They have been a long time coming, but the Department of Health and Human Services has finally revealed a slew of HIPAA Privacy Rule updates as part of its ‘Regulatory Sprint to Coordinated Care’. The proposed changes to the HIPAA Privacy Rule take into account feedback received from healthcare industry stakeholders following a request for information issued by the HHS in December 2018.
The HHS received more than 4,000 pages of comments and requests for HIPAA Privacy Rule changes, all of which have been read and considered. When deciding on appropriate changes to the HIPAA Privacy Rule, the HHS had to ensure that any updates would achieve the desired effect, without negatively impacting patient privacy or data security.
The main aims of the changes are to reduce the burden on HIPAA-covered entities and patients and their families, improve coordination of care, and empower patients to take a more active role in their healthcare by strengthening patient rights to access their own healthcare data.
When the HIPAA Privacy Rule was introduced, many healthcare providers had not yet implemented electronic health records, and mobile applications were not being used by patients to create, receive, and transmit healthcare data. The definitions of electronic health records and personal health applications have now been defined.
Many of the proposed HIPAA Privacy Rule changes relate to patients’ access to their own health information. When this important patient right was introduced with the HIPAA Privacy Rule, providers were given a 30-day deadline for providing copies of patient information after receiving a request. That timeframe is no longer appropriate in a digital age. “We think [the 30-day timeframe] is a relic of a pre-internet age that should be dispensed with,” said OCR Director, Roger Severino. HIPAA-covered entities will be given 15 days to respond, with the option of a 15-day extension. Currently, there is an option of a 30-day extension.
Some healthcare providers allow patients to take photos of their own medical images or other forms of their own PHI, but many do not. The HHS has updated the HIPAA Privacy Rule to expressly permit this to make it easier for patients to obtain their PHI in person. Covered entities will be required to provide estimates of the costs involved in providing access to PHI, via their websites, and itemized bills must be provided when PHI requests are completed. The HHS has also specified when charges for electronic copies of health information cannot be applied, such as when the information is provided through patient portals.
The form and format required to respond to individuals’ PHI requests have also been clarified, and covered entities will be required to inform patients that they retain the right to obtain or direct copies of PHI to a third party, in cases when a summary of PHI is offered in lieu of a copy. The HHS has also created a pathway for individuals to direct the sharing of ePHI in an EHR among covered health care providers and health plans. Patients have faced burdens related to identity verification when trying to obtain a copy of their PHI, and that burden has been reduced.
Currently, healthcare providers must provide patients with a copy of their notice of privacy practices and obtain a signature confirming the document has been received by each patient. Those records need to be kept for 6 years. The notice of privacy practices must still be provided, but signatures will no longer need to be obtained. The notice of privacy practices changes are expected to save healthcare providers considerable time and effort, with the cost savings expected to be $3.2 billion over 5 years.
The Privacy Rule has been changed to better facilitate caregiver and family involvement in the care of patients facing health crises or emergencies, and greater flexibility has been introduced concerning disclosures of PHI in emergency situations and when patients could to harm, such as those related to the opioid and COVID-19 public health emergencies, or when patients have indicated they are contemplating suicide. A change of the wording from disclosures in cases where there is a “serious and imminent threat” to “serious and foreseeable threat” provides more flexibility.
The privacy standard requiring providers to use ‘professional judgement’ to determine whether certain uses and disclosures are permitted has been changed to a standard permitting certain uses and disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the patient. Several changes have also been proposed to improve information sharing for care coordination and case management.
“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” said HHS Secretary Alex Azar. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”
Healthcare industry stakeholders, including HIPAA-covered entities, health IT vendors, business associates, patients and their families, have been invited to download the 357-page document detailing the HIPAA Privacy Rule updates and submit their comments and feedback, which will be accepted for 60 days after publication of the proposed HIPAA Privacy Rule updates in the Federal Register.