Will 2023 Finally Usher in the New HIPAA Regulations?

Author: Todd McDonagh, Principal & CEO

Back on December 10, 2020, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) issued the Notice of Proposed Rulemaking (NPRM) with proposed changes to the Privacy Rule. The proposed modifications support individuals’ engagement in their care, remove barriers to coordinated care and reduce regulatory burdens in the health care industry under HHS’s Regulatory Sprint to Coordinated Care. The NPRM solicits comments on OCR’s proposals, which are due 60 days after publication of the NPRM in the Federal Register.

As it turns out, the final comment period was completed at the end of June 2021, and I was ready to announce these changes to our clients. 2021 came to an end and I figured, the world is moving forward with the prospects of vaccinations and new strategies to combat COVID-19, so this information will drop for sure in 2022. Wrong again, but with the PHE just sunsetting, I am feeling confident that 2023 is the year. The changes will primarily deal with patient access, as many of you are likely already seasoned veterans having had to negotiate the Cures Act. The Cures Act and the HIPAA Privacy Rule both have the goal of protecting patients’ rights. Let us refresh ourselves with the context related to patient access.

Individual Right of Access proposed changes would:

  • expand the methods that individuals may use when inspecting their health information to include the ability to take notes, videos, and photographs.
  • require covered entity health care providers to allow patients to review PHI upon request that is readily available at the point of care in conjunction with a health care appointment.
  • reduce the time limit for covered entities to provide access from 30 to 15 calendar days.
  • clarify that PHI is “readily producible” in a requested electronic form or format if another state or federal law requires the covered entity to provide access in the form or format requested.
  • require patients to sign a valid HIPAA authorization (and not rely on the HIPAA right of access) before sending certain non-electronic PHI or electronic PHI outside of an electronic health record directly to a third party.
  • require health care providers to transmit an electronic copy of PHI in an electronic health record (EHR) directly to a health care provider or health plan designated by the individual.
  • limit and clarify the fees that covered entities may charge for providing access to individuals.

Other areas of proposed change include:

  • care coordination and case management.
  • changes to encourage disclosures of PHI to help individuals experiencing substance use disorder, serious mental illness and in emergency circumstances.
  • uses and disclosures to avert a threat to health or safety.
  • elimination of the requirement to obtain acknowledgment of notice of privacy practices and content requirements.

These changes will not bring the heavy lifting that was experienced in 2013, and when they do drop, there will be 180 days to become compliant, so stay tuned. We will get you through them.