Simplification for some often creates complication for many.
A synopsis of the main points under consideration for regulation revision of the Health Insurance Portability and Accountability Act (HIPAA) is bulleted below, with some risk reduction comments and proactive risk ready tips. Although the changes are yet to be transferred into final wording and law, the protection of personal health information (PHI) and electronic personal health information (ePHI) in general, and security vulnerability assessments, remain a current requirement for covered entities.
Many of the drafted proposed changes will just necessitate revision of policy, but some will require assessment of the number of staff, focused education, and collaboration with other departments.
The changes to the HITECH Act requiring accounting for PHI disclosures of treatment or payment will require detailed recordkeeping for all providers, as well as verifying that business systems can work with one another.
Most of these proposed changes will require updated business associate agreements, expanded privacy practices, forms revision, and new dedicated situational education for decision making. Although several of these have been under consideration for some time and will likely be written with some edits and clarifications into the act in 2022, they will more than likely increase accusations of non-compliance going forward.
The draft wording and direction will require a mindset change for many providers who have been the gatekeeper of the health information. These proposed changes will broaden the role into one of facilitator, and this new role of keeper and facilitator will bring risk challenges for handling the more open access approach to health information.
The risk challenge of “if it is free, take advantage of it” will increase the number of residents and legal accessory clients who will want access to the information, and photographing and videoing of a section of the record without the benefit of the big picture may lead to resource-consuming allegations.
There may also be requests for information review over a platform which is not HIPAA compliant, and this will take patience and understanding from everyone, as life has evolved with FaceTime, Facebook, and other types of social media.
This is clearly an ideal time to confirm whether you meet the definition of a covered entity. The lines have become blurred with the adoption of electronic medical records, what is transferred for continuation of care, and third parties involved in care and billing.
While all providers wait for the final changes, consider these proactive actions you can take to assist with a smooth transition.
PRELIMINARY RISK READY STEPS
- Evaluate and assess for functionality of the current policy. It should be easy to use and give direction to staff. If the one you have in place does not work for all, it will increase the difficulty factor for revisions.
- Draft action teams and outline a plan with action steps for compliance. You may also want to budget for possible staff additions and training.
- Review current business associate agreements for the business entity name and for whether additional information will be needed from third parties. The security transfer methods will be case by case in the future.
- Identify staff members who now, and will in the future, need to be trained for the new timeframe of delivery and for access decisions.
- Plan your access room/space and draft monitoring procedures; this interaction of resident or client and staff should be complimentary.
- Plan your notifications for residents, families, and staff when changes go into effect.
- Develop the third-party security and at-risk notifications for the increased requests for transfer, including the health application transfers.
- Evaluate your fee schedule, anticipating the requests for record review which will fall into the no-charge category.
- Draft changes for possible upcoming website notifications of the fee schedule.
THE MAIN PROPOSED CHANGES WITH RISK TIPS:
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Tip: Review the current policy and then cross-reference it with the last medical records request to determine if this is currently working as intended. Reduce any bottlenecks which will slow the process. Once the new requirements go into effect, the Office for Civil Rights (OCR) will be focused on providers who fail to meet the request within the timeframe, although there will be one extension of 15 days. Continuous use of and requests for an extension will be a red flag.
- Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
- Tip: Policy revision will be required, as well as an at-risk statement, given that there is no clear understanding of the security risk of the receiving party.
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
- Tip: Revise the policy once the change is final to include a designated place for reviewing records privately and taking photographs or videos. This location will have to be provided without interruptions but can have a monitor to confirm security of the information.
- Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an electronic health record.
- Outlining for all providers when individuals should be provided with ePHI without charge.
- Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
- Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable”. (Currently it is when harm is “serious and imminent”.)
- Tip: Policy revision for wording, and training that defines scenarios for designated medical records staff.
- A pathway has been created for individuals to direct the sharing of PHI maintained in an electronic health record among covered entities.
- Covered entities will not be required to obtain written acknowledgment from an individual that they have received a Notice of Privacy Practices.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- Tip: Policy clarification for when PHI is offered at no charge and when at reasonable charges, outlining how and when estimates of cost are required.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- The definition of healthcare operations will be broadened to cover care coordination and case management.
- Covered health care providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans when individuals direct those entities to do so when they exercise the HIPAA right of access.
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- Tip: Training may require definitions of best-interest situations, as individuals will have varying degrees of good faith.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.