The U.S. Department of Health and Human Services has proposed changes to the Health Insurance Portability and Accountability Act Privacy Rule. If enacted, these would be the biggest changes to HIPAA in the last seven years, Randi Seigel, partner at law firm Manatt Health, said in an email.
The proposed changes, issued by HHS’ Office for Civil Rights, aim to improve information sharing for care coordination, strengthen individuals’ engagement in their care and reduce administrative burdens on providers and payers. But some of the most impactful provisions of the proposed changes may also be the most controversial, Seigel said.
Key provisions include allowing HIPAA-covered entities to disclose personal health information to social services agencies, community-based organizations and other third parties that provide health-related services.
“This is a significant change from a healthcare data-sharing perspective,” Seigel said. “These social service agencies are not covered entities and therefore, they are not subject to HIPAA, and the personal health information they receive is not protected by HIPAA. Healthcare providers and plans, as well as individuals, may be concerned regarding whether sharing this information could actually negatively impact an individual, or even cause them to lose social services, such as housing.”
Seigel expects a large number of stakeholder comments regarding this change. Public comments will be due within 60 days after the proposed changes are published in the Federal Register.
Another key change that has been proposed involves replacing the privacy standard that allows covered entities to make certain uses and disclosures of personal health information based on their “professional judgment.” The new standard would allow such uses or disclosures based on the covered entity’s “good faith belief” that it is in the best interest of an individual.
“[The proposed change] is more flexible than the current standard,” said Reece Hirsch, co-head of law firm Morgan Lewis’ privacy and cybersecurity practice, via email. “And it would have a wide-ranging impact on many common situations, such as when a hospital is deciding whether to share medical information with family members or designated contacts during a health emergency.”
However, the presumption of an entity’s good faith “could be overcome with evidence of bad faith,” the HHS document states.
Overall, Hirsch believes that the healthcare industry will welcome the changes, but certain new standards will require further clarification and may create some uncertainty for covered entities.
Seigel shared a similar sentiment. Though some provisions — such as those that aim to reduce the risks of violating HIPAA when sharing information with health plans, family members and social service agencies — will be viewed favorably by covered healthcare entities, the changes also impose new administrative burdens, she said. For example, the proposed changes require covered entities to respond to patient access requests within 15 calendar days, as opposed to the current timeline of 30 days.
“Additionally, the providers will have to change their HIPAA policies, procedures, workflows, and notice of privacy practices significantly if these proposed rules are enacted,” she said.