INDUSTRY WATCH: Cybersecurity

HHS Proposes HIPAA Privacy Rule Changes Related to Care Coordination

The U.S. Department of Health and Human Services (HHS) has proposed significant changes to the HIPAA Privacy Rule with the goal of reducing impediments to care coordination and case management communications among individuals and providers. HHS is proposing a compliance date of 180 days after the effective date of a final rule, and the Office for Civil Rights would begin enforcement of the new and revised standards 240 days after publication of a final rule.

Several of the proposals modify provisions related to the individuals’ right of access to protected health information, including strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI. Another change shortens covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension). The proposed rule clarifies the form


CMS Proposed Rule to Require API Implementations for Prior Authorization, Data Sharing

A new proposed rule released by the Centers for Medicare & Medicaid Services (CMS) would require payers in certain federal programs to build application programming interfaces (APIs) to support data exchange and prior authorization.

The rule, if finalized, would require payers in Medicaid, CHIP and QHP programs to build APIs, which federal officials note “allow two systems, or a payer’s system and a third-party app, to communicate and share data electronically.” Payers would be required to implement and maintain these APIs using the Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) standard, according to the proposal. On behalf of HHS, the Office of the National Coordinator for Health IT (ONC) is also proposing to adopt certain standards through an HHS rider on the CMS proposed rule.

The CMS rule proposes significant changes around prior authorization.

“Medicaid, CHIP and QHP payers would be required to build and implement FHIR-enabled APIs that could allow providers to know in advance what documentation would be needed for each different health insurance payer, streamline the documentation process, and enable providers to send prior authorization requests and receive responses electronically, directly from the provider’s EHR or other practice management system,” the proposal outlines.

The proposed rule builds on the CMS Interoperability and Patient Access final rule released last year. For example, in that rule CMS finalized its policy to require a select group of CMS-regulated payers to implement a FHIR-based Patient Access API. In this new proposed rule, starting Jan. 1, 2023, CMS would require impacted payers to include, as part of the already established Patient Access API, information about the patient’s pending and active prior authorization decisions. This proposed rule would also require impacted payers to establish, implement, and maintain an attestation process for third-party application developers to attest to certain privacy policy provisions prior to retrieving data via the payer’s Patient Access API. And, this rule would require impacted payers to report metrics quarterly about patient use of the Patient Access API to CMS to assess the impact the API is having on patients, CMS has outlined.

While Medicare Advantage plans are not included in these proposals, CMS said it is considering whether to do so in future rulemaking. Industry groups such as the Medical Group Management Association (MGMA) and Premier Inc. have responded to the proposal, contending that by excluding Medicare Advantage plans from new prior authorization requirements, CMS fails to ensure widespread adoption of standards that could have a major impact.

and format required for responding to individuals’ requests for their PHI. It requires covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy. It reduces the identity verification burden on individuals exercising their access rights. HHS claims this will create a pathway for individuals to direct the sharing of PHI in an EHR among providers and health plans, by requiring providers and health plans to submit an individual’s access request to another provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.

The Notice of Proposed Rule Making (NPRM) also requires providers and health plans to respond to certain records requests received from other providers and health plans when directed by individuals pursuant to the right of access. The NPRM specifies when electronic PHI (ePHI) must be provided to the individual at no charge and amends the permissible fee structure for responding to requests to direct records to a third party. It requires covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

The rule would also create an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or healthcare operations.
