In terms of compliance requirements, the HIPAA Privacy Rule has been effective since 2003, and the HIPAA Security Rule since 2005. Both are integral components of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Compliance requirements of the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), which addressed many provisions of the Omnibus Rule, have been effective since 2010.
It’s Time for Reform
It is widely agreed that no significant changes or updates have been made to the HIPAA Privacy Rule since at least 2007 and that certain substantial updates are needed to keep pace with changes in healthcare, enable better coordination of patient care, and recognize the roles individuals now play in managing their own healthcare.
That’s why, in December 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a proposal to modify the HIPAA Privacy Rule in 2021, to take effect in 2022. Officially, the proposal is called a Notice of Proposed Rulemaking, or NPRM.
Once the proposed modifications become effective (in the form of a Final Rule), the compliance date will be the standard 180-day period provided in OCR will begin enforcing the revised Privacy Rule provisions 240 days after publication of the Final Rule. For example, if the proposed changes are approved on December 31, 2021, compliance would be required by roughly the end of June 2022, with enforcement 60 days after that, or the end of August 2022.
Primary Purpose of Reform
The overarching purpose of the proposal is to improve the coordination of patient care and the coordination of patient case management.
In its proposal published in the Federal Register, HHS positions the update as supporting “the full scope of care coordination and case management activities to further the Department’s goal of achieving value-based healthcare.”
In achieving that aim, the proposal outlines ten major changes to procedures that will affect healthcare providers, health insurance providers/health plans, business associates, and patients.
As part of Cybersecurity Awareness Month, we’ve outlined the modifications in this blog to make you aware of the changes to procedures and compliance that are likely to be implemented in 2022.
Objectives of HIPAA Privacy Rule Changes
The HHS introduction to its NPRM published in the Federal Register declares that the proposed changes aim to address existing provisions that may be impeding “the transition to value-based healthcare by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other healthcare providers, payors, and insurers), or posing other unnecessary burdens.”
Additionally, in its press release extending the public comment period from March 22 to May 6, 2021, HHS further reinforced the five key components of the proposed update, which include:
- Strengthening individuals’ rights to access their own health information, including electronic information,
- Improving information sharing for care coordination and case management for individuals,
- Facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises, including cases of serious mental illness and substance use disorder,
- Enhancing flexibilities for disclosures in an emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies, and
- Reducing administrative burdens on HIPAA-covered healthcare providers and health plans, while continuing to protect individuals’ health information privacy interests.
Since 2003, HHS has acquired years of practical, real-world experience in observing the implementation of the Privacy Rule and enforcing its provisions. They recognize that some of the existing elements of the Rule no longer work in today’s healthcare environment and are intent on ensuring that the Privacy Rule remains a viable regulation capable of responding to changing needs. So, what changes are on the way?
Three Major Changes to HIPAA Privacy Rule
Following is an outline of the three major modifications to the HIPAA Privacy Rule, encompassing individual access improvements, and changes to the Minimum Necessary Standard and the Notice of Privacy Practices requirement.
ACCESS IMPROVEMENT. Reforms have been made to improve individuals’ right to access to their personal health information (PHI) as part of the larger focus on care coordination and individual case management. Right of access continues to be a prime target of enforcement by the Office for Civil Rights. These various access reforms include:
- Strengthening individuals’ rights to inspect their PHI in person, allowing them to take notes or use other personal resources, such as smartphones, to view and capture images of their PHI.
- Requiring covered entities to respond to requests for PHI within 15 calendar days rather than the original 30 calendar days. Entities have an opportunity to respond time by an additional 15 calendar days if needed.
- Clarifying the form and format required to be used in responding to individuals’ requests for their PHI.
- When a summary of PHI is offered to an individual instead of a complete copy of their PHI, individuals still have a right to obtain or direct copies of their PHI to a third party, and covered entities are required to inform the individual of that retained right.
- Reducing the identity verification burden on individuals who exercise their right to access their PHI, which has been unnecessarily onerous in some cases.
- Requiring covered healthcare providers (physicians, hospitals, clinicians, etc.) and health plans (insurers) to submit an individuals’ PHI access request to another healthcare provider, and to receive back the requested electronic copies of the individual’s PHI in an electronic health record. This provision is intended to create a pathway for individuals to direct the sharing of their PHI in an EHR among covered healthcare providers and health plans.
- Requiring covered healthcare providers and health plans to respond to certain records requests they receive from other covered healthcare providers and health plans when so directed by individuals who are exercising their right to access their own PHI.
- Limiting PHI to electronic copies in an EHR, when an individual directs the PHI to be transmitted to a third party. This is intended to reduce the burden of transmitting paper documents of PHI.
- Specifying when electronic PHI (ePHI) must be provided to an individual at no charge.
- Changing the permissible fee structure for responding to requests to direct records to a third party.
- Requiring covered entities to post on their websites their estimated fee schedules for responding to individuals’ requests for access to PHI copies.
- When requested, providing individuals with personalized estimates of fees for PHI copies, as well as itemized bills for completed requests.
MINIMUM NECESSARY STANDARD. An exception to the “Minimum Necessary” standard has been created to accommodate individual-level care coordination and case management uses and disclosures.
- The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary sharing that will still accomplish the purpose of each use or disclosure.
- This proposal relieves covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by a health plan or covered healthcare provider for the purposes of care coordination and case management activities for an individual, regardless of whether those activities constitute treatment or healthcare operations.
NOTICE OF PRIVACY PRACTICES. Changes have been made to the ubiquitous Notice of Privacy Practices (NPP).
- The requirement to obtain an individual's written acknowledgment that they have received a direct treatment provider's NPP has been eliminated.
- NPP content has been modified to clarify an individual’s rights with respect to their PHI and how to exercise those rights.
Seven Additional HIPAA Privacy Rule Changes
The proposed 2021 reforms to the HIPAA Privacy Rule include seven additional significant modifications, as outlined below.
- Basic Definitions. Since the Privacy Rule does not contain certain definitions that are germane to its purpose, the terms “electronic health record (EHR)” and “personal health application” have been defined in the updated rule.
- Healthcare Operations. The definition of “healthcare operations” has been changed to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management activities that constitute healthcare operations.
- Social Service Agencies. Clarifications have been made governing covered entities' abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties who provide health-related services, in order to facilitate coordination of care and case management for individuals.
- Disclosures of PHI in Health Emergencies. The privacy standard that permits covered entities to make certain uses and disclosures of PHI based on “exercising their professional judgment” is being replaced and relaxed. The new standard permits disclosures based on a covered entity's “good faith belief” that the use or disclosure is in the best interests of the individual, particularly where individuals are experiencing substance use disorder, serious mental illness, and other emergency conditions.
- Threat Mitigation. Closely related to the above, this provision is intended to better enable covered entities to prevent and reduce harm to individuals or the public. The current requirement that an individual's PHI may only be used or disclosed based on a “serious and imminent threat” is being replaced with a less stringent “serious and reasonably foreseeable threat” standard.
- Telecommunications Relay Services. In the proposed update, disclosures of PHI to TRS communications assistants are expressly permitted for persons who are deaf, hard of hearing, deaf-blind, or who have speech disabilities. And TRS providers are no longer defined as business associates.
- Military Scope. The Armed Forces' permission to use or disclose PHI has been expanded to include all uniformed services, which now encompasses the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.
Together, these ten updates constitute the major changes proposed to the HIPAA Privacy Rule this year. They can be reviewed in detail in the Federal Register on pages 6446 to 6538.
Since compliance first became effective in 2003, the HIPAA Privacy Rule has permeated every aspect of healthcare provisioning in the U.S. It has transformed how patient information is maintained and safeguarded.
The HIPAA Privacy Rule changes proposed for 2022 will bring overdue reforms to several key elements of the rule, with the primary purpose of reducing unnecessary impediments to the coordination of patient care and case management. Once approved, the Final Rule will be published in the Federal Register to notify all concerned parties of the new procedures. Compliance will be required six months after publication. Two months thereafter, the Office for Civil Rights will begin enforcing compliance to ensure that the revised Privacy Rule is implemented as quickly and as widely as possible.
Healthcare providers, health plans, business associates, and all other covered entities should monitor these upcoming milestones in order to maintain their HIPAA compliance. Watch for future blog posts here.