The Health and Human Services Office for Civil Rights has proposed changes to the HIPAA Privacy Rule that could be substantial. The Notice of Proposed Rulemaking (NPRM) proposal stated it was to “remove barriers to, coordinated care and individual engagement” and was issued last week. Addressing standards of the rule may limit and/or discourage care coordination and case management, but at the same time maintaining the individual’s protected health information.
The OCR is proposing that the disclosures which are permitted of PHI today would expand. These proposed changes would increase the right to access by an individual of their own digital health information. Thus, increasing the effectiveness of case sharing and management and giving caregivers and family members more involvement. This would be critical during emergency situations or during a health crisis. The OCR feels that “regulatory barriers may impede the transformation of the health care system from a system that pays for procedures and services to a system of value-based health care that pays for quality care” and this modification would remove them from the current structure.
According to the NPRM, some of the proposed major provisions are:
• strengthening the individuals’ right to inspect their PHI in person
• shortening the required response time from covered entities to 15 days (from 30)
• clarify the form and format that responds to an individual’s request for their PHI
• reducing the burden of an individual of identity verification when exercising access rights
• creating a pathway for sharing PHI in electronic health records among providers
• implementing response requirements among providers and health plans when directed by individuals
• addressing fee structures for PHI requests
While there are many more details to the outline proposed, and additional line items, the one modification that is likely a result of the recent pandemic is “expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety”.
We expect more changes to arise from the onset of COVID-19 both specific to healthcare and to the world of cybersecurity practices as well. The threat to the healthcare industry continues to rise, and we’ll be watching closely (and hoping) for more awareness and response efforts among healthcare businesses.