In December 2020, the Department of Health and Human Services (HHS) issued a set of proposed modifications to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The goals of these changes are to ensure patient privacy, reduce regulatory burdens on the healthcare industry, and break down barriers that prevent organizations from helping vulnerable individuals.
The HSS together with the Office for Civil Rights (OCR) will review the rules for any contradictions or concerns brought up during the comment period, which closed on May 6, 2021. Here are a few key parts of these rule changes that may affect your organization.
A Renewed Focus on Patient Access
One of the key changes is to allow patients to request and review their protected health information (PHI) and electronic health records (EHRs). The rules set a window of 15 days for health organizations to complete a patient request for information, including notes, photos and videos. There is the possibility of a 15-day extension. This window is shortened from the previous 30-day rule for patient record sharing.
“The HHS proposal includes strengthening a patient’s right to access their own health records and supports the agency’s Right of Access Initiative, a key priority for the agency over the last year,” says Jessica Davis, senior editor at SC Media. “More than a dozen enforcement actions have been enacted against providers failing to comply with the rule since the initiative was launched in 2019.”
While there has been improvement in this area, regulators believe there is still a long way to go.
The rules also amend the notices of privacy practices (NPP), making it a right for patients to learn about their privacy but not a requirement for providers to review privacy practices with them. Patients should have access to information related to their privacy, but do not have to sign an NPP disclosure acknowledging their rights.
“Our proposed changes to the HIPAA Privacy Rule will break down barriers that have stood in the way of commonsense care coordination and value-based arrangements for far too long,” says Alex Azar, HHS Secretary. “As part of our broader efforts to reform regulations that impede care coordination, these proposed reforms will reduce burdens on providers and empower patients and their families to secure better health.”
New Guidelines for Community Organizations
Along with empowering patients, the new HIPAA rules will allow for greater communication and collaboration between community organizations. This highlights the importance of healthcare outside of a medical setting, especially in groups of people who need assistance from community members.
“We also look forward to reviewing OCR’s proposal to clarify the scope of covered entities’ ability to disclose PHI to social service agencies or community-based support programs,” says Wylecia Wiggs Harris, CEO at American Health Information Management Association. “As social determinants of health increasingly become a priority for many providers, the sharing of information across clinical and non-clinical settings may include PHI. This makes it critically important to prioritize the privacy, security, and confidentiality of this sensitive information.”
The guidelines will allow more community organizations to support vulnerable populations while also protecting their privacy. As a whole, the rules are meant to clarify HIPAA regulations while also breaking down unnecessary barriers.
Concerns About the New Regulations
The OCR initially set the comment period deadline for the new regulations for March 22, 2021, and then extended it to May 6, 2021, as legal experts and healthcare providers reviewed the changes and tried to understand how they would impact their operations. One of the main concerns that experts have is clarity. Will these rules make it easier for organizations to comply with HIPAA or harder?
“While there is broad acknowledgment of the merits of the Proposed Rules’ goals…there are significant concerns with the complexity that is added by the rule and the general issues related to overlapping regimes created by various departments/agencies with HHS,” explain Vinay Bhupathy and Ariana Stobaugh, associates in the corporate practice group at Sheppard Mullin. “If the Proposed Rule is finalized, entities will be required to navigate multiple layers of overlapping and potentially conflicting regulations.”
There will likely also be a learning period if these proposed rules changes are implemented so organizations can adjust their best practices to accommodate the new guidelines.
Additional Proposed Changes
On top of the adjustments to the privacy rule modifications, there could also be changes to penalties levied against organizations that fail to keep up with HIPAA guidelines. Steve Alder, editor-in-chief at HIPAA Journal, writes that “HIPAA penalties could officially change in 2021.”
Previously, there was a maximum limit of $1.5 million in penalties per year in all four categories, from Tier 1 violations to Tier 4. The new structure would set lower maximum penalties in three categories while keeping the $1.5 million maximum for Tier 4.
For example, an organization that had a Tier 1 penalty (meaning they were unaware of the violation and were exercising due diligence) would face maximum penalties of $25,000 per year. Tier 4 violations refer to organizations that willfully ignore HIPAA rules and fail to make an effort to comply with them. Alder shares a chart of these new penalty tiers at HIPAA Journal.
The HHS and OCR will likely review the comments to the HIPAA changes and make any amendments they deem necessary. These new guidelines could roll out later this year or early 2022.