While the recently proposed HHS updates to the HIPAA Privacy Rule aim to help patients get more digital access to their health information, some of the proposed changes pose concerns for healthcare providers.
The HHS Office for Civil Rights released the proposed modifications Dec. 10, 2020, as part of the department's Regulatory Sprint to Coordinated Care initiative, which analyzes federal regulations that interfere with healthcare providers and health plans' efforts to better coordinate care for patients. Some of the proposed changes include strengthening patients' access to their own health information and reducing administrative burdens on HIPAA-covered providers and health plans.
Public comments on the Notice of Proposed Rulemaking will be due 60 days after it is published in the Federal Register.
Here, three hospital and health system executives share their thoughts on the proposed changes and what innovation opportunities and concerns they pose for the industry.
Question: Are the proposed modifications to the HIPAA privacy rule good or bad for healthcare? What would you say is the most exciting and/or most concerning proposed change?
Kathleen Ojala, JD, RN, CHC, CPC, Administrative Director, Compliance and Integrity, Privacy Officer at The Ohio State University Wexner Medical Center (Columbus): Covered entities have been implementing the HIPAA regulations for almost 20 years. Although well intended, the proposed changes diminish some controls covered entities use to ensure provision of PHI to the right patient. For example, allowing a verbal release of information to suffice for a disclosure under limited circumstances imposes identity theft risks. Many of the proposals seem geared to entities which may not be patient-centric. OCR could achieve favorable outcomes by coaching those entities instead of revising well established regulations.
The most favorable of the proposals is the elimination of obtaining patient acknowledgment of receipt of a Notice of Privacy practices. The rule should go further: prominent posting of the NPP on the entity’s website should suffice for physical posting in the entity. In addition to the associated costs for reproducing the NPPs, the practical value of posting on the wall is outdated.
The most concerning change is a proposed definition of EHR in efforts to improve on the well-established designated record set. If nonproviders, such as health plans, intend to create document repositories to record determinants of health data, a definition specific for the specific type of covered entity should be created. Hospitals and physicians should be managing medical records-information created by the medical professionals. The EHR definition contemplates that a covered entity would manage a patient’s health app. The information garnered in a health app has limited use for medical care. Last count was that there were more than 160,000 health apps available and 200 new ones daily.
The proposals also miss the mark with coordinating adherence to other regulatory schemes, including information blocking from ONC and part 2 regulations for substance use disorder patients.
Raymond Lowe, Senior Vice President and CIO of AltaMed Health Services (Los Angeles): The premise for the change is to help expand individuals' rights to access their own digital health information. Thus, more access will greatly enhance the process of information- sharing and improve case management across the entire care continuum. Another advantage given, considering COVID-19's disruptive nature, is that it would allow more family and caregiver interaction. We will know more as the final changes are implemented.
Darrell Bodnar, CIO of North Country Healthcare (Lancaster, N.H.):
- The proposed changes aim to strengthen patients' access to their PHI by permitting individuals to inspect their PHI in person, including taking notes or using other personal resources to view and capture images of their records. If we are talking about in-person viewing of a screen, taking pictures, or hand writing notes … my answer is no. Even beyond the short-erm challenges of social distancing and restricted access to facilities, this makes no sense. Accessing it electronically is fine and that should be our obligation. I would liken it to asking your bank to see your money in person. I live in New Hampshire, where state law states a patient owns the records and not the provider or caregiver, so let them access and use it in any way they want, electronically.
- HIPAA-covered entities' current 30-day required response time to give individuals access to their PHI would be cut to 15 days.' I see nothing wrong with setting the bar to 15 days. Another comparison to the banking industry — you have to wait 30 days to set up your bank account. I can get a mortgage in less than 30 days. There is no reason that we cannot provide access to a patient's records in 15 days.
- The modifications would create a pathway for individuals to direct sharing of their PHI in the EHR among covered healthcare providers and health plans. As mentioned above, I think the patient owns the record and can do what they want with it.
- The proposed rule would require specifications for when electronic PHI must be provided to the individual at no charge. I don’t think there should ever be a charge unless the request is for historic or legacy information stored outside of the EHR.
- The changes would require HIPAA-covered entities to post estimated fee schedules on their websites for both PHI access and disclosures with an individual's valid authorization as well as provide individualized estimates of fees for an individual's request for copies of PHI. Once again, I believe price transparency is part of the overall shift of patient consumerism and the need to improve the patent experience.
- The modifications would eliminate the requirement of obtaining an individual's written acknowledgment of receiving a provider's Notice of Privacy Practices. Excellent. I have not signed a bank document in years … all electronic acceptance.