
Resource HIPAA Updates

Are you complying with HIPAA?

HIPAA laws are about to change again.

Are you ready?

The proposed rule will amend the Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry. When these modifications are finalized, they will require updates to policies and procedures, as well as notices of privacy practices, forms, business associate agreements, and other HIPAA-related compliance issues.

According to OCR, the proposed changes to the HIPAA Privacy Rule are intended to improve the coordination of care and to reduce regulatory burden on the healthcare industry, with enhanced patient access being the primary focus. A patient’s right to access their PHI will be enhanced under the proposed rule by:

  • allowing patients to inspect their PHI either by taking notes or capturing images;
  • shortening the time covered entities have to respond to patient access requests from 30 calendar days to 15, and shortening the possible extension time from 30 to 15 calendar days;
  • creating pathways that allow individuals to request covered entities share their electronic health records (EHRs) with a third party;
  • changing the requirements for fees charged by a covered entity for access to PHI;
  • modifying the access fee provisions to establish a fee structure based on the type of access request:
    • individuals can inspect and obtain copies of PHI for free in person or when requesting electronic copies through the internet, or
    • individuals can be charged a reasonable cost-based fee when receiving a non-electronic copy of PHI, receiving electronic PHI through a non-internet-based method, or directing an electronic copy of PHI in an EHR to a third party; and
  • requiring covered entities to post estimated fee schedules on their websites for access and disclosure.

Covered entities will also have to take reasonable steps to verify the identity of a person requesting PHI before disclosing it. A covered entity will be prohibited from imposing unreasonable identity verification measures, such as requiring notarization of requests or proof of identity, when other methods are practicable.

Several revisions will be required to a covered entity’s notice of privacy practices (NPP), including changes to the introductory statement and the right of access provision. You might also have to add a statement indicating that a patient may discuss the notice with a designated contact person and provide such person’s email address and phone number. One positive note is that providers will no longer need to obtain a written acknowledgment of receipt of the NPP.

The proposed rule will permit covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and other similar third parties, either as a treatment activity of a covered healthcare provider or as a healthcare operations activity of a covered healthcare provider (or health plan). Such disclosures will not require patient authorization, thus creating an exception to the minimum necessary standard for individual-level care coordination and case management uses and disclosures. This clarifies the scope of covered entities’ ability to disclose PHI to third parties that provide health-related services in order to facilitate coordination of care and case management for individuals. It also replaces the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s “good faith belief” that the use or disclosure is in the best interests of the individual.

Language in the rule also expands the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current, stricter standard, which requires a “serious and imminent” threat to health or safety.

 