Plan Now for Eventual HIPAA Changes
By Greg Freeman
HHS has been expected to finalize proposed modifications to HIPAA in 2023, but it now appears that will not happen until December 2024 — or later. Whenever the changes come, covered entities will need to review their compliance policies and update them within 180 days of final rulemaking.
In the latest federal Unified Agenda and Regulatory Plan published June 13, the Office for Civil Rights (OCR) estimated the final rule will be published in December 2024. The history of government rulemaking suggests that extended deadline is a guess from OCR, which has been working on the final rule since 2018. (The agenda can be found online at: https://www.reginfo.gov/public....)
While everyone waits, there are a few important changes to expect, says Katherine Hyde, JD, an attorney with Coppersmith Brockelman in Phoenix. First, the final rule likely will expand support for care coordination and case management, including clarifying covered entities’ ability to disclose protected health information (PHI) to social services agencies and community-based organization. Second, the rule is expected to strengthen individuals’ right of access to PHI, allowing patients to inspect their PHI in person and to take notes, photographs, or recordings, and requiring covered entities to respond to access requests within 15 calendar days.
Some anticipated changes would reduce the regulatory burden on covered entities, Hyde says, such as the welcome elimination of required written acknowledgment of receipt of the Notice of Privacy Practices and limitations on the minimum necessary rule for care coordination and management. However, other proposed changes may result in an increased regulatory burden. An example would be requiring covered entities to post a fee schedule and provide individualized fee estimates upon request.
“Given the lengthy time it takes many covered entities to revise their policies, they should consider starting the revisions to their policies and procedures related to the intake process, Notice of Privacy Practices, verification, patient access, and release of information,” Hyde says.
Start Planning for Changes
Covered entities and business associates can create a to-do list for the changes in the final rule, says Jennifer Pike, JD, partner with Thompson Coburn in Washington, DC. If finalized as proposed, Pike says covered entities and business associates would be required to complete these tasks:
- Update Notice of Privacy Practices to address changes related to patient rights for accessing their PHI;
- Update policies and procedures to address the same;
- Update policies and procedures to take advantage of increased flexibilities in sharing PHI for care coordination and emergency situations.
The final rule also might finalize a Notice of Proposed Rulemaking (NPRM) issued by OCR in April 2023 related to protecting patients by prohibiting disclosure of PHI for use against patients and providers involved in the provision of reproductive healthcare, including abortion. It could finalize an NPRM issued by OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) in November 2022 to align 42 CFR Part 2 and HIPAA. (The proposed rules are available at: https://www.reginfo.gov/public....) OCR also may act on a Request for Information (RFI) issued by OCR in April 2022 seeking industry feedback on certain security rule provisions under HITECH, Pike says.
The NPRM regarding substance abuse may prompt significant policy revisions if it is finalized in the rule, says Chase Millea, JD, an attorney with Snell & Wilmer in Phoenix. With the NPRM, OCR seeks to amend the HIPAA Privacy Rule to improve individuals’ access to their health information, clarify permitted disclosures of PHI, and reduce administrative burdens on healthcare providers.
To improve individual access, the NPRM proposes to reduce verification barriers for individuals and to define distinct rights of access to enable individuals to inspect their PHI held by the covered entity, direct transmission of their PHI to a third party, and direct sharing of PHI among providers through an EHR, Millea explains. Additionally, to address hesitancy among covered entities to share PHI for certain purposes, the NPRM seeks to amend the definition of “healthcare operations.” In that category, disclosure generally is permitted by covered entities without the patients’ authorization. OCR is seeking to include care coordination and case management activities at both an individual and population level, and to add an express exception to the minimum necessary standard for disclosures to, or requests by, a covered entity for care coordination and case management.
To reduce administrative requirements on healthcare providers, Millea says the NPRM would remove the requirement for providers to obtain written acknowledgement of patients’ receipt of a healthcare provider’s Notice of Privacy Practices required under the Privacy Rule.
“If the changes proposed in the NPRM are set forth in a final rule, covered entities will have increased responsibility with respect to responding to requests by patients and other covered entities,” Millea explains. “While the removal of the requirement to obtain written acknowledgement from the patient of the patient’s receipt of the healthcare provider’s Notice of Privacy Practices will reduce some administrative burden, covered entities will need to ensure health information management and other related policies accurately reflect new requirements to avoid a violation of the Privacy Rule.”
In anticipation of these proposed updates, Millea suggests covered entities consider identifying relevant personnel who will need to be involved in making any policy or other changes in the event of a final rule. They also should identify applicable policies and procedures that may need to be updated to reflect new requirements and ensure executive support to effectively adopt required changes across their organization.
Many Other Changes Coming
Millea notes the 2020 NPRM is one of many ongoing changes in health information technology. With the Information Blocking Rule, the recent NPRM relating to reproductive health, state consumer privacy laws, and other proposals to regulate health information at the state and federal levels, the environment is in a continuous state of change.
“To help ensure effective compliance, regulated organizations should consider engaging a team of appropriate experts in privacy, security, and information technology to help ensure their organization is apprised of the current regulatory obligations and to enable flexibility in the inevitable event of additional changes to compliance obligations,” Millea says.
Positive Move for Transparency
The proposed changes are a good step toward better information transparency and collaboration, says Chris Lippert, senior manager with Schellman, based in Tampa, FL. The changes would align the United States more closely with digital collaboration in other parts of the world.
“Transparency, collaboration, and a little bit faster access to those records, obviously, in the healthcare space is never a bad thing. I think that all of those things are speaking to what a lot of privacy framework and legislation is trying to get at on a global perspective,” Lippert says. “Because PHI is sensitive in nature, there should be a little bit more urgency focused on it. Some of these changes are going to help on that. There’s going to be impact for covered entities, but I think it’s going to be a significant advancement for individuals themselves.”
SOURCES
- Katherine Hyde, JD, Coppersmith Brockelman, Phoenix. Phone: (602) 381-5471. Email: [email protected].
- Chris Lippert, Senior Manager, Schellman, Tampa, FL. Phone: (866) 254-0000.
- Chase Millea, JD, Snell & Wilmer, Phoenix. Phone: (303) 634-2004. Email: [email protected].
- Jennifer Pike, JD, Partner, Thompson Coburn, Washington, DC. Phone: (202) 585-6968.
HHS has been expected to finalize proposed modifications to HIPAA in 2023, but it now appears that will not happen until December 2024 — or later. Whenever the changes come, covered entities will need to review their compliance policies and update them within 180 days of final rulemaking.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.