Many people in the healthcare IT and HIM communities have been anticipating some changes to HIPAA coming soon. As Rita Bowen from MRO recently shared, “the rule is 20+ years old and the practice of medicine has changed, the maintenance of the health information, etc.. so yes, it is time for a face lift.” As expected, HHS released a number of proposed modifications to the HIPAA Privacy rule. You can find the full 357 pages (small by HHS standards) of the proposed rule here.
These proposed changes to HIPAA are part of a broader effort by the HHS Secretary to do whatever is legally possible to help promote value-based care including the recently released changes to the Stark Law and Anti-Kickback Statute. Plus, HHS clearly wants to support an individual patient’s right to engage in their care, access their data, and remove barriers to being able to more effectively coordinate care.
Some of the big things that stood out to me from looking at the rule initially are the following:
- Removal of the need for patients to sign that they received a Notice of Privacy Practices (NPP)
- Covered Entities will only have 15 days instead of 30 days to respond to patients’ request for their records
- No more charging patients for viewing their records through patient portals
- Less restrictions on patient identity verification when requesting copy of their PHI
- Caregiver and Family access to a patient’s records when in crisis has changed from where there is a “serious and imminent threat” to “serious and foreseeable threat” to allow more flexibility
- Minimum necessary is no longer required when sharing patient info with providers or health plans when requested for care coordination or case management
- Expansion of disclosure options when PHI is shared with social services and community agencies
- Allowing patients to record or take photos of their records
While everyone is still going over the details of the rule, AHIMA issued an interesting statement which includes the question of whether the proposed changes take into account SDoH data. Although, they seem happy with the way the changes will enable patients to gain access to their data:
We are pleased to see the long-awaited release of the Office of Civil Rights’ (OCR) proposed modification to the HIPAA Privacy Rule that aims to empower patients and enhance care coordination.
In particular, we are pleased the rule proposes strengthening the individual right of access under HIPAA. We are also pleased it seeks to clarify how an individual’s right to direct their protected health information (PHI) to a third party should be treated. In certain instances, this has led to delays in individuals being able to access their medical record.
We also look forward to reviewing OCR’s proposal to clarify the scope of covered entities’ ability to disclose PHI to social service agencies or community-based support programs. As social determinants of health increasingly become a priority for many providers, the sharing of information across clinical and non-clinical settings may include PHI. This makes it critically important to prioritize the privacy, security, and confidentiality of this sensitive information.
-Wylecia Wiggs Harris, PhD, CAE, Chief Executive Officer, at AHIMA
The comment period for this proposed HIPAA rule is open for 60 days. I have little doubt this will receive a lot of comments. MGMA’s Anders Gilberg said that they’ll be evaluating this proposed rule using these three considerations: “Will the rule facilitate convenient and timely patient access to healthcare information? Will it support medical practices in their duty to safeguard patient privacy? And will the rule impose reasonable requirements on medical practices that avoid costly administrative burdens?”
No doubt we’ll be sharing a lot more details with you as more people get a chance to dig through the details. What did you see in the rule? Where do you think that they didn’t go far enough?