There are likely to be new HIPAA rules in 2022 as soon as OCR publicizes the final rule on the proposed amendments to the HIPAA Privacy Rule. Although industry stakeholders wanted a number of HIPAA updates in 2022, it is unlikely that there will be other new HIPAA rules in 2022. Considering the scope of the HIPAA amendments in 2022 with the Privacy Rule update and their effect on HIPAA-covered entities, additional updates of proposed rulemaking on HIPAA updates are not likely in 2022.
Expected Final Rule on Proposed Changes to the HIPAA Privacy Law
OCR released a request for information last December 2018 asking HIPAA-regulated entities for suggestions on facets of HIPAA Rules that were excessively troublesome or block the availability of healthcare, and aspects that need HIPAA updates to enhance care coordination and information sharing.
OCR was particularly considering making modifications to facets of the HIPAA Privacy Rule that hinder the transformation to value-dependent healthcare and areas where present Privacy Rule prerequisites restrict or dissuade coordinated care. The enhancements to HIPAA include getting rid of limitations on disclosures of PHI that call for patient authorizations and a number of HIPAA changes to reinforce patient rights to get access to their personal PHI. One suggested change that has drawn some critique is the need to make ePHI disclosure with other providers obligatory. The American Medical Association (AMA) and the American Hospital Association (AHA) have been vocal with their issue regarding obligatory sharing of healthcare information, and likewise against another proposed amendment that shortens the time frame for delivering the patient’s requested copies of their healthcare records.
HHS Deputy Secretary Eric Hargan had earlier discussed that they received complaints about certain provisions of the HIPAA Privacy Rule, which are keeping patients and their families from obtaining the support they need and that improvements are required to help deal with the present opioid crisis in America. HIPAA amendments were also proposed to lessen the administrative problem on HIPAA-governed entities.
OCR announced the following proposed new HIPAA rules in December 2020:
- Permitting patients to check their PHI personally and take notes or pictures of their PHI.
- Modifying the maximum time to give access to PHI to 15 days instead of 30 days.
- Requests by persons to exchange ePHI to a third party will be restricted to the ePHI managed in an EHR.
- People will be allowed to ask for the transfer of their PHI to a personal health app.
- Says when people ought to be given their ePHI for free.
- Covered entities must notify people of their right to get or send copies of their PHI to a third party if a summary of PHI is provided rather than a copy.
- HIPAA-covered entities need to post approximated fee schedules for PHI access and disclosures on their website.
- HIPAA-covered entities need to give personalized quotes of the fees for furnishing a person with their own PHI copy.
- Pathway developed for people to direct the disclosure of PHI kept in an EHR to covered entities.
- Healthcare providers and health plans need to respond to other covered health care providers and health plans that requests for specific records in the event that a person tells those entities to do thus as per the HIPAA Right of Access.
- The requirement for HIPAA-governed entities to get written affirmation that a Notice of Privacy practices was given has been dropped.
- Covered entities are permitted to share PHI to avoid a threat to health or security when injury is seriously and realistically foreseeable. The present definition refers to when there is “serious and imminent” harm.
- Covered entities are allowed to make particular uses and disclosures of PHI according to their good faith belief that it is best for the person.
- The inclusion of a minimum required standard exemption for uses and disclosures in personal-level care coordination and case management, irrespective of whether the activities make up treatment or medical care procedures.
- The meaning of healthcare operations was extended to include care coordination and case management.
- The Armed Forces’ authorization to use or disclose PHI to all uniformed services was extended.
- A meaning has been included for electronic health records.
- The proposed adjustments are a reason of concern for a lot of patients, and patient privacy advocates, covered entities, and business associates because of the probable effect the proposed changes will make on the privacy and security of medical data, the economic problems the amendments may put on healthcare companies, and the disappointment to line up HIPAA more tightly with the Part 2 rules and the 21st Century Cures Act.