It is a safe bet that the title of this article would come in last place for the “most popular topic” award. The start of a new year is always a good time to reflect and also look ahead and do our best to prepare. Last year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) had its busiest year with the announcement of its 22nd enforcement settlement on December 15, 2022.
All indicators show no intention of this slowing down, either.
The very first enforcement of the new year was announced on January 3rd. Enforcement settlements from the OCR are not just a financial inconvenience; they also come with a corrective action plan, which typically lasts for two years. During those two years, the OCR oversees all compliance activities and requires that all HIPAA-related documentation and issues be submitted and approved, or reported to them, according to strict guidelines. Failure to follow the corrective action plan could result in a Civil Monetary Penalty.
The corrective action plans that have been issued by the OCR over the past few years contain compliance requirements that are not explicitly spelled out in current regulations or guidance. These requirements may be signs of what the OCR will require in future guidance or rulemaking. Nevertheless, they do represent current general best practices. Notable requirements include:
- Signed acknowledgements from each worker (and in some cases, business associates), confirming that the worker has read, understands, and will follow the practice’s policies and procedures (“P&P”).
- Review and revise P&Ps as needed or at least annually. New and revised P&Ps require a new signed acknowledgement from each worker within 30 days of the effective date of the new or revised P&P.
- Training requirements for workers:
  - Training within 30 days of a new worker’s employment (in some cases, 15 days),
  - No access to PHI until a new worker’s training has been completed,
  - Training of all employees at least every 12 months, and
  - Each worker must sign an acknowledgement that they have received training, and the acknowledgement must include the date training was completed.
- Training materials must be reviewed at least annually and be updated based on any changes in federal law or guidance. Updates should also contain any practice-specific issues that may be identified in a risk assessment or by reviewing privacy or security incidents or breaches from the previous 12 months.
The new year will most certainly bring the finalization of the Proposed Rule that will make changes to the HIPAA Privacy Rule (“NPRM”). The NPRM was published in 2021 for public comment. Basically, the goal of the change is to help patients access their PHI, improve providers’ ability to share PHI for care coordination and case management, enable families and caregivers to help during emergencies or health crises, clarify disclosures of PHI in emergency or threatening circumstances, and reduce administrative burdens on providers while continuing to protect patients’ PHI. The NPRM received around 1,390 public comments. Covered entities (providers, practices, etc.) and business associates will have 240 days to become compliant with the new rule after it is published in the Federal Register.
Some of the changes in the NPRM could be an improvement, but some could present uncomfortable changes or challenges. It is important to understand that some of the items listed here might not be included in the final rule.
- Patients could be able to take notes, videos, and photographs, and use other personal resources to view and capture their PHI during their visit as part of their right of access. A practice/provider would still have no obligation to allow anyone to connect their personal device, such as a thumb drive, to the practice’s computer or other system.
- Practices and business associates performing request for information services (processing record requests) could be required to provide copies of a patient’s records within 15 days from receiving the request from a patient or their personal representative, with an optional 15-day extension. The current requirement is 30 days for each.
- Patients may be given a new right to request that their ePHI be transmitted (electronically) to a third party within 15 days. These requests would be able to be made orally instead of in writing. Many comments to the NPRM noted that this would be an operational and compliance risk issue for providers.
- Practices and business associates performing request for information services (processing record requests) could be required to post their fee schedules on their website. If requested, the patient would be entitled to an itemized invoice for completed requests.
- The final rule could clarify:
  - How and when fees are charged to patients and third parties for copies of records.
  - The following guidelines about the disclosure of PHI for patient care coordination and case management:
    - A patient’s authorization is not required.
    - The minimum necessary standard does not apply.
    - Specifically, disclosure of PHI is permitted to social services agencies, community-based organizations, and other similar third parties that provide health-related services to individual patients for care coordination and case management as a treatment activity or a health care operations activity. Importantly, these entities do not have to be healthcare providers, and do not have to be covered by HIPAA.
- Practices may no longer be required to have patients sign an acknowledgement of receipt of the Notice of Privacy Practices.
- The content requirements for the Notice of Privacy Practices could be improved to clarify patients’ rights to their PHI.
As the new year progresses and new requirements are announced and clarified, count on TMC to keep you informed and well within the compliance timeframe after the final rule is published. TMC clients have access to ready-to-use forms, as well as expert support, white-glove service, and first-class training!