United States:
HIPAA: A Winter Of Changes
To print this article, all you need is to be registered or login on Mondaq.com.
The past several months have seen a flurry of activity
surrounding the Health Insurance Portability and Accountability Act
of 1996 (HIPAA). Since HIPAA’s last significant update in 2013,
advancements in technology and in the health care industry have
left covered entities and business associates in need of more
specific guidance. In response to these calls for action, the
federal government has used the past several months to enact
reforms, including proposing substantial changes to HIPAA’s
Privacy Rule and amending the Health Information Technology for
Economic and Clinical Health Act of 2009 (HITECH Act).
Proposed Changes to the Privacy Rule
On December 10, 2020, the Department of Health and Human
Services’ (HHS) Office for Civil Rights released proposed
regulations updating HIPAA’s Privacy Rule. The final
regulations will be effective 60 days after publishing and covered
entities will have 180 days after the effective date to comply with
the new requirements. The proposed regulations have been placed on
hold pending further review by President Biden’s
administration. We will keep you updated on their status as more
information becomes available, but covered entities and business
associates may wish to begin planning now for implementation. While
the proposed regulations affect the entire health care industry,
some of the items specifically impacting health plan covered
entities and their business associates are described below.
1. Individual’s Right to Access PHI. The
proposed regulations are intended to increase an individual’s
ability access to his or her protected health information (PHI)
held in a designated record set. Health plans, and business
associates if so delegated, will need to:
- Permit individuals to personally inspect and take notes or
pictures of their PHI, free of charge; - Respond to an individual’s request to access his or her PHI
within 15 calendar days (reduced from the current 30 days), with an
option for a 15 day extension (reduced from the current 30-day
extension); - Permit individuals to receive electronic PHI free of
charge; - Post estimated fee schedules for PHI access on the health
plan’s website; and - Not impose unreasonable identity verification measures on an
individual requesting access to his or her PHI (e.g., by
requiring notarization or in-person visits).
2. Health Records. The proposed regulations
define the scope of a subset of health information, Electronic
Health Records (EHR), and state how EHR are to be used, disclosed
and documented. An individual will also have the right to have his
or her health plan direct a request to a health care provider for
electronic copies of PHI within an EHR.
3. Notice of Privacy Practices. The proposed
regulations require new statements in a health plan’s Notice of
Privacy Practices (aka Privacy Notice) describing an
individual’s rights with respect to his or her PHI.
4. Care Coordination and Case Management. As
the culmination of HHS’s Regulatory Sprint to Coordinated Care,
the proposed regulations also represent an administrative effort to
decrease regulatory impediments to care coordination and case
management communications. Accordingly, the proposed regulations
clarify that a health plan’s uses and disclosures of PHI for
care coordination and case management activities are not limited to
population-based activities, but also to individual-level care
coordination and case management activities. The proposed
regulations also add an exception to the Privacy Rule’s
“minimum necessary” standard for disclosures and requests
of PHI for care coordination and case management activities.
While the proposed regulations have not been finalized, health
plans will need to work with their business associates and legal
counsel to update their Notices of Privacy Practices, business
associate agreements and HIPAA policies and procedures to
incorporate the above requirements.
HITECH Act Amendment
Initially passed in 2009, with many provisions taking effect
between 2010 and 2013, the HITECH Act modified and expanded many of
HIPAA’s Privacy and Security Rule requirements. On January 5,
2021, President Trump signed into law an amendment to the HITECH
Act requiring HHS to consider whether a covered entity or business
associate has adopted “recognized security practices”
when assessing penalties or taking other enforcement action under
HIPAA. Unlike the Privacy Rule changes, which are still in the
proposal stage, the HITECH Act amendment is effective
immediately.
Specifically, the amendment directs HHS to reduce fines,
decrease the length of audits, and mitigate settlement remedies for
covered entities and business associates that have adopted existing
cybersecurity frameworks under the National Institute of Standards
and Technology (NIST), the approaches under section 405(d) of the
Cybersecurity Act of 2015, and other programs and processes that
are developed, recognized, or promulgated through regulations under
other statutory authorities.
With the passage of this amendment, health plans and business
associates should re-examine their cybersecurity and risk
management processes, policies and procedures to ensure they
conform to “recognized security practices.” Many of
HIPAA’s Security Rule requirements align closely with the
NIST’s publications (see, e.g., NIST Special
Publication 800-66 rev.1), so health plans and business associates
should already have some familiarity with the NIST framework and
may have policies and procedures that were informed by these
publications.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Food, Drugs, Healthcare, Life Sciences from United States
