HHS Proposes Revisions to HIPAA Privacy Rule

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is seeking to revise the HIPAA Privacy Rule, a move it says will “remove barriers to coordinated care, and reduce regulatory burdens on the health care industry.â€

The proposed rule changes are part of HHS’ “Regulatory Sprint to Coordinated Care.â€

Among some of the recommendations:

• Strengthening individuals’ rights to inspect their personal health information (PHI) in person, which includes allowing patients to take notes or use other personal resources to view and capture images of that information.

• Shortening covered entities’ response time to no later than 15 calendar days (down from the current 30 days) with the opportunity for an extension of no more than 15 days (down from the current 30-day extension). As we have been writing about in recent months, the HHS Office for Civil Rights (OCR) has been conducting and settling numerous investigations into violations of the HIPAA requirement that patients be given access to their electronic medical records in a timely manner and at a reasonable cost. At last count 12 such cases had been settled.

• Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of their personal health information to a third party when a summary of the PHI is offered in place of a copy.

• Reduce the identity verification burden on individuals exercising their access rights.

• Create a way for individuals to direct the sharing of their personal health information in an electronic health record (EHR) among covered healthcare providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.

• Specify when personal health information in electronic form (ePHI) must be provided to the individual at no charge.

• Require covered entities to post estimated fee schedules on their websites relating for an individual’s request for copies of PHI, along with itemized bills for completed requests.

• The proposed rule addresses how the disclosures of PHI can be made during an emergency or health crisis by expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,†instead of the current stricter standard which requires a “serious and imminent†threat to health or safety.

• Addressing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘professional judgment’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual.†However, this presumption of good faith can be overcome with evidence of bad faith.

There are a number of other suggestions for modifications. The entire proposal can be seen here and feedback can be made through the federal rule-making portal within the next 60 days.

The Health Law Offices of Anthony C. Vitale can assist you with matters relating to HIPAA to ensure you are in compliance with the rules and regulations. Contact us for additional information at 305-358-4500 or send us an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.