Proposed changes to HIPAA and HITECH may affect covered entities and business associates in 2022. Now is the time to consider any effects, and respond accordingly.
HHS published proposed modifications to HIPAA and HITECH in early 2021. It appears these changes will be adopted in some form. The modifications could require updates to policies and procedures, notices of privacy practices, forms, business associate agreements, and other HIPAA-related compliance issues. Compliance with some new requirements could be difficult.
The proposed modifications to the HIPAA Privacy Rule are intended to improve the coordination of care and to reduce regulatory burden on the healthcare industry, says Erin Dunlap, JD, an attorney with Coppersmith Brockelman in Phoenix. While these are important goals in terms of transformation to value-based healthcare, most health plans and covered healthcare providers want to know what the proposed modifications mean for them in the short term from an operational perspective.
“If the proposed modifications are finalized, I think policy work will be front and center for compliance/privacy personnel, followed by appropriate training,” Dunlap says. “Patient access will be a key area of focus.” Dunlap says finalization of the proposals will mean patient access policies will need to be revised in several ways:
- Require responses to patient access requests within 15 calendar days (vs. the current 30 days) and shorten the possible extension time to 15 calendar days (vs. the current 30 days);
- Prioritize urgent or other high-priority access requests (especially those related to health and safety) and limit the use of an extension for such requests;
- Prohibit “unreasonable” measures that impede individual access to protected health information (PHI), such as requiring an individual to fill out an extensive request form, obtain notarization, or to submit a request in person or only through an online portal;
- Permit a patient to inspect PHI that is readily available at the point of care, such as an X-ray, ultrasound, or lab results;
- Require the electronic transmission of PHI (e.g., by email or through a personal health app, which is defined under the proposed modifications) if the PHI is readily producible through such means;
- Provide access free of charge when a patient inspects PHI in person or uses an internet-based method (e.g., a personal health app);
- Submit a patient’s request for an electronic copy of PHI in an electronic health record (EHR) to a covered healthcare provider (i.e., the discloser) within 15 calendar days;
- Allow individuals the right to take notes, videos, and photographs (and other personal resources) to capture PHI in a designated record set, subject to a few limitations.
“While it is unlikely that all of the proposed modifications will be finalized in current form, I think it is important for plans and providers to prepare and budget for significant policy work and training in 2022,” Dunlap says.
The proposed changes, if finalized, also will require several revisions to a covered entity’s notice of privacy practices (NPP), including changes to the introductory statement and the right of access provision. Organizations might have to add a statement indicating patients can discuss the notice with a designated contact person and provide such person’s email address and phone number. “On a positive note, plans and providers will no longer need to obtain a written acknowledgment or receipt of the NPP,” Dunlap says.
More Training Will Be Needed
Most of the proposed changes are intended to improve care coordination and interoperability, says Eric D. Fader, JD, partner with Rivkin Radler in New York City. However, the changes would introduce a training burden for covered entities.
“Training of employees has been one of the things that providers have fallen down on in the past 20 years. HIPAA has never been fully complied with by providers because they purchase a HIPAA manual, put it on the shelf, and think they are in compliance,” Fader says. “Or, they have employees watch a HIPAA video when they’re first onboarded, and that’s it. You’re really supposed to train and retrain your employees every year at least.”
The Office for Civil Rights (OCR) has settled at least 20 Right of Access initiative cases. Fader believes that many settlements indicate covered entities already are struggling to comply with the requirements to allow patient access to records. Now, the proposed changes might introduce even more challenging requirements.
Fader argues the proposed rules try to shift HIPAA’s presumption away from restricting the use of PHI and toward a presumption that data must be shared for care coordination.
“Part of the problem with patients trying to get access to their PHI has been that the organization, or individual employees, would use HIPAA as a crutch, an excuse not to go to the trouble of providing the information,” Fader says. “They would say they can’t give the patient these data because HIPAA prohibits it, or you have to jump through all these hoops before we will give you your own records.”
Some covered entities would require excessive written authorizations, sometimes notarized, and they might mandate different requirements for transferring data to certain recipients.
“All of this is going to be changed with these proposed rules if they become effective, which they probably will in virtually the form they are in,” Fader offers. “Now, patients are going to have the ability to inspect their PHI in person and take records or photographs. That is potentially a nightmare scenario for some providers, who could have a parade of patients coming in the office to view their records. You’ll need to give them a private and secure place to do that, with someone sitting with them to make sure they don’t get into things they’re not supposed to.”
Many states are likely to align their relevant laws with the new HIPAA standards for how long a patient must wait for records. Fader believes some may see OCR’s move as a signal to enact even shorter time frames. “In addition to violating HIPAA if you don’t get that data to patients in time, you may have to worry about violating state laws as well,” he says. “This can all create a burden for covered entities that are not ready for some of the logistical challenges here.”
In addition, the proposed rules would allow patients to obtain records in the format they choose. For instance, covered entities might struggle if the electronic record system cannot comply with the format a patient requests.
There also is a new definition of an EHR that includes billing records. If the provider keeps billing records in a separate system, it may have to go into both systems to comply with a request for a full EHR.
Better Care Coordination
Lee Barrett, CEO and executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC) in Simsbury, CT, says his organization supports the HHS objective of removing regulatory obstacles and burdens related to HIPAA. The changes would facilitate efficient care coordination and case management while promoting the transformation to value-based healthcare and preserving the privacy and security of PHI.
“One specific question deals with the requirement for providers to gain a signed copy of the Notice of Privacy Practices. With the implementation of interoperability, this task could easily be handled via a customer portal or secure mobile application,” Barrett says. “Likewise, there are questions about whether or not non-HIPAA-covered entities should participate in data exchange. The current movement toward electronic healthcare data exchange allows for non-HIPAA-covered entities to contribute, but only after identity is validated and their feedback can be obtained in a secured fashion.”
EHNAC has worked with organizations like the Workgroup for Electronic Data Interchange and others to facilitate the industry’s implementation of HIPAA Privacy and Security requirements. “While minor adjustments to the regulations could lessen some burdens on some organizations, the full focus of our collective energy and efforts should be on driving industry adoption of standards associated with the secure and efficient exchange of health information in an interoperable manner,” Barrett says. “Once our industry attains a high adoption percentage demonstrating interoperability, many of the current issues experienced as challenges with the rules will be significantly lessened.”
The pending HIPAA changes are mostly an attempt to encode pre-existing subregulatory guidance or best practices, according to Matt Fisher, JD, general counsel for Carium, a telehealth and remote patient monitoring company based in Petaluma, CA.
“With that in mind, organizations should prepare to boost efforts related to access by individuals and care coordination. Arguably both of those areas should already be receiving attention, given recent enforcement actions by the Office for Civil Rights and the aims of value-based care or population health initiatives,” Fisher says. “That all means the pending changes should be seen as another kick to implement procedures that should already be in place.”
- Lee Barrett, CEO and Executive Director, Electronic Healthcare Network Accreditation Commission, Simsbury, CT. Phone: (860) 408-1620.
- Erin Dunlap, JD, Coppersmith Brockelman, Phoenix. Phone: (314) 255-5988.
- Eric D. Fader, JD, Partner, Rivkin Radler, New York City. Phone: (212) 455-9570.
- Matt Fisher, JD, General Counsel, Carium, Petaluma, CA. Phone: (508) 603-9202.