Privacy Rule Proposed Changes – Ep 291 

 February 12, 2021

By  Donna Grindle

HHS’s Office for Civil Rights published their proposed changes to the HIPAA Privacy Rule. The changes include some required to make HIPAA better align with the requirements of the 21st Century Cures Act for patient access to their records. There are a few other changes to note, as well. Let’s check them out, shall we?


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

HIPAA Say What!?!

[12:03] Our entire episode this week falls under HIPAA Say What!?! But before we dive into that, there was some good news in the cybersecurity space recently. We have talked about the Emotet malware that has had its fingerprint in lots and lots of cyberattacks worldwide for years now. Well, one of their servers that receives lots of traffic and helps spread malware was seized by “cyber police” from agencies across the globe. This is great news as it helps everyone! How exciting is that!

Privacy Rule Proposed Changes

[14:08] This one gets a little tricky due to the fact that we are in the middle of an administration transition in the middle of a pandemic. There are certainly a few other issues that are a bit distracting to complicate things.

The NPRM (Notice of Proposed Rulemaking) was introduced in Dec and submitted for publication in the Federal Register. It was officially published there on Jan 21st and open for public review and comment. As of now it states the comment period ends 3/22 but that could be extended. If you want an opportunity to comment, plan to review and make comments sooner rather than later. Pay attention to the change of dates as you go.

There is no way to know how long it will be before this resolves. Under normal circumstances the comments would be reviewed and a Final Rule would be submitted. Once it’s published, then you have 60 days until it takes effect. Then there are 180 days for implementation and 240 days for enforcement to start. Under normal circumstances this would give us several months to get things implemented around year end. Who knows how it will play out now.

Fact Sheet on Proposed Modifications to the HIPAA Privacy Rule to Empower Individuals, Improve Coordinated Care, and Reduce Regu – HHS Fact Sheet

Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement Fed Reg NPRM

No matter how it works out, these are changes that are on their second round of discussions. The review period could get really long. However, some of these changes sort of go hand in hand with the information blocking rollout.

All this being said, these changes should be on your radar, and you should even consider planning how to implement the tougher ones. So here are the proposed changes.

[18:20] 1 – Facilitate the disclosure of PHI for individuals experiencing certain health emergencies by modifying the standard for certain permitted disclosures from one based on a CE’s “professional judgment” to one based on its “good faith” belief that a disclosure would be in the best interests of the individuals.

This one is all about changing that term. Professional judgment has been interpreted by some to require someone who is licensed to practice and has been trained to make these decisions. Good faith gets rid of that concern and makes it clear that the provider and their staff can explain a “good faith” belief that what they were doing is correct. Granted, this doesn’t mean you get to make decisions willy nilly. In fact, it is pretty much the way I have advised groups. Patient care comes first; as long as you can explain your decision process and feel you could explain it in court, you are set.

[23:07] 2 – Expand the ability of a CE to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.

This one is similar to the change above; it is mostly about terminology. There has always been a concern about what can be considered “imminent”. When do you really know a patient you have been treating for depression could be in imminent danger of suicide? The change makes it easier to meet the standard.

[25:01] 3 – Modify the definition of “health care operations” to clarify that the term includes care coordination and case management for individuals. Sometimes the current definition is interpreted to cover only population-based activities, with the result that some entities believe that health plans are not permitted to use and disclose PHI to coordinate care for individuals. It also includes a specific exception to explain that health plans performing care coordination can get access to entire records.

Care coordination is becoming increasingly important in healthcare. It wasn’t clear that care coordination could fall under Treatment activities. It was also clear that health plans didn’t do Treatment but they did do case management so that created more confusion.

[26:38] 4 – To extend the same thing further the proposal suggests allowing disclosures for case management to talk with Social and Community Services organizations who are assisting with care.

This really comes to light when you look at the opioid crisis. The care required to help some of the people includes housing and other social services to help them get life back on track.

[27:13] 5 – Make a TRS service that helps employees who are deaf contact patients classified as a BA. TRS can be used when the patient requests one. When employees need to use TRS services to do their job it would make them a BA.

[28:13] 6 – Add the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps, which are considered Uniformed Services, to the exception for disclosure of Armed Forces patients to their military command.

7 – A bunch of proposed changes related to patient access to their records.

  • [29:08] Shorten the 30 day time frame for responding to patient requests for records to 15 days with a single 15 day extension.
  • [32:59] Require the providers to submit the request for records to other providers in an electronic format. A direct request getting a direct response between providers within the same 15 day time frames.
  • [33:17] Allow patients to inspect their records in the office, take notes and even pictures of their records in the provider office.
  • [35:54] Clarify that if a provider has the technical capability to send records to a patient’s personal health application then they are considered readily producible.
  • [38:13] Reduce identity verification requirements to make sure patients are not unreasonably burdened to confirm their identity. (Like don’t make them have a notarized signature on a request for records.)
  • [40:04] Specify when electronic records must be provided free of charge.
  • Require CEs to post estimated fee schedules on their websites for right of access requests and for valid authorization disclosures and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

[43:44] 8 – NPP changes – Eliminate the need to get signed confirmation of receipt of the NPP from patients.

Change the required header on the NPP to include language about right to access records and file a complaint. This has some specific language that is best to share exactly as it is stated in the fact sheet:

The required header of the NPP would inform individuals that the notice provides information about how to access their health information, how to file a HIPAA complaint, and their right to receive a copy of the notice and to discuss its contents with a designated person.

Proposes to modify the required header to also specify whether the designated contact person is available onsite and include a phone number and email address the individual can use to reach the designated person.

  • Providing this information at the beginning of the NPP would improve individuals’ awareness of their Privacy Rule rights, what they can do if they suspect a violation of the Privacy Rule, and how to contact a designated person to ask questions.

Consistent with the proposed required header language, and to ensure that individuals are fully informed of their access rights, proposes to modify the required element of an NPP that addresses the access right to describe how an individual can exercise the right of access to obtain a copy of their records at limited cost or, in some cases, free of charge, and the right to direct a covered health care provider to transmit an electronic copy of PHI in an EHR to a third party.

Again, we don’t know when these Privacy Rule Proposed Changes will go into effect. But start preparing now. First, get your ducks in a row and follow the current patient right of access guidelines. Get your fee schedule and the ability to account for those fees ready. Next, get your NPP posted the way it’s supposed to be, make sure you know what’s in it, and make sure that your staff understands what is in it.
