Updated March 6, 2023 – as of today the Final Rule hasn’t been published – the agenda from the Office of Information and Regulatory Affairs notes 03/00/2023 for the expected publication, so it may be any time between now and March 31, or even later if the agenda is modified.
HIPAA law is about to change.
A new Final Rule modifying the HIPAA Privacy Rule is expected to be published in March 2023. It won’t become effective immediately; the effective date will be 60 days after publication, but regulated entities will have another 180 days before enforcement begins, putting the final ‘compliance date’ sometime between October 27 and November 28, 2023 (depending on when in March the Final Rule is published).
Although the changes directly affect covered entities, their business associates also need to be ready to comply with the Privacy Rule and support the covered entities’ compliance.
The last big change was ten years ago when the HIPAA Omnibus Rule set out new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. There have been smaller changes since then, but the new proposed changes to the Privacy Rule are significant. Two recent updates (one is final, one proposed) are listed below.
- A recent change to Security Rule enforcement is how ‘recognized security practices’ can help in an investigation or audit.
- Although not final, a recent proposed rule will support information sharing in substance abuse and mental health cases by aligning HIPAA with Part 2 of the Substance Abuse and Mental Health Services Administration (SAMHSA) regulations.
It’s important to keep up with changes so your compliance program and policies stay up to date. We can help you prepare for what’s ahead.
Potential Privacy Rule Changes
The most recent process started in 2018 when HHS asked the public for comments on the Privacy Rule.
HHS issued a ‘request for information’ asking HIPAA covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstructed the provision of healthcare, and areas where HIPAA updates could be made to improve care coordination and data sharing.
HHS then published a Proposed Rule in 2021 inviting more comments. The Proposed Rule contains changes that are designed to support the transition to value-based care by making care coordination and case management communications easier. Communications need to occur between patients and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) without unnecessary burdens. The Proposed Rule also strengthens the patient right of access to their medical records.
The following changes were included in HHS’ Notice of Proposed Rulemaking (NPRM) published in January 2021. Not all will necessarily be included in the Final Rule, as HHS has received comments from the public and has conducted its own analysis. This list is not exhaustive, but you can view the full NPRM here.
Here are some likely key changes that will affect your policies and procedures.
The Patient Right of Access
- Allowing patients to inspect their protected health information (PHI) in person and take notes or photographs of their PHI.
- Shortening the maximum time to provide access to PHI from 30 days to 15 days.
- Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
- Individuals will be permitted to request their PHI be transferred to a personal health application.
- The rule states when individuals should be provided with ePHI at no cost.
- Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- Covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- Covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- Healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access.
The Notice of Privacy Practices
- The requirement for covered entities to obtain written confirmation that a Notice of Privacy Practices has been provided has been dropped.
PHI Uses and Disclosures by Covered Entities
- Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
How to Prepare
Even though the changes won’t be enforced immediately, there are some steps you can take to get ready.
- The patient right of access is an enforcement priority and will only get stronger in the patients’ favor. Review the current requirements of the Right of Access rule and make sure staff understand how important it is to respond as promptly as possible.
- Review your HIPAA training materials; prepare to modify and make time on the calendar to train staff on HIPAA changes.
The HIPAA E-Tool® Stays Up-to-Date
If you have questions about how HIPAA is evolving, let us know. The HIPAA E-Tool® compliance program is always current with HIPAA law, so if you have the E-Tool, you don’t have to change any policies, because we do it for you. You’ll have time to focus on other things.