What Are the Proposed Changes to The HIPAA Privacy Rule?

The agency that is responsible for creating and enforcing HIPAA regulations, the Department of Health and Human Services (HHS), recently proposed to modify the HIPAA Privacy Rule. The proposed modifications have been published in the Notice of Proposed Rule Making (NPRM). Individuals had 60 days to comment on the proposed changes, and comments were due by March 22, 2021. After a significant amount of public interest, the due date was extended to May 6, 2021.

The HHS will take into consideration the comments to determine whether the proposed changes will be made final.

The Purpose of the Proposed Changes

The proposed changes to the HIPAA Privacy Rule were launched to support the concept of “value-based care” as part of the HHS’s Regulatory Sprint to Coordinated Care. The proposed changes seek to support individuals’ engagement in their healthcare, remove barriers to coordinated care, lessen the regulatory burden on the healthcare industry, and provide patients better rights to access their own health information.

Key proposed changes to the HIPAA Privacy Rule include the following:

Notice of Privacy Practices (NPP)

The Proposed Rule eliminates the requirement to obtain an individual’s written acknowledgment or signature of the NPP. Instead, it gives an individual the right to discuss the NPP with the person designated at a covered entity. In addition, the NPP header will include details about how individuals can access their information, file a HIPAA complaint, and contact designated personnel.

Gets Rid of the Barriers to Coordinated Care and Care Management

The Proposed Rule grants covered entities the right to disclose PHI to entities that coordinate “health and ancillary related services”, such as community-based organizations, home and community-based service providers, social service agencies, and similar entities, to provide individuals with enhanced support. This provision, in particular, reinforces the goals of interoperability under the Interoperability Rules by removing obstacles to obtaining individual authorization and consent under the previous Privacy Rule.

Expands the Scope of Disclosures for Health Emergencies

Under the proposed changes, covered entities can disclose PHI for the care and treatment of individuals suffering from substance abuse disorders, severe mental health issues, and other health-related problems. Specifically, if covered entities determine that there is a “serious and reasonable threat”, then they would be permitted to disclose PHI if there is a good faith belief it is in the individual’s best interest.

Broadens Individuals’ Right to Access Their PHI

Under the Proposed Rule, individuals have greater rights to access their own PHI, including being allowed to take notes, pictures and videos and to use other personal resources to view and record PHI in person, barring unacceptable security risks. What’s more, it shortens the time covered entities have to provide individuals with access to their PHI: as soon as practicable, but no later than 15 days with one 15-day deadline, as opposed to the former 30-day deadline with one 30-day extension.

Added Descriptions

The Proposed Rule added definitions for “Electronic Health Record” (EHR) and “Personal Health Application” (PHA) with the aim of clarifying individuals’ rights to direct a covered entity to transmit and access PHI, given that the terms previously lacked regulatory definitions.

Either way, these proposed changes have not yet been finalized, even though several commenters have broadly acknowledged their merits. However, there may seem to be a conflict with other regulations, and covered entities will be required to navigate multiple overlapping layers.

There also seems to be another problem with the proposed changes conflicting with state laws since HIPAA does not preempt state laws.

In any case, if you are struggling with HIPAA compliance, you can get guidance from HIPAA Ready!

Author Bio: Riyan N. Alam is a digital marketing analyst at CloudApper, a supplier of mobile ERP solutions, including HIPAA compliance software, facility management software, and many more. Combining his passion for reading books, he writes about subjects valuable to people and their daily lives. Riyan loves traveling and trading in his free time.