Release of Information Report: Get Set for HIPAA Changes
By Diane E. Ferry, MS, RHIA
For The Record
Vol. 34 No. 3 P. 26
In place since 2013, the HIPAA regulations have remained largely intact. However, expect several significant regulatory changes in the near future.
On December 10, 2020, the Office for Civil Rights issued a Notice of Proposed Rule Making regarding HIPAA regulations, which was published in the Federal Register on January 21, 2021. At this time, final regulations are expected to be published by late 2022 or early 2023, with implementation and enforcement in 2023. In general, the process for introducing new or revised regulations is as follows:
• Health and Human Services (HHS) requests comment on those aspects of regulations that may have become problematic or contain information that needs to be updated.
• Following the receipt and review of comments that have been received, HHS issues a Notice of Proposed Rule Making.
• Comments are again solicited and considered from all parties before a final rule is proposed.
• The Final Rule is announced, and implementation and enforcement begin.
The proposed new HIPAA regulations include the following:
• allowing patients to inspect their health information and take notes or photographs of the information;
• changing the time requirement to provide information to patients from the current 30 to 15 days;
• specifying that requests by individuals to transfer electronic personal health information (ePHI) to a third party will be limited to the ePHI maintained in an EMR;
• allowing individuals to request their PHI be transferred to a personal health representative;
• defining when individuals will be provided their ePHI at no cost;
• requiring HIPAA-covered entities to inform individuals that they have the right to obtain a copy of their PHI or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy;
• requiring HIPAA-covered entities to post estimated fee schedules on their websites for PHI access and disclosures;
• requiring HIPAA-covered entities to provide individualized estimates of the fees for providing an individual with a copy of their own PHI;
• requiring a conduit to be created for individuals to direct the sharing of PHI maintained in an EMR among covered entities;
• requiring health care providers and health plans to respond to certain record requests from other covered health care providers and health plans in cases when an individual directs those entities to do so under the HIPAA Right of Access;
• eliminating the requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy Practices has been provided;
• allowing covered entities to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable” (the current definition is when harm is “serious and imminent”);
• allowing covered entities to make certain uses and disclosures of PHI based on their good faith and belief that the use or disclosure is in the best interest of the individual;
• adding a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures regardless of whether the activities constitute treatment or health care operations;
• broadening the definition of health care operations to cover care coordination and case management;
• expanding the armed forces’ permission to use or disclose PHI to all uniformed services; and
• adding a definition of EHRs.
The proposed changes have caused significant concern for many health care entities and third parties. Among the reasons for concern are their financial effects on health care providers and third-party service organizations. Shifting the cost burden to those providers and organizations will contribute significantly to overall health care costs while benefitting mostly requestors other than the patients themselves. Specifically, the proposed cost-based fee schedule for attorneys and other third-party requestors of health information will result in all patients paying for the costs of providing information to those parties.
Currently, attorneys and third parties pay according to each state’s regulations, most of which have been in place for many years. If the fees are lowered for those requestors, it will cause an additional burden on the health care facilities that will need to enlist a third party to complete the work or bring it in-house, where they will need to pay for additional staff who will need initial and ongoing training. In addition, this will divert HIM staff from providing records services to support ongoing care. This may cause additional workflow issues. With the current state of employment in the country, staffing to achieve this function will be difficult, if not nearly impossible.
Another area of concern is the expansion of the definition of the EMR to include billing records. Traditionally, billing records have not been subject to HIPAA. However, they will need to be included if the proposed changes are passed and implemented. Inasmuch as billing records are commonly maintained and managed separately from clinical care records, this will present significant interoperability challenges. For example, it will create a need for new workflows and changes to EMR integration. The legacy systems of business functions were not designed for such use. Combining the billing records under the HIPAA operating regulations will add to the difficulty and cost of meeting the timeliness, completeness, and security of information release.
The proposed new regulations also require releases to provide photocopies of health information in the format requested by a patient or individual. Ideally, this would be a simple format designation. However, the universality of such capability does not exist. Not all EHR systems allow for the duplication of information in all formats. For some health care entities, this will surely contribute to financial and workflow costs and implementation challenges.
The proposed changes also allow patients to inspect and photograph their ePHI. For this process, health care entities will need to make equipment and staffing arrangements while maintaining the privacy and security of this information. They will need to provide secure areas where the PHI can be viewed and/or photographed, which may create the need for additional staff. This new service is provided to the patient at no charge.
Besides the financial challenges presented by the proposed changes, the reduction in the time allotted to respond to a patient or individual request for PHI figures to be a source of concern for health care organizations. Having the time frame reduced from 30 days to 15 for individuals to gain access to their PHI is likely to cause significant workflow issues.
While individuals should not have to wait to gain access to their PHI, not all EMRs make it easy to perform this function. It may seem simple to respond more quickly, but many health care organizations struggle to meet even the current 30-day requirement. On top of that, the Office for Civil Rights (OCR) has been cracking down on HIPAA Right of Access violations.
The logistical challenges of uneven operational systems and communication obstacles will likely contribute to increased costs and implementation difficulties for all parties involved in the process.
While not yet specified, the OCR is expected to implement new penalties for noncompliance with the updated HIPAA rules. These penalties could cost a health care entity or third party more than a million dollars per violation.
The American Hospital Association (AHA) is one of many stakeholders that have raised concerns about the proposed changes. Specifically, the AHA has raised concerns over the time frame to respond to patient requests for their health information. It has also questioned the idea of patients being allowed to photograph their health information and to transfer their PHI to personal health applications.
After the final rule is published, health care entities likely will have time to understand the changes and determine how they’ll affect their operations and economics. While it is unlikely that all of the proposed new regulations will come to fruition, health care systems should be working now to plan how they will respond to each of the proposed new requirements.
If a final rule is passed in 2022 or early 2023, the OCR will provide a time frame for both health care entities and third parties to implement the changes. It’s during this period that prudent HIM management will become a necessity to ensure compliance.
— Diane E. Ferry, MS, RHIA, is currently an associate with ScanSTAT Technologies. She was president and CEO of Star-Med LLC for 22 years.