Happy New Year! As we look back on 2022, we noticed that the Office for Civil Rights (OCR) has really started enforcing the Patients Right of Access. To see a list of fines and resolutions agreements, check out our What are some of the actual HIPAA fines page.
Here is a recap of what you need to be aware of:
1. Information Blocking – Information blocking is a practice by an “actor” that is likely to interfere with the access, exchange, or use of electronic health information (EHI). This rule was created to promote the flow of patient data between providers, patients, and the developers of Health IT. This included electronic health information (EHR) providers. If an actor is found to “block” the flow of information, they can receive up to a $1M fine. It is important to note that The Cures Act established two different “knowledge” standards for actors’ practices within the statute’s definition of “information blocking.” For health IT developers of certified health IT, as well as HIEs/HINs, the law applies the standard of whether they know, or should know, that a practice is likely to interfere with the access, exchange, or use of EHI. For healthcare providers, the law applies the standard of whether they know that the practice is unreasonable and is likely to interfere with the access, exchange, or use of EHI.
There are two categories of exceptions and eight exceptions to this rule.
Exceptions that involve not fulfilling requests to access, exchange, or use ePHI.
a. Preventing harm
e. Health IT performance
Exceptions that involve procedures for fulfilling requests to access, exchange, or use ePHI.
h. Content and manner
Although this is not enforced by the OCR, the HHS’ Office of the National Coordinator for Health Information Technology (ONC) is the agency that has authority to review claims of possible information blocking against health IT developers of certified health IT that may constitute a non-conformity under the ONC Health IT Certification Program. Separately, the HHS OIG has authority to investigate claims of possible information blocking across all types of actors: health care providers, health information networks and health information exchanges, and health IT developers of certified health IT.
Between April 5, 2021 and November 30, 2022, there have been 560 submissions for information blocking and only 43 that did not appear to be a claim of blocking.
Remember, when a patient requests their information to be shared, do not say no, make sure you check with your technology vendors to see if it would be possible.
2. Recognized Security Practices – This is known as the Safe Harbor Act that was passed into law to encourage medical practices and business associates to implement best practices for cybersecurity. Organizations that have completed their HIPAA Security Analysis, reduced their risks, and documented their security practices are looked upon more favorably during an investigation for a data breach. Keep in mind that penalties will not be increased if you have not completed this process. Penalties will remain as the standard permits and the entity’s ability to pay.
3. Charges for medical records – If your office charges for medical records, HIPAA requires your office to post these charges and to notify patients requesting records of the charges.
4. Hospitals must post clear and accessible pricing information online about items and services they provide in two ways. 1. As a comprehensive machine-readable file with all items and services. 2. In a consumer-friendly format that is shoppable.
5. Good Faith Estimates – All facilities must post the HHS Notice, “Right to Receive a Good Faith Estimate of Expected Charges,” on the provider’s or facility’s website, in the office, and onsite where scheduling or questions about the cost of items or service occur. The information must be prominently displayed and published in accessible formats and presumably available in languages spoken by the patient.
The provider or facility must provide a good faith estimate of expected charges for items and services to an uninsured, self-pay individual, or an individual who does not wish file a claim with their insurance company.
6. No Surprise Billing aka as balance billing. Health care providers and facilities must provide an easy-to-understand notice explaining the applicable billing protections, who to contact if the patient has concerns that a provider or facility has violated the protections, and that patient consent is required to waive billing protections (patients must receive notice of and consent to being balance billed by an out-of-network provider).
7. HIPAA updates for 2023 – There are many proposed changes, but the final dates and enforcement dates have yet to be determined. A few notable changes that have been proposed are:
a. Adding the right to inspect their PHI in person, permit taking notes, or taking pictures of their PHI
b. Reducing the covered entities time from 30 days to 15 days to a request for access to PHI. The covered entity will have an opportunity for an extension of no more that 15 calendar days (from the current 30 days extension)
c. Reducing the identity verification burden on individuals exercising their access rights
d. Specifying when electronic PHI (ePHI) must be provided to the individual at no charge
e. Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy
f. Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘‘professional judgment’’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual
g. Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access
There are many others, and we are watching all of them. The effective date of a final rule will be 60 days after publication. Covered entities and their business associates would have until the ‘‘compliance date’’ to establish and implement policies and practices to achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 provides that covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change.
The Department previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.
The Department believes that compliance with the proposed modifications should require no longer than the standard 180-day period provided in 45 CFR 160.105, and thus proposes a compliance date of 180 days after the effective date of a final rule. Accordingly, OCR would begin enforcement of the new and revised standards 240 days after publication of a final rule.
Click here to find out more how our online HIPAA Keeper™ can help your organization with HIPAA Compliance.
Or to schedule a demo click the contact us tab and scroll down.
“Simplifying HIPAA through Automation, Education, and Support”