Upcoming Changes to HIPAA Not Set in Stone

Last month HHS released a set of proposed upcoming changes to the HIPAA Privacy Rule. Anyone can review and submit comments about the proposed changes until March 22, 2021. After that, HHS will review all comments and make any changes they feel are necessary and issue a final rule that will require compliance. This can sometimes take 90-120 days after the deadline for comments, especially during a year like this when new leadership is in office. Compliance with a final rule is usually required within 60 days after it is published but can sometimes be longer if the changes are complex.

This might mean that we will not see definite changes to the Privacy Rule until late this year, or the required compliance date of early next year.

Thankfully, the theme of the proposed changes is a familiar one. They align with what we have seen other offices under the HHS umbrella doing over the past few years, like the:
• OCR’s Right of Access Initiative, which has resulted in increasingly large monetary settlements with covered entities over failure to provide patients timely access to their records.
• ONC’s Information Blocking Final Rule, which helps ensure patients have the ability to access their PHI electronically.
• CMS’s Interoperability and Patient Access Final Rule, that interacts with the ONC’s Information Blocking Final Rule for providers and patients involved in Medicare and Medicaid plans.

The proposed changes come mostly from the Request for Information posted by HHS in December 2018 that asked for input on how to improve coordination of patient care between unaffiliated healthcare providers as well as patients’ right to access their own information.

The timeline to respond to a patient’s request for access might be shortened from 30 days to 15 days, with an extension of 15 days instead of the currently permitted 30 days (unless a state or other federal law requires a shorter response time). The Rule clarifies that responses must be made in calendar days, not business days.

Other changes included in the proposed Rule:
• Clarification of fees healthcare providers can charge for patient-initiated access requests, depending on the format requested.
• Requirements of verifying the identification of a person requesting PHI.
• Removal of the requirement to obtain a written acknowledgment of the NPP from a patient, which could be replaced by the right to discuss the NPP with a designated member of the practice.

A few other sections that are frequently reported as barriers to patient care and safety may be modified as well. TMC is closely monitoring this process and is committed to keeping its clients informed and prepared for the changes ahead.