Last year, the US Department of Health and Human Services (HHS) proposed a number of changes that would modify the HIPAA Privacy Rule. The comment period closed in May 2021. The revised rule is expected to be finalized this year.
“While there were quite a few changes proposed, we don’t know yet which ones will be finalized,” said Madison Pool, an attorney in Arnall Golden Gregory’s Healthcare practice and a member of the firm’s Hospitals & Health Systems industry team in Atlanta, Georgia. “However, a few of the proposed areas for changes that could have direct operational impacts include shortening the timeframe for responding to patient requests for records, increasing responsibility for facilitating patient record requests, and changes to the Notice of Privacy Practices.”
The expected changes in the proposed rule will require revision of HIPAA policies, forms, and processes. They would also necessitate a reevaluation and possible revision of business associate agreements, especially with regard to patient rights provisions. Health care staff will be required to undergo training to implement the changes. “Although there will be a period of time between when the final rule is issued and compliance is required, it will be important to get started quickly on updates,” Pool said.
Daniel Lebovic, a regulatory attorney at Compliancy Group, a Long Island, New York-based company dedicated to simplifying HIPAA compliance for the entities that HIPAA regulates, said some of the expected changes may include allowing patients to inspect their PHI in person and to take notes or photographs of their PHI. Another potential change makes it easier for patients to access those medical records that are available to them free of charge. This change would require providers to inform patients of the circumstances in which they can obtain their records without being charged for the information. The proposed changes also enhance patients’ ability to receive copies of their health information on electronic devices. Under one proposed change, a patient may direct that a provider send the patient’s electronic protected health information directly to a personal health app, such as Fitbit or Apple Health, Lebovic said.
Another expected change is expansion of the armed forces’ permission to use or disclose PHI to all uniformed services. Lebovic said providers may be required to post estimated fee schedules on their websites for PHI access and disclosures. He said these and other changes are expected, but clinicians should have plenty of time to update their operating systems. “It should be noted that HHS is usually fairly generous in allowing ample time to come into full compliance with regulatory changes, especially when they involve potential changes to technology assets,” Lebovic said.
Laura Miller Andrew, senior counsel in the Executive Compensation and Employee Benefits and Health Care Practices of Smith, Gambrell & Russell, LLP, also in Atlanta, said it has been 8 years since any major changes have been made in HIPAA. The COVID-19 pandemic has fundamentally altered the world and medical treatment. She said the temporary easing of HIPAA compliance rules, such as those for telemedicine, community-based COVID-19 testing and vaccination sites, and disclosure of information for public health and oversight, will remain in place during the pandemic. Medical practitioners should not be complacent, however, as OCR is expected to finalize the proposed changes to the HIPAA Privacy Rule in the next 6 to 9 months. The new HIPAA privacy updates are an attempt to assist value-based health care and allow for coordinated care, said Andrew, who works out of both Atlanta and Jacksonville, Florida. This transparency will require physicians to take a look at their back office practices for handling protected health information, she said.
Cybersecurity and data breaches associated with electronic PHI are a growing concern for physicians, she noted. At the same time, the proposed HIPAA updates would require physicians to provide patients with quicker access to their own PHI. “This requirement may cause providers to possibly revamp or update their PHI access process to accommodate this more immediate access. HIPAA policies and procedures will also need to be updated to comply with the changes and communicated to both the medical staff and to patients,” Andrew said.