HIPAA Privacy Rule: What’s New?
HHS proposed sweeping changes to the HIPAA Privacy Rule. These suggested modifications are not yet published, but what could these mean for your facility and patients? We break it down for you here.
Individual Right of Access
What’s the Purpose?
To reduce an individual’s barriers to accessing their own Protective Health Information (PHI), as well as to increase the availability of PHI for Care Coordination and Case management.
1st Proposal: Individuals will have the right to take notes, photos, and videos of their own PHI at the time of a visit when a patient is in office. This does depend however, on the individual’s state rules about dual consent for video taking.
2nd Proposal: Reduces the amount of time a covered entity has to respond to a request from a patient to have access to their records. The reduced time will go from 30 calendar days to 15 calendar days.
- Note: You cannot delay a request for a record. If the records are ready in 5 days, you have to get them out. For example, lab results. If a patient requests access to lab results, and you have them ready the day of their request, you need to provide it to them as soon as possible, without any delay.
Addressing the Form of Access
This is a clarification that further addresses the Individual Rights of Access.
If a patient requests electronic access to data, you must provide it. Patients may bring their own USB or jumpdrive to download their data, however, you do not have to take it and insert it into your system. Instead, you can provide them with a new USB or jumpdrive and charge them for it later, or you can send their data to their Patient portal. The patient portal option is hypothetically the most ideal option.
If they are requesting hard copy it must be in readable format. You can agree with the patient on format.
- Note: Patients are allowed to request billing records.
HIPAA also addresses requests to disclose to third-parties. For example, if a patient wants their father’s records, it is considered a mandatory request because the father has given consent for them to do so. You can ask for written consent, vs taking oral requests. This kind of request is chargeable.
Fees for Records
4th Proposal: You must review all of your agreements with your vendors that have access to your PHI. Then decide whether or not you want that Business Associate to be able to access or disclose PHI. The Business Associate Agreement must clarify when that Business Associate must disclose records.
For example, if you have an outside billing company, you want it to handle all patient requests for access to their billing records.
Be detailed! Your Business Associate Agreement should already detail what that access is. Additionally, it must clarify when that Business Associate has access to your PHI.
Patient Identification Verification
Patient Identification Verification clarifies the language on what an ‘unreasonable identification measure’ is. This clarification is trying to remove all the obstacles and hoops patients go through in order to identify who they are to access their PHI.
You are allowed to start providing information to a patient on their next appointment if you recognize them. They can access their records and do not have to show ID because your staff already knows them.
However, if a patient walks into an office, for example their father’s doctor’s office, requesting information, that patient would have to provide an ID. Because this is not removing your obligation to properly identify who is asking for the information.
HIPAA is making sure that those who do not have an ID, can still be identified by you.
Healthcare Operations
This is a clarification.
There has been some confusion recently about the definition of Healthcare Operation or the “O” in “TPO”. Unfortunately, it occurred because of the way the rule was written grammatically. People have interpreted Healthcare Operations as only ‘population-based’ Care Coordination and Case Management. Because of this, covered entities were not disclosing or requesting PHI to support coordinated care.
This new clarification defines healthcare operations as ALL Care and Coordination and Case management by health plans.
If you are a health plan and not a covered entity, then everything you are doing falls under the healthcare operations piece.
Use your own judgment in the process of sharing records between providers and other covered entities. Does it make sense to you to require release information? You can use your best judgment on whether or not that is a valid request. Every time you receive a CC request you can act upon it accordingly.
Creating an Exception to Minimum Necessary Standard
6th Proposal: The OCR is very clear on making the Minimum Necessary Standard flexible. They believe that the current standard is flexible enough for entities of all sizes.
For example, a covered healthcare provider may determine that it is reasonable to rely on the representations from a health plan, and a health plan may rely on representations from a public health authority- meaning you can rely on people telling the truth about their need for access.
HIPAA is giving an exception for treatment, under the proposed Minimum Necessary Standard. For example, you can disclose PHI to a rehab hospital when needed.
Also, make sure to define your internal use and disclosure policy. This 6th proposal only applies for external disclosures. Everything you’re doing internally, meaning who you allow access to PHI based on their roles inside your clinic or hospital, must be clearly defined and addressed.
Additionally, they want to make sure that Care Coordination and Case Management under this standard is defined.
For example- Diabetes patients. A healthcare plan is allowed to access this patient’s information on their diabetes, in order to send out information like diet plans and so forth. If you are a care provider, looking up diabetes for case management, then that would be an example of internal use. Internally you can access the PHI of all your diabetes patients.
Health plans are more restricted in regards to Care Coordination and Case Management because they are not treatment providers. Treatment providers have lesser restrictions on this standard because they are allowed to access their own PHI in order to provide Care Management.
This new proposal also adds an express exception for Care Coordination and Case Management. Because the purpose of these changes is to increase the access to Care Coordination and Case Management and to ease the burden of the HIPAA rules as they stand, to encourage more CC and case management for patients to increase healthcare quality.
This standard would only apply at the individual level. Meaning if you are accessing a patient’s records, then you are only allowed to access what you should be accessing under the standard. Does not apply to population-based health. Additionally, you are not allowed to send out information on a mass level to a third party.
- Note: Uses for care coordination and case management, T or O you are allowed to access and disclose PHI underneath minimum standard. Uses, requests, and disclosures for other purposes, i.e population-based health- This was done to track covid-19 cases. In this example, they were only allowed to disclose the patient name, age, zip code, and their COVID results. You are not allowed to give information to the public health agency, unless they are doing contact tracing, but then that has to be documented properly.
Cures Act Final Rule
The 21st century act changes information on the MNS. This is in effect right now. As of now, you are prohibited, as a healthcare provider from limiting permissible disclosure to minimum necessary, when to an individual. An individual has the right to access all of their information.
It encourages disclosures for population- based management. Encouraged to share with health information exchanges to promote access.
A provider can honor individual requests for restrictions, but not required to do so. Except for restrictions for privacy.
Third Party Disclosures
7th Proposal: The OCR is proposing to add a new subsection to expressly permit covered entities to disclose PHI to non-covered entities.
For example, you are permitted to disclose a PHI to senior centers. If you have a patient that is also at a senior center, and if you know he/she is at high risk of a fall, you can disclose that to the senior center. You are also allowed to disclose to other third-parties that are ‘health-related’ such as social services, HCBS providers, community based organizations, etc. You do not need an agreement for these disclosures.
PHI Disclosures- Substance Use Disorders
These 2 proposals are for bettering rule 42 CFR Part 2, which concerns the privacy around substance use disorders. They are making 2 major proposal changes-
9th Proposal: Replacing ‘exercise professional judgement’ with ‘good faith belief’. The ‘presumption of good faith belief’ improves timeliness of disclosure threats, facts and circumstances surrounding disclosures, and policies procedures.
10th Proposal: Replacing ‘serious and imminent threat’, to ‘reasonably foreseeable threat’.
Previously there was confusion around who could exercise judgment. Many thought that professional judgement was limited to licensed healthcare providers. This new proposal will broaden that to all workforce members.
- Note: The PHI SUD has the same Identity Verification Clarifications that we saw under regular PHI. They are adding in the good faith standard to have the patient’s best interest in mind.
“Lawful Holders”
This is not a part of the new proposed rules; but, is a part of the Cares Act and 42 CFR Part 2.
A lawful holder can be defined as a primary care practice or a hospital that is involved in CC and Case Management, but is not actively providing substance abuse order treatment, yet you still receive information from a part 2 entity. You are required to protect that information at a higher level than HIPAA. Meaning, if someone requests information from you, the lawful holder, you must have specific authorization
Make sure you have a QSOA- Qualified Service Organization Agreement with the Part 2 program in order to have those disclosures made to you without freely without patient authorization. The patient can reject the disclosure, but if you have a QSOA it can protect you.
NPP Requirements
This proposal will remove the requirement for acknowledgment and also removes the retention of acknowledgment records.
It will replace the written acknowledgment with the individual right to discuss the NPP.
11th Proposal: The NPP header will be modified to educate patients on what rights they have, in regards to their access.
HIPAA is proposing to include in the header the following:
- A statement saying that the patient has the right to access their PHI
- How they can submit a request
- How to file a HIPAA complaint, both to HIPAA and to their organization
- Who your HIPAA privacy officer is
- A right to receive NPP and discuss its contents
Hearing Impaired/ Deaf Blind Speech Disability
12th Proposal: This proposal adds express consent to disclose PHI to TRS systems. A Business Associate Agreement is not needed.
For example, if you have this kind of patient and they utilize their TRS for communication, how they communicate is not a BAA of your organization. Their communication is something you can disclose to aid communication.
