Changes Coming to HIPAA in 2022
Some time has passed since there have been new HIPAA regulations signed into law, but there are a couple of changes that are expected during the current year.
As a quick refresher, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
According to the United States Department of Health and Human Services, the Office for Civil Rights published a Notice of Proposed Rulemaking in January of 2021 to “modify the HIPAA Privacy Rule in order to support individuals’ engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on the health care industry while continuing to protect individuals’ health information privacy interests”.
As of now, there is no set date for a Final Rule to be issued, but it is expected to be issued sometime this year so the 2022 HIPAA changes can go into effect and begin being enforced. Here are the proposed changes to the HIPAA Privacy Rule.
The Rights of Patients Regarding Their PHI
All patients have an assortment of rights when it comes to their PHI, or their Protected Health Information. There are a couple of proposed changes regarding patient rights and Protected Health Information in general:
- Patients will be allowed to inspect their Protected Health Information in person and take notes or photographs.
- Patients will be allowed to request that their Protected Health Information be transferred to a personal health application.
- Patients should be provided electronic Protected Health Information at no cost.
- Requests by individuals to transfer electronic Protected Health Information will be limited to the ePHI maintained in an Electronic Health Record.
- The maximum time to provide access to PHI will change from 30 days to 15 days.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
These changes will lower restrictions on Protected Health Information disclosures that require authorizations from patients and strengthen the rights of patients to access their Personal Health Information.
Administrative Changes for HIPAA-Covered Entities
HIPAA covers both individuals and organizations, which are known as HIPAA-covered entities. These entities are comprised of health plans (e.g. health insurance companies, Medicare, Medicaid, HMOs, etc.), clearinghouses, and certain health care providers (e.g. doctors, clinics, psychologists, dentists, etc.).
Here are the proposed changes regarding HIPAA-covered entities:
- The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy practices has been provided has been dropped.
- A pathway will be created for individuals to direct the sharing of PHI maintained in an Electronic Health Record among covered entities
- Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable”. The current definition is when harm is “serious and imminent”.
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- Healthcare providers and health plans will be required to respond to certain records requests from other covered healthcare providers and health plans, in cases when an individual directs those entities to do so under the HIPAA right of access.
- A minimum necessary standard exception will be added for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or healthcare operations.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- Permission will be expanded for the U.S. armed forces to use or disclose PHI to all uniformed services.
- A definition will be added for EHR.
These changes will ease the administrative burden on HIPAA-covered entities.
Violation Penalties
Along with the previously mentioned proposed changes, the Office for Civil Rights is also expected to make the new penalty levels permanent with a Notice of Proposed Rulemaking, which could be published sometime this year.
The HIPAA violation penalties are shown in the image below:
“New HIPAA Regulations in 2022.” HIPAA Journal, 23 Feb. 2022, https://www.hipaajournal.com/new-hipaa-regulations/.
Check Your Local Guidelines
With technology being as accessible as it is in today’s world, it’s highly important to stay HIPAA compliant. Having correct and updated measures in place is crucial when it comes to protecting your patients’ data. Along with this, remaining HIPAA compliant is important when it comes to building trust with your patients. If you stay compliant, your patients will have peace of mind and will continue to trust you to provide for them.
These changes to HIPAA could overall improve care coordination and data sharing and are in response to feedback from HIPAA-covered entities regarding parts of HIPAA rules that were overly obstructive or burdensome.
However, it’s important that you make sure to check your local HIPAA guidelines in order to stay in the loop. It would also be beneficial to consult an attorney for any legal advice. This article is not intended as legal advice and you should not rely on anything in the article as a final position, especially as information may change after the date of this publication.
Make sure to be on the lookout for when the Office for Civil Rights publishes the final rule on these proposed changes!
SOURCES:
1. https://www.cdc.gov/phlp/publications/topic/hipaa.html
2. https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html
3. https://www.hhs.gov/answers/hipaa/what-is-phi/index.html
4. https://www.hipaajournal.com/new-hipaa-regulations/
6. https://securityboulevard.com/2022/03/new-hipaa-regulations-in-2022/