
which covered entities and business associates currently have business 
associate agreements with TRS providers, and on any costs such entities 
incur when analyzing whether a business associate agreement is needed.
xxiv. Costs Arising From Adding a Permission to Disclose PHI Through 
TRS
    The Department has not identified any additional costs to covered 
entities arising from the proposed change other than changes to 
policies and procedures and training, as TRS is provided without charge 
to the user.\331\
---------------------------------------------------------------------------

    \331\ See FCC's 2017 ``Consumer Guide, Telecommunications Relay 
Service'', available at https://www.fcc.gov/consumers/guides/telecommunications-relay-service-trs.
---------------------------------------------------------------------------

g. Quantifiable Cost Savings Estimates
    Table 10 summarizes the estimated annual cost savings of the 
proposed rule for covered entities, as described in the preceding 
section.

                                                  Table 10 \a\
----------------------------------------------------------------------------------------------------------------
                                                                                                      Savings
                Cost item                        Burden count                 Multiplier            (millions)
----------------------------------------------------------------------------------------------------------------
Clarifying Minimum Necessary............  4 hours of health manager   Total CEs (774,331).......            $343
                                           time x $110.74 = $442.96.
Eliminating NPP Acknowledgment..........  1 minute 45 seconds         613,000,000 1st time                   537
                                           (.0292) of clerk/           encounters.
                                           receptionist time x
                                           $30.04 = $.877.
                                                                                                 ---------------
    Total Annual Cost Savings...........  ..........................  ..........................             880
                                                                                                 ---------------
    Total Cumulative Cost Savings (5      ..........................  ..........................           4,400
     years) (undiscounted).
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.


[[Page 6516]]

h. Estimated Quantifiable Costs to Covered Entities
    The Department summarizes in Table 11 the additional estimated 
administrative costs that entities would incur on a one-time basis in 
the first year of implementing the proposed regulatory changes. The 
Department anticipates that these costs would be for posting an access 
fee schedule online for entities that have not already done so and 
posting a revised NPP online.

                                                    Table 11
----------------------------------------------------------------------------------------------------------------
                                                                                                      Total
             One-time costs                     Burden count                 Multiplier          administrative
                                                                                                cost  (millions)
----------------------------------------------------------------------------------------------------------------
Post access fee schedule online........  10 min. x web developer     Total covered entities                  $10
                                          ($79.20) = $13.20.          (774,331).
Post revised NPP online................  10 min. x web developer     Total covered entities                   10
                                          ($79.20) = $13.20.          (774,331).
                                                                                               -----------------
    Total One-Time Administrative        ..........................  .........................            \a\ 20
     Burden.
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.

    Table 12 summarizes the ongoing labor costs that the Department 
anticipates covered entities would incur as a result of the proposed 
regulatory changes. These new requirements would be based on an 
individual's request and include providing copies of PHI and ePHI under 
the right of access within a shorter time, providing an estimate of 
access and authorization fees, providing an itemized list of allowable 
access charges, discussing privacy practices with individuals, and 
submitting requests for copies of PHI to health care providers or 
health plans.

                                                  Table 12a \a\
----------------------------------------------------------------------------------------------------------------
                                                                                                  Total annual
             Ongoing costs                   Burden hours & pay              Multiplier          administrative
                                                                                                cost  (millions)
----------------------------------------------------------------------------------------------------------------
Access for Individuals--Search and       1 min. x records            50% of 2,460,000 access                $0.9
 retrieval within shorter times.          technician time ($44.80)    requests = 1,230,000.
                                          = $0.75.
Sending copies of ePHI to third parties  2 min. x records            25% of 615,000 access             \b\ 0.230
 other than covered entities--Non-        technician time ($44.80)    requests = 153,750.
 internet based method.                   = $1.49.
Sending copies of ePHI to health plans   4 min. x records            25% of 615,000 access             \c\ 0.459
 and providers under the right of         technician time ($44.80)    requests = 153,750.
 access--Non-internet methods.            = $2.99.
Providing good faith fee estimates upon  3 min. x records            3% (.03) of 2,460,000                 0.165
 request.                                 technician time ($44.80)    access requests = 73,800.
                                          = $2.24.
Providing itemized list of access and    1 min. x records            1% (.01) of 2,460,000             \d\ 0.018
 authorization fees upon request.         technician time ($44.80)    access requests = 24,600.
                                          = $0.75.
Discussing privacy practices with        7 min. x registered nurse   1% (.01) of 613 million                  53
 individuals upon request.                time ($74.48) = $8.69.      1st time encounters =
                                                                      6,130,000 requests.
Submitting access requests to providers  3.5 min. x medical          15% (.15) of 615,000                  0.185
 & plans for individuals.                 assistant time ($34.34) =   access requests = 92,250.
                                          $2.00.
                                                                                               -----------------
    Total Ongoing Annual Administrative  ..........................  .........................                55
     Burden.
----------------------------------------------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.
\b\ The estimate is $229,600.
\c\ The estimate is $459,200.
\d\ The estimate is $18,368.

    The total estimated additional first year administrative labor 
costs (including costs that will be ongoing) would be approximately $76 
million (Table 11 total and Table 12a total).
    Table 12b summarizes the increased capital costs that covered 
entities are estimated to incur as a result of the proposed new section 
45 CFR 164.525 with respect to fee estimates for copies of PHI provided 
under the right of access and with a valid authorization.

                                                    Table 12b
----------------------------------------------------------------------------------------------------------------
                                                                     Number of
    Fees  estimates  section     Proposed regulatory requirement    pages to be    Average cost        Total
                                                                      printed
----------------------------------------------------------------------------------------------------------------
164.525........................  Making fee schedule available         2,322,993           $0.10        $232,299
                                  at the point of service and
                                  upon request.
164.525........................  Provide an individualized                11,070        \b\ 0.69           7,638
                                  estimate of fees by mail \a\.
164.525........................  Printing itemized list of copy       \d\ 24,600            0.10           2,460
                                  charges \c\.
                                                                 -----------------------------------------------
    Total Capital Costs.........................................  ..............  ..............         242,398
----------------------------------------------------------------------------------------------------------------
\a\ This represents only the requests for which the individual asks for a written estimate to be mailed to them,
  which the Department estimates to be 10% of the annual 2.46 million total access requests.
\b\ This includes costs for printing ($0.08), postage ($0.55), paper ($.02), and an envelope ($.04).
\c\ This estimate assumes that the itemized list of charges would be included in the mailing of requested copies
  of protected health information, so postage costs are not added here.
\d\ 1% of 2.46 million annual total access requests.

i. Additional Costs for Revising Policies and Procedures
    Table 13 summarizes the total projected costs for covered entities 
to revise their policies and procedures to comply with the proposed 
regulatory changes to the Privacy Rule. The Department includes the 
costs for legal review and drafting of policies and for a compliance 
manager to revise procedures for relevant workforce members or 
departments.

                                                    Table 13
----------------------------------------------------------------------------------------------------------------
     Revising policies & procedures        Time  (mins.)   Covered entities affected         Burden hours
----------------------------------------------------------------------------------------------------------------
Minimum Necessary, Disclosures for Care               75  774,331...................  967,914.
 Coordination & Disclosures to Social
 Services Agencies & CBOs.
Right of access (multiple provisions,                180  774,331...................  2,322,993.
 including fee schedule).
Disclosures to family & friends of                    60  768,169 (providers).......  768,169.
 individual; Disclosures to prevent harm.
Revise NPP..............................              60  774,331...................  774,331.
Disclosures for Uniformed Services & TRS              10  774,331...................  129,055.
Simplify verification & revise form.....              30  5% of 774,331 covered       19,358.
                                                           entities = 38,717.
                                                                                     ---------------------------
    Total Burden Hours..................  ..............  ..........................  4,981,820.
                                                                                     ---------------------------
    Total Costs.........................  ..............  ..........................  $696 million.
----------------------------------------------------------------------------------------------------------------

j. Estimated Additional Costs for Revising HIPAA Training Programs

                                                    Table 14a
----------------------------------------------------------------------------------------------------------------
     Training content to be revised        Time  (mins)    Covered entities affected         Burden hours
----------------------------------------------------------------------------------------------------------------
Minimum Necessary, Disclosures for Care               60  774,331...................  774,331.
 Coordination, & Disclosures to Social
 Services Agencies & CBOs.
Changes to Access Times, Changes to                  150  774,331...................  1,935,828.
 Access Procedures, Submitting PHI to
 Providers & Plans, and Fees and
 Estimates.
Disclosing PHI to Family & Friends; Uses              40  768,169--Providers........  512,113.
 and Disclosures to Prevent Harm.
Disclosures for Uniformed Services;                   15  774,331...................  193,583.
 Telecommunications Relay Services.
Right to Discuss NPP....................               5  774,331...................  64,528.
Verification of Identity................              10  5% of covered entities =    6,453.
                                                           38,717.
                                                                                     ---------------------------
    Total Time to Update Training         ..............  ..........................  3,486,834.
     Content.
                                                                                     ---------------------------
    Total Costs for Updating Training     1 hour of Training Specialist time =        $220 million
     Content.                             $63.12
----------------------------------------------------------------------------------------------------------------

    The Department also estimates potential increased first-year costs 
for training medical records technicians to initially implement the 
changes to the right of access procedures, as shown in Table 14b.

                                                                        Table 14b
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                      Time  (in      Covered entities                       Costs  (in
                        Staff in training                         Hourly wage \a\      minutes)          affected         Burden hours      millions)
--------------------------------------------------------------------------------------------------------------------------------------------------------
Medical Records Technician......................................          $44.80                7             774,331           90,339           $4.047
--------------------------------------------------------------------------------------------------------------------------------------------------------
\a\ See Table 4.


                Table 14c--Total Estimated Training Costs
                           [Table 14a and 14b]
------------------------------------------------------------------------
                                                            Costs  (in
                Cost item                  Burden hours    millions) \a\
------------------------------------------------------------------------
Updated Training Content................       3,486,834            $220
Increased Time in Training..............          90,339               4
                                         -------------------------------
    Total New Training Costs............       3,577,173             224
------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.

k. Costs Borne by the Department
    The Department expects that it would incur costs related to 
disseminating information about the proposed regulatory changes to 
covered entities, including health care providers and health plans. 
However, the Department expects that many of these costs could be made 
part of the ongoing dissemination of guidance and other explanatory 
materials that OCR already provides. The covered entities that are 
operated by the Department would be affected by the proposed changes in 
a similar manner to other covered entities, and those costs have been 
factored into the estimates above.
l. Comparison of Benefits and Costs
    The Department expects the benefits of the proposed rule to 
outweigh any costs because covered entities will save costs each year 
after the first year, having experienced initial higher costs related 
to implementation of proposed changes. The proposed changes to, or 
clarifications of, the minimum necessary standard, access fees, and the 
acknowledgment of the NPP would be largely deregulatory. The Department 
expects covered entities and individuals to benefit from the increased 
flexibility and confidence covered entities would have to act in 
individuals' best interests without undue concerns about HHS 
enforcement actions. The Department also expects covered entities to 
realize savings from less frequent consultations with legal counsel 
about when they can disclose PHI regarding individuals who are 
incapacitated or experiencing another emergency and reductions in 
minimum necessary analyses when disclosing PHI for individual-level 
health care coordination and case management activities that constitute 
treatment or health care operations. The Department further expects 
that, by involving family members and others, this proposed action 
would result in improved care coordination and case management and 
better patient health outcomes. The Department also expects that 
changes to the right of access, such as a shortened time limit for 
responding to a patient's request, the right to photograph or otherwise 
capture PHI using the individual's own device, and the right to an 
estimate of access and authorization fees, would significantly 
strengthen the access right, to the benefit of individuals. 
Additionally, replacing the requirement to obtain an acknowledgment of 
an individual's receipt of the NPP with an individual right to discuss 
a covered entity's privacy practices upon request would improve access 
to care and strengthen individuals' understanding of their rights. The 
Department expects these benefits would substantially outweigh 
estimated costs, such as covered entities providing access in a shorter 
time, providing the new discussion right, posting an access fee 
schedule, modifying internal policies, and providing new trainings to 
workforce members.
    The Department requests comment on these assumptions and on all 
aspects of this regulatory impact analysis. The tables below present 
the Department's summary of estimated quantifiable costs and cost 
savings (Tables 15 and 16), cost transfers (Table 17), and non-
quantifiable costs and benefits (Table 18).

    Table 15--First Year Estimated Quantifiable Costs/Cost Savings to
                    Covered Entities, in Millions \a\
------------------------------------------------------------------------
                Cost item                      Costs          Savings
------------------------------------------------------------------------
Revised Training........................            $224  ..............
Revising P&P............................             696  ..............
Administrative Costs....................              76  ..............
Capital Costs...........................           0.242  ..............
Eliminating NPP Acknowledgment..........  ..............          ($537)
Clarifying Minimum Necessary............  ..............           (343)
                                         -------------------------------
    Total...............................             996           (880)
                                         -------------------------------
    Net Cost/Savings--First Year........             116  ..............
------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.


   Table 16--Ongoing Estimated Quantifiable Annual Costs/Costs Savings
               Estimates to Covered Entities, in Millions
                             [Years 2-5] \a\
------------------------------------------------------------------------
                                                          Set-off amount
                Cost item                      Costs         (savings)
------------------------------------------------------------------------
Access & Administrative Costs...........             $55  ..............
Capital Costs...........................           0.242  ..............
Eliminating NPP Acknowledgment..........  ..............          ($537)
Clarifying Minimum Necessary............  ..............           (343)
                                         -------------------------------
    Total...............................              55           (880)
                                         -------------------------------
    Net Costs/Savings...................  ..............           (825)
------------------------------------------------------------------------
\a\ Totals may not add up due to rounding.


               Table 17--Estimated Transfers, in Millions
------------------------------------------------------------------------
                                 Amount of costs     Amount of new costs
          Cost item                transferred            incurred
                                  (transferors)         (transferees)
------------------------------------------------------------------------
Decreased fees for providing  $1.4 (individuals)..  $1.4 (covered
 electronic copies in an EHR                         entities, primarily
 on electronic media to                              providers).
 individuals.
Additional fees for           43 (covered           21.5 (individuals).
 authorizing copies of non-    entities, primarily  21.5 (third party
 EHR PHI to a third party.     health care           recipients).
                               providers): 615,000
                               access requests x
                               $70 average
                               estimated increased
                               fee.
------------------------------------------------------------------------

    Covered entities would benefit from a total estimated net increase 
of $41.6 million in transferred costs for allowable fees for providing 
copies of PHI, while individuals and third party recipients together 
would incur the same amount.

   Table 18--Non-quantifiable Costs/Benefits for Covered Entities and
                               Individuals
------------------------------------------------------------------------
     Regulatory changes               Costs               Benefits
------------------------------------------------------------------------
Changing to minimum           Potential increase    Improved care
 necessary, health care        in number of          coordination and
 operations definition, and    requests for          case management,
 the addition of permissible   disclosures for       resulting in better
 disclosures to social         certain care          health outcomes.
 services agencies.            coordination and
                               case management
                               purposes.
Changing from ``professional  Potential increased   Improved care
 judgment'' to ``good          complaints to OCR     coordination and
 faith'' and from              from individuals      case management;
 ``imminent'' to               who did not want      increased harm
 ``reasonably foreseeable''.   their PHI used or     reduction; likely
                               disclosed;            increase in
                               potential to chill    adherence to
                               some individuals'     treatment and
                               willingness to        increased service
                               access care.          utilization.
Changing verifications......  ....................  Improved access to
                                                     PHI.
Adding permission to          ....................  Improved employment
 disclose to TRS and                                 conditions and
 excluding TRS providers                             opportunities for
 from the definition of                              workforce members
 business associate.                                 who are deaf, hard
                                                     of hearing, or deaf-
                                                     blind, or who have
                                                     a speech
                                                     disability;
                                                     improved compliance
                                                     with non-
                                                     discrimination
                                                     laws.
Adding right to discuss       ....................  Improved
 covered entity privacy                              understanding of
 practices, eliminating NPP                          individuals' rights
 acknowledgment requirement                          & covered entities'
 & changes to NPP.                                   privacy practices;
                                                     improved access to
                                                     care.
Better enabling individuals   ....................  Improved care
 to direct the transmission                          coordination and
 of electronic PHI in an EHR                         case management;
 among providers and plans                           increased
 as part of the right of                             individual control
 access.                                             over directing ePHI
                                                     for health-related
                                                     purposes.
Strengthening right of        Increased burden on   Improved access to
 access (free online access;   individuals to        PHI by individuals--
 shorter access times; right   directly obtain       receiving PHI twice
 to inspect; access fee        lower cost copies     as fast; improved
 information).                 of non-EHR PHI and    access to ePHI by
                               send it to third      providers & plans;
                               parties to avoid      reduction in access
                               paying higher fees    fee disputes/
                               under an              improved collection
                               authorization.        of access fees;
                                                     increased certainty
                                                     about allowable
                                                     fees; increased
                                                     adoption and
                                                     utilization of EHR
                                                     technology.
Restricting the right to      Increased burden on   Improved clarity and
 request that a covered        individuals to        certainty for
 entity direct the             submit two forms:     covered entities.
 transmission of certain PHI   An access request
 to a third party.             and an
                               authorization, when
                               seeking to send a
                               complete medical
                               record to a third
                                party.
Adding an optional element    ....................  Increased knowledge
 of the NPP for covered                              by individuals of
 entities to provide                                 their rights to
 information about alternate                         access and their
 ways to obtain PHI directly                         options for
 or have it sent to a third                          accomplishing their
 party, for certain requests                         information sharing
 to direct the transmission                          goals.
 of certain PHI to a third
 party.
------------------------------------------------------------------------

    The Department's cost-benefit analysis indicates that the proposed 
regulatory changes would significantly advance care coordination and 
the transformation to value-based care and strengthen individual 
rights. Although there is a projected total net cost of $116 million in 
the first year, the total estimated annual net cost savings to covered 
entities in subsequent years would be approximately $825 million, for 
total projected net savings of approximately $3.2 billion over five 
years. Separately, the Department estimates an average increase in 
allowable fees of $70 per request for directing copies of PHI to third 
parties, which it treats as a transfer rather than a cost (Table 17).
m. Uncertainty Analysis for Estimated Costs and Cost Savings
    The Department has analyzed a range of estimated costs and cost 
savings for the key compliance burdens that would be affected if the 
proposed regulatory changes are implemented as outlined. The Department 
performed an uncertainty analysis for each of the main drivers of costs 
and cost savings, reporting low, mid, and high values for each category 
and for the proposed rule as a whole, to better capture the range of 
potential outcomes. In summary, the Department estimates total costs of 
implementation over a five-year period ranging from a low of 
approximately $0.8 billion to a high of approximately $4.4 billion 
(mid-range $1.2 billion), and five-year cost savings ranging from 
approximately $1.2 billion to $7.5 billion (mid-range $4.4 billion).

                            Table 19--Range of Total Estimated Costs Over Five Years
                                                   [2021-2025]
----------------------------------------------------------------------------------------------------------------
                       Cost item                                Low                Mid                High
----------------------------------------------------------------------------------------------------------------
Training...............................................       $195,651,092       $224,136,148       $250,512,185
Policies & Procedures..................................        542,791,420        696,059,917      1,302,384,017
Access & Administrative Tasks..........................         40,984,833        296,648,766      2,879,447,799
Capital Costs..........................................          1,175,457          1,211,988          1,979,493
                                                        --------------------------------------------------------
    Total Costs........................................        780,602,802      1,218,056,819      4,434,323,494
----------------------------------------------------------------------------------------------------------------


                         Table 20--Range of Total Estimated Cost Savings Over Five Years
                                                   [2021-2025]
----------------------------------------------------------------------------------------------------------------
                   Cost savings item                            Low                Mid                High
----------------------------------------------------------------------------------------------------------------
Eliminating NPP Acknowledgement........................       $767,271,360     $2,685,451,140     $4,475,751,287
Clarifying Minimum Necessary...........................        428,747,075      1,714,988,299      3,001,229,523
                                                        --------------------------------------------------------
    Total Cost Savings.................................      1,196,018,434      4,400,439,439      7,476,980,809
----------------------------------------------------------------------------------------------------------------

i. Cost Estimates
Updated Training Content
    Because required HIPAA training is based on covered entities' 
policies and procedures, changes to the policies and procedures are 
accounted for separately, and a training specialist's time is allocated 
for time spent in updating existing training content. The burden hours 
are based on an adjusted hourly cost of $63.12 (see table 4). The 
content area for which the greatest training burden is estimated is due 
to the combination of proposed changes to the right of access and the 
new right to request fee estimates and itemized lists of charges for 
copies of PHI. At the low end, the Department estimates a burden of two 
hours for updating this section of the training content, and at the 
high end, three hours. This results in a low estimate of 1,548,662 
total burden hours for all covered entities at a one-time cost 
of $97,751,545 and a high estimate of 2,322,993 burden hours at a cost 
of $146,627,318 for updating the access portions of the training 
program. The Department proposes to adopt a mid-range estimate of 2 
hours and 30 minutes to update the access and fee estimate portions of 
the training content for a total of 1,935,828 burden hours at a cost of 
$122,189,432. The Department also estimates additional time spent in 
training for an average of one medical records technician per covered 
entity in the first year at an adjusted hourly labor cost of $44.80 
(see Table 4), ranging from a low of 5 minutes to a high of 10 minutes. 
Overall one-time training costs for all proposed changes to the Privacy 
Rule are estimated to range from a low of $198,541,928 (and 3,164,196 
burden hours) to a high of $250,512,185 (and 4,006,281 burden hours). 
The Department proposes adopting a mid-range estimate of 3,577,173 
total burden hours at a one-time cost of $224,136,148. The 2013 Omnibus 
Final Rule contained no cost estimates for updates to HIPAA training 
programs and in the 2000 Privacy Rule the Department based its 
estimates on the time spent by covered entity workforce members to 
participate in training and not the time for a training specialist to 
update training content. In 2000, the Department anticipated that, in 
part, professional associations and other organizations would develop 
training for different types of covered entities, thus reducing 
potential burden for implementing the new requirement. Because time 
spent in training by workforce members is already an acknowledged 
burden, the training estimates developed for this proposed rule reflect 
only the new burden: The time to update training program content. These 
estimates are slightly less than those for updating policies and 
procedures, to reflect that the foundation for the work is already laid 
by the updated policies and procedures established by legal counsel.
Updated Policies and Procedures
    The Department estimates a range of average total burden hours per 
covered entity to update policies and procedures as a result of the 
proposed modifications to the Privacy Rule, based on only the adjusted 
hourly wage for a lawyer of $139.72 (see Table 4) for the low and mid-
range estimates, and adds the adjusted hourly wage for a health care 
manager of $110.74 for the high-range estimate. At the low end, the 
Department estimates a total burden per covered entity of 5 hours and 
30 minutes (for a total of 3,884,851 hours and a cost of $542,791,420) 
for updating policies and procedures and at the high end 13.51 hours 
(for a total of 10,014,867 hours and a cost of $1,302,384,017). The 
Department proposes adopting a mid-range estimate of 6 hours and 55 
minutes for a total estimate of 4,981,820 burden hours at a one-time 
cost of $696,059,017.
Access and Administrative Tasks
Post an Access Fee Schedule Online
    The Department estimates a low burden of 8 minutes of a web 
developer or designer's hourly wage of $79.20 (see Table 4) to post an 
access fee schedule online per covered entity and a high estimated 
burden of 15 minutes. These costs would range from 103,244 total annual 
burden hours to 193,583 burden hours, and costs of $8,176,935 at the 
low end to $15,331,754 at the high end. The Department proposes to 
adopt the mid-range estimate of 10 minutes for posting the new access 
fee schedule for a one-time total of 129,055 burden hours and a cost of 
$10,221,169.
Post an Updated Notice of Privacy Practices (NPP)
    The Department estimates a range of costs for covered entities to 
post an updated NPP at the hourly wage of a web developer or designer 
from a low of 8 minutes (and total burden hours of 103,244) to a high 
of 15 minutes (and total burden hours of 193,583), and total costs from 
a low of $8,176,935 to a high of $15,331,754. The Department proposes 
to adopt the mid-range estimate of 10 minutes for posting the revised 
NPP for a one-time total of 129,055 burden hours and a cost of 
$10,221,169.
Unreimbursed Costs of Providing Access
    The Department has separately estimated the charges that a covered 
entity may pass on to individuals who request copies of their PHI in 
the form of fees and allocated those as a transfer of costs. However, 
the Department estimates that due to the proposed changes to the access 
right covered entities may incur some costs above those that are 
allowed to be charged as fees. The Department has developed a range of 
cost estimates based on the hourly wage of a medical records technician 
($44.80, see Table 4), ranging from 0.5 to 2.5 additional minutes of 
labor, and total burden hours ranging from a low of 10,250 total annual 
burden hours to a high of 51,250 hours. Annual cost estimates range 
from a low of $459,200 to a high of $2,296,000. The Department proposes 
to adopt the mid-range estimate of 1 minute per request of 
uncompensated labor for providing access within a shorter time period 
for a total of 20,500 annual burden hours and an annual cost of 
$918,400. All of these estimates are based on an estimate that 50 
percent of the total estimated 2,460,000 annual access requests (or 
1.23 million) will be from individuals seeking copies of their own PHI 
or ePHI.
Submit Access Requests for Individuals to Health Plans and Providers
    The Department estimates on the low end that 10 percent of the 
total 615,000 requests by individuals to direct electronic copies of 
their PHI to their health care provider or health plan will be made by 
requesting that the receiving health care provider or health plan 
submit the request on the individual's behalf (or 61,500) and on the 
high end that 20 percent of such requests (or 123,000) will be made by 
requesting the assistance of the receiving health care provider or 
health plan. The Department believes that a medical assistant would 
submit these access requests to health plans and providers for 
individuals, at an hourly wage of $34.34 (see Table 4). The range of 
estimated costs is based on a low estimate that this task, on average, 
will take 2 minutes to complete, to a high estimate of 5 minutes. The 
total estimated annual burden hours ranges from 2,050 (and a cost of 
$70,397) to 10,250 (and a cost of $351,985). The Department proposes to 
adopt the mid-range estimate of 3.5 minutes for submitting 92,250 
requests (15 percent of 615,000) for individuals for a total of 5,381 
annual burden hours and an annual total cost of $184,792.
Transmit ePHI to Health Plans and Providers Through Non-Internet Means
    The Department's proposal to prohibit covered entities from charging 
fees for the labor associated with sending electronic copies of PHI 
through non-internet means (e.g., the mail) could result in some 
unreimbursable costs for covered entities. The Department estimates 
that the costs would be based on the hourly wage of a medical records 
technician ($44.80, see Table 4) and a low estimate of 3 minutes to a 
high estimate of 5 minutes for 153,750 requests (representing 25 
percent of the estimated 615,000 total annual requests to direct copies 
of PHI to health plans and providers). This results in a low estimate 
of 7,688 total annual burden hours at a cost of $344,400 and a high 
estimate of 12,813 total annual burden hours at a cost of $574,000. The 
Department proposes to adopt the mid-range estimate of 4 minutes per 
request for transmitting ePHI to health plans and providers through 
non-internet means for a total of 10,250 annual burden hours and a cost 
of $459,200. These estimated costs have not been previously calculated 
as a potential burden on covered entities and the Department requests 
comment on these ranges and the assumptions underlying them.
Transmit ePHI to Third Parties Through Non-Internet Means
    The Department estimates that the unreimbursable costs for 
transmitting electronic copies of ePHI to third parties other than 
health plans and providers would be half of that for transmitting the 
same information to health plans and providers because some of the 
costs are likely to be charged as fees to individuals for copies. The 
estimated costs are based on the hourly wage of a medical records 
technician ($44.80, see Table 4), ranging from a low estimate of 1.5 
minutes to a high estimate of 2.5 minutes for 153,750 requests 
(representing 25 percent of the total estimated 615,000 annual requests 
to direct copies of PHI to third parties other than health plans and 
providers). This results in a low estimate of 3,844 total annual burden 
hours at a cost of $172,200 and a high estimate of 6,406 total annual 
burden hours at a cost of $287,000. The Department proposes to adopt 
the mid-range estimate of 2 minutes per request for transmitting
ePHI to health plans and providers through non-internet means for a 
total of 5,125 annual burden hours and a cost of $229,600.00.
Providing Fee Estimates
    The Department estimates costs for providing good faith 
individualized fee estimates to individuals for a low of 24,600 
requests (1% of total 2.46 million annual access requests) to a high of 
123,000 requests (5% of 2.46 million annual access requests). The 
Department has also estimated the time it would take a medical records 
technician to develop a good faith individualized fee estimate from a 
low of 3 minutes to a high of 5 minutes per request, or an annual total 
of burden hours ranging from 1,230 (at a cost of $55,104) to 10,250 (at 
a cost of $459,200). The Department proposes to adopt the low-range 
estimate of 3 minutes of labor and the mid-range number of 73,800 
requests (3 percent of 2.46 million total annual access requests) 
resulting in a total of 3,690 annual burden hours and a total annual 
cost of $165,312.
Providing Itemized Lists of Charges
    The Department estimates costs for providing an itemized list of 
charges for requested copies of requested PHI, ranging from a low of 
2,460 requests (0.1% of total 2.46 million annual access requests) to a 
high of 123,000 (5% of total annual access requests). The Department 
has also estimated a range of burden from a low of 41 total annual 
burden hours (at a cost of $1,837) to a high of 2,050 total annual 
burden hours (at a cost of $91,840). The Department proposes to adopt 
the mid-range estimate of 410 annual burden hours and a total annual 
cost of $18,368.
Discussing Privacy Practices
    The Department estimates a range of costs for the requirement to 
discuss a covered entity's privacy practices with an individual upon 
request. The range is based on a low of 5 minutes of a registered 
nurse's time for 613,000 health care encounters (0.1% of 613,000,000 
total new health care encounters per year) to a high of 10 minutes of a 
health care manager's time for 30,650,000 health care encounters (5% of 
total new health care encounters per year). The total estimated annual 
burden hours for this proposed regulatory change ranges from 51,083 at 
the low end to 5,108,333 at the high end, and costs of $3,804,687 at 
the low end to $565,696,833 at the high end. The Department proposes to 
adopt the mid-range estimate of 7 minutes of a registered nurse's time 
for 6,130,000 requests (1 percent of 613,000,000) for a total estimate 
of 715,167 annual burden hours and a total annual cost of $53,265,613.
Capital Costs
    The Department estimates annual capital costs for three elements of 
the proposed rule: making an access fee schedule available, providing 
fee estimates for copies of PHI, and providing itemized lists of 
charges for copies of PHI. The capital costs for fee estimates and 
itemized lists of charges are based on the estimated number of 
requests, while the range of access fee schedule costs varies due to 
the number of copies provided by each covered entity. The total annual 
capital cost estimates range from a low of $235,091, a mid-range of 
$242,398, to a high of $395,899.
ii. Cost Savings Estimates
Minimum Necessary
    Because the Department is without data to estimate the actual 
average compliance burden, it has calculated a range of estimates for 
the cost savings resulting from the combined effects of the proposed 
regulatory modifications to the definition of health care operations 
and the minimum necessary standard. At the low end, the Department 
estimates a cost savings of 1 hour of labor annually per covered entity 
at the hourly rate of a health services manager ($110.74, see Table 4) 
for a total reduction of 774,331 burden hours and an annual cost 
savings of $85,749,415. At the high end, the Department estimates cost 
savings of 7 hours of labor for a total annual reduction of 5,420,317 
burden hours and $600,245,905 in cost savings. The Department proposes 
to adopt an approximate mid-range estimate of burden reduction, which 
is 4 hours per covered entity for an annual total of 3,097,324 burden 
hours and $342,997,660 in total annual projected cost savings.
NPP Acknowledgement
    The Department has previously estimated a burden of 3 minutes for 
providing the NPP and obtaining the signed acknowledgement of receipt 
or documenting a good faith effort to do so. The Department estimates 
that the requirement to obtain the signed acknowledgement or document a 
good faith effort accounts for a large portion of the 3-minute burden 
because it involves engaging with the individual or their personal 
representative, obtaining or creating documentation, and storing the 
documentation for each individual. Lacking data to precisely estimate 
the amount of burden reduction for the proposed removal of the 
acknowledgment requirements, the Department estimates a range of labor 
cost savings from a high of two minutes and 55 seconds to a low of 30 
seconds for each NPP that is provided by a direct treating health care 
provider to a new patient. On an annual basis for all covered entities, 
this would range from a total savings of 5,108,331 burden hours and 
$153,454,272 in cost savings at the low end to 29,798,610 burden hours 
and $895,150,257 in cost savings at the high end. The Department 
proposes adopting a mid-range estimate of burden reduction in the 
amount of one minute and 45 seconds of labor for each NPP due to the 
proposed regulatory modifications for a total annual reduction of 
17,879 burden hours and $537,090,228 of cost savings.
4. Consideration of Regulatory Alternatives
    The Department carefully considered several alternatives to issuing 
this NPRM, including the option of not pursuing any regulatory changes, 
but rejected that approach for several reasons. First, the proposed 
regulatory changes would further the Administration's goal of reducing 
regulatory burden on individuals and the regulated community and 
promoting care coordination. Second, many commenters on the 2018 RFI 
believed the Privacy Rule could be improved, and offered comments 
supportive of some of the ideas suggested in the RFI that now are 
proposed in this NPRM. Revising the Privacy Rule would clarify covered 
entities' obligations and flexibilities, improve individuals' access to 
their PHI, and improve care coordination and case management overall.
a. Increase Outreach and Issue Additional Clarifying Guidance Without 
Rulemaking
    As an alternative to rulemaking, the Department considered 
expanding OCR outreach, guidance, and educational materials to address 
misconceptions about (1) when HIPAA permits uses and disclosures of 
PHI, including to social services agencies and to family, friends, 
caregivers, and others; (2) what fees may be charged for providing 
access to PHI; (3) when the minimum necessary standard applies to 
disclosures for case management and care coordination; (4) when covered 
entities are required to transmit PHI to third parties, including 
health care providers and health plans; and (5) when individuals have 
the right to take photos of their own PHI.
    The Department has published extensive guidance on existing
standards in the form of videos, fact sheets, FAQs, decision trees, and 
infographics. Still, OCR has received comments and heard anecdotal 
evidence that, despite the existing guidance and ongoing outreach 
efforts, covered entities remain fearful of incurring HIPAA penalties 
for using and disclosing PHI in the circumstances addressed in this 
proposed rule. In addition, some of the beneficial disclosures that 
this NPRM proposes to expressly permit currently are not permitted, or 
are burdensome to complete, under the existing Privacy Rule, as 
described throughout the preamble. Therefore, in addition to continued 
outreach efforts, the Department believes it would effectively address 
the concerns outlined in the preamble discussion by modifying the 
existing standards.
b. Alternative Regulatory Proposals Considered
    The Department welcomes public comment on any benefits or drawbacks 
of the following alternatives it considered while developing this 
proposed rule.
Right of Access
Changing the Right To Direct Electronic Copies of EHR to a Third Party 
and Form and Format for Such Requests
    The Department considered how to modify the Rule consistent with 
the HITECH Act and the Ciox v. Azar decision. An approach considered 
and not adopted would have created two new unreviewable grounds to deny 
an access request to direct a copy of PHI to a third party: (1) If the 
requested copy was for PHI not contained in an EHR; and (2) if the 
request was for a copy of PHI not in electronic format. As part of the 
response to the written denial a covered entity would have been 
required to provide information about how the individual could access 
the requested PHI directly or how to request it with a valid 
authorization.
    The Department also considered a simplified approach, which would 
have required a covered entity to inform the individual about other 
options to obtain PHI, but without creating new grounds for denying the 
request. Instead, the Department decided to propose an optional element 
that covered health care providers may add to their Notice of Privacy 
Practices (NPP) that would address individuals' requests to direct 
copies of PHI to a third party that are not in an EHR or that are not 
electronic copies of PHI by informing them of the ability to request 
the copies of PHI directly and how to use a valid authorization to 
request the disclosure of the requested copies to a third party.
    The Department also considered requiring covered health care 
providers to provide the electronic copies to third parties in a 
readable form and format as agreed to by the individual and the covered 
entity. This approach would not have required health care providers to 
provide the copies in the format requested by the individual, but would 
have required some mutual agreement about the format. The Department, 
however, believes that the Ciox v. Azar decision does not permit it to 
propose requirements with respect to the form and format of copies of 
PHI directed to an individual's designated third party. Instead, the 
preamble to this NPRM encourages covered health care providers to 
produce copies in a readable electronic format that provides meaningful 
access to the requested PHI. The preamble also describes several 
examples of commonly accepted electronic formats for copies of PHI from 
an EHR.
    As raised in the 2018 RFI, the Department considered whether to 
require covered entities to disclose PHI to other covered entities for 
purposes of treatment, payment, or health care operations and 
variations on that idea, such as limiting the requirement to health 
care providers or limiting such required disclosures to treatment 
purposes only. The Department also considered how much individual 
control should be permitted for disclosures between covered entities, 
such as an opt-in or opt-out mechanism or some type of express 
permission. Due to the privacy concerns raised in comments on the RFI, 
the Department adopted a different approach whereby an individual could 
direct their current health care provider or health plan to submit an 
access request to another health care provider (``Discloser'') on the 
individual's behalf to have the individual's PHI sent to the current 
provider or plan (``Requester-Recipient''). This new pathway promotes 
disclosures to individuals' current health care providers and health 
plans in a manner that retains individual control. The Department 
believes that this proposal would be less burdensome than imposing 
mandatory disclosures for all requests for PHI for treatment, payment, 
and health care operations purposes.
Access Time Limits
    The Department considered the feasibility of changing the access 
time limits by requiring covered entities to provide copies of 
electronic PHI within a shorter time period than non-electronic PHI. 
The comments on this question in the 2018 RFI revealed that multiple 
factors affect how long it takes a covered entity to provide access to 
PHI, separate from whether the PHI was created, or is maintained, in 
electronic or non-electronic format. Given this input, the Department 
believes that imposing a shorter time limit in the Privacy Rule for 
individuals' access to electronic PHI than for non-electronic PHI would 
create unnecessary complexity and add to covered entities' burdens. For 
example, a request for a complete medical record may require the 
production of copies of both electronic and non-electronic PHI, and 
complying with differing time limits for different parts of a request 
would be difficult to track. However, the Department's proposals would 
result in different timelines for electronic and non-electronic copies 
of PHI sent to third parties because certain requests could be made by 
means of the right of access (for electronic copies of PHI in an EHR) 
and other requests would not be within the right of access (for non-
electronic copies or electronic copies not in an EHR), and there is no 
time limit for disclosures requested using an authorization which are 
not required disclosures.
    The Department also considered whether to modify the Privacy Rule 
to require covered entities to disclose PHI for continuity of care or 
medical emergencies within a shorter time than required under the 
access right. Many commenters on the 2018 RFI supported this concept; 
however, commenters also stressed the importance of streamlined and 
simplified requirements for ensuring compliance with any changes to the 
Privacy Rule. In light of this feedback, rather than impose a different 
time requirement for providing access for continuity of care or 
emergencies, the Department proposes at 45 CFR 164.524(b)(2)(ii)(C) to 
require entities to adopt a policy addressing the prioritization of 
access requests, to reduce or avoid the need for an extension of the 
time limit for providing copies of PHI at the direction or with the 
agreement of the individual. The Department understands that many 
covered health care providers already prioritize requests for PHI for 
these purposes. This proposed change would require covered entities 
that do not yet have such a policy to incur the one-time cost of 
developing a new policy and procedures and incorporate them into 
existing HIPAA training content.
    The Department also considered whether to change the access time 
limits overall to a period shorter than the 15 calendar-day proposed 
time and did not
pursue this approach because that is more stringent than many of the 
short time limits contained in state access laws and may overly burden 
covered entities and affected business associates. However, to the 
extent a shorter requirement in which to provide access to individuals 
already exists in state or other laws, the Department is proposing at 
45 CFR 164.524(b)(2)(iii) that said requirement be deemed practicable 
under the Privacy Rule. The Department requests comment on whether a 
time limit shorter than 15 calendar days would be appropriate, and 
welcomes data on the burdens and benefits such a time limit would 
impose or concerns about using other laws as a measure of 
practicability.
Access Fees
    The Department considered retaining the existing access fee 
structure without change. However, the Department believes it can 
address the concerns of some commenters on the 2018 RFI that multiple, 
voluminous access requests to direct copies of PHI to third parties may 
be taking entities' time and resources away from fulfilling access 
requests to provide copies to individuals themselves and requests from 
other covered entities for disclosures for care coordination and case 
management.
    The Department also considered allowing covered entities to charge 
no more than the limited access fee amounts for directing non-
electronic copies of PHI to a third party for any treatment, payment, 
and health care operations purposes, while permitting higher fees for 
directing non-electronic copies of PHI to a third party for any other 
purposes. The Department does not propose this approach because it 
would open the door for covered entities to inquire into individuals' 
purposes in directing their own PHI to third parties. Instead, the 
Department proposes to adopt an approach that decreases the fees for 
access requests to direct electronic copies of PHI in an EHR to third 
parties. However, covered entities could charge higher fees for 
disclosing non-electronic copies of PHI or electronic copies of PHI 
that is not in an EHR, provided the fee does not result in an 
impermissible ``sale'' of PHI under 45 CFR 164.502(a)(5)(ii).
Verification of Identity
    The Department considered modifying the individual right of access 
provision to prohibit burdensome paperwork requirements for individuals 
without also changing the identity verification provisions. However, 
the Department determined that changing both would help covered 
entities and individuals understand how the access and verification 
provisions interact. The Department also considered applying the 
proposed prohibition against unreasonable measures only to identity 
verification related to access requests, which would be more narrowly 
tailored to situations the Department has seen in complaints filed with 
the Department. However, the Department does not see a meaningful 
distinction between the access right and the other individual rights 
under HIPAA that would justify treating them differently with respect 
to verification of identity.
Exceptions to the Minimum Necessary Standard
    The Department considered limiting the new exception to the minimum 
necessary standard to disclosures to and requests by covered health 
care providers for all health care operations purposes. This would have 
relieved the burden on covered health care providers who conduct 
population-based care coordination and case management of needing to 
assess the minimum necessary PHI when exchanging information with other 
covered health care providers. Limiting the exception to health care 
providers also would have addressed the concerns of commenters who 
opposed an exception for disclosures to health plans due to concerns 
that the plans may use the information against patient interests. The 
Department rejected this option, however, because health plans 
collaborate with health care providers, other health plans and other 
entities, including public health agencies, to improve patient health 
through care coordination and case management activities. In response 
to concerns raised about privacy protections, the Department is 
limiting this proposal to disclosures for individual-level activities 
that constitute treatment or health care operations. In addition, 
covered health care providers and health plans would continue to be 
responsible for meeting the minimum necessary requirements that 
currently apply, including when using PHI for treatment and health care 
operations purposes, as applicable. The proposed exception should 
reduce overall compliance burdens for both health plans and health care 
providers.
Disclosures to Third Parties Such as Social Services Agencies, 
Community Based Organizations, and HCBS Providers
    The Department considered proposing to clarify in the definition of 
treatment when a covered health care provider's disclosures to a social 
services agency, community based organization, or HCBS provider are 
considered part of that covered health care provider's treatment 
activities, without adding an express disclosure permission. The 
Department also considered limiting the proposed disclosure permission 
to only covered entity health care providers and excluding health plans 
from the proposed policy. Ultimately, the Department rejected that 
option and proposed a permission for covered health care providers and 
health plans to encourage beneficial information sharing that would 
support care coordination and case management for individuals. As 
described more fully in the preamble above, the Department seeks 
comments on the appropriate recipients of PHI under this proposal, 
activities and purposes for which the PHI should be used or disclosed, 
and the covered entities to which an expanded disclosure permission 
would apply.
``Professional Judgment'' and ``Good Faith''
Replace the Professional Judgment Standard With the Good Faith Standard 
Throughout the Privacy Rule
    The Department considered applying a presumption of good faith to 
all fourteen provisions in the Privacy Rule that allow covered entities 
to use or disclose PHI based on the exercise of professional judgment. 
However, the Department intends this proposed modification to carefully 
expand the ability of covered entities to use or disclose PHI to 
facilitate the involvement of family and caregivers in the treatment 
and recovery of people experiencing the impacts of the opioid crisis, 
serious mental illness, and health emergencies. The Department believes 
the remaining nine provisions would be beyond the scope of this goal.
    The Department further believes there likely could be unintended 
consequences if it replaced the exercise of professional judgment 
standard with a good faith standard across all fourteen provisions, 
including those provisions not rooted in emergency circumstances. For 
example, in the case of disclosures to government agencies pursuant to 
45 CFR 164.512(c), Standard: Disclosures about victims of abuse, 
neglect or domestic violence, the Department believes these provisions 
are well suited to ensuring that the necessary reporting can occur, and 
it does not believe replacing the professional judgment standard would 
change or prevent a course of action related to an individual affected 
by the opioid crisis or other urgent health situations. Covered
entities still would be permitted to exercise professional judgment to 
use or disclose PHI under the nine remaining provisions.
    The Department requests comment on whether the Department should 
apply the good faith standard to any or all of the other nine 
provisions in the Privacy Rule that call upon health care providers to 
exercise professional judgment, identified below.
    * Disaster relief. 45 CFR 164.510(b)(4).
    * Law enforcement--crime victims. 45 CFR 164.512(f)(3).
    * Reviewable grounds for denying individual access to records. 45 
CFR 164.524(a)(3).
        o Safety or endangerment. 45 CFR 164.524(a)(3)(i).
        o References another person. 45 CFR 164.524(a)(3)(ii).
        o Personal representative. 45 CFR 164.524(a)(3)(iii).
    * Victims of abuse, neglect, domestic violence. 45 CFR 
164.512(c)(1)(iii)(A).
        o Informing the individual. 45 CFR 164.512(c)(2)(i).
        o Informing the personal representative. 45 CFR 
164.512(c)(2)(ii).
    * Personal representative suspected of abuse or neglect. 45 CFR 
164.502(g)(5)(ii).
Apply a Presumption of Compliance to All Privacy Rule Provisions 
Referencing Professional Judgment Without Changing the Professional 
Judgment Standard to a Good Faith Standard
    The Department considered proposing to apply a presumption of 
compliance to all existing provisions that permit covered entities to 
make decisions about uses and disclosures of PHI based on the exercise 
of professional judgment, without replacing the standard with a good 
faith standard. However, as noted above, where the Department 
summarizes its proposed application of the good faith standard, the 
Department intends not only to presume compliance with existing 
permissions, but to broaden the circumstances in which covered entities 
will use or disclose PHI in order to help address the needs of 
individuals experiencing opioid use disorder and other similarly 
situated individuals. The exercise of professional judgment generally 
is limited to covered entities who can, for example, draw upon a 
professional license or training and therefore, by definition, limits 
the scope of persons who could use or disclose PHI to aid individuals 
experiencing substance use disorder, SMI, or a health emergency.
Replace the Professional Judgment Standard With a Good Faith Standard 
Only in Specified Provisions of 45 CFR 164.510
    The Department considered replacing the professional judgment 
standard with a good faith standard only in those provisions in 45 CFR 
164.510 that are included in this rulemaking: 45 CFR 164.510(a)(3)(B), 
164.510(b)(2)(iii) and 164.510(b)(3). However, modifying only 45 CFR 
164.510 would encourage the disclosure of information only to family 
members, friends, caregivers, and other involved persons and only in 
the circumstances addressed at 45 CFR 164.510. As previously stated, 
the Department intends through this proposal to carefully broaden the 
permissible uses and disclosures of PHI by covered entities in 
circumstances that relate to the opioid crisis, serious mental illness, 
and health emergencies, to ensure that covered entities are able to 
share information as needed to care for individuals and protect the 
public. Changing only the applicable provisions at 45 CFR 164.510 would 
limit the scope of individuals and circumstances that would benefit 
from this proposed rule.
Define ``Imminent'' in 45 CFR 164.512(j)(1)(A) Instead of Replacing the 
Term With ``Reasonably Foreseeable''
    The Privacy Rule does not define the term ``imminent,'' although 
common understanding of the term conveys that an event will happen 
soon.\332\ The Department considered defining the term to provide 
improved clarity, but believes that defining the term could have the 
unintended consequence of further restricting uses and disclosures 
under this provision. Instead, the Department proposes to create a 
standard based on reasonable foreseeability because the Department 
believes it would provide needed flexibility for covered entities to 
address serious threats to health and safety that are likely to occur. 
The new standard would address serious threats that might only be 
prevented if the covered entity is free of the constraint of having to 
predict the timeframe for a serious threat to occur.
---------------------------------------------------------------------------

    \332\ See Merriam-Webster definition of ``imminent'': Ready to 
take place: Happening soon; often used of something bad or dangerous 
seen as menacingly near, available at https://www.merriam-webster.com/dictionary/imminent.
---------------------------------------------------------------------------

NPP and Acknowledgment of Receipt
    The Department considered requiring the online posting of the NPP 
by all covered entities, including those that do not currently have a 
website. However, the Department believes the burden of creating a 
website solely to post the NPP for those few covered entities without a 
website outweighed the benefits to individuals of such a requirement.
Telecommunications Relay Service
    The Department considered an alternative proposal to categorize TRS 
providers as ``conduits'' because of their temporary access to 
PHI,\333\ and thus deem them not to be business associates. However, 
this alternative would not have addressed the lack of an applicable 
permission to disclose PHI for some necessary communications not 
contemplated under the current Privacy Rule. In addition, TRS 
communications assistants have ``access on a routine basis'' to PHI, 
which is clearly distinguishable from the narrow category of conduits 
with only transient access, which was intended to exclude only those 
entities providing mere courier services such as the U.S. Postal 
Service or United Parcel Service and their electronic equivalents such 
as internet service providers (ISPs) providing mere data transmission 
services.\334\ In addition, the Department considered clarifying that 
the definition of health care operations includes activities for 
purposes of providing accommodations for persons with disabilities; 
however, the Department believes the permission to disclose PHI for 
health care operations would be too narrow to fully address 
circumstances in which a covered entity's workforce member needs to 
disclose PHI to a communications assistant helping another entity's 
workforce member to perform activities of the second entity. Thus, the 
Department believes it is necessary to propose an express permission to 
disclose PHI to TRS communications assistants without a business 
associate agreement.
---------------------------------------------------------------------------

    \333\ See OCR's guidance on conduits, available at https://www.hhs.gov/hipaa/for-professionals/faq/245/are-entities-business-associates/index.html and https://www.hhs.gov/hipaa/for-professionals/special-topics/cloud-computing/index.html#_ftn14.
    \334\ See 78 FR 5566, 5571 (January 25, 2013), available at 
https://www.govinfo.gov/content/pkg/FR-2013-01-25/pdf/2013-01073.pdf.
---------------------------------------------------------------------------

5. Request for Comments on Costs and Benefits
    The Department requests comments on all of the assumptions and 
analyses within the cost-benefits analysis. The Department also 
requests comments on whether there may be other indirect costs and 
benefits resulting from the proposed changes in the proposed rule, and 
welcomes additional information that may help quantify those costs and 
benefits.

[[Page 6526]]

B. Executive Order 13771

    Executive Order 13771 (January 30, 2017) declares that ``it is 
important that for every one new regulation issued, at least two prior 
regulations be identified for elimination,'' and that ``whenever an 
executive department or agency (agency) publicly proposes for notice 
and comment or otherwise promulgates a new regulation, it shall 
identify at least two existing regulations to be repealed.'' The 
Department intends to comply as necessary with Executive Order 13771 at 
the time a final rule is issued.
    The Department believes this proposed rule will be deemed an 
Executive Order 13771 deregulatory action when finalized. The 
Department estimates that this final rule would generate $0.6 billion 
in net annualized savings at a 7% discount rate (discounted relative to 
year 2016, over a perpetual time horizon, in 2016 dollars).

                         EO 13771 Summary Table
      [In millions of 2016 dollars, over an infinite time horizon]
------------------------------------------------------------------------
                                                        Primary estimate
                         Item                                  (7%)
------------------------------------------------------------------------
Present Value of Costs................................    $1,122,453,212
Present Value of Cost Saving..........................     9,209,556,752
Present Value of Net Costs............................    -8,087,103,541
Annualized Costs......................................        78,571,725
Annualized Cost Savings...............................       644,668,973
Annualized Net Costs..................................      -566,097,248
------------------------------------------------------------------------

C. Regulatory Flexibility Act

    The Department has examined the economic implications of this 
proposed rule as required by the Regulatory Flexibility Act (5 U.S.C. 
601-612). If a rule has a significant economic impact on a substantial 
number of small entities, the Regulatory Flexibility Act (RFA) requires 
agencies to analyze regulatory options that would lessen the economic 
effect of the rule on small entities. For purposes of the RFA, small 
entities include small businesses, nonprofit organizations, and small 
governmental jurisdictions. The Act defines ``small entities'' as (1) a 
proprietary firm meeting the size standards of the Small Business 
Administration (SBA), (2) a nonprofit organization that is not dominant 
in its field, and (3) a small government jurisdiction of less than 
50,000 population. Because 90 percent or more of all health care 
providers meet the SBA size standard for a small business or are 
nonprofit organizations, the Department generally treats all health care 
providers as small entities for purposes of performing a regulatory 
flexibility analysis. The SBA size standard for health care providers 
ranges between a maximum of $8 million and $41.5 million in annual 
receipts, depending upon the type of entity.\335\
---------------------------------------------------------------------------

    \335\ See U.S. Small Business Administration, Table of Small 
Business Size Standards (Version 2019), available at https://www.sba.gov/document/support--table-size-standards.
---------------------------------------------------------------------------

    With respect to health insurers, the SBA size standard is a maximum 
of $41.5 million in annual receipts, and for third party administrators 
it is $35 million.\336\ While some insurers are classified as 
nonprofit, it is possible they are dominant in their market. For 
example, a number of Blue Cross/Blue Shield insurers are organized as 
nonprofit entities; yet they dominate the health insurance market in 
the states where they are licensed.
    For the reasons stated below, it is not expected that the cost of 
compliance would be significant for small entities. Nor is it expected 
that the cost of compliance would fall disproportionately on small 
entities. Although many of the covered entities affected by the 
proposed rule are small entities, they would not bear a 
disproportionate cost burden compared to the other entities subject to 
the proposed rule.
    The projected costs and savings are discussed in detail in the 
regulatory impact analysis. The Department does not view this as a 
burden because the result of the changes would be a net average 
estimated cost per covered entity of $150 in year one, followed by an 
average of $1,065 of estimated annual savings thereafter, for an 
average estimated total savings over five years of approximately $4,110 
per covered entity. Thus, this proposed rule would not impose net costs 
on small entities, and the Secretary certifies that this proposed rule 
would not result in a significant negative impact on a substantial 
number of small entities.

D. Unfunded Mandates Reform Act

    Section 202(a) of the Unfunded Mandates Reform Act of 1995 (UMRA) 
requires the Department to prepare a written 
statement, which includes an assessment of anticipated costs and 
benefits, before issuing ``any rule that includes any federal mandate 
that may result in the expenditure by state, local, and tribal 
governments, in the aggregate, or by the private sector, of 
$100,000,000 or more (adjusted annually for inflation) in any one 
year.'' Section 202 of UMRA also requires that agencies assess 
anticipated costs and benefits before issuing any rule whose mandates 
require spending that may result in expenditures in any one year of 
$100 million in 1995 dollars, updated annually for inflation. In 2019, 
that threshold is approximately $154 million. This proposed rule is not 
anticipated to have an effect on state, local, or tribal governments 
alone, in the aggregate, of $154 million or more, adjusted for 
inflation. The Department believes that the proposed rule would impose 
mandates on the private sector that would result in an expenditure of 
$154 million in at least one year. As the estimated costs to private 
entities alone may exceed the $154 million threshold, UMRA requires the 
Department to prepare an analysis of the costs and benefits of the 
rule. The Department has already done so, in accordance with Executive 
Orders 12866 and 13563, and presents this analysis in the preceding 
sections.

E. Executive Order 13132--Federalism

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a proposed rule (and subsequent 
final rule) that imposes substantial direct requirement costs on state 
and local governments, preempts state law, or otherwise has federalism 
implications. The Department does not believe that this rulemaking 
would have any federalism implications.
    The federalism implications of the Privacy and Security Rules were 
assessed as required by Executive Order 13132 and published as part of 
the preambles to the final rules on December 28, 2000 (65 FR 82462, 
82797), February 20, 2003 (68 FR 8334, 8373), and January 25, 2013 (78 
FR 5566, 5686). Regarding preemption, the preamble to the final Privacy 
Rule explains that the HIPAA statute dictates the relationship between 
state law and Privacy Rule requirements, and the Rule's preemption 
provisions do not raise federalism issues. The HITECH Act, at section 
13421(a), provides that the HIPAA preemption provisions shall apply to 
the HITECH Act provisions and requirements.
    The Department anticipates that the most significant direct costs 
on state and local governments would be the cost for state and local 
government-operated covered entities to revise policies and procedures, 
including drafting, printing, and distributing NPPs for individuals 
with first-time health encounters, which would include the cost of 
mailing these notices for state health plans, such as Medicaid. The 
regulatory impact analysis above addresses these costs in detail.

[[Page 6527]]

    In considering the principles in and requirements of Executive 
Order 13132, the Department has determined that these proposed 
modifications to the Privacy Rule would not significantly affect the 
rights, roles, and responsibilities of the states.

F. Assessment of Federal Regulation and Policies on Families

    Section 654 of the Treasury and General Government Appropriations 
Act of 1999 requires federal departments and agencies to determine 
whether a proposed policy or regulation could affect family well-being. 
If the determination is affirmative, then the Department or agency must 
prepare an impact assessment to address criteria specified in the law. 
The Department believes that these regulations would positively impact 
the ability of individuals and families to coordinate treatment and 
payment for health care by increasing access to PHI, particularly for 
families to participate in the care and recovery of their family 
members experiencing SMI, SUD, or health emergencies. These changes 
must necessarily be carried out by the Department through the 
modification of the Privacy Rule. The Department does not anticipate 
negative impacts on family well-being as a result of this regulation.

G. Paperwork Reduction Act of 1995

    Under the Paperwork Reduction Act of 1995 (PRA) (Pub. L. 104-13), 
agencies are required to submit to the Office of Management and Budget 
(OMB) for review and approval any reporting or record-keeping 
requirements inherent in a proposed or final rule, and are required to 
publish such proposed requirements for public comment. The PRA requires 
agencies to provide a 60-day notice in the Federal Register and solicit 
public comment on a proposed collection of information before it is 
submitted to OMB for review and approval. To fairly evaluate whether an 
information collection should be approved by the OMB, section 
3506(c)(2)(A) of the PRA requires that the Department solicit comment 
on the following issues:
    1. Whether the information collection is necessary and useful to 
carry out the proper functions of the agency;
    2. The accuracy of the agency's estimate of the information 
collection burden;
    3. The quality, utility, and clarity of the information to be 
collected; and
    4. Recommendations to minimize the information collection burden on 
the affected public, including automated collection techniques.
    The PRA requires consideration of the time, effort, and financial 
resources necessary to meet the information collection requirements 
referenced in this section. The Department explicitly seeks, and will 
consider, public comment on its assumptions as they relate to the PRA 
requirements summarized in this section. To comment on the collection 
of information or to obtain copies of the supporting statements and any 
related forms for the proposed paperwork collections referenced in this 
section, email your comment or request, including your address and 
phone number, to [email protected], or call the Reports Clearance 
Office at (202) 690-6162. Written comments and recommendations for the 
proposed information collections must be directed to the OS Paperwork 
Clearance Officer at the above email address within 60 days.
    In this NPRM, the Department is revising certain information 
collection requirements and, as such, is revising the information 
collection last prepared in 2019 and previously approved under OMB 
control # 0945-0003. The revised information collection describes all 
new and adjusted information collection requirements for covered 
entities pursuant to the implementing regulation for HIPAA at 45 CFR 
parts 160 and 164, the HIPAA Privacy, Security, Breach Notification, 
and Enforcement Rules.
    The estimated annual burden presented by the proposed regulatory 
modifications in the first year of implementation, including one-time 
and ongoing burdens, is 9,577,626 burden hours at a cost of 
$996,122,087 (including capital costs of $242,398), reduced by first 
year annual cost savings of $880,087,888, for an estimated first year 
net cost of $116,034,199 and $880,087,888 of estimated annual cost 
savings in years two through five, resulting in annual net cost savings 
of $824,604,205. The overall total burden for respondents to comply 
with the information collection requirements of all of the HIPAA 
Privacy, Security, and Breach Notification Rules, including one-time 
and ongoing burdens presented by proposed program changes, is 
952,089,673 burden hours at a cost of $93,937,597,924, plus 
$118,269,943 in capital costs for a total estimated annual burden of 
$94,055,867,867 in the first year following the effective date of the 
final rule, assuming all changes are adopted as proposed. Details 
describing the burden analysis for the proposals associated with this 
NPRM are presented below.
1. Explanation of Estimated Annualized Burden Hours
    Due to the number of proposed changes to the Privacy Rule that 
would affect the information collection, the Department presents in 
separate tables, in Section V.G.2 below, the collections that reflect 
estimates to existing burdens, new and previously unquantified ongoing 
burdens, and new one-time burdens. Below is a summary of the 
significant program changes and adjustments made since the 2019 
information collection. These program changes and adjustments form the 
bases for the burden estimates presented in the tables that follow:
Adjusted Estimated Annual Burdens of Compliance
    (1) Increasing the number of covered entities from 700,000 to 
774,331 based on program change;
    (2) Increasing the number of access requests under 45 CFR 164.524 
from 200,000 to 2,460,000 annually based on program change;
    (3) Increasing the estimated burden hours for responding to access 
requests under 45 CFR 164.524 from 3 to 5 minutes per request due to 
program change and allocating 1 minute as uncompensated;
    (4) Increasing the burden hours by a factor of two for responding 
to individuals' requests for restrictions on disclosures of their 
protected health information under 45 CFR 164.522 due to program 
change;
    (5) Newly estimating the burdens resulting from the pre-existing, 
ongoing requirement for covered entities to make minimum necessary 
evaluations under 45 CFR 164.514 before using or disclosing protected 
health information for payment and health care operations purposes (and 
for using protected health information for treatment) in the amount of 
18 hours annually per covered entity, and decreasing the annual minimum 
necessary burden by 4 hours per covered entity due to program 
change, resulting in a total ongoing annual burden of 14 hours per 
covered entity;
    (6) Recognizing for the first time burdens associated with 
providing electronic copies of PHI to third parties designated by 
individuals under 45 CFR 164.524 in the amount of 2 minutes per request 
for 25 percent of 615,000 such requests received annually;
    (7) Recognizing for the first time burdens associated with 
providing electronic copies of PHI to health plans and health care 
providers as third parties designated by individuals under 45 CFR 
164.524 in the amount of 4 minutes per request for 25 percent of 
615,000 such requests received annually; and

[[Page 6528]]

    (8) Decreasing the estimated burden for disseminating the Notice of 
Privacy Practices and obtaining an acknowledgement of receipt under 45 
CFR 164.520, from 3 minutes to 1 minute and 15 seconds due to program 
change.
New Burdens Resulting From Program Changes
    In addition to these changes, the Department added new burdens as a 
result of program changes:
    (1) An annualized burden of 10 minutes per covered entity for 
posting an updated Notice of Privacy Practices due to program changes;
    (2) An annualized burden of 3.5 minutes per request for submitting 
an access request for an individual to another provider for an 
estimated 92,250 annual requests;
    (3) An annualized 10-minute burden per covered entity for posting 
an access and authorization fee schedule online under 45 CFR 164.525;
    (4) An annualized 7-minute burden for each of an estimated 
6,130,000 annual requests from individuals to discuss their direct 
treating health care provider's Notice of Privacy Practices under 45 
CFR 164.520;
    (5) An annualized three-minute burden for each of an estimated 
73,800 annual requests from individuals for an individualized estimate 
of the fees to provide copies of requested protected health information 
under 45 CFR 164.525;
    (6) An annualized one-minute burden for each of an estimated 24,600 
annual requests from individuals for an itemized list of charges for 
their requested copies of protected health information under 45 CFR 
164.525;
    (7) A one-time burden of 6 hours and 55 minutes for each covered 
entity to update its policies and procedures under 45 CFR 164.530 due 
to program changes; and
    (8) A one-time burden of 4 hours and 40 minutes for each covered 
entity to update the content of its HIPAA training program under 45 CFR 
164.530 and a related one-time burden of 7 additional minutes of 
workforce member time spent in training on 45 CFR 164.524 per covered 
entity.
2. Tables Demonstrating Estimated Burden Hours

           Ongoing Annual Burdens of Compliance With the Rules

----------------------------------------------------------------------------------------------------------------
                                                    Number of                     Average burden
   Section         Type of         Number of      responses per       Total         hours per      Total burden
                  respondent      respondents      respondent       responses        response          hours
----------------------------------------------------------------------------------------------------------------
160.204......  Process for      1..............               1               1  \a\ 16.........              16
                Requesting
                Exception
                Determinations
                -states or
                persons.
164.308......  Contingency      1,774,331......               1       1,774,331  8..............      14,194,648
                Plan--Testing
                and Revision.
164.308......  Contingency      1,774,331......               1       1,774,331  4..............       7,097,324
                Plan--
                Criticality
                Analysis.
164.310......  Maintenance      1,774,331......              12      21,291,972  6..............     127,751,832
                Records.
164.314......  Security         1,000,000......              12      12,000,000  20.............     240,000,000
                Incidents--
                Business
                Associate
                reporting of
                non-breach
                incidents to
                Covered
                Entities.
164.316......  Risk Analysis--  \b\ 1,774,331..               1       1,774,331  \c\ 10.........      17,743,310
                Documentation,
                164.308.
164.316......  Information      1,774,331......              12      21,291,972  .75............      15,968,979
                System
                Activity
                Review--
                Documentation,
                164.308.
164.316......  Security         1,774,331......              12      21,291,972  1..............      21,291,972
                Reminders--
                Periodic
                Updates,
                164.308.
164.316......  Security         1,774,331......              52      92,265,212  5..............     461,326,060
                Incidents--
                Other than
                breaches--
                Documentation,
                164.308.
164.316......  Documentation--  1,774,331......               1       1,774,331  6..............      10,645,986
                Review and
                Update,
                164.306.
164.404......  Individual       \d\ 58,482.....               1          58,482  .5.............          29,241
                Notice--
                Written and
                E-mail
                Notice--
                Drafting.
164.404......  Individual       58,482.........               1          58,482  .5.............          29,241
                Notice--
                Written and
                E-mail
                Notice--
                Preparing and
                documenting
                notification.
164.404......  Individual       58,482.........       \e\ 1,941     113,513,562  .008...........         908,108
                Notice--
                Written and
                E-mail
                Notice--
                Processing and
                sending.
164.404......  Individual       \f\ 2,746......               1           2,746  1..............           2,746
                Notice--
                Substitute
                Notice--
                Posting or
                publishing.
164.404......  Individual       2,746..........               1           2,746  \g\ 3.42.......           9,391
                Notice--
                Substitute
                Notice--
                Staffing toll-
                free number.
164.404......  Individual       \h\ 113,264....               1         113,264  \i\ .125.......          14,158
                Notice--
                Substitute
                Notice--
                Individuals'
                voluntary
                burden to call
                toll-free
                number for
                information.
164.406......  Media Notice...  \j\ 267........               1             267  1.25...........             334
164.408......  Notice to        267............               1             267  1.25...........             334
                Secretary--
                Notice for
                breaches
                affecting 500
                or more
                individuals.
164.408......  Notice to        \k\ 58,215.....               1          58,215  1..............          58,215
                Secretary--
                Notice for
                breaches
                affecting
                fewer than 500
                individuals.
164.410......  Business         20.............               1              20  50.............           1,000
                Associate
                notice to
                Covered
                Entity--500 or
                more
                individuals
                affected.
164.410......  Business         1,165..........               1           1,165  8..............           9,320
                Associate
                notice to
                Covered
                Entity--Less
                than 500
                individuals
                affected.
164.414......  500 or More      267............               1             267  50.............          13,350
                Affected
                Individuals--
                Investigating
                and
                documenting
                breach.
164.414......  Less than 500    2,479 (breaches               1           2,479  8..............          19,832
                Affected         affecting 10-
                Individuals--    499
                Investigating    individuals).
                and
                documenting
                breach.
                                55,736                        1          55,736  4..............         222,944
                                 (breaches
                                 affecting <10
                                 individuals).
164.504......  Uses and         774,331........               1         774,331  0.083333333....          64,528
                Disclosures--
                Organizational
                Requirements.
164.508......  Uses and         774,331........               1         774,331  1..............         774,331
                Disclosures
                for Which
                Individual
                Authorization
                is Required.
164.512......  Uses and         \l\ 113,524....               1         113,524  0.08333333.....           9,460
                Disclosures
                for Research
                Purposes.
164.520......  Notice of        \m\ 100,000,000               1     100,000,000  0.00416666 [1           416,667
                Privacy                                                           hour per 240
                Practices for                                                     notices].
                Protected
                Health
                Information--
                Health plans--
                Periodic
                distribution
                of NPPs by
                paper mail.
164.520......  Notice of        100,000,000....               1     100,000,000  0.00278333 [1           278,333
                Privacy                                                           hour per 360
                Practices for                                                     notices].
                Protected
                Health
                Information--
                Health plans--
                Periodic
                distribution
                of NPPs by
                electronic
                mail.
164.520......  Notice of        \n\ 613,000,000               1     613,000,000  \o\ 0.02083333.      12,770,833
                Privacy
                Practices for
                Protected
                Health
                Information--
                Health care
                providers--
                Dissemination.
164.522......  Rights to        \p\ 40,000.....               1          40,000  0.05...........           2,000
                Request
                Privacy
                Protection for
                Protected
                Health
                Information.
164.524......  Access of        \q\ 1,230,000..               1       1,230,000  \r\ 0.01666667.          20,500
                Individuals to
                Protected
                Health
                Information--
                Copies of PHI.
164.526......  Amendment of     150,000........               1         150,000  0.08333333.....          12,500
                Protected
                Health
                Information--
                Requests.
164.526......  Amendment of     50,000.........               1          50,000  0.08333333.....           4,167
                Protected
                Health
                Information--
                Denials.
164.528......  Accounting for   \s\ 5,000......               1           5,000  0.05...........             250
                Disclosures of
                Protected
                Health
                Information.
                               ---------------------------------------------------------------------------------
    Total....                                                                                        931,691,910
----------------------------------------------------------------------------------------------------------------


       New or Previously Unquantified Ongoing Burdens of Compliance, Annualized
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                Number of         Total        Average burden hours per    Total burden
           Section             Type of respondent    Number of  respondents   responses per     responses              response                hours
                                                                               respondent
--------------------------------------------------------------------------------------------------------------------------------------------------------
164.514....................  Minimum necessary       774,331...............               1         774,331  \t\ 14.....................  \u\ 10,840,634
                              evaluations for
                              treatment, payment,
                              and health care
                              operations--Uses and
                              disclosures.
164.520....................  Notice of Privacy       6,130,000.............               1   \v\ 6,130,000  0.1166667..................         715,167
                              Practices for
                              Protected Health
                              Information--Right to
                              discuss privacy
                              practices.
164.524....................  Access of Individuals   92,250................               1      \w\ 92,250  \x\ .0583333...............           5,381
                              to Protected Health
                              Information--Provider
                              submitting
                              individual's access
                              request to another
                              provider or plan.
164.524....................  Access of Individuals   \y\ 153,750...........               1         153,750  0.0666666..................          10,250
                              to Protected Health
                              Information--
                              Directing copies of
                              ePHI to health plans
                              and providers.
164.524....................  Access of Individuals   \z\ 153,750...........               1         153,750  0.0333333..................           5,125
                              to Protected Health
                              Information--
                              Directing copies of
                              ePHI to third parties
                              other than health
                              plans and providers.
164.525....................  Notice of Access and    73,800................               1     \aa\ 73,800  0.05.......................           3,690
                              Authorization Fees--
                              Individualized
                              estimates.
164.525....................  Notice of Access and    \bb\ 24,600...........               1          24,600  0.0166667..................             410
                              Authorization Fees--
                              Itemized list of
                              charges for copies.
                                                    ----------------------------------------------------------------------------------------------------
    Total..................                                                                                                                   11,580,657
--------------------------------------------------------------------------------------------------------------------------------------------------------
\a\ The figures in this column are averages based on a range. Small entities may require fewer hours to conduct certain compliance activities,
  particularly with respect to Security Rule requirements, while large entities may spend more hours than those provided here due to their size and
  complexity.
\b\ This estimate includes 774,331 estimated covered entities and 1 million estimated business associates. The Omnibus HIPAA Final Rule burden analysis
  estimated that there were 1-2 million business associates. However, because many business associates have business associate relationships with
  multiple covered entities, the Department believes the lower end of this range is more accurate.
\c\ The figures in this column are averages based on a range. Small entities may require fewer hours to conduct certain compliance activities,
  particularly with respect to Security Rule requirements, while large entities may spend more hours than those provided here due to their size and
  complexity.
\d\ Total number of breach reports submitted to OCR in 2015. Breaches reported to OCR in 2015 affected more individuals than have been affected by
  breaches reported in each subsequent year; therefore, the Department bases its burden estimates on 2015 data to ensure that it fully accounts for the
  annual burdens of the Breach Notification Rule.
\e\ Average number of individuals affected per breach incident reported in 2015.
\f\ This number includes all 267 large breaches and all 2,479 breaches affecting 10-499 individuals that were reported to OCR in 2015. As the Department
  stated in the preamble to the Omnibus HIPAA Final Rule, although some breaches involving fewer than 10 individuals may require substitute notice, it
  believes the costs of providing such notice through alternative written means or by telephone is negligible.
\g\ This assumes that 10% of the sum of (a) all individuals affected by large breaches in 2015 (113,250,136) and (b) 5% of individuals affected by small
  breaches (0.05 x 285,413 = 14,271) will require substitute notification. Thus, the Department calculates 0.10 x (113,250,136 + 14,271) = 11,326,441
  affected individuals requiring substitute notification for an average of 4,125 affected individuals per such breach. The Department assumes that 1% of
  the affected individuals per breach requiring substitute notice annually will follow up with a telephone call, resulting in 41.25 individuals per
  breach calling the toll-free number. The Department assumes that call center staff will spend 5 minutes per call, with an average of 41 affected
  individuals per breach requiring substitute notice, resulting in 3.42 hours per breach spent answering calls from affected individuals.
\h\ As noted in the previous footnote, this number equals 1% of the affected individuals who require substitute notification (0.01 x 11,326,441).
\i\ This number includes 7.5 minutes for each individual who calls with an average of 2.5 minutes to wait on the line/decide to call back and 5 minutes
  for the call itself.
\j\ The total number of breaches affecting 500 or more individuals for which OCR received reports in 2015.
\k\ The total number of breaches affecting fewer than 500 individuals for which OCR received reports in 2015.
\l\ The number of entities who use and disclose PHI for research purposes.
\m\ As in the Department's previous submission, it assumes that half of the approximately 200,000,000 individuals insured by covered health plans will
  receive the plan's NPP by paper mail, and half will receive the NPP by electronic mail.
\n\ The Department estimates that each year covered health care providers will have first-time visits with 613 million individuals, to whom the
  providers must give an NPP.
\o\ This represents 1 minute and 15 seconds (75/3,600 of an hour) to disseminate the NPP and eliminates the 1 minute and 45 seconds previously allocated
  for obtaining the signed patient acknowledgement.
\p\ The Department doubled the estimated number of requests for confidential communications or restrictions on disclosures per year due to the combined
  effect of changes to the minimum necessary standard and the information blocking provisions of the ONC Cures Act Final Rule.
\q\ The Department has increased its estimate of the number of requests from individuals for copies of their PHI that covered entities annually provide
  to them directly to 1,230,000.
\r\ This represents an estimated average of 1 minute per request which is not chargeable as a fee to the individual.
\s\ The Department estimates that covered entities annually fulfill 5,000 requests from individuals for an accounting of disclosures of their PHI.
\t\ The figures in this column are averages based on a range. Small entities may require fewer hours to conduct certain compliance activities,
  particularly with respect to Security Rule requirements, while large entities may spend more hours than those provided here due to their size and
  complexity.
\u\ This represents a previously unacknowledged annual burden of 18 hours per covered entity for making minimum necessary evaluations for purposes of
  treatment, payment, and health care operations uses and disclosures, reduced by an estimated 4 burden hours annually per covered entity (or 3,097,324
  total) as a result of the proposed changes to the minimum necessary standard combined with proposed changes to the definition of health care
  operations.
\v\ 1% of an estimated 613 million new patient encounters annually.
\w\ 15% of 615,000 annual access requests to direct electronic copies of ePHI to health plans and providers as third parties under the right of access.
\x\ This represents 3.5 minutes for a medical assistant to obtain the needed information and submit it for the individual.
\y\ This represents one-fourth of the estimated 615,000 annual requests under the right of access for copies of ePHI directed to health plans and health
  care providers as third parties and reflects only the labor burden for such requests for ePHI to be sent via other than an internet-based method
  (e.g., on electronic media and mailed to the recipient).
\z\ This represents one-fourth of the estimated 615,000 annual requests for copies of ePHI directed to third parties and reflects only the uncompensated
  labor burden for requests for ePHI to be sent via other than an internet-based method (e.g., on electronic media and mailed to the recipient).
\aa\ 3% of an estimated 2.46 million annual access requests for copies of PHI.
\bb\ 1% of an estimated 2.46 million annual access requests for copies of PHI.


                                                           New One-time Burdens of Compliance
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                           Number of
         Section                Type of respondent         Number of     responses per       Total          Average burden hours per       Total burden
                                                          respondents     respondent       responses                response                   hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
164.520..................  Notice of Privacy Practices         774,331               1         774,331  \a\ 0.16666667..................         129,055
                            for Protected Health
                            Information--Post updated
                            notice online.
164.525..................  Notice of Fees for Copies           774,331               1         774,331  0.16666667......................         129,055
                            of PHI--Post fee schedule
                            online.
164.530..................  Administrative                      774,331               1         774,331  1...............................         774,331
                            Requirements--Training
                            Minimum necessary, 164.514.
164.530..................  Administrative                      774,331               1         774,331  2.5.............................       1,935,828
                            Requirements--Training--
                            Right of access, 164.524,
                            and fee estimates,
                            164.525--Updated training
                            content.
164.530..................  Administrative                      774,331               1         774,331  0.116666667.....................          90,339
                            Requirements--Training--
                            Access--Workforce member
                            time in training, 164.524.
164.530..................  Administrative                      768,169               1         768,169  0.6666667.......................         512,113
                            Requirements--Training--
                            Disclosing PHI under
                            164.510; uses and
                            disclosures to prevent
                            harm, 164.512.
164.530..................  Administrative                      774,331               1         774,331  0.25............................         193,583
                            Requirements--Training--
                            Disclosures for Uniformed
                            Services, & disclosures to
                            Telecommunications Relay
                            Services for treatment,
                            payment and health care
                            operations, 164.512.
164.530..................  Administrative                      774,331               1         774,331  0.0833333.......................          64,528
                            Requirements--Training--
                            Notice of privacy practices,
                            changes in content & right
                            to discuss privacy
                            practices, 164.520.
164.530..................  Administrative                   \b\ 38,717               1          38,717  0.1666667.......................           6,453
                            Requirements--Training--
                            Verification of identity,
                            164.514.
164.530..................  Administrative                      774,331               1         774,331  1.25............................         967,914
                            Requirements--Policies &
                            Procedures--Individual
                            care coordination and case
                            management, 164.501 &
                            164.502, minimum
                            necessary, 164.514, and
                            social services agencies
                            for care coordination,
                            164.506.
164.530..................  Administrative                      774,331               1         774,331  3...............................       2,322,993
                            Requirements--Policies &
                            Procedures--Right of
                            access, 164.524, & fee
                            estimates, 164.525.
164.530..................  Administrative                  \c\ 768,169               1         768,169  1...............................         768,169
                            Requirements--Policies &
                            Procedures--Disclosing PHI
                            under 164.510; uses and
                            disclosures to prevent
                            harm, 164.512(j).
164.530..................  Administrative                      774,331               1         774,331  1...............................         774,331
                            Requirements--Policies &
                            Procedures--Revising the
                            Notice of Privacy
                            Practices, 164.520.
164.530..................  Administrative                      774,331               1         774,331  \d\ 0.16666667..................         129,055
                            Requirements--Policies &
                            Procedures--Disclosures
                            for Uniformed Services &
                            Telecommunications Relay
                            Services, 164.512.
164.530..................  Administrative                   \e\ 38,717               1          38,717  0.5.............................          19,358
                            Requirements--Policies &
                            Procedures--Identity
                            verification changes,
                            164.514.
                                                       -------------------------------------------------------------------------------------------------
    Total................  ...........................  ..............  ..............      10,131,413  ................................   \f\ 8,817,103
--------------------------------------------------------------------------------------------------------------------------------------------------------
\a\ The figures in this column are averages based on a range. Small entities may require fewer hours to conduct certain compliance activities,
  particularly with respect to Security Rule requirements, while large entities may spend more hours than those provided here due to their size and
  complexity.
\b\ This represents 5% of all covered entities.
\c\ This represents all health care providers.
\d\ This equates to 10 minutes.
\e\ This represents 5 percent of all covered entities.
\f\ Total may not add up due to rounding.

List of Subjects

45 CFR Part 160

    Administrative practice and procedure, Computer technology, 
Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health professions, Health records, Hospitals, Investigations, 
Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and 
record keeping requirements, Security.

45 CFR Part 164

    Administrative practice and procedure, Computer technology, Drug 
abuse, Electronic information system, Electronic transactions, Employer 
benefit plan, Health, Health care, Health facilities, Health insurance, 
Health professions, Health records, Hospitals, Medicaid, Medical 
research, Medicare, Privacy, Reporting and record keeping requirements, 
Security.

Proposed Rule

    For the reasons stated in the preamble, the Department of Health 
and Human Services proposes to amend 45 CFR Subtitle A, Subchapter C, 
Parts 160 and 164 as set forth below:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

■ 1. The authority citation for part 160 is revised to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); 5 
U.S.C. 552; secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279 (42 
U.S.C. 17921, 17931-17954); and sec. 1104 of Pub. L. 111-148, 124 
Stat. 146-154.

■ 2. Amend Sec.  160.103, by adding new paragraph (4)(v) to the 
definition of ``Business associate'' to read as follows:


Sec.  160.103  Definitions

* * * * *
    Business associate * * *
    (4) * * *
    (v) A provider of Telecommunications Relay Service, as defined in 
47 U.S.C. 225(a)(3), with respect to enabling communications through 
services regulated under 47 CFR part 64.
* * * * *

PART 164--SECURITY AND PRIVACY

■ 3. The authority citation for part 164 is revised to read as follows:

    Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d-1320d-9; sec. 264, 
Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2 (note)); and 
secs. 13400-13424, Pub. L. 111-5, 123 Stat. 258-279 (42 U.S.C. 
17921, 17931-17954).

■ 4. Amend Sec.  164.501 by:
■ a. Adding in alphabetical order a definition for ``Electronic health 
record'';
■ b. Revising paragraph (1) of the definition of ``Health care 
operations''; and
■ c. Adding in alphabetical order a definition for ``Personal health 
application''.
    The additions and revision read as follows:


Sec.  164.501  Definitions.

* * * * *
    Electronic health record means an electronic record of health-
related information on an individual that is created, gathered, 
managed, and consulted by authorized health care clinicians and their 
staff. Such clinicians shall include, but are not limited to, health 
care providers that have direct treatment relationships with 
individuals as defined at Sec.  164.501, such as physicians, nurses, 
pharmacists, and other allied health professionals. For purposes of 
this paragraph, ``health-related information on an individual'' covers 
the same scope of information as the term individually identifiable 
health information as defined at Sec.  160.103.
* * * * *
    Health care operations * * *
    (1) Conducting quality assessment and improvement activities, 
including outcomes evaluation and development of clinical guidelines, 
provided that the obtaining of generalizable knowledge is not the 
primary purpose of any studies resulting from such activities; patient 
safety activities (as defined in 42 CFR 3.20); population-based 
activities relating to improving health or reducing health care costs; 
protocol development; case management and care coordination; contacting 
of health care providers and
patients with information about treatment alternatives; and related 
functions that do not include treatment.
* * * * *
    Personal health application means an electronic application used by 
an individual to access health information about that individual, which 
can be drawn from multiple sources, provided that such information is 
managed, shared, and controlled by or primarily for the individual, and 
not by or primarily for a covered entity or another party such as the 
application developer.
* * * * *
■ 5. Amend Sec.  164.502 by:
■ a. Revising paragraphs (a)(4)(ii) and (a)(5)(ii)(B)(2)(vi);
■ b. Revising paragraph (b)(2)(i);
■ c. Adding paragraph (b)(2)(vii);
■ d. Revising paragraph (g)(3)(ii)(C); and
■ e. Adding new paragraph (k).
    The revisions and additions read as follows:


Sec.  164.502  Uses and disclosures of protected health information: 
General Rules.

    (a) * * *
    (4) * * *
    (ii) To the covered entity or, when specified in the business 
associate agreement, to the individual or the individual's designee, as 
necessary to satisfy a covered entity's obligations with respect to 
Sec. Sec.  164.524(c)(2)(ii) or 164.524(d)(1).
    (5) * * *
    (ii) * * *
    (B) * * *
    (2) * * *
    (vi) To an individual, or a third party designated by the 
individual, when requested under Sec. Sec.  164.524 or 164.528.
* * * * *
    (b) * * *
    (2) * * *
    (i) Disclosures to or requests by a health care provider for 
treatment, including for care coordination and case management 
activities with respect to an individual;
* * * * *
    (vii) Disclosures to or requests by a health plan for care 
coordination and case management activities with respect to an 
individual.
* * * * *
    (g) * * *
    (3) * * *
    (ii) * * *
    (C) Where the parent, guardian, or other person acting in loco 
parentis, is not the personal representative under paragraphs 
(g)(3)(i)(A), (B), or (C) of this section and where there is no 
applicable access provision under state or other law, including case 
law, a covered entity may provide access under Sec.  164.524 to a 
parent, guardian, or other person acting in loco parentis, if such 
action is consistent with state or other applicable law, provided that 
such decision must be made by a licensed health care professional, 
based on a good faith belief that providing access is in the best 
interests of the individual.
* * * * *
    (k) Standard: Good Faith--Presumption of Compliance. When using or 
disclosing protected health information as provided in Sec. Sec.  
164.502(g)(3)(ii)(C); 164.510(a)(3)(i)(B); 164.510(b)(2)(iii); 
164.510(b)(3); and 164.514(h)(2)(iv), a covered entity is presumed to 
have complied with the good faith requirement, absent evidence that the 
covered entity acted in bad faith.
* * * * *
■ 6. Amend Sec.  164.506, by adding new paragraph (c)(6) to read as 
follows:


Sec.  164.506  Uses and disclosures to carry out treatment, payment, or 
health care operations.

* * * * *
    (c) * * *
    (6) A covered entity may disclose an individual's protected health 
information to a social services agency, community-based organization, 
home and community based services provider, or similar third party that 
provides health or human services to specific individuals for 
individual-level care coordination and case management activities 
(whether such activities constitute treatment or health care operations 
as those terms are defined in Sec.  164.501) with respect to that 
individual.
* * * * *
■ 7. Amend Sec.  164.510 by revising paragraphs (a)(3)(i)(B), 
(b)(2)(iii), and (b)(3) to read as follows:


Sec.  164.510  Uses and disclosures requiring an opportunity for the 
individual to agree or to object.

* * * * *
    (a) * * *
    (3) * * *
    (i) * * *
    (B) In the individual's best interests based on a good faith belief 
of the covered health care provider.
* * * * *
    (b) * * *
    (2) * * *
    (iii) Reasonably infers from the circumstances, based on a good 
faith belief, that the individual does not object to the disclosure.
    (3) Limited uses and disclosures when the individual is not 
present. If the individual is not present, or the opportunity to agree 
or object to the use or disclosure cannot practicably be provided 
because of the individual's incapacity or an emergency circumstance, 
the covered entity may, based on a good faith belief that the 
disclosure is in the best interests of the individual, disclose only 
the protected health information that is directly relevant to the 
person's involvement with the individual's care or payment related to 
the individual's health care or that is needed for notification 
purposes. A covered entity may make reasonable inferences of the 
individual's best interests in allowing a person to act on behalf of 
the individual to pick up filled prescriptions, medical supplies, X-
rays, or other similar forms of protected health information.
* * * * *
■ 8. Amend Sec.  164.512 by:
■ a. Revising paragraph (j)(1)(i)(A);
■ b. Adding paragraphs (j)(5) through (6);
■ c. Revising the heading for paragraph (k)(1);
■ d. Revising paragraphs (k)(1)(i) introductory text, (k)(1)(i)(A), and 
(k)(1)(ii); and
■ e. Adding paragraph (m).
    The revisions and additions read as follows:


Sec.  164.512  Uses and disclosures for which an authorization or 
opportunity to agree or object is not required.

* * * * *
    (j) * * *
    (1) * * *
    (i) (A) Is necessary to prevent a serious and reasonably 
foreseeable harm, or lessen a serious and reasonably foreseeable 
threat, to the health or safety of a person or the public; and
* * * * *
    (5) ``Reasonably foreseeable'' means that an ordinary person could 
conclude that a threat to health or safety exists and that harm to 
health or safety is reasonably likely to occur if a use or disclosure 
is not made, based on facts and circumstances known at the time of the 
disclosure.
    (6) When a covered health care provider (or a member of the 
workforce of the covered health care provider) that has specialized 
training, expertise, or experience in assessing an individual's risk to 
health or safety--such as a licensed mental or behavioral health 
professional--determines that it is appropriate to use or disclose 
protected health information under paragraph (j)(1)(i)(A) of this 
section, such determination will be entitled to heightened deference if 
the determination is related to facts and circumstances about which the 
covered
entity (or a member of its workforce) has such training, expertise, or 
experience.
* * * * *
    (k) * * *
    (1) Uniformed Services and veterans activities--
    (i) Uniformed Services personnel. A covered entity may use and 
disclose the protected health information of individuals who are 
Uniformed Services personnel for activities deemed necessary by 
appropriate Uniformed Services command authorities to assure the proper 
execution of the Uniformed Services mission, if the appropriate 
Uniformed Services authority has published by notice in the Federal 
Register the following information:
    (A) Appropriate Uniformed Services command authorities; and
* * * * *
    (ii) Separation or discharge from Uniformed Service. A covered 
entity that is a component of the Departments of Defense, Homeland 
Security, Commerce, or Health and Human Services may disclose to the 
Department of Veterans Affairs (DVA) the protected health information 
of an individual who is a member of the Uniformed Services upon the 
separation or discharge of the individual from Uniformed Service for 
the purpose of a determination by DVA of the individual's eligibility 
for or entitlement to benefits under laws administered by the Secretary 
of Veterans Affairs.
* * * * *
    (m) Standard: Disclosures to Telecommunications Relay Service. A 
covered entity may disclose protected health information to a 
Telecommunications Relay Service Communications Assistant, as defined 
at 47 CFR 64.601(a)(10), as necessary to conduct covered functions.
* * * * *
■ 9. Amend Sec.  164.514 by:
■ a. Revising paragraph (h)(2)(iv); and
■ b. Adding paragraph (h)(2)(v).
    The revision and addition read as follows:


Sec.  164.514  Other requirements related to uses and disclosures of 
protected health information.

* * * * *
    (h) * * *
    (2) * * *
    (iv) Exercise of good faith. The verification requirements of this 
paragraph are met if the covered entity acts on a good faith belief in 
making a use or disclosure in accordance with Sec.  164.510 or making a 
disclosure in accordance with Sec.  164.512(j).
    (v) Exercise of individual rights. A covered entity may not impose 
unreasonable verification measures on an individual that would impede 
the individual from exercising a right under this part. An unreasonable 
measure is one that causes an individual to expend unnecessary effort 
or resources when a less burdensome verification measure is practicable 
for the covered entity. Practicability considerations include a covered 
entity's technical capabilities, its obligations to protect the privacy 
of protected health information under Sec.  164.530(c), the security of 
electronic protected health information under Sec.  164.306, and the 
costs of implementing measures that are more convenient for 
individuals. Examples of unreasonable measures include requiring an 
individual to provide proof of identity in person when a method for 
remote verification is practicable for the covered entity and more 
convenient for the individual, or requiring an individual to obtain 
notarization of the individual's signature on a written request to 
exercise the individual right.
■ 10. Amend Sec.  164.520 by:
■ a. Revising paragraphs (b)(1)(i) and (b)(1)(iv)(C);
■ b. Adding new paragraph (b)(1)(iv)(G);
■ c. Revising paragraph (b)(1)(vii);
■ d. Adding new paragraph (b)(2)(iii);
■ e. Removing paragraph (c)(2)(ii);
■ f. Redesignating paragraphs (c)(2)(iii) and (iv) as paragraphs 
(c)(2)(ii) and (iii);
■ g. Revising paragraph (c)(3)(iii); and
■ h. Revising paragraph (e).
    The revisions and additions read as follows:


Sec.  164.520  Notice of privacy practices for protected health 
information.

* * * * *
    (b) * * *
    (1) * * *
    (i) Header. The notice must contain the following statement as a 
header or otherwise prominently displayed:

NOTICE OF PRIVACY PRACTICES OF [NAME OF COVERED ENTITY, AFFILIATED 
COVERED ENTITIES, OR ORGANIZED HEALTH CARE ARRANGEMENT, AS APPLICABLE]
    THIS NOTICE DESCRIBES:
     HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND 
DISCLOSED
     YOUR RIGHTS WITH RESPECT TO YOUR MEDICAL INFORMATION
     HOW TO EXERCISE YOUR RIGHT TO GET COPIES OF YOUR RECORDS 
AT LIMITED COST OR, IN SOME CASES, FREE OF CHARGE
     HOW TO FILE A COMPLAINT CONCERNING A VIOLATION OF THE 
PRIVACY, OR SECURITY OF YOUR MEDICAL INFORMATION, OR OF YOUR RIGHTS 
CONCERNING YOUR INFORMATION, INCLUDING YOUR RIGHT TO INSPECT OR GET 
COPIES OF YOUR RECORDS UNDER HIPAA.

YOU HAVE A RIGHT TO A COPY OF THIS NOTICE (IN PAPER OR ELECTRONIC FORM) 
AND TO DISCUSS IT WITH [ENTER NAME OR TITLE] AT [PHONE AND EMAIL] IF YOU 
HAVE ANY QUESTIONS.
* * * * *
    (iv) * * *
    (C) The right of access to inspect and obtain a copy of protected 
health information at limited cost or, in some cases, free of charge; 
and the right to direct a covered health care provider to transmit an 
electronic copy of protected health information in an electronic health 
record to a third party, as provided by Sec.  164.524;
* * * * *
    (G) The right to discuss the notice with a designated contact 
person identified by the covered entity pursuant to Sec.  
164.520(b)(1)(vii);
* * * * *
    (vii) Contact. The notice must contain the name or title and 
telephone number and email for a designated person who is available to 
provide further information and answer questions about the covered 
entity's privacy practices, as required by Sec.  164.530(a)(1)(ii).
* * * * *
    (2) * * *
    (iii) A covered entity may provide in its notice information about 
how an individual who seeks to direct protected health information to a 
third party, when the protected health information is not in an 
electronic health record and/or is in a non-electronic format, can 
instead obtain a copy of protected health information directly under 
Sec.  164.524 and send the copy to the third party themselves, or 
request the covered entity to send a copy of protected health 
information to a third party using a valid authorization under Sec.  
164.508.
* * * * *
    (c) * * *
    (2) * * *
    (ii) If the covered health care provider maintains a physical 
service delivery site:
* * * * *
    (3) * * *
    (iii) For purposes of paragraph (c)(2)(i) of this section, if the 
first service delivery to an individual is delivered electronically, 
the covered health care provider must provide electronic notice 
automatically and contemporaneously in response to the individual's 
first request for service.
* * * * *
    (e) Implementation specifications: Documentation. A covered entity 
must
document compliance with the notice requirements, as required by Sec.  
164.530(j), by retaining copies of the notices issued by the covered 
entity.
* * * * *
11. Amend Sec.  164.524 by:
a. Redesignating paragraphs (a)(1) introductory text and (a)(1)(i) and 
(ii) as paragraphs (a)(1)(i) and (a)(1)(i)(A) and (B), respectively;
b. Adding new paragraph (a)(1)(ii);
c. Revising paragraph (a)(2) introductory text;
d. Revising paragraph (a)(3) introductory text;
e. Removing paragraph (a)(4);
f. Redesignating paragraph (b)(1) as paragraph (b)(1)(i);
g. Designating the second sentence of newly redesignated paragraph 
(b)(1)(i) as paragraph (b)(1)(ii) and revising newly designated 
paragraph (b)(1)(ii);
h. Revising paragraph (b)(2)(i) introductory text;
i. In paragraph (b)(2)(i)(B), removing ``paragraph (d)'' and adding in 
its place ``paragraph (e)'';
j. In paragraph (b)(2)(ii), removing ``30 days'' and adding in its 
place ``15 calendar days'';
k. In paragraph (b)(2)(ii)(A), removing the word ``and'' at the end;
l. In paragraph (b)(2)(ii)(B), removing the period at the end and 
adding in its place ``; and'';
m. Adding paragraphs (b)(2)(ii)(C) and (b)(2)(iii);
n. Redesignating paragraphs (c)(2)(iii) introductory text and 
(c)(2)(iii)(A) and (B) as paragraphs (c)(2)(iv)(A) introductory text 
and (c)(2)(iv)(A)(1) and (2);
o. Adding paragraphs (c)(2)(iii) and (c)(2)(iv)(B);
p. Revising paragraphs (c)(3) and (4);
q. Redesignating paragraphs (d) and (e) as paragraphs (e) and (f), 
respectively;
r. Revising newly redesignated paragraph (e);
s. Adding a new paragraph (d);
t. Further redesignating newly redesignated paragraph (f)(2) as 
paragraph (f)(3); and
u. Adding a new paragraph (f)(2).
    The revisions and additions read as follows:


Sec.  164.524  Access of individuals to protected health information.

    (a) * * * Standard: Access to protected health information--
    (1) Right of access. (i) Except as otherwise provided in paragraphs 
(a)(2) or (3) of this section, an individual has a right of access to 
inspect and obtain a copy of protected health information about the 
individual in a designated record set, for as long as the protected 
health information is maintained in the designated record set, except 
for:
    (A) Psychotherapy notes; and
    (B) Information compiled in reasonable anticipation of, or for use 
in, a civil, criminal, or administrative action or proceeding.
    (ii) An individual's right to inspect protected health information 
about the individual in a designated record set includes the right to 
view, take notes, take photographs, and use other personal resources to 
capture the information, except that a covered entity is not required 
to allow an individual to connect a personal device to the covered 
entity's information systems and may impose requirements to ensure that 
an individual records only protected health information to which the 
individual has a right of access.
    (2) Unreviewable grounds for denial. A covered entity may deny an 
individual access under paragraph (a)(1) of this section, without 
providing the individual an opportunity for review, in the following 
circumstances.
* * * * *
    (3) Reviewable grounds for denial. A covered entity may deny an 
individual access under paragraph (a)(1) of this section, provided that 
the individual is given a right to have such denials reviewed, as 
required by paragraph (e)(4) of this section, in the following 
circumstances:
* * * * *
    (b) * * *
    (1) Individual's request for access.
    (i) The covered entity must permit an individual to request access 
to inspect or to obtain a copy of the protected health information 
about the individual that is maintained in a designated record set.
    (ii) The covered entity may require an individual to make a request 
for access in writing (in electronic or paper form), provided that it 
informs the individual of such a requirement and does not impose 
unreasonable measures that impede the individual from obtaining access 
when a measure that is less burdensome for the individual is 
practicable for the entity. For example, requiring individuals to 
complete a standard form containing only the information the covered 
entity needs to process the request is a reasonable measure because it 
does not cause an individual to expend unnecessary effort or expense. 
In contrast, examples of unreasonable measures include requiring an 
individual to do any of the following when a measure that is less 
burdensome for the individual is practicable for the entity: fill out a 
request form with extensive information that is not necessary to 
fulfill the request; obtain notarization of the individual's signature 
on a request form; or submit a written request only in paper form, only 
in person at the entity's facility, or only through the covered 
entity's online portal.
    (2) * * *
    (i) Except as provided in paragraph (b)(2)(ii) of this section, the 
covered entity must act on a request for access as soon as practicable, 
but no later than 15 calendar days after receipt of the request as 
follows.
* * * * *
    (B) If the covered entity denies the request, in whole or in part, 
it must provide the individual with a written denial, in accordance 
with paragraph (e) of this section.
    (ii) If the covered entity is unable to take an action required by 
paragraph (b)(2)(i)(A) or (B) of this section within the time required 
by paragraph (b)(2)(i) of this section, as applicable, the covered 
entity may extend the time for such actions by no more than 15 calendar 
days, provided that:
    (A) The covered entity, within the time limit set by paragraph 
(b)(2)(i) of this section, as applicable, provides the individual with 
a written statement of the reasons for the delay and the date by which 
the covered entity will complete its action on the request;
    (B) The covered entity may have only one such extension of time for 
action on a request for access; and
    (C) The covered entity has implemented a policy to prioritize 
urgent or otherwise high priority requests (especially those relating 
to the health and safety of the individual or another person), so as to 
limit the use of a 15 calendar-day extension for such requests.
    (iii) Where another federal or state law requires a covered entity 
to provide an individual with access to the protected health 
information requested in less than 15 calendar days, that shorter time 
period is deemed practicable under paragraph (b)(2)(i) of this section.
* * * * *
    (c) * * *
    (2) * * *
    (iii) Where another federal or state law applicable to the covered 
entity requires the provision of access in a particular electronic form 
and format, the protected health information is deemed readily 
producible in such form and format under paragraphs (c)(2)(i) and (ii) 
of this section.
    (iv)(A) The covered entity may provide the individual with a 
summary of the protected health information requested, in lieu of 
providing access to the protected health information, or may
provide an explanation of the protected health information to which 
access has been provided, if:
    (1) The individual agrees in advance to such a summary or 
explanation; and
    (2) The individual agrees in advance to the fees imposed, if any, 
by the covered entity for such summary or explanation.
    (B) The covered entity must inform any individual to whom it offers 
to provide a summary in lieu of a copy of protected health information 
that the individual retains the right to obtain a copy of the requested 
protected health information if the individual does not agree to 
receive such summary. This requirement does not apply if a covered 
entity is offering to provide a summary in lieu of a copy of protected 
health information because the covered entity is denying an 
individual's request for a copy; however, the covered entity still must 
follow the denial procedures under Sec.  164.524(e).
    (3) Time and manner of access. The covered entity must provide the 
access as requested by the individual in a timely manner as required by 
paragraph (b)(2) of this section, including arranging with the 
individual for a convenient time and place to inspect or obtain a copy 
of the protected health information, or, at the individual's request, 
mailing or electronically transmitting the copy of the protected health 
information to the individual, including by email, or to or through the 
individual's personal health application (if a copy is readily 
producible to or through such application). When protected health 
information is readily available at the point of care in conjunction 
with a health care appointment, a covered health care provider is not 
permitted to delay the right to inspect. The covered entity may discuss 
the scope, format, and other aspects of the request for access with the 
individual as necessary to facilitate the timely provision of access; 
however, such discussion shall not extend the time allowed for the 
covered entity to provide access.
    (4) Fees. (i) If the individual requests a copy of the protected 
health information or agrees to a summary or explanation of such 
information, the covered entity may impose a reasonable, cost-based 
fee, provided that the fee includes only the cost of:
    (A) Labor for copying the protected health information requested by 
the individual, whether in non-electronic (e.g., paper, film) or 
electronic form;
    (B) Supplies for creating a non-electronic copy;
    (C) Postage, when the individual has requested that a non-
electronic copy, or the summary or explanation, be mailed; and
    (D) Preparing an explanation or summary of the protected health 
information, if agreed to by the individual as required by paragraph 
(c)(2)(iv) of this section.
    (ii) A covered entity may not impose a fee when:
    (A) An individual inspects the protected health information about 
the individual, as described in paragraph (a)(1)(ii) of this section; 
or
    (B) An individual accesses electronic protected health information 
maintained by or on behalf of the covered entity using an internet-
based method such as a personal health application.
* * * * *
    (d) Standard: Right to direct the transmission of certain protected 
health information in an electronic format to a third party--(1) An 
individual has a right of access to direct a covered health care 
provider to transmit an electronic copy of protected health information 
in an electronic health record directly to another person designated by 
the individual (a ``third party''). The covered health care provider 
must provide access under this paragraph when the individual's request 
to exercise the right of access is clear, conspicuous, and specific, 
which may be orally or in writing (including electronically), except 
for:
    (i) Psychotherapy notes; and
    (ii) Information compiled in reasonable anticipation of, or for use 
in, a civil, criminal, or administrative action or proceeding.
    (2) Unreviewable grounds for denial. A covered entity may deny an 
individual's request to exercise the right of access to direct a 
covered health care provider to transmit an electronic copy of 
protected health information in an electronic health record directly to 
a third party under paragraph (d)(1) of this section, without providing 
an opportunity for review, in the following circumstances:
    (i) The protected health information is excepted from the right of 
access by paragraph (d)(1) of this section.
    (ii) A covered entity that is a correctional institution or a 
covered health care provider acting under the direction of the 
correctional institution may deny, in whole or in part, an inmate's 
request to exercise the right of access, if transmitting such copy 
would jeopardize the health, safety, security, custody, or 
rehabilitation of the individual or of other inmates, or the safety of 
any officer, employee, or other person at the correctional institution 
or responsible for the transporting of the inmate.
    (iii) An individual's ability to exercise the right of access 
may be temporarily suspended by a covered health care provider in the 
course of research that includes treatment for as long as the research 
is in progress, provided that the individual has agreed to the denial 
of access when consenting to participate in the research that includes 
treatment, and the covered health care provider has informed the 
individual that the right of access will be reinstated upon completion 
of the research.
    (iv) An individual's request to exercise the right of access may be 
denied if the protected health information is contained in records that 
are subject to the Privacy Act, 5 U.S.C. 552a, and if the denial of 
access under the Privacy Act would meet the requirements of that law.
    (v) An individual's request to exercise the right of access may be 
denied if the protected health information was obtained from someone 
other than a health care provider under a promise of confidentiality 
and providing the copy to the third party would be reasonably likely to 
reveal the source of the information.
    (3) Reviewable grounds for denial of a request to direct an 
electronic copy of protected health information in an electronic health 
record. A covered entity may deny an individual's request under 
paragraph (d)(1) of this section, provided that the individual is given 
a right to have such denials reviewed, as required by paragraph (e)(4) 
of this section, in the following circumstances:
    (i) A licensed health care professional has determined, in the 
exercise of professional judgment, that the access is reasonably likely 
to endanger the life or physical safety of the individual or another 
person; or
    (ii) The protected health information makes reference to another 
person (unless such other person is a health care provider) and a 
licensed health care professional has determined, in the exercise of 
professional judgment, that the access is reasonably likely to cause 
substantial harm to such other person.
    (4) Implementation specification: Summary or explanation prepared 
by covered health care provider. (i) A covered health care provider may 
transmit, to a third party designated by an individual, a summary of 
requested protected health information in an electronic health record, 
in lieu of transmitting a copy of the protected health information, or 
may transmit an explanation of the requested protected health 
information in an electronic
health record in addition to such protected health information, if:
    (A) The individual agrees in advance to such a summary or 
explanation; and
    (B) The individual agrees in advance to the fees imposed, if any, 
by the covered health care provider for such summary or explanation.
    (ii) A covered health care provider must inform any individual to 
whom it offers to transmit a summary in lieu of a copy of protected 
health information that the individual retains the right to direct an 
electronic copy of the requested protected health information in an 
electronic health record if the individual does not agree to receive 
such summary. This 
requirement does not apply if a covered entity is offering to provide a 
summary in lieu of a copy of protected health information because the 
covered entity is denying an individual's request for a copy; however, 
the covered entity still must follow the denial procedures under Sec.  
164.524(e).
    (5) Implementation specification: Timely action by the covered 
entity. (i) Except as provided in paragraph (d)(5)(ii) of this section, 
a covered health care provider is required to provide the copy 
requested under paragraph (d)(1) of this section as soon as practicable 
but no later than 15 calendar days after receipt of the individual's 
request.
    (A) If the covered entity grants the request, in whole or in part, 
it must inform the individual of the acceptance of the request and 
provide the access requested, in accordance with paragraph (d) of this 
section.
    (B) If the covered entity denies the request, in whole or in part, 
it must provide the individual with a written denial, in accordance 
with paragraph (e)(2) of this section.
    (ii) If the covered entity is unable to take an action required by 
paragraph (d)(5)(i)(A) or (B) of this section within the time required 
by paragraph (d)(5)(i) of this section, as applicable, the covered 
entity may extend the time for such actions by no more than 15 calendar 
days, provided that:
    (A) The covered entity, within the time limit set by paragraph 
(d)(5)(i) of this section, as applicable, provides the individual with 
a written statement of the reasons for the delay and the date by which 
the covered entity will complete its action on the request; and
    (B) The covered entity may have only one such extension of time for 
action on a request; and
    (C) The covered entity has implemented a policy to prioritize 
urgent or otherwise high priority requests (especially those relating 
to the health and safety of the individual or another person), so as to 
limit the use of a 15 calendar-day extension for such requests.
    (iii) Where another federal or state law requires a covered entity 
to provide an individual with an electronic copy of the protected 
health information in an electronic health record in less than 15 
calendar days, that shorter time period is deemed practicable under 
paragraph (d)(5)(i) of this section.
    (6) Fees. A covered health care provider may impose a reasonable, 
cost-based fee for an access request to direct an electronic copy of 
protected health information in an electronic health record to a third 
party, provided that the fee includes only the cost of:
    (i) Labor for copying the protected health information requested by 
the individual in electronic form; and
    (ii) Preparing an explanation or summary of the protected health 
information, if agreed to by the individual as provided in paragraph 
(d)(4) of this section.
    (7) Right to direct covered health care providers or plans to 
submit an access request.
    (i) An individual has a right of access to direct a covered health 
care provider or health plan (``Requester-Recipient'') to submit to a 
covered health care provider (``Discloser'') a request for an 
electronic copy of the individual's protected health information in an 
electronic health record maintained by or on behalf of the Discloser.
    (ii) A Requester-Recipient must submit to the Discloser a request 
made by the individual, orally or in writing (including 
electronically), and that is clear, conspicuous, and specific, if the 
individual is:
    (A) A current or prospective new patient of the Requester-Recipient 
health care provider; or
    (B) A current enrolled member (or dependent) of the Requester-
Recipient health plan.
    (iii) The Requester-Recipient must submit the access request to the 
identified Discloser as soon as practicable, but no later than 15 
calendar days after receiving the individual's direction and any 
information needed to submit the request. An extension is not available 
for submitting the request. The Discloser must respond to the access 
request within the time limits in paragraph (d)(5) of this section.
    (e) Implementation specifications: Denial of access. If a covered 
entity denies access, in whole or in part, to protected health 
information, the covered entity must comply with the following 
requirements.
* * * * *
    (2) Denial. The covered entity must provide a timely, written 
denial to the individual. The denial must be in plain language and 
contain:
* * * * *
    (ii) If applicable, a statement of the individual's review rights 
under paragraph (e)(4)(i) of this section, including a description of 
how the individual may exercise such review rights;
* * * * *
    (3) Other responsibility. If the covered entity (or its business 
associate on the covered entity's behalf) does not maintain the 
protected health information that is the subject of the individual's 
request for access, and the covered entity knows where the requested 
protected health information is maintained, the covered entity must 
inform the individual where to direct the request for access.
* * * * *
    (4) Review of a denial of access. If access is denied on a ground 
permitted under paragraphs (a)(3) or (d)(3) of this section:
    (i) The individual has the right to have the denial reviewed by a 
licensed health care professional who is designated by the covered 
entity to act as a reviewing official and who did not participate in 
the original decision to deny access. The covered entity must provide 
or deny access in accordance with the determination of the reviewing 
official under paragraph (e)(4)(ii) of this section.
    (ii) If the individual has requested a review of a denial under 
paragraph (e)(4)(i) of this section, the covered entity must designate 
a licensed health care professional, who was not directly involved in 
the denial to review the decision to deny access. The covered entity 
must promptly refer a request for review to such designated reviewing 
official. The designated reviewing official must determine, within a 
reasonable period of time, whether or not to deny the access requested 
based on the standards in paragraph (a)(3) or (d)(3) of this section, 
whichever is applicable. The covered entity must 
promptly provide written notice to the individual of the determination 
of the designated reviewing official and take other action as required 
by this section to carry out the designated reviewing official's 
determination.
    (f) Implementation specification: Documentation. A covered entity 
must document the following and retain the documentation as required by 
Sec.  164.530(j):
    (1) The designated record sets that are subject to access by 
individuals under paragraph (a) of this section;
    (2) The electronic health records that are subject to the right of 
access to direct the transmission of an electronic copy of protected 
health information in an electronic health record under paragraph (d) 
of this section; and
    (3) The titles of the persons or offices responsible for receiving 
and processing requests for access by individuals.
12. Add Sec.  164.525 to subpart E to read as follows:


Sec.  164.525  Notice of Access and Authorization Fees.

    (a) If a covered entity imposes fees allowed under Sec. Sec.  
164.524(c)(4), 164.524(d)(6) or 164.502(a)(5)(ii)(A) and 164.508(a)(4), 
the covered entity must provide advance notice of such fees as follows.
    (1) The covered entity must post a fee schedule on its website, if 
it has one, and make the fee schedule available to individuals at the 
point of service and upon request. The fee schedule must specify:
    (i) All types of access to protected health information available 
free of charge; and
    (ii) Standard fees for:
    (A) Copies of protected health information provided to individuals 
under Sec.  164.524(a), with respect to all readily producible 
electronic and non-electronic forms and formats for such copies;
    (B) Copies of protected health information in an electronic health 
record and directed to third parties designated by the individual under 
Sec.  164.524(d), with respect to any available electronic forms and 
formats for such copies; and
    (C) Copies of protected health information sent to third parties 
with the individual's valid authorization under Sec.  164.508, with 
respect to any available forms and formats for such copies.
    (2) Upon request, the covered entity must provide an individualized 
estimate of the approximate fee that may be imposed for providing a 
copy of the requested protected health information for any type of 
request covered by the fee schedule required by paragraph (a)(1) of 
this section.
    (3) Upon request, the covered entity must provide an individual 
with an itemized list of the specific charges for labor, supplies, and 
postage, if applicable, that constitute the total fee charged for any 
type of request covered by the fee schedule required by paragraph 
(a)(1) of this section.
    (b) A request under paragraph (a)(2) or (3) of this section shall 
not automatically extend the time allowed for the covered entity to 
provide copies of protected health information under Sec.  164.524.
* * * * *

Alex M. Azar II,
Secretary, Department of Health and Human Services.
[FR Doc. 2020-27157 Filed 1-19-21; 8:45 am]
BILLING CODE 4153-01-P