New Year’s HIPAA Privacy Rule Updates | Verrill


TL/DR –

In 2021, the Department of Health and Human Services (HHS) proposed changes to the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which are expected to be finalized in 2023. The changes mainly center around increasing individuals’ access to their Protected Health Information (PHI) and making it easier for covered entities and business associates to share PHI while ensuring against breaches. Examples of these changes include reducing the deadline for individuals to access their PHI from 30 days to 15 days, requiring entities to respond to certain record requests made by other health care providers and health plans, creating a new exception to the minimum necessary standard for disclosures for care coordination and case management, and altering the standard for disclosures of PHI to avert a threat to health and safety.


2023 HIPAA Privacy Rule Changes: A Comprehensive Guide

In 2021, the Department of Health and Human Services (HHS) proposed significant updates to the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). These Proposed Rules are scheduled to be finalized in 2023, giving covered entities such as group health plans and healthcare providers only 180 days to implement changes. This document provides an essential summary of the proposed alterations most likely to impact group health plan sponsors.

Understanding the HIPAA Privacy Rule

The HIPAA Privacy Rule offers federal protection for personal health information (PHI), which encompasses an individual’s medical records and payment history. The Office for Civil Rights (OCR) and HHS, via Notice of Proposed Rulemaking (NPRM), outlined the Proposed Rules in January 2021. Following a comment period, which ended in March 2021, the Office of Management and Budget (OMB) announced finalization for March 2023. As of late 2023, no official announcement regarding these changes has been made, meaning they could be finalized at any moment.

Key Changes to the HIPAA Privacy Rule

The Proposed Rules, which aim to align with HHS’s “Regulatory Sprint to Coordinated Care,” mainly involve two categories: (1) improved individual access to their PHI and (2) facilitated sharing of PHI among covered entities and business associates while preventing breaches.

Proposed changes to increase individual access to PHI consist of:

  • Quicker individual access to their PHI, shrinking the timeline from 30 days with a possible 30-day extension, to 15 days with a possible 15-day extension.
  • Requiring covered entities to respond to record requests directed by an individual exercising their right to access PHI.
  • Requiring covered entities and business associates to publish fee schedules for PHI copies on their websites, and provide fee estimates on request.
  • Prohibiting fees for individuals viewing their PHI in person or online.
  • Modifying the Notice of Privacy Practices (NPP) to add information on how individuals can access, question, and file complaints about their PHI.

Changes meant to encourage coordinated care include:

  • Amending the definition of “health care operations” to clarify that PHI may be disclosed for care coordination and case management activities.
  • Creating a new exception to the minimum necessary standard for care coordination and case management disclosures involving specific individuals.
  • Replacing the “exercise of professional judgment” standard with a lower “good faith belief” standard to allow for certain disclosures in the best interest of individuals.
  • Changing the standard concerning disclosures of PHI to avert a threat to health and safety from “serious and imminent” to “serious and reasonably foreseeable.”

Preparing for the Proposed Rules

Group health plan sponsors should follow these steps to ensure compliance with the forthcoming rules:

  • Contact internal resources and vendors assisting with HIPAA compliance to stay informed about final rule dates and timely implementation.
  • Communicate with business associates to verify they will implement the necessary changes promptly.
  • Plan to amend HIPAA privacy policies, NPPs, and template forms to reflect anticipated changes.
  • Update HIPAA training materials and provide retraining on new policies and procedures within a “reasonable time” following the effective date of the changes.

