December 11, 2020
When you thought of HIPAA, was the image that came to mind an old, never-changing and outdated law? If it was, the Department of Health & Human Services (HHS) just issued a wake-up call with a new Notice of Proposed Rulemaking (NPRM), announced yesterday, to make fresh new modifications to the HIPAA Privacy Rule.
So what may be changing when it comes to HIPAA? The proposed modifications are designed to address barriers to value-based health care, particularly those that limit or discourage care coordination and case management communications, as well as amend provisions of the Privacy Rule that pose “unnecessary regulatory burdens” without sufficiently improving privacy protections.
While the 357 page document contains a lot of information, a few highlights of the proposed changes include:
- Adding definitions for the terms electronic health record (EHR) and personal health application.
- Strengthening individuals’ rights to inspect their PHI in person, includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
- Shortening covered entities’ required response time to no later than 15 calendar days (currently 30 days) and possible extensions to no more than 15 calendar days (currently 30-days).
- Reducing identity verification burden on individuals exercising their access rights.
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans.
- Amending the definition of ‘health care operations’ to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management.
- Specifying when electronic PHI (ePHI) must be provided to the individual at no charge, and amending the permissible fee structure for responding to requests to direct records to a third party.
- Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.
- Creating an exception to the “minimum necessary” standard for individual level care coordination and case management uses and disclosures – proposing to relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
- Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of the provider’s Notice of Privacy Practices (NPP).
- Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
- Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistance for persons who are deaf, hard of hearing, or deafblind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
There’s a lot to unpack within these proposed changes, but in general, the proposal helps to bring the HIPAA Privacy Rule up to date with current technology usage, in addition to expanding and emphasizing patient’s rights to view, receive, and handle their own PHI. While these rules are just a proposal, it’s highly likely that most of these changes will go into effect (or a similar version of them) once the proposal’s comment period ends.
So when will you need to worry about these changes? Since the proposal’s announcement on December 10th, comments on the notice are due within 60 days. Once the comment period has ended and any changes are finalized, the effective date will be 60 days from the final publication. Your practice will still have a little breathing room, as covered entities would have 180 days from the effective date to update or implement policies to achieve compliance with these new or modified standards – essentially, you’ll have 240 days after the rule is finalized to comply.
While complying with these proposed Privacy Rule changes won’t be necessary for quite a while, knowing what is coming and preparing your practice ahead of time is still key. If you don’t have a current compliance program in place that reflects the most recent industry threats and updates, consider throwing out what may be a very old HIPAA binder and seeking out a new solution that can help you dynamically update your policies as these changes go into effect next year.