On December 10, 2020, the Department of Health and Human Services announced its proposed changes to the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule.
The changes are a proposal, not a final rule: the period for public comment on them ran until March 22, 2021, and nothing in them binds a covered entity until a final rule is published and its compliance date arrives. The proposals concern the right of patients to access their own information and the circumstances in which health care providers may share patient information with other parties.
Under the proposals, the time for an organization to respond to a request from an individual to access their PHI (protected health information) would be cut from 30 days to 15, and the single permitted extension would shrink from 30 days to 15 as well. Although this is substantially shorter than other data protection legislation such as the EU’s GDPR (General Data Protection Regulation), which allows a month, a secure portal through which a patient can view their own records goes a long way toward meeting the deadline, provided the portal actually exposes the full record set the patient is entitled to.
Another proposed change is to make it easier for patients to submit a request in the first place. Covered entities would be barred from imposing unreasonable measures on requesters: they could no longer demand extensive, unnecessary information before fulfilling a request, require that the request be submitted on paper or delivered in person, or require that it be notarized.
Health care providers would also not be able to require individuals to prove their identity in person when a more convenient remote method of verification is available. This provision cuts both ways. An access right is only as safe as the identity check in front of it: the verification processes used for access requests under the GDPR and the CCPA (California Consumer Privacy Act) have at times been abused, with requesters impersonating the data subject to obtain someone else’s records, or using access requests as an informal discovery tool in disputes. Whatever remote method a covered entity adopts, it needs to be strong enough that a determined impostor cannot pass it with information that is easy to find or guess about the patient.
Like these two laws, the proposals would prohibit covered entities from charging a fee for access to certain categories of PHI, including in-person inspection of the electronic health record.
Other changes provide for easier sharing of information: between health care providers, with family members and caregivers, and with the authorities. If a patient asks the covered entity to transmit an electronic copy of their ePHI (electronic PHI) held in an electronic health record to another covered health care provider, it would have 15 days to do so.
Sharing information with close family members and caregivers would also become easier. Under the current HIPAA rules, before a health care provider can share information with family members or caregivers, it must exercise professional judgment as to what is in the individual’s best interest. The proposals replace that standard with a ‘good faith belief’ that the disclosure is in the individual’s best interest, which is a lower bar.
This new standard is also used for disclosing the ePHI in emergencies and other circumstances. The aim is to encourage covered entities to share information with those closest to the patient.
The requirements for sharing PHI in response to a threat to health or safety have also been relaxed. The current standard requires that the threat be both serious and imminent before the covered entity can share any information. The proposals lower that threshold to ‘serious and reasonably foreseeable.’
The changes come amid the ongoing COVID-19 pandemic, during which a number of issues related to privacy and public health have taken on new significance, and follow the Department’s sweeping interoperability and information blocking rules. These rules endeavor to remove barriers to sharing PHI that the Department deemed counterproductive, support individuals’ engagement in their care, and reduce regulatory burdens.
The difficulty with these changes is that, like so many rules, they are still proposals and may be revised before they are finalized. The best way to prepare is not to micromanage the compliance process by chasing every twist and turn of the regulatory environment. Instead, you should understand your risks, including legal risks, and build a compliance framework flexible enough to absorb the final rule whatever shape it takes.
The idea that a patient, a data subject in the EU, a consumer in California, or any other person may want to know what information an organization holds about them is not unique to any one jurisdiction. It exists all over the world. In general, regulators and individuals alike expect organizations to disclose the categories of information they hold and to let individuals find out exactly what specific information is held about them.
Implementing ISO 27001 can help
To accomplish this, you need policies and procedures similar to the ones an ISO 27001 ISMS (information security management system) requires: a documented process for receiving and verifying access requests, access controls on the records themselves, and logging of who viewed or exported what. Such a framework demands regular review to ensure that the controls put in place still achieve their goals as the rules change.
For example, if your health care provider has a secure portal, you can log on to see your whole health care record within minutes, which comfortably satisfies a 15-day access deadline. A portal only delivers that benefit, though, if it is built carefully: the account must be bound to the right patient at enrollment (the portal login becomes the remote identity verification the proposals favor), access should be protected by more than a password alone, and every view and download should be logged so that misuse can be detected. The important part, however, is not compliance for its own sake. The important part is that convenient, trustworthy access encourages you to be a loyal patient who has no reason to look for another provider.
The ISO management-system frameworks are customer-centered, which is the most crucial starting point of any management process. If you focus on a process that anticipates different compliance challenges by satisfying the people whose data you hold, you will have something far better than compliance: you will have a growing business.