2022 could shape up to be a monumental year as far as HIPAA and PHI are concerned on both the federal and state levels. Passed in 1996, the Health Insurance Portability and Accountability Act is a federal law that consists of five titles. Title II, known as the Administrative Simplification (AS) provisions, required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. With limited exceptions, it does not restrict patients from receiving information about themselves.
Of course, this was quite an undertaking for the healthcare industry. While HIPAA passed in 1996, it was far from set in stone. Since then the Privacy Rule, Security Rule and Omnibus Rule were issued in 2003, 2005 and 2015, respectively. These Rules explain how to implement the laws, rules and standards.
HIPAA Privacy Rule and Care Coordination
On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the 2003 Privacy Rule to support individuals’ engagement in their health care, remove barriers to coordinated care and decrease regulatory burdens on the healthcare industry, while continuing to protect individuals’ health information privacy interests.
OCR developed many of the proposals in the NPRM from public comments received on its 2018 Request for Information (RFI) on Modifying the HIPAA Rules to Improve Coordinated Care.
The NPRM requested public comment on proposed changes to the Privacy Rule, including proposals to:
· Strengthen individuals’ rights to access their own health information, including electronic information.
· Improve information sharing for care coordination and case management for individuals.
· Facilitate family and caregiver involvement in the care of individuals experiencing emergencies or health crises.
· Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies.
· Reduce administrative burdens on HIPAA covered health care providers and health plans.
Conversations are in progress regarding the implications of the current proposal’s terms for achieving these goals. Although the U.S. Department of Health and Human Services (HHS) estimates a $3.2 billion cost saving for healthcare organizations over five years due to this proposed reform, other cost studies have indicated that elements of the proposed changes would actually place a significant financial burden on healthcare organizations.
Industry members are encouraged to educate themselves on the proposed changes and reach out to their local representatives to communicate a potential negative impact on the healthcare industry. You can begin by watching the full recording of ScanSTAT’s recent educational webinar here, and keep an eye out for continued resources provided by ScanSTAT.
“Be prepared to see changes to the Privacy Rule this year. Already, our compliance team is performing education outreach to our clients regarding how the changes affect HIM ranging from ROI and notice of privacy practices to patients looking over providers’ shoulders at charts,” says Elizabeth McElhiney, ScanSTAT’s Director of Compliance and Government Affairs. “Interoperability will be another aspect to address when changes take effect. Not all standards are out regarding how providers will comply if their certified EHR companies do not adopt changes simultaneously.”
Legislation Introduced to Form a Commission That Would Begin to Modernize Health Privacy Laws
“HIPAA is 26 years old this year, and it does not cover what everyone thinks it does,” says McElhiney. In February, U.S. Senators Tammy Baldwin (D-WI) and Bill Cassidy, M.D. (R-LA) introduced the Health Data Use and Privacy Commission Act to kick off the modernization of health privacy laws and regulations. Technology companies are now integrated into health care, and their handling of protected health information (PHI) must be addressed: HIPAA protects all interactions between patients and their providers, but does not protect PHI obtained from technologies.
If passed, the bipartisan legislation would form a health and privacy commission to research and give official recommendations to Congress on how to modernize the use of health data and privacy laws, ensuring patient privacy and trust without sacrificing innovation or the use of health data in ways that advance patient care.
McElhiney states, “The U.S. doesn’t have a set privacy law. HIPAA Rules cover some areas, but there is nothing universal. For example, the Federal Trade Commission (FTC) covers privacy for medical apps. With the hodgepodge between federal and state laws, we’re hoping the legislation would lead to a national-level law, clarifying who is responsible for protecting what.”
Meanwhile, Keep an Eye on Changes to PHI at the State Level
Data privacy legislation is on the docket for state legislators who are now halfway through their sessions. If changes are to be made, expect them to happen within the next couple of months.
Keep an eye on the following topics:
· Access to minors’ medical records
· What and when healthcare systems or providers can charge for medical records
· Fulfilling Social Security disability claimants’ requests for complete sets of their medical records
Let’s Make This Easier for Everyone
ScanSTAT makes it easier for hospitals, healthcare systems, and medical practices to manage health information. Whether you are considering making a complete transition or merely supplementing your Release of Information and Health Information Management in-house operation, we can help. We place as much importance on privacy, security, and customer service as you do. We can assume the HIPAA liability involved in transferring information and remove the burden of reporting from your staff or support it as needed.