There are some changes in the HIPAA Privacy Rule that I wanted to make you aware of. As you know, Tier3MD works on the technical/security side of the HIPAA rules, but we wanted to pass this along to you. Let me give you a little excerpt on what those changes are. You can also find them on the Health Information website.
CORRECTION PRINCIPLE: Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
Changes in the HIPAA Privacy Rule
The changes to the HIPAA Privacy Rule, drafted as part of HHS’ Regulatory Sprint to Coordinated Care initiative, aim to remove regulations that might impede communication and data exchange between provider organizations and health plans. The changes expand individuals’ rights to access their own digital health information, boost information-sharing and case management, and enable greater family and caregiver involvement during emergencies or health crises.
The changes also offer more flexibilities for disclosures in situations such as opioid overdoses and the COVID-19 public health emergency, and the hope is that a streamlined new rule would reduce administrative burdens on HIPAA-covered entities while continuing to protect patient privacy.
OCR proposes amending the Privacy Rule to increase permissible disclosures of protected health information and improve care coordination and case management by “adding definitions for the terms electronic health record and personal health application.”
Additionally, provisions relating to individuals’ right of access would be modified in several ways, according to the NPRM:
- Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
- Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
- Clarifying the form and format required for responding to individuals’ requests for their PHI.
- Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
- Reducing the identity-verification burden on individuals exercising their access rights.
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
- Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
- Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR.
- Specifying when electronic PHI must be provided to the individual at no charge.
- Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
The updated regs would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management. The goal is to expand the scope of covered entities’ abilities to disclose PHI to “social services agencies, community-based organizations, home.