Potential Changes Ahead

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

The Health and Human Services Office for Civil Rights (OCR) has proposed changes to the HIPAA Privacy Rule that could be substantial. The Notice of Proposed Rulemaking (NPRM), issued recently, stated that its purpose was to “remove barriers to, coordinated care and individual engagement.” It addresses standards of the rule that may limit and/or discourage care coordination and case management, while at the same time maintaining the protection of the individual’s protected health information (PHI).

The OCR is proposing to expand the disclosures of PHI that are permitted today. The proposed changes would increase an individual’s right to access their own digital health information, thus increasing the effectiveness of case sharing and management and giving caregivers and family members more involvement. This would be critical during emergency situations or during a health crisis. The OCR feels that “regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care” and that this modification would remove them from the current structure.

According to the NPRM, some of the proposed major provisions are:

  • strengthening individuals’ right to inspect their PHI in person
  • shortening the required response time from covered entities to 15 days (from 30)
  • clarifying the form and format of responses to an individual’s request for their PHI
  • reducing the identity verification burden on individuals when exercising access rights
  • creating a pathway for sharing PHI in electronic health records among providers
  • implementing response requirements among providers and health plans when directed by individuals
  • addressing fee structures for PHI requests

While the proposed outline contains many more details and additional line items, the one modification that is likely a result of the recent pandemic is “expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is ‘serious and reasonably foreseeable,’ instead of the current stricter standard which requires a ‘serious and imminent’ threat to health or safety.”

We expect more changes to arise from the onset of COVID-19, both specific to healthcare and in the world of cybersecurity practices. The threat to the healthcare industry continues to rise, and we’ll be watching closely (and hoping) for more awareness and response efforts among healthcare businesses.

This article was originally published on HIPAA Secure Now! and is republished here with permission.