Proposed changes to the HIPAA Privacy Rule are not final yet, but change is coming. The changes may not be final for months, or more than a year, but now is a good time to learn about what’s ahead and take steps to be ready.
HIPAA is Constantly Changing
HIPAA has never been static; it has adjusted to changing times since it was enacted in 1996. Two of the biggest changes came in 2009 and 2013. In response to changes in healthcare and technology, the HITECH Act (Health Information Technology for Economic and Clinical Health Act) was passed in 2009, which:
- encouraged covered entities to adopt electronic health records,
- added the Breach Notification Rule,
- extended HIPAA liability to Business Associates, and
- strengthened penalties for non-compliance.
The last big change occurred in 2013 with passage of the Final Omnibus Rule, which updated HIPAA to reflect the requirements mandated by the HITECH Act.
The Final Omnibus Rule, among other things:
- specified the encryption standards required to render electronic protected health information (ePHI) unusable, unreadable and indecipherable to unauthorized persons in the event of a breach (encryption provides that protection only if the decryption key is not also compromised),
- clarified that “workforce” under HIPAA includes employees, volunteers and trainees,
- clarified that mobile devices, like smartphones and tablets, are included within HIPAA security requirements,
- added requirements to the Notice of Privacy Practices, and
- clarified that subcontractor Business Associates must also comply with HIPAA.
Today, two of the biggest trends in healthcare are patient rights and coordinated care. The two are linked and complementary and the proposed HIPAA changes support both.
Information Sharing and Enhanced Patients’ Rights
Care coordination is not new and has been growing over the past several years. Healthcare has become so specialized that patients are seeing multiple providers with no one in charge, and patients don’t have all the information they need.
The basic idea is that healthcare can be better, with better outcomes, lower costs and patients' needs better met, when patients have more information and control, and their providers share information with one another and with patients.
Patient Right of Access
The Right of Access Initiative began in 2019 at the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) to emphasize how important OCR considers this essential right. As we’ve written before, Right of Access has long been a priority but too many covered entities were not complying. Since 2019, OCR has settled eighteen investigations of Right of Access violations, collecting fines and requiring follow-up corrective actions.
Proposed HIPAA Changes
To Support the Patient Right of Access:
- Shortens the time frame allowed to fulfill a request from 30 days to 15 days (and shortens the one-time 30-day extension to 15 days).
- Strengthens a patient’s right to inspect their PHI by requiring the covered entity to allow a patient to take notes or use resources such as mobile phones to view and photograph their PHI.
- Provides more transparency about costs for access by mandating that covered entities post fee schedules on their websites for common types of requests for copies of PHI. Covered entities will also need to provide individualized estimates of fees, and an itemized list of actual costs, upon request.
- Eases the burden of identity verification by prohibiting covered entities from imposing unreasonable measures, such as requiring an authorization form or a notarized signature.
For more information about allowable costs to provide patient records today, see A Current Simple Guide to Right of Access. Note that state law may govern when the recipient is a third party.
HIPAA Should Not be a Barrier to Information Sharing
Do not use HIPAA as an excuse to block information. The proposed changes make it easier for covered entities to err on the side of sharing instead of holding back.
The proposed changes tweak some current HIPAA provisions, such as:
- Permits information to be shared with family, friends, and others involved in a patient’s care when there is a “serious and reasonably foreseeable” threat of harm to the patient or others, instead of only when the harm is “imminent”.
- Amends the definition of “healthcare operations” to include care coordination and case management even at the individual level, whether the activity relates to treatment or to healthcare operations.
- Creates an exception to the minimum necessary standard for disclosures to, or requests from, a covered entity for individual-level care coordination and case management activities.
- Allows a covered entity to disclose PHI to a requester, after verifying the requester’s identity, when it has a good faith belief that the disclosure is relevant to the requester’s involvement with the individual’s care or payment for care.
- Allows covered entities more flexibility when making decisions by changing the standard from the “exercise of professional judgment” to a “good faith belief” about an individual’s best interests.
The proposed changes expand the definition of the term “healthcare” to include other elements related to an individual’s care, such as support for housing, legal issues, employment, transportation, safety, literacy, language, and hunger. With this change, covered entities will be allowed to disclose PHI to social service agencies and other third parties that may not themselves be healthcare providers but do provide health-related services.
Prepare for Change and Strengthen Your Compliance
- Review your process for responding to a patient’s request for access to their records. Make sure everyone in the organization understands the rules, and make access easy, prompt and free or low-cost.
- Ensure you have a complete set of current policies and procedures for the Privacy, Security and Breach Notification Rules, and that you conduct regular Risk Analysis and Risk Management.
- Evaluate your HIPAA compliance culture and think about how to share information rather than assuming you cannot.
- Prepare for the enhanced role of patients in managing their own care – be as transparent and responsive as possible.
When any changes become final, we will let you know. In the meantime, if you have questions, ask The HIPAA E-Tool®.