Since HIPAA’s inception there have been several updates over the years. As technology changes, so must some the of HIPAA rules. We have not seen any major changes since 2013 when the Omnibus Rule gave HIPAA teeth and enforcement became real.
During 2019 the United States Department of Health and Human Services (HHS) had requested comments on 54 questions from providers. In December 2020 HHS issued a Notice of Proposed Rulemaking that outlined several changes to the HIPAA Privacy Rule based on the response they received in 2019. In 2021 HHS again requested comments on the proposed HIPAA changes, however the Final Rule has not been published yet.
The Office for Civil Rights (OCR) has been implementing many files for violations of the HIPAA Right of Access when access to medical records in the designated record set is not provided in a timely manner. With these new proposed changes, the time frame maybe reduced.
The proposed changes strengthen the requirements for providers to offer patients access to their PHI. This also includes data sharing between facilities, technology partners, and mobile apps.
Some of these changes to HIPAA in 2022 are likely to be implemented, but it may take until 2023 for those changes to become enforceable. We will be updating our policies to reflect these changes. At that time, you will receive an email from Aris requesting to review and approve changes and/or new policies. It is suggested to review these changes and update your staff. Many of these changes will directly affect how they interact with your patients.
We are updating our HIPAA training to include the new rules to ensure all staff members understand these changes. We will be dividing the training into two sessions since there is so much to cover. One session will cover the Privacy Rule and the other session will discuss the Security Rule. This will help educate everyone on the new rules and protect your practice.
The proposed updates to the HIPAA Privacy Rule are as follows:
- individuals’ rights to inspect their PHI in person, which includes taking notes or capturing images of their PHI;
- shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
- clarifying the form and format required for responding to individuals’ requests for their PHI, including when business associates are involved;
- requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy;
- reducing the identity verification burden on individuals exercising their access rights;
- creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
- requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access;
- limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR;
- specifying when electronic PHI (ePHI) must be provided to the individual at no charge;
- amending the permissible fee structure for responding to requests to direct records to a third party; and
- requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorizationand, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.
Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
- Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
- Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers,and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
- Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.
- Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
- Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
- Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
- Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
- Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.
Effective and Compliance Dates
The effective date of a final rule would be 60 days after publication. Covered entities and their business associates would have until the “compliance date” to establish and implement policies and practices to achieve compliance with any new or modified standards. The Department of Health and Human Services (HHS) previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.
HHS requested comment on whether the 180-day compliance period is sufficient for covered entities and business associates to revise existing policies and practices and complete training and implementation. For proposed modifications that would be difficult to accomplish within the 180-day timeframe, the HHS requests information about the types of entities and proposed modifications that would necessitate a longer compliance period, how much longer such compliance period would need to be to address such issues, as well as the complexity and scope of changes and the impact on entities and individuals of a longer compliance period.
To give you some idea of how serious this can be, see below the tiered penalty structure:
Tier 1: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA and had reasonably tried to adhere to the HIPAA rules: $100 per violation, with an annual maximum of $25,000.
Tier 2: HIPAA violation due to reasonable cause and should have been aware (but was not due to willful neglect), even with the HIPAA rules they had in place: $1,000 per violation, with an annual maximum of $100,000.
Tier 3: HIPAA violation due to willful neglect of the HIPAA rules, but violation is corrected within the required time period: $10,000 per violation, with an annual maximum of $250,000.
Tier 4: HIPAA violation is due to willful or wanton neglect and no attempt to correct: $50,000 per violation, with an annual maximum of $1.5 million.
HIPAA has teeth and the Office for Civil Rights (OCR) is heavily enforcing fines against violations. Let’s work together to avoid this!
To find out more about how our automated HIPAA compliance platform can help your organization click here:
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”