Recently, the Department of Health and Human Services (HHS), the agency that creates and enforces HIPAA regulations, Proposed Changes to the HIPAA Privacy Rule. HIPAA is a landmark piece of legislation that has helped patients better protect their private health information. HIPAA has been amended numerous times since it was enacted to include additions such as the Privacy Rule and the Enforcement Rule, and the Department of Health and Human Services (HHS) has recently issued a Notice of Proposed Rulemaking, proposing major revisions to the HIPAA Privacy Rule.
Proposed Changes to HIPAA Privacy Rule:
Reducing Identity Verification Burdens
Reducing identity verification burdens on individuals exercising their access rights. Under the proposed changes, providers and health plans would be required to submit individual access requests to another provider, and to receive back the requested electronic copies of the individual’s PHI in an electronic health record (EHR). Providers and health plans would be required to respond to certain records requests received by other providers and health plans when directed by individuals under the right of access.
Improving Information Sharing
Improving information sharing for care coordination and case management for individuals. This improvement would be made by making an exception to the “minimum necessary” standard. Under the proposed changes, covered entities need not limit uses and disclosures of PHI to the minimum necessary to accomplish the purpose of each use or disclosure, ‘when’ the use by, disclosure to, or request by, a health plan or covered healthcare provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or healthcare operations.
Disclosure of PHI to Third-parties
Expansion of the scope of covered entities’ ability to disclose PHI to third parties (social services agencies, community-based organizations, home, and community-based service providers) that provide health-related services in order to facilitate coordination of care and case management for individuals.
Disclosures Based on Professional Judgment
Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard that permits such uses or disclosures based on a covered entity’s good-faith brief that the use or disclosure is in the best interests of the individual.
Disclosures to Prevent Threat to Health or Safety
Expansion of the ability of covered entities to disclose PHI to avert a threat to health or safety when harm is “serious and reasonably foreseeable,” instead of the current stricter standard, which requires a “serious and imminent” threat to health or safety. This expansion would give providers greater latitude in deciding when to disclose PHI in an emergency or life-threatening circumstances, such as the opioid and COVID-19 public health emergencies.
Notice of Privacy Practices
Elimination of the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices. Modification of the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
Reducing Administrative Burdens on HIPAA
Reducing administrative burdens on HIPAA-covered healthcare providers and health plans while continuing to protect individuals’ health information privacy interests.
From 21st January to 22nd March OCR encouraged comments to its proposed changes to HIPAA. Comments were encouraged from all stakeholders, including patients and their families, HIPAA-covered entities (health plans, healthcare clearinghouses, and most healthcare providers) and their business associates, consumer advocates, healthcare professional associations, health information management professionals, health information technology vendors, and government entities.
We conduct regular training to keep our medical billing team update on changes and to address challenges that they may be facing in using certain bills or reporting certain procedures. To know more about Our billing services, please get in touch with us!
FAQs
1. What are the key proposed changes to the HIPAA Privacy Rule?
The changes aim to improve care coordination, ease PHI access, expand third-party disclosures, and reduce administrative burdens while safeguarding privacy.
2. How will identity verification be simplified under the proposed rule?
Providers and health plans must process individual requests for electronic PHI without overly burdensome identity verification steps.
3. What is the change to the “minimum necessary” standard?
PHI use and disclosures for care coordination and case management will no longer require strict adherence to the “minimum necessary” standard.
4. How does the proposal handle emergency disclosures of PHI?
It broadens the scope to allow PHI disclosures for threats that are “serious and reasonably foreseeable,” instead of requiring a “serious and imminent” threat.
5. Will individuals still need to acknowledge the Notice of Privacy Practices (NPP)?
No, the proposal eliminates the requirement for written acknowledgment, simplifying the process while enhancing clarity on PHI rights.
