Finalization of Privacy Rule modifications is still pending

The Department of Health and Human Services (HHS) published proposed changes to HIPAA’s Privacy Rule on January 21, 2021. The proposal was under a public comment period until May 2021 and HHS expects to publish final changes in March or April 2023.

Effective Date – Once published, the final rule will become effective 60 days from its date of publication in the Federal Register.

Compliance Date – The important date for covered entities and other parties affected by the rule will be the Compliance Date which will be 180 days from the Effective Date.  This will allow covered entities ample time to make changes in policies, forms, and procedures.

Proposed Changes – There are multiple possible changes affecting an individual’s (patient’s) right of access, permitted disclosures for the purpose of care coordination and case management activities, and more.  Here is a brief listing of proposed changes that, if finalized, will have the greatest impact for providers and their practices:

• New Terms will be introduced for Electronic Health Records and Personal Health Applications.

• Timeliness for access to records will be amended from the current 30-day period to 15 calendar days for responding to access requests for inspection and/or copies of PHI. An additional 15 calendar days will be permitted to fulfill the request if certain conditions are met.

• Strengthened right of inspection – Individuals will be permitted to take notes, take photographs, and use other personal resources to capture information when inspecting their designated record set.

• Right of access fees – Reasonable, cost-based fees that may be imposed for copies of PHI (or for a summary of PHI if agreed to by the individual) will be clarified.

• Notice of access and authorization fees – A covered entity will be required to post a fee schedule on its website, if it has one, and make the fee schedule available at the point of service and upon request that specifies the types of access to PHI that are available free of charge and standard copy fees, including for any readily producible electronic and non-electronic forms and formats. Upon request, the covered entity must provide an individualized estimate of the approximate fee for any type of request covered by the fee schedule and provide an individual with an itemized list of the specific charges for labor, supplies, and postage that constitute the total fee charged, if requested.

• Requests to direct PHI to a third party will enable an individual to make a request to disclose their PHI to a third party in oral as well as written form (current requirement is written form) and to direct transmission of their PHI in an electronic format to a third party (if records are maintained electronically by the covered entity).

• Care coordination and case management activities are added to the exceptions to the Minimum Necessary Standard regarding disclosures to or requests by healthcare providers or health plans with respect to an individual.

• Business Associate Agreements must specify if the Business Associate is expected to disclose PHI to an individual or the individual’s designee upon request, rather than to the Covered Entity, as necessary to satisfy the covered entity’s obligations (to comply with patient access rights).

• Modified Language for Notice of Privacy Practices – Several new, specific statements will need to be prominently displayed in the notice. In addition, the email address of the person who is designated to provide further information and answer questions about the notice will need to be included.

• Obtaining acknowledgement of receipt of the Notice of Privacy Practices will no longer be required.

• Providers of Telecommunications Relay Services (as defined in 47 U.S.C. 255(a)(3)) will be specifically excluded from the definition of Business Associates and covered entities will be permitted to disclose PHI to a TRS Communications Assistant as necessary to conduct covered functions.

• Presumption of compliance – There are several permissions for disclosure within the Privacy Rule that will be based on a covered entity’s good faith belief that providing access is in the best interests of the individual (e.g., to prevent a serious and reasonably foreseeable harm, or lessen a serious or reasonably foreseeable threat, to the health or safety of a person or the public). The covered entity will be presumed to have complied with the good faith requirement absent evidence that the covered entity acted in bad faith.

• Uses to carry out treatment, payment or healthcare operations – Covered entities will be permitted to disclose an individual’s PHI to a social services agency, community-based organization, home and community-based services provider, or similar third party that provides health or human services to specific individuals for individual-level care coordination and case management activities.

• Reducing identity verification burden – Verification of patient access requests will be permitted to be done orally or in writing.

• Unreasonable measures of verification – Unreasonable verification measures will be defined, and examples provided to help covered entities avoid impeding an individual’s access rights.

Note – Eagle Associates will provide a detailed explanation of all changes and operational recommendations once the final rule is published. 

Notice for Subscribers to Eagle Associates’ HIPAA Compliance System – Eagle Associates will publish revised policies, forms (such as Notice of Privacy Practices and Business Associate Agreements), and workforce member training prior to the compliance date.  We will also provide guidance documents to help ensure your practice is fully prepared to meet the new requirements.