Proposed HIPAA Changes Promote Patient-Friendly Environment
The regulatory change proposed by the Department of Health and Human Services (HHS) in the recent HIPAA Notice of Proposed Rulemaking (NPRM) is another step toward HHS’s objective to encourage a patient-centric healthcare environment. The HIPAA NPRM proposes to tilt the balance of protecting privacy and facilitating the availability of information toward loosening restrictions on disclosures of patient information. In this case, the big winner in the government’s regulatory reformation race is likely to be the patient.
HIPAA and the Cures Act
In combination with the 21stCentury Cures Act Information Blocking and Interoperability Rules, the proposed HIPAA regulations are intended to empower patients with greater access to information. To facilitate this, the revised HIPAA regulations would remove barriers to care coordination by facilitating greater flow of information among healthcare providers and others participating in a patient’s care, and they would make information readily available in the event of emergencies and as related to mental health and substance use disorder treatment.
HHS made serious efforts to align HIPAA regulations with Cures Act regulations. Many of the defined HIPAA terms were updated to reflect terms used in the Cures Act and regulations were updated to account for anticipated increased utilization by patients of personal health records and the availability of standards-based application programming interfaces (“APIs”) for easier transmission of electronic records.
Related to the patient’s right of access and in response to a 2020 Federal Court decision (Ciox v. Azar), HHS proposes changes to direct access or copies of records to third parties and the fees which may be charged for such copies. The proposed regulations codify much of the guidance and provide clarity around a covered entity’s obligations and the fees which may be charged.
However, there still remain some discrepancies in the two related sets of regulations. The time period in which a provider must make information accessible to a patient in compliance with both regulations is uncertain. Under the proposed HIPAA Rule, the deadline is 15 days. The Cures Act Information Blocking Rule infers that electronically available information should be made accessible by patients in near real-time but refers to the HIPAA regulation. The HIPAA proposed rule will also require that providers who have a standards-based API make patient records available in the form and format permitted through the API.
While transition in the federal administration will certainly slow adoption of final HIPAA regulatory revisions and may result in curtailing the proposed loosening of disclosure restrictions, compliance with the Cures Act regulatory prohibition on information blocking is imminent. This impending compliance deadline may drive a more prompt but piece-meal finalization of Cures Act related sections of the proposed HIPAA regulations.
What can providers do right now?
It is premature for Providers to consider making policy revisions based on the proposed HIPAA rules, but in light of the relationship between HIPAA and the Cures Act, providers should begin reviewing HIPAA policies for compliance gaps that relate to the Cures Act Information Blocking Rule as well as patient access policies and procedures. Providers who utilize an electronic health record system (which is the large majority at this point) should begin discussions with their EMR vendors to determine the technology’s ability to meet the Cures Act requirements as well as any of the HIPAA NPRM API-related provisions.
Notably, the NPRM requests a comment on whether, if available through an EMR or at little cost, providers should be required to adopt an API for transmission of electronic records to patients and others. Under the Cures Act, only certified healthcare technologies are required to offer a standards-based API. Not all healthcare providers, such as many dental providers and speech therapists, use a certified technology.
For additional information on the NPRM, the 21st Century Cures Act, or any other HIPAA matters, please contact the authors.