On December 10, 2020, the US Department of Health and Human Services (HHS) issued a document containing a large number of proposed changes to HIPAA privacy rules. The document in its entirety is available here, and also contains information on how to send public comments until February 12, 2021.
According to the executive summary, these changes have the broader purpose of transforming the entire healthcare sector by creating a value-based system that pays for quality care. To this end, the updated HIPAA privacy rules proposed by HHS aim to:
The new changes to HIPAA privacy rules aim to create better communication between different healthcare specialties. We will detail below some of the most important changes that may impact your practice if approved.
Before that, in our understanding, the new privacy rules will rely more on the practitioners’ good faith in sharing their patients’ personal health information and reduce the paperwork needed to justify this decision. However, this freedom comes with the increased responsibility to protect electronic health records from unauthorized access.
All in all, the HHS aims to make the healthcare system more agile, flexible, and adapted to the new realities brought about by the global COVID pandemic. Now let us look at some of the most important changes proposed in the document.
The proposed HIPAA privacy rules aim to clarify and broaden the term “health care operations” in order to reduce ambiguity and cover “all care coordination and case management activities”.
The proposed change will cover both population-based and individual health plans and aims to encourage the disclosure of personal health information between healthcare providers.
One of the most extensive parts of the HHS document covers the individuals’ rights to access their own health records. Under the proposed HIPAA privacy rules, an individual will be allowed to take notes or photograph their own health records. At the same time, healthcare providers will have a shorter time available (15 days instead of 30 days) to respond to an application for access to information.
At the present, the HIPAA Privacy Rule does not have a formal definition for the term electronic health record. The proposed definition states that EHR is an individual’s electronic record of health-related information “created, gathered, managed and consulted” by authorized healthcare clinicians and staff.
The definition further details the term clinicians as including:
The proposed HIPAA privacy rules would simplify the process of sharing patient information between healthcare providers. At the present, the privacy standard requires practitioners to base such disclosures on “professional judgment”.
The new standard is more permissive, as it requires practitioners to use their “good faith belief” that such disclosure would benefit the patient. However, such a decision could be counteracted by evidence of bad faith. Hence, although healthcare professionals have more freedom in sharing PHI, they must also exercise great caution is using this freedom.
Finally, healthcare providers will have to charge only the allowable fees proposed by HHS to individuals who want to access their health records. Under the proposed changes, in-person inspection and internet-based methods of requesting and obtain copies of PHI are free.
For other methods, the allowed reasonable fee would cover actual labor and shipping costs, as well as costs to prepare a summary or explanation if requested by the individual.