On December 10th, 2020, the Office for Civil Rights released a proposed rule to modify the current HIPAA Privacy Rule. While this rule is not yet finalized, it is important that practices are aware of the proposed changes and begin to prepare for the new level of interoperability and sharing that is reflected in these proposals. The changes in the proposal align closely with the ONC’s Cures Act final rule, which was finalized almost a year ago, with changes that will increase the ability to coordinate care across systems as well as allow patients to access and direct their own care.
The HHS has stated that the changes in the proposed rule “aim to amend provisions of the Privacy Rule that could present barriers to coordinated care and case management or impose other regulatory burdens that may impede the transformation of the healthcare system from a volume to value system.”
Below is a summary of some of the main proposed changes:
- Individuals will now have greater rights to inspect their PHI in person, including taking notes or capturing images of their PHI. This includes video recording of their healthcare visit.
- Modifications to provisions on an individual’s right of access to PHI:
- One of the most imminent provisions is the decrease in response time for a required response to request for records from the current 30 days to only 15 days. It also shortens the optional extension from an additional 30 days to only 15 days. Note that these are calendar days, not business days.
- Covered entities must inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a full copy.
- Reduces the identity verification burden on individuals exercising their access rights.
- Creates a pathway for individuals to direct the sharing of PHI in an EHR among covered healthcare providers and health plans electronically.
- New permissible fee structure for responding to requests for direct records to a third party or providing an individual with copies of their records. This must be published on the practice website. Upon request, practices must provide individualized estimates of fees for a request for copies of PHI, and itemized bills for completed requests. Electronic PHI (ePHI) must be provided to the individual at no charge.
- Creates an exception to the “minimum necessary” standard for individual level care coordination and case management uses and disclosures.
- A more permissive standard on disclosures of PHI from basing it on “professional judgment” to a “good faith belief” that the use or disclosure is in the best interest of the individual.
- Expands the ability of Covered Entities (CEs) to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
- Eliminates the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
- Modifies the content requirements of the NPP to clarify individuals' rights with respect to their PHI and how to exercise those rights.
The proposed rule will be open for comments for 60 days after publication in the Federal Register. If you have concerns about any of the proposed provisions, you can submit comments once the rule is published in the Federal Register. The effective date of finalized provisions will be 60 days after publication of a final rule in the Federal Register, which will likely be April 2021. The compliance date will be 180 days after the effective date. This means that any changes that you must make in your practice will likely need to be in place sometime around late 2021 or early 2022. Once the final rule is published, you will need to revise your existing policies and practices, train your staff and implement all new requirements.
While we don’t yet know what provisions will be finalized, now is a good time to review your current policies and procedures. Do not wait to begin bringing awareness to your staff of impending changes. Now is also the time to become vigilant and keep an eye out for publication of the final rule.
Nextech will continue to monitor for release of the final rule in our continuing effort to make compliance seamless for our users and providers. To learn how Nextech can prepare your practice for successful compliance, fill out this form and a member of our team will be in touch soon!