Proposed 2021 HIPAA Changes and How They Can Affect a Medical Practice
Greg Garner
The Office of Civil Rights (OCR) dropped the Notice of Proposed Rulemaking for HIPAA in December of 2020. Since then, everyone in the medical community has been wondering about the future of the medical field.
If you aren’t caught up on the new HIPAA regulations, you need to keep reading. They differ from the standard HIPAA rules, and you don’t want to fall behind on the regulations, especially if you’re the one with the liability.
Let’s get started.
What Is a Notice of Proposed Rulemaking for HIPAA?
First, we should clarify what this notice means (and does not mean).
It does not mean that your practice needs to make changes this second. It does not mean that you’ve been breaking the rules if you haven’t complied with the changes yet. It does not mean that your current HIPAA training certificate is taken back.
It does mean that you have some time to get compliant. It does mean that you may need to make some changes to your current medical practices.
Basically, a proposed rule is simply that: a proposal. Once the OCR submitted this proposal, a 60-day waiting period began. This is the time during which stakeholders can comment on the proposed rule.
If the proposed rule passes this stage, then medical providers have 180 days to comply with the new standards.
Whenever an organizational body presents a rule proposal, it’s always best to assume that the rule is going to pass. This way, you can prepare to make the necessary changes.
What Are the HIPAA Changes?
Now that you’re caught up on the legalities that come with this proposal, it’s time to dive into the changes that you may encounter. There are several rules that may change.
Given that the proposed rules are focused on patient care and support, you’ll find this to be a common theme in the changes.
1. Individual Right of Access
One of the major changes to the HIPAA rules includes access-related rights. Within this realm, there are many subsections:
- Expanded Right to Inspect
- Unreasonable Access Requirements Prohibited
- Response Turnaround Time Shortened
- API Access
Let’s talk more in-depth about each of these changes.
Expanded Right to Inspect
This proposal states that patients should have the right to access their personal health information quickly and without charge. This means that healthcare providers cannot unnecessarily restrict patients from their own health information.
And, patients would have the right to store or document their own personal health information as well.
Unreasonable Access Requirements Prohibited
The proposal also states that medical facilities should not be allowed to make unreasonable requests regarding a patient’s legal statements. These kinds of unreasonable requests include the following:
- Requiring a patient to notarize forms
- Requiring a patient to fill out forms only on paper
- Requiring a patient to be present at the facility when filling out forms
- Requiring a patient to only fill out forms through the facility’s online portal
The group plans on creating an exhaustive list in the future.
Response Turnaround Time Shortened
This proposed rule change concerns a prior rule on the distribution of a patient’s personal health information to the patient.
As of now, a patient can request their personal health information and receive said personal health information within 30 calendar days of the request. With the rule change, this 30-day period would be shortened to 15 days.
API Access
API stands for application programming interface. This allows two applications to speak to one another.
The proposal brings this up because the committee is determining whether or not they should require healthcare professionals to use existing API features of their electronic health record (EHR) system. As of now, the organization is leaning towards requiring this, as long as it doesn’t require any extra cost from the medical facility.
2. Access to Patient Records By Third Parties
Just like those rules regarding patient access to their own medical records, the new proposal also includes new regulations for how third parties access patient records. There are three main changes:
- Requests to Third Parties Limited to ePHI
- No Requirement for Written Authorization
- Requirement That Providers Facilitate Access Requests
Let’s go through each one in-depth.
1. Requests to Third Parties Limited to ePHI
The proposal requires that physicians fulfill third-party requests for personal health information (PHI). However, they must do so through ePHI.
ePHI is simply the electronic version of PHI. This means that information would be sent electronically rather than physically.
2. No Requirement for Written Authorization
The new rule proposals do not change the fact that third parties that are requesting PHI must have a signed HIPAA document. This signature must be from the patient to whom the PHI belongs.
However, these requests must be clear and specific. And, they can be spoken or in writing, whether physically or electronically.
3. Requirement That Providers Facilitate Access Requests
If a patient is going to see a new provider, they can ask that provider to access medical records from a previous provider. However, the providers must be the ones to facilitate the passing of information. This is not the patient’s responsibility.
However, this should only happen when the patient approves of the sharing of information. He/she must sign a HIPAA form clearly stating what the transfer of information is going to be.
3. Fees for Records
The proposed rules also address any fees that providers may charge for accessing records. Here, the organization is trying to reduce the barriers between patients and their personal health information. Thus, they are trying to reduce and eliminate fees.
Specifically, the new proposal states that patients should only be responsible for ‘reasonable’ fees.
These are fees that a provider may charge for printer usage or excess copies. Overall, these reasonable fees point to labor costs, as well as the cost of supplies that the provider may need to use to provide the patient with the information that he/she is requesting.
4. Disclosure of PHI Without Authorization
There are few situations in which a provider can share a patient’s personal health information without their consent. The proposal walks through these situations as well.
In particular, the new proposal broadens these scenarios while being clearer on appropriate situations. These help professionals understand HIPAA exceptions easily.
Healthcare Operation Exception
Currently, the HIPAA rules and regulations state that health professionals can share patient information without explicit consent from the patient if they are collaborating with other professionals on the case. This could be other specialists, case management professionals, or others.
The new proposal clarifies these rules and makes this stipulation clearer for professionals.
Minimum Necessary Standard Expansion
This part of the proposal addresses the information that case management professionals need to know in order to help a patient. The proposed rule expands the minimum necessary standard procedure to case management professionals.
Those who work in case management need some patient information to help with social cases.
From “Professional Judgment” to “Good Faith”
The proposal changes the rule that professionals should use their judgment. Rather, they want to use the wording that states that professionals should act in “good faith.”
In sum, this means that professionals need to act in the best interests of the patient and what they believe the patient needs.
Health and Safety Issues
If the patient is a serious health or safety risk, the provider can share their health information. They can tell those individuals who would help the patient if that health or safety problem were to occur.
You may recognize this HIPAA rule in action when medical providers share health information with public service professionals like policemen.
5. Notice of Privacy Practices
The new rule proposals also change a few privacy practices.
The first stipulation states that healthcare providers do not need a written acknowledgment. Usually, the patient has to sign a Notice of Privacy Practices. The organization sees this as unnecessary administrative strain.
Rather, the new rules propose that the providers should be clearer about sharing the patient’s HIPAA rights with them. They should also share ways in which patients can exercise their HIPAA rights.
The organization also shared that they would like to compose a standardized header. This would share information about privacy policies with the patient. And, it would share key information about personal health information with patients.