Upcoming proposed changes to HIPAA law from the Office for Civil Rights (OCR)
Roger Severino, Director of the Office for Civil Rights (OCR), in his keynote address at the 11th Annual OCR/ NIST conference “Safeguarding Health Information: Building Assurance through HIPAA Security”, informed of some proposed policy changes in HIPAA law that OCR is in the process of working through. Be on the lookout for upcoming policy enhancements.
These proposed changes to legislation are provoked by input from covered entities, business associates and experts on what issues they currently face due to HIPAA regulations.
Here are some of the proposed changes that Director Roger Severino talked about.
Good faith disclosures by health care providers
Often people say “I didn’t know” when it comes to either their own health records or those of their loved ones. Sometimes, especially regarding public health emergencies like the opioid crisis, parents don’t know what is happening with the health of their children until it is too late. In those cases, good faith disclosures may be the right way to go. Should OCR pursue action against a provider who disclosed patient health information when the patient’s or someone else’s life was at risk? There should also be a provision for providers to inform the patient’s emergency contacts listed on the consent form, when there is a true emergency.
Improving care coordination and reducing regulatory burden
Notice of Privacy Practices
- Providers make the Notice of Privacy Practices available to patients and often ask patients to sign the notice as part of the patient package of documents. Patients sometimes do not know what this is for, what the notice provides them. It raises several questions like “is this a contract”, “what exactly am I signing here”, “am I giving up my privacy”, etc. OCR is looking into the notice of privacy practices to see how the process can be improved.
Required Provider to Provider Information Sharing
- When patients go from doctor to doctor, the patient’s information should follow seamlessly to provide the best possible coordinated care to the patient. Providers are allowed to share information about patients with each other as part of the treatment process.
- However, today there is no guarantee of receiving the information requested from one provider to another. OCR is looking at the possibility of changing the law to make this provider-to-provider information sharing mandatory upon information request.
Accounting of Disclosures
- Another area of review is the Accounting of Disclosures. Should the TPO (Treatment Payment Operations) provision be revoked or modified?
- Today, TPO allows for sharing of protected health information among entities for the purpose of treatment, payment of operations related to a patient.
OCR is keen on reducing burden in the healthcare process. Director Severino stated that we definitely do not want a situation where a doctor is treating a computer screen instead of the patient in front of the doctor.
Civil Monetary Penalties or Monetary Settlements to harmed individuals
- OCR is also looking at the patient compensation process. Congress wants OCR to compensate patients for breach of privacy.
- This can be very complicated as the gravity of breaches could differ greatly from one breach to another. For instance, the risks vary depending on if patient name and address are stolen, or if name, address and social security number are stolen, or worse, if sensitive health or disease information is stolen. What level of privacy breach should be compensated?
There is joint guidance available between HIPAA and FERPA for educational institutions. FERPA is all-encompassing for educational institutions. However, after a string of recent school shootings, some rules may have to change in terms of communication to psychologists to handle the trauma related to these incidents.
Input from public
Director Roger Severino ended his address saying that the Office for Civil Rights seeks input from the public on their proposed legislation changes and how they may affect healthcare entities and the healthcare system in general. They are interested in protecting patient privacy in a way that improves treatment and care coordination in general. To stay updated on upcoming changes, visit HHS.gov.