As we head into summer, the Health Insurance Portability and Accountability Act (HIPAA) will have its first major revisions in ten years. HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA has three major components: the Privacy Rule, the Security Rule and the Breach Notification Rule. Each of these will be updated as part of these major revisions.
Many of the changes are aimed at increasing patient access to their own electronic health records containing protected health information, or ePHI. Under the newly revised HIPAA:
- Patients will have the right to inspect their PHI in person, including taking notes and images.
- The time for healthcare providers to respond to requests for records and PHI has been shortened from 30 days to 15 days.
- Responses to record requests must also now include billing records in addition to treatment records.
- Healthcare providers must provide ePHI for free when possible and otherwise post a fee schedule on their websites for records requests. Further, when an individual requests his or her records, the provider must provide a personalized cost estimate.
- Healthcare providers will still need to provide their notices of privacy practices but will not need to obtain a signed version from the patient.
There are some new flexibilities for when and how providers may share ePHI with other healthcare providers. Providers will be permitted to make certain uses and disclosures of ePHI based on their good-faith belief that it is in the best interest of the patient, such as sharing information with other providers or those within a treatment network. They will also be allowed to share information for better care coordination and case management between and among providers.
Despite these new flexibilities, providers need to be cautious as the new rules may soon allow impacted patients to collect part of the fines that may be associated with a HIPAA breach. In the past, patients could report a HIPAA breach to the Department of Health and Human Services’ Office of Civil Rights, but they were not compensated for their efforts and there was no private right of action. That appears to be changing and will likely be clarified in late 2023/2024.
In addition, there will be a tiered structure for HIPAA penalties:
- Tier 1: The individual did not know that he or she violated HIPAA and tried to otherwise adhere to the rules: $100 per violation, capped at $25,000 annually.
- Tier 2: The violation had a “reasonable cause,” and the individual should have been aware of the potential risk: $1,000 per violation, capped at $100,000 annually.
- Tier 3: The violation is due to a “willful neglect” of the rules, but the violation is corrected within the required time period: $10,000 per violation, capped at $250,000 annually.
- Tier 4: The violation is due to willful or wanton neglect and there is no attempt to correct: $50,000 per violation, capped at $1.5 million annually.
These fines can add up quickly and, with the potential new incentives for reporters, breach reporting is likely to increase. Providers need to make sure that their privacy and security practices are up to date and adequate, that they are prepared to respond to an incident and that their workforce is educated on cybersecurity and the associated risks.
Finally, the new changes are aimed at aligning HIPAA better with HIPAA Part 2, which creates additional protections specifically for mental health and substance use disorder records. The changes are intended to help create a single patient consent for all uses and disclosures of records that contain mental health and substance use disorder information, such as for treatment, payment and additional healthcare, and to allow patients to obtain an accounting of those disclosures. These changes are especially important as HHS will be able to impose civil money penalties for violations of HIPAA Part 2, in line with the tiered system outlined above.
Once the new rules are published this spring, there should be a “grace period” for enforcement. However, please note, this article does not cover all the changes that are forthcoming. Providers and patients should be aware of these changes and educate themselves on this new privacy landscape.
Heather Macre is an attorney with Fennemore, where she is the Healthcare Practice Group leader. Macre’s healthcare practice encompasses healthcare agreements, non-compete covenants and disciplinary proceedings, CMS compliance, HIPAA and Stark and False Claims Act compliance, among other matters.