Are HIPAA Changes Coming?

Over the past several years there have been numerous governmental regulations enacted to protect our privacy. The European Union has the GDPR and numerous states including Connecticut, Utah, California, Colorado, and Virginia have enacted privacy regulations.

However, one of the original privacy acts in the United States, the Health Information Portability and Accountability Act (HIPAA) has not been updated since 2013 when changes were made to reflect new requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued a proposed rule for changes to the act in December of 2020 and a Final Rule is expected to be issued in 2022. While no formal announcement of any HIPAA changes has been made, looking at the proposed rule provided by the OCR does provide some guidance on what we might expect.

Increased Patient Access Requirements. The proposed rule suggests that OCR is attempting to incorporate some of its recent focus on HIPAA Right of Access into the HIPAA Privacy Rule. Among other requirements, they have proposed the following:

• Allow patients to review the medical record PHI in person and take notes or photos of what they review.
• Reducing the time required to provide access to PHI from 30 to 15 days
• Allow patients to request a transfer of their PHI to personal health applications.
• Require covered entities to post estimated fee schedules for PHI access and disclosures and provide estimates to personnel who request their PHI.

Notice of Privacy Practices. The proposed rule recommends dropping the requirement that covered entities obtain written confirmation on the provision of the notice to the patient or representative.

Use and Disclosure of PHI. The proposed rule would change the allowable uses of disclosure related to threats to health and safety, or good faith belief that use or disclosure is in the individual’s best interest.  

HIPAA Definitions. The proposed rule addresses definitions of “electronic health record,” which includes not only the medical information traditionally considered part of the PHI but the billing records. The rule also defines a Personal Health Application as an application used by an individual to access their health records.

Should the rules be changed there will be significant effort required by covered entities to comply with the regulation. Entities will need to update training and ensure the workforce is aware of these new requirements.    

The proposed change in timelines to comply with requests for access to PHI may be especially problematic for some providers.  If you are currently having issues meeting the 30-day standard, the reduction in the time allowed for access requests will present a challenge that needs to be addressed. As we have seen over the past year, the OCR is not hesitant to fine organizations that don’t comply with the timelines on the release of PHI.

Another significant concern could be the inclusion of billing records in the definition of electronic health records. Covered entities often manage billing with a separate system than used to maintain the traditional medical record information. Organizations will have to develop a process to make sure that the provision of medical information includes both clinical and billing information.

In preparation for the potential HIPAA changes, covered entities should first look at their current compliance with the privacy rule regulations. Making sure you are compliant with current regulations will enable you to focus on the changes when they are released without discovering that you have to also address gaps in your existing operations.

CompliancePoint has experienced assessors who can help you evaluate your HIPAA compliance and cyber security practices. If you are interested in how we can help, please contact us at connect@compliancepoint.com.