Someone once said that "a marathon is hundreds of miles. The finish is the last 26.2." Maybe that “someone” worked at the Office of Civil Rights (OCR) because they are coming to the “finish” at the end of their latest marathon, though it’ll still take some work and time to get over the line.
You may recall that the OCR issued a Notice of Proposed Rulemaking (NPRM) back on December 10, 2020. The notice detailed the changes to the HIPAA Privacy Rule that are due to be implemented and finalized sometime in 2023, a few years and a lot of deliberating later.
As we continue to anticipate the finalization date, please note that these changes won’t become mandatory immediately; instead, the effective date will be 60 days after publication, and regulated entities will have another 180 days before enforcement begins—best estimates right now put the start of enforcement in 2024.
Although the changes directly affect covered entities, their business associates also need to be ready to comply with the Privacy Rule and support the covered entities’ compliance. We, as HIPAA assessors, are ready to help with that.
In this article, we’ll go over three major changes to the HIPAA Privacy Rule that will likely take effect when final implementation is completed. You may have some time yet before that happens, but with this information, you’ll get ahead of the game in making any necessary internal updates that the new HIPAA Privacy Rule will require.
3 Key HIPAA Privacy Rule Changes
We say the following changes are “likely” because, while they were all included in the Department of Health and Human Services’ (HHS) related Notice of Proposed Rulemaking (NPRM) published in January 2021, not all will necessarily be included in the Final Rule.
(HHS has received comments from the public and has since conducted its own analysis.)
And while the following list is not exhaustive—you can view the full NPRM here—here are some of the (likely) key changes that will affect your policies and procedures when the new rule becomes effective.
1. Right of Access
When it comes to the right of access, the new Privacy Rule is set to make some major shifts that providers will be expected to accommodate:
- Strengthened Patients’ Right To Inspect Their Protected Health Information (PHI) In Person
  - The Proposed Rule would allow patients to take notes and use personal resources (e.g., smartphones) to capture images of their PHI as long as there are no unacceptable security risks.
  - However, providers are not required to let patients connect personal devices to their information systems.
- A New, Condensed Timeline For Response to PHI Requests
  - While providers currently have 30 days to respond to patients’ requests for PHI, with an optional 30-day extension, the Proposed Rule seeks to shorten the timeframe to 15 days with an optional 15-day extension.
- Clarification Regarding Patients’ Right To Receive Their PHI In The Form And Format Requested
  - Under the Proposed Rule, “readily producible” copies of PHI would include ePHI requested through secure, standards-based application programming interfaces (APIs), using applications chosen by the individuals.
  - Providers also would be required to deliver copies of PHI in any form and format required by applicable state and other laws.
- Eased Identity Verification Requirements
  - Although verifying individuals’ identities is a crucial step when responding to requests for PHI, unreasonable or tedious identity verification requirements can also create barriers preventing patients’ right of access.
  - The Proposed Rule would prohibit covered entities from imposing such unreasonable verification measures, including notarized signature requirements or required proof of identification in person (when another credible, more convenient method is available).
- More Information About Fees Associated With Obtaining PHI
  - The Proposed Rule specifies when PHI must be provided free of charge (e.g., during in-person viewing) and amends fees related to responding to requests to send PHI to third parties.
  - Providers also would be required to:
    - Post estimated fee schedules on their websites;
    - Offer individualized fee estimates; and
    - Provide itemized bills for completed requests.
2. Information Sharing and Care Coordination
If you’re familiar with the current HIPAA Privacy Rule, you may feel that some of its aspects limit the ability of providers to share information in the pursuit of comprehensive, coordinated care for patients.
Good news—this is about to change because the new Proposed Rule creates a pathway for patients to direct sharing of ePHI among providers and health plans, with other related changes for third parties. These updates break down as follows:
Individuals:
Patients will now be allowed to request that a provider or health plan submit an access request for PHI in an Electronic Health Record (EHR) to another healthcare provider, albeit with some provisions:
Providers:
For providers and health plans, the OCR also proposes:
Third Parties:
The proposed changes would also permit covered entities to disclose PHI to third-party organizations that provide health-related services for individual-level care coordination and case management (for treatment or healthcare operations). Covered entities would then be expressly permitted to disclose PHI to:
3. Notice of Privacy Practices
Finally, to help eliminate an administrative burden created by the current HIPAA Privacy Rule, the Proposed Rule eliminates the requirement for direct healthcare providers to obtain — or to document their good faith efforts to obtain — patients’ written acknowledgment of receipt of the provider’s Notice of Privacy Practices (NPP).
HHS also seeks to modify the header of the NPP to specify that the notice provides individuals with information about:
- How to access their information,
- How to file a HIPAA complaint, and
- Their right to receive a copy of the notice.
(These new NPP headers also would need to include a phone number and email address for the designated contact person.)
Next Steps for HIPAA Compliance
Although these changes are still proposed and not final, covered entities should be aware of them and their potential implications, as you’ll need to update your policies, procedures, NPP, authorization and disclosure materials, and contracts to remain in compliance. The significance and breadth of these modifications will also necessitate retraining your staff on the HIPAA Privacy Rule.
Despite there being some time left to implement these modifications, taking a proactive approach before the Proposed Rule is finalized can help you identify any issues with current or future processes that could hinder implementation or compliance.
To help you get started, first look at your current compliance with the Privacy Rule regulations—making sure you are compliant with those will save you from being caught off guard by gaps in your existing operations as you try to implement what’s necessary to accommodate these updates.
For more information on HIPAA compliance, make sure to check out our other content on varying aspects that can help you avoid being tripped up by the complexities of this law, including information on a specialized service offered by Schellman:
About Schellman
Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.