Upcoming Changes to HIPAA – What You Need to Know Now

It has been some time since there were any major updates to the Health Insurance Portability and Accountability Act (HIPAA), but it is expected that the Department of Health and Human Services will announce some of the most sweeping changes seen since its 1996 enactment. The law created national standards that protect sensitive patient health information from being disclosed without the patient’s knowledge or consent.

The new final rule is expected to be published in March. The effective date will be 60 days after the publication of the final rule, but regulated organizations will then have another 180 days before enforcement will begin. (This will put actual enforcement somewhere between late October and late November of 2023 depending on when the final rule is published.)

What is Changing?

Healthcare leaders are very familiar with the current provisions of this law, but what is likely to change when the final rule is published? What follows are some of the highlights.

1. In one of the more significant changes, individuals would have increased access to their protected health information (PHI). The proposed update includes multiple changes including the following:

• Covered entities would have no more than 15 calendar days from the receipt of a request for PHI from a patient to provide the information.
• Individuals would be able to share PHI found in an electronic health record (EHR) with other providers and health plans.
• It would strengthen the rights of patients to inspect their PHI in person including the right to take notes and photograph the information.

2. The proposed update includes a provision that would allow the disclosure of PHI of individuals experiencing health crises including serious mental illness or substance use disorder crises when that is in the best interest of the patient.
3. It also expands the provision for covered entities to disclose PHI to avert a threat to public health or safety when that harm is serious and reasonably foreseeable.
4. The proposed new rule would eliminate the requirement to obtain an individual’s acknowledgement of receipt of a provider’s Notice of Privacy Practices (NPP).

What To Do Now – Preparing for the Proposed Changes

There are quite a few changes in the proposed rule and the enforcement process would likely begin before the end of the calendar year. So… what should leaders do to prepare themselves and their staff for these proposed changes?

• You can begin now by developing a clear and comprehensive understanding of the proposed new requirements by reading either the complete rule in the federal register or the fact sheet provided by the Department of Health and Human Services.
• Attend HealthStream’s upcoming HIPAA webinar and let HealthStream’s experts share their insights into the new legislation and recommend solutions that will keep your organization in full compliance with any new requirements. Webinar details will be coming soon.
• The right of patient access currently appears to be a priority and may be a priority in terms of enforcement as well. Ensure that your staff understands the importance of responding to patient requests promptly. Take the time to review any gaps in your current process, procedures, and training.
• Update training materials and train staff.
• Review HIPAA-related policy and procedures and update as necessary.
• Review and/or update current Notice of Privacy Practices (NPP) materials and policies to ensure that they match the changes in the proposed new rule.
• Familiarize your organization’s policy and process owners with the upcoming changes so that they can provide insight on the challenges that the new rules may present along with their likely impact on the organization.
• If there are gaps in your current policies and procedures, begin now to identify them and address training needs as appropriate.

HealthStream’s Policy Manager can help your organization stay up-to-date by ensuring that this and other policies are always current and readily available to your staff. In addition, ComplyQ provides an engaging and adaptive approach to compliance training. Both solutions are kept up-to-date which eliminates the administrative time spent on tracking the nearly-constant regulatory changes and the updated training requirements that follow. Having current information on this and other mandates can help your organization remain in compliance and avoid fines and litigation.