Prepare for the 2021 Proposed HIPAA Changes

Since the introduction of HIPAA, the U.S. Department of Health and Human Services has taken care to ensure its rules and regulations keep up with new technologies and practices.

What you need to know

The deadline has passed for comments regarding the proposed changes to the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) will review the comments over the next couple of months. It is important for healthcare providers and patients to begin learning the new regulations.

How does a proposed rule become law?

As health technology evolves, HIPAA rules and regulations need to be amended to remain relevant. HHS accepts feedback regarding current regulations that have become less important or more problematic.

HHS uses this feedback to develop a notice of proposed rulemaking (NPRM). It then accepts and reviews comments before posting a final rule after 60 days. Once the rule is finalized, HIPAA-covered entities have a grace period of 180 days to make any necessary adjustments before the changes take effect.

The 2021 proposed changes to HIPAA seek to further enhance many of the goals of the HITECH Act and the subsequent Omnibus Rule – both of which sought to promote the use of electronic health records, improve health data security, and increase punishment for non-compliance.

The primary goals of the proposed updates to HIPAA regulations are as follows:

  • Strengthen care coordination and case management within health information networks
  • Bolster and clarify a patient’s HIPAA right of access to their protected health information (PHI)
  • Reduce information blocking, or a “practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information”

Ease of access to records for patients

The current NPRM proposes several improvements to the accessibility of medical records for patients and between providers during care coordination. While the proposal aims to improve and modernize HIPAA regulations, the new rules may burden providers. To ensure continued compliance, training sessions and additional staff may prove necessary. Alternatively, improved workflows and tools can help covered entities manage requests and securely release information. 

Reduced timeframe for fulfilling medical records requests

Providers will need to respond more quickly to release of information (ROI) requests if this NPRM is passed. Currently, HIPAA calls for a turnaround time of no more than 30 calendar days. HHS proposed to reduce the deadline for completing a medical records request to 15 calendar days. 

The NPRM allows for one 15-day extension if the provider notifies the requestor and offers a valid reason for the delay. Asking for additional information will not constitute a valid reason for an extension. This prevents covered entities from asking for additional information just before the request deadline to receive an extension.

Enhance a patient’s HIPAA right to access their records

The proposed changes to HIPAA will allow patients to view, photograph, and take notes on their health information in person.

Additionally, they will reduce the burden of identity verification to combat information blocking. The proposal dictates that the verification process should not create a barrier to accessing medical records. HHS offered the following examples of unreasonable identity verification measures:

  • Requiring that patients receive PHI in person
  • Requesting extensive information either via a form or a web app
  • Requiring a notarized signature to release PHI

Improved information sharing during care coordination and case management

Reduced signatures, reduced administrative burden

Providers will no longer need patients to sign to confirm that a Notice of Privacy Practices (NPP) was provided. HHS will edit the NPP for clarity regarding the patients’ rights and how they can exercise them.

Additionally, the NPRM proposes that written PHI requests will no longer be required for all ROI requests. If passed, patients will be able to easily direct a copy of their PHI to a third party via an oral or web-based request, as long as it is “clear, conspicuous, and specific.”

Improved accessibility to electronic health records

The form and format of released PHI will be required to be one that is readily accessible for the recipient. HHS specified that PDF files are a great option for fulfilling this requirement because the file format was developed to be accessible regardless of the operating system.

The NPRM also proposes to ease the HIPAA privacy rule to allow for disclosures of PHI based on “the exercise of professional judgment.” In its current form, the privacy rule’s standard allows such disclosures in the case of a “serious and imminent threat.”

Increased protection for good-faith disclosures

The proposal permits covered entities to disclose PHI in certain circumstances based on a “good faith belief” that the disclosure is in the patients’ best interest. It allows providers to disclose PHI in the case of a “serious and reasonably foreseeable threat.” 

For example, the covered entity will be allowed to make a disclosure to relevant parties, such as parents or law enforcement, to minimize harm in cases including: 

  • Serious mental illness
  • Substance abuse
  • Potentially violent situations

Clearer request fees

HIPAA-covered entities will be required to make estimated fee schedules for PHI access and disclosure available on their websites. These fees must be reasonable and cost-based. This includes labor for making copies, supplies, postage, and the costs of preparing a requested summary or explanation.

Potential penalties for not following guidelines

Since it was signed into law in 1996, HIPAA has required covered entities to protect PHI and strictly control its disclosure. The Enforcement Final Rule gave OCR the authority to financially penalize covered entities that do not comply with HIPAA regulations, based on the guidelines introduced by the HITECH Act.

These guidelines introduced a tiered system of penalties based on the covered entity’s knowledge of the violation. The tiers are as follows:

An infographic containing the penalty tiers for HIPAA violations. It shows that the penalties increase in severity based on the covered entity's perceived neglect.
