July 8, 2021
Remember those Privacy Rule modifications that the Department of Health and Human Services (HHS) proposed late last year? Well, after adding a 45-day extension on the public comment period back in March, the responses submitted have finally been made available – giving us some additional insight on what we can expect to see when the updates are officially finalized.
For anyone looking for a light read while they drink their morning coffee – diving into the official HHS document might not be for you. The proposal included a lengthy list of changes centered around increasing permissible disclosures of protected health information (PHI) and enhancing care coordination and case management. As the healthcare industry has evolved, so have the necessary requirements for protecting data privacy and security – and these modifications address several issues that have become the source of widespread non-compliance over recent years. One of the major areas of focus should come as no surprise considering the initiative that was declared in 2019 to enhance enforcement for patient right of access violations – and the 19 different settlements that have resulted from it so far. Looking at how the Privacy Rule changes aim to address this issue, some of the major proposed provisions include:
- Shortening covered entities’ required response time from the current 30-day requirement to 15 days.
- Providing patients with more rights to view their PHI in person with the ability to take notes or pictures.
- Reducing the identity verification burden on patients exercising their access rights.
- Clarifying when electronic PHI (ePHI) must be provided to the patient at no cost.
In addition to addressing patients’ right of access, the proposed modifications also clarify certain definitions and phrasing that oftentimes lead to confusion and misunderstanding among providers and patients. Some of these updates include:
- Adding definitions for the terms electronic health record (EHR) and personal health application
- Amending the definition of health care operations to clarify the scope of permitted uses and disclosures
- Creating an exception to the “minimum necessary” standard
- Modifying the content requirements of the Notice of Privacy Practices (NPP) to better clarify patients’ rights with respect to their PHI
- Expanding the ability of covered entities to disclose PHI in the interest of public health and safety in situations such as those seen during COVID-19
While the examples provided are only a snapshot of the full list of proposed modifications, each update follows suit with the evolving environment in the healthcare industry and covers relevant concerns felt by both providers and patients. So much so that the comment period was extended due to such a “high degree of public interest,” and a total of 1,391 comments were submitted in response to the HHS’s proposal.
So what can we expect?
These proposed modifications take into consideration the public comments received on the OCR’s 2018 RFI that requested public input on how HIPAA rules could improve to better “support care coordination and case management and promote value-based care while preserving the privacy and security of PHI.” Each provision is a direct reflection of the key themes identified in the public opinion received back in 2018 and addresses issues like administrative burdens and the need for improving upon patient rights. So although we don’t have a time machine to jump ahead and see what exactly the final rule will entail, we can pretty confidently say that these concerns addressed in the HHS document will continue to be a focus in regulatory amendments and government enforcement. And the high volume of public interest clearly depicts the impact and value that enacting these changes will have on patients and providers.
When will you need to comply?
As far as knowing the what and when of the final ruling – we don’t quite have a definitive answer. But it’s important for all covered entities to be aware of and prepared for the expectations of complying with the modified Privacy Rule provisions when they are made official. According to the HHS, “The effective date of a final rule would be 60 days after publication.” Additionally, entities will still have 180 days from that effective date to update or implement policies and procedures to achieve compliance with these new standards.
So when it comes to the timeframe for when the government will actually start enforcing the new compliance standards, you have 240 days of breathing room once the final rule is published. BUT based on the HHS’s acknowledgment that the impact of adhering to these new guidelines will involve “covered entities actions to re-train their employees on, and adopt policies and procedures to implement, the legal requirements of this proposed rule” we highly recommend taking an ‘early bird gets the worm’ approach for compliance. Having a complete HIPAA program in place along with a full understanding of the potential changes that could be coming your way is the best way to ensure that your patients’ data is best protected and your practice is best prepared for avoiding a HIPAA violation and fine.