Changes Proposed to Healthcare Privacy Rules
AAFCPAs would like to make healthcare clients aware that the Department of Health & Human Services’ Office for Civil Rights (DHHS OCR) proposed new regulations to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens. The proposals address these burdens while continuing to protect the privacy and security of individuals’ protected health information.
The current HIPAA Rules have not been updated since 2013, when the HIPAA Omnibus Rule was enacted.
The Notice of Proposed Rulemaking (NPRM) issued by DHHS includes, but is not limited to, changes for:
- Individual Right of Access
- Reducing Identity Verification Burden for Individuals Exercising the Right of Access
- Clarifying the Scope of Covered Entities’ Abilities to Disclose PHI to Certain Third Parties for Individual-Level Care Coordination and Case Management that Constitutes Treatment or Health Care Operations
- Encouraging Disclosures of PHI When Needed to Help Individuals Experiencing Substance Use Disorder
- Eliminating Notice of Privacy Practices Requirements Related to Obtaining Written Acknowledgment of Receipt, Establishing an Individual Right to Discuss the NPP with a Designated Person, Modifying the NPP Content Requirements, and Adding an Optional Element
These proposed changes include exceptions related to the penalties that are given for HIPAA, specifically the sharing of PHI for telehealth during COVID-19.
In addition, new guidelines on the sharing of Protected Health Information (PHI) data and the violation penalties that were proposed in 2019 are expected to take effect sometime in 2021 according to HIPAA Journal.
AAFCPAs advises clients to review the proposed changes and determine how these may impact your current processes for patient care.