Keeping up with Clinical Risk Management
By Danielle Donovan
Clinical Risk Manager
Parker Smith Feek
Original Publish Date: April 6, 2021
Are you Prepared for Potential Changes to the Privacy Rule?
Under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy of Individually Identifiable Health Information (Privacy Rule), covered entities (payers, insurers, hospitals, physicians, and other healthcare providers) must act on an individual’s request for access to their health records within 30 days. However, in December of 2020, the United States Department of Health and Human Services (HHS) issued a notice of proposed changes to modify multiple standards within the Privacy Rule, including shortening covered entities’ required response time to fulfilling a patient’s request for copies of their Protected Health Information (PHI) to no later than 15 calendar days.
Although this proposal aims to increase permissible disclosures of PHI and improve patients’ care coordination and case management, these changes may drastically change healthcare entities’ current health information management procedures and workflow. Those that do not adapt quickly (entities will have 180 days to make necessary modifications) to comply with the potential Privacy Rule changes could be at increased risk of HIPAA fines and settlements.
Reasons for the Changes
In April 2019, HIPAA launched an initiative to enforce the Privacy Rule, focusing on patients’ rights to timely access to their medical records. The initiative resulted in over 13 fines and HIPAA settlements to various healthcare organizations, with penalties ranging from $3,000 to the most recent settlement of $200,000 against Arizonabased Banner Health. Banner was cited after finding two patients’ record requests that took over four months to complete. Federal regulators documented that the healthcare facility fulfilled the patients’ requests for protected health information; however, the time it took to provide the data was greater than that permitted by the Privacy Rule.
The Office of Civil Rights (OCR) also conducted an audit of covered entities and business associates for compliance with HIPAA privacy and security rules and compiled their findings into a December 2020 report. Results of the audit found that 89% of covered entities failed to ensure individual right of access. Some covered entities did not maintain adequate records of how and when they responded to a request, appearing to breach the 30-day response requirement and failing to provide the patient with a written notice informing them of their rights to request a review of any denial decision.
Preparing to Comply
To stay compliant with the Privacy Rule changes that may be forthcoming, healthcare organizations may want to consider preparing by evaluating the following practices:
- Authorization to Disclose − Review current written policies and procedures surrounding the release of information to a patient or designated third party, focusing on changes to required timelines for response and appeal processes
- Authorization for Release − Review access request templates/extension forms, ensuring they provide the patient with a choice of format for receiving their PHI and notice of your duty as a covered entity to fulfill that request.
- Fee Structure − Ensure your organization’s fee structure for providing access to records in different forms/formats and within the new timeframe is reasonable and cost-based (including labor, postage, supplies, etc.).
- Notice of Privacy Practices − Create a modified draft of the organization’s notice of privacy practices that includes new required language, timeframes, and organizational contact that is ready to be prominently posted on your organization’s homepage when necessary.
- Training – Develop a staff training plan on changes to organizational policies and procedures surrounding the Privacy Rules.
Patient access to health records is expected to continue to be a top enforcement priority of the HHS under the Biden administration. With the 60-day window of comments on the proposed regulation coming to a close, final regulatory changes will likely be announced soon. See the original Notice of Proposed Rulemaking for more information. If you have more questions on how to prepare your healthcare organization for these potential changes, contact Parker, Smith & Feek.
Danielle Donovan is Parker, Smith & Feek’s Clinical Risk Manager, dedicated to helping improve our healthcare clients’ operations and mitigate risks. She publishes regular articles to support this effort and provide unbiased advice on issues facing all types of healthcare organizations. Stay tuned for her next installment, and contact Parker, Smith & Feek’s Healthcare Practice Group if you would like to learn more