Over the past few years, there have been increasing calls for changes to HIPAA regulations that would decrease their administrative burden. However, until now none of these proposals has materialized into new rules or guidelines. In 2021, the Office of Civil Rights (OCR) sought feedback on the proposed HIPAA changes from healthcare industry stakeholders before issuing a Final Rule. The publication date of the Final Rule has yet to be provided.
The proposed changes to the HIPAA Privacy Rule are as follows:
Individuals receive ePHI free of charge.
Allow patients to check their PHI in person and take notes or photos of it.
Reduce the maximum time to provide access to PHI from 30 days to 15 days.
Limit the transfer of ePHI to an EHR when individuals request it to be transferred to a third party.
Permit individuals to request their PHI be transferred to a personal health application.
A pathway was created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
The Covered Entity must notify individuals that they are entitled to obtain or direct copies of their PHI to a third party when a summary is offered instead of a copy.
Require HIPAA-covered entities to post estimated payment schedules on their websites for PHI access and disclosures.
HIPAA-covered entities will be required to provide individual estimates of the fees for providing a person with a copy of their own PHI.
Covered entities will not be required to obtain written confirmation that a Notice of Privacy Practices has been provided.
Allow covered entities to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
Covered entities are allowed to make certain uses and disclosures of PHI based on their sincere belief that it is in the best interests of the individual.
Require healthcare providers and health plans to respond to certain record requests from other covered healthcare providers and health plans when a person directs them to do so under the HIPAA Right of Access.
Adding a minimum required standard exception for individual care coordination and case management uses and disclosures, regardless of whether the activities are treatment or health care operations.
The definition of healthcare operations has been broadened to cover care coordination and case management.
The permission of the Armed Forces to use or disclose PHI to all uniformed services has expanded.
A definition has been added for electronic health records.
While some of the proposed changes to the HIPAA Privacy Rule are intended to ease the administrative burden on healthcare organizations, healthcare providers will also face short-term challenges. Considerable time and effort may be needed to comply with the Final Rule's requirements once it is published.
One challenge is the updated definition of electronic health records, which includes billing records. Billing records must also be provided when an individual requests a copy of PHI, yet they are often kept in a different system, not in the EHR system. Another challenge is the provision added to the HIPAA rules that allows patients to personally examine their PHI and take notes and photos. Requesting individuals must be able to do this privately to ensure the privacy of the information. Healthcare providers must find the best way to comply with these updates to the HIPAA Privacy Rule.
It may be necessary for healthcare providers to seek help from a HIPAA-compliant software development firm to update their EHR software, enable their systems to process HIPAA Right of Access requests in a timely manner, and provide electronic means by which individuals can inspect their health information in person. And because in-person requests to inspect PHI will also need to be provided at no cost, healthcare providers may consider hiring a Business Associate for software development that can develop a software application with minimal cost impact on them.