The onset of the COVID-19 pandemic brought unprecedented challenges and disruptions to individuals, businesses, and industries alike. Along with altering social interactions, capacity limits, and work arrangements, the novel coronavirus has increased the amount of protected health information (PHI) being collected. From temperature screenings and health questionnaires to drive-through testing and telehealth, healthcare providers and businesses are struggling to balance the privacy concerns of the individuals being tested with the responsibility to protect others from the virus.

However, any organization that collects, receives, maintains, or transmits PHI is subject to the rules of the Health Insurance Portability and Accountability Act (HIPAA). While many of the HIPAA requirements were loosened at the start of the pandemic, the growing spread of COVID-19 continues to create numerous privacy and compliance concerns. Now, to better protect the integrity of the health information being collected and give patients improved access to their health information, the HIPAA Privacy Rule is currently being revised and proposed modifications have been released.

In this blog, we'll take a closer look at the HIPAA Privacy Rule changes introduced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Proposed HIPAA Privacy Rule Changes

Although HIPAA outlines the data privacy and security provisions for safeguarding PHI, the regulation hasn't been significantly updated since 2013. In a time when technology rapidly advances and a pandemic has increased the need for efficient sharing of health information, many advocates have called for HIPAA to keep pace. On December 10, 2020, these requests were answered as the Office of Civil Rights for the U.S. Department of Health and Human Services released proposed amendments to the HIPAA Privacy Rule.

These proposed changes are aimed at expanding individuals' rights for accessing their personal digital health information, removing the regulatory burdens that impede communication and care coordination, and boosting family and caregiver involvement during emergencies and health crises.

Below, we take a closer look at some of the major revisions found in the draft regulation:

Individual Rights of Access Provisions

Shortened Response Times

The time to respond to a patient access or record request would be reduced from 30 days to 15 days from the date of the request with the opportunity for an extension of no more than 15 days (currently 30 days).

Strengthened Individual Access Right to Inspect

An individual's right to inspect their PHI in person would be strengthened to allow the individual to take notes or use other personal resources (e.g., cell phone) to see and record their health information.

Limited Third-Party Right of Access

The individual right of access directing the transmission of PHI to a third party would be limited to only electronic copies of PHI in an electronic health record (EHR) (i.e., patient medical chart). Requests for the transmission of non-electronic records or electronic copies of PHI not in an EHR would no longer fall within this right of access.

Provider Supported Access Request

Covered healthcare providers and health plans would be required to respond to and submit an individual's access request to another healthcare provider or health plan when directed to do so by the individual.

Identity Verification Measures

The identity verification requirements would be revised to prohibit a covered entity from imposing unreasonable identity verification measures on individuals exercising their right of access.

Fees for Access to PHI and ePHI

Modified Fee Structure

The revisions made would modify the permissible fee structure for responding to requests for directing health records to a third party. The proposed rule would also amend the access fee structure for individuals based on the type of request. Individuals would be able to inspect and obtain copies of their PHI in person or request electronic copies via the internet for free. For other instances, individuals can be charged a "reasonable, cost-based fee" when receiving a non-electronic copy of their PHI, an electronic PHI copy not through an internet-based method, or when directing an electronic copy of their PHI in an EHR to a third party.

Published Fee Schedule

Covered entities would be required to post an estimated fee schedule on their website for access and disclosures with an individual's valid authorization. They would also be required to provide individualized estimates of fees for PHI copy requests, along with an itemized bill for completed requests.

Health Care Operations and Care Coordination

Definition of Health Care Operations

The definition of "health care operations" would be modified to clarify and broaden the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.

Expanded Scope of Covered Entities

The scope for covered entities would be expanded to allow them to disclose PHI to social services agencies, community-based organizations, home and community-based service providers, and other similar third parties that provide health-related services. This scope expansion would help facilitate the coordination of care and case management for individuals.

Care Coordination and Case Management

The proposed amendment would create an exception to the "minimum necessary" standard, which requires covered entities to make a reasonable effort to limit the use and disclosure of PHI to the minimum necessary for achieving the purpose of each request. With the new proposal, the minimum necessary standard would not apply to the use, disclosure, or requests by a healthcare provider or health plan for care coordination and case management activities with respect to the individual. This applies to both treatment activities and healthcare operations.

Notice of Privacy Practices (NPP)

Elimination of the NPP Acknowledgement Requirement

The requirement to obtain an individual's written acknowledgement or receipt of a direct treatment provider's NPP would be eliminated.

Content Requirements of the NPP

The content requirements of the NPP would be modified in order to clarify an individual's PHI rights and how to exercise those rights. This includes how to access health information, how to file a HIPAA complaint, and how an individual can receive a copy of the notice and discuss its contents with a designated person.

Additional Proposed Modifications

Averting a Threat to Health or Safety
The standard would be amended to expand the ability of covered entities to disclose PHI in order to avert a threat to health or safety. The rule would be relaxed to apply when harm is "seriously and reasonably foreseeable" rather than "serious and imminent."

Telecommunications Relay Services (TRS)

Telecommunications Relay Services (TRS) is a service available to individuals who are hearing-impaired or need assistance communicating by telephone. Communication assistants relay the PHI between both parties through a TRS-supported conversation. The proposed change would allow covered entities to disclose PHI to TRS communication assistants without a business associate agreement. Under the proposal, TRS providers would be treated as a conduit, or transmission-only service, under HIPAA, similar to the U.S. Postal Service.

Good Faith Belief

Instead of allowing covered entities to make certain uses and disclosures of PHI based on their "professional judgment," the standard would be altered to be based on their good faith belief that the use or disclosure is in the best interest of the individual.

Armed Forces

The Armed Forces' permission to use or disclose PHI would be expanded to include all uniformed services, including the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps. This change would help provide consistent treatment of all uniformed personnel, regardless of their service.

The HIPAA Privacy Rule Public Commentary Period

As with most regulations, the suggested modifications are subject to a commentary period of 60 days, which begins once the proposed standard is published in the Federal Register. The Department of Health and Human Services (HHS) has called for feedback from HIPAA-covered entities, healthcare and technology stakeholders, consumer advocates, and even patients and their families. After HHS has reviewed and responded to public comments and revised the proposal, the final regulation will be published in the Federal Register.

Currently, the timeline is set for the updated HIPAA Privacy Rule to go into effect 60 days after its final publication. Covered entities would then only have 180 days to comply with the new modified standards and establish and implement the appropriate policies and practices. While this timeline could change, HHS does not believe compliance with the proposed regulations should take longer than the standard 180-day period.

The Future of the HIPAA Privacy Rule

HIPAA has been plagued by red tape, administrative struggles, and regulatory challenges for years. In attempts to innovate and coordinate patient care and increase secure health data sharing while still upholding the privacy promise of HIPAA, HHS unveiled modifications to its Privacy Rule. If passed, the updated HIPAA Privacy Rule could increase privacy, allow patients to receive better care, and even save healthcare organizations, health plans, and other covered entities roughly $3.2 billion over the next five years.

While some changes would be minor, others will create a significant impact and likely require a more in-depth update to the policies and procedures of covered entities. Although these changes would not take effect for another few months, it's crucial to remain informed about the current status of these revisions to ensure compliance when that day arrives.

If you need further information on the newly proposed HIPAA Privacy Rule modifications, or want to stay current on all things HIPAA, Focal Point is here to help.
