Understanding HIPAA Compliance and the Notice of Proposed Rule Making (NPRM) for the Privacy Rule
In recent years, we’ve seen an uptick in Office for Civil Rights (OCR) enforcement actions, primarily related to the HIPAA Privacy Rule and 45 CFR §164.524.
During a recent webinar, Bob Chaput, Clearwater’s founder and Executive Chairman, asked Roger Severino, former OCR director, what’s contributing to this uptick.
Severino explained that the HIPAA Privacy Rule and 45 CFR §164.524 have been some of the most under-enforced rules under HIPAA.
While until recently, there hasn’t been a lot of OCR attention on Right of Access enforcement, Severino emphasized how important it is for all people to have the ability to access their medical records in a timely manner. In some cases, it can be a matter of life and death.
“People should be empowered with their own medical information,” Severino said. It’s one of many ways individuals can take more control of their own health.
And while patients have had the right to access their medical records for years, providers have not always been compliant in responding to requests for those records. In some cases, Severino said healthcare organizations flat-out ignored requests and requirements simply because there were no significant enforcement activities related to the failure to comply.
In other cases, he indicated that providers have created unnecessary roadblocks, such as delays or cost requirements that made it difficult, if not impossible, for patients to access their protected health information (PHI).
That’s why OCR launched its HIPAA Right of Access Initiative to empower individuals to have more control of decisions related to their healthcare and overall well-being.
In June 2020, following OCR’s second Right of Access settlement, Severino was quoted saying, “For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law.”
Right of Access Settlements
In September 2019, OCR announced it settled its first Right of Access case with Bayfront Health St. Petersburg agreeing to pay $85,000 and adopt a corrective action plan related to an incident in which the organization did not provide a woman with timely access to protected health information (PHI) about her unborn child.
Since then, OCR has settled 25 Right of Access enforcement cases, ranging anywhere from $3,500 -$200,000, with the average settlement hitting about $65,000. To date, the combined total of these settlements exceeds $1.5 million.
The latest settlements came at the end of 2021, when OCR announced it had resolved five Right of Access investigations, with the most recent penalties ranging from $10,000 to $160,000.
Severino pointed out that before, even when there were OCR enforcement actions regarding Right of Access, the dollar amounts from the settlements weren’t catching the same type of attention as other HIPAA violations.
“We took massive enforcement actions, and I think we’ve made a tremendous difference,” Severino said. The hope is that as word continues to spread that OCR is making sure people comply with the law, we’ll see more entities taking Right of Access more seriously.
Notice of Proposed Rule Making for the Privacy Rule (NPRM)
Related to the Right of Access Initiative, we’ve also seen OCR shift toward shoring up other ways to reinforce timely access to medical records and improve continuity of care.
In December 2020, the Department of Health and Human Services issued its Notice of Proposed Rule Making (NPRM) to make some changes to HIPAA’s Privacy rule, with, once again, more commitment to helping individuals engage in their healthcare, eliminating some of the existing barriers to coordinated care and decreasing regulatory burdens on the industry.
What is the Privacy Rule of Proposed Rule Making (NPRM)?
Proposed Modifications to HIPAA Privacy Rule to support and remove barriers to coordinated care and individual engagement.
The NPRM reflects public comments OCR received during a 2018 Request for Information (RFI) related to improving coordinated care.
When finalized, some of the NPRM Proposed Changes to the Privacy Rule may include:
- Modifications to provisions related to individuals’ right to access their PHI
- Modifications to the “minimum necessary” requirements to allow for greater access to PHI by covered healthcare providers and health plans.
- Clarifying the scope of covered entities’ authority to disclose PHI to third parties, such as social service agencies, community-based organizations home and community-based services (HCBS) providers, to facilitate coordinated care and case management activities.
- Expanding covered entities’ ability to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current standard, which requires a “serious and imminent” threat to health or safety.
- Replacing the “professional judgment” standard for certain uses and disclosures with a more permissive but rebuttable “good faith” standard.
- Changes to the Notices of Privacy Practices (“NPP”) rules, including eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct provider’s NPP and modifying the NPP content requirements regarding patient rights to PHI.
- Expressly excluding Telecommunications Relay Services (“TRS”)from the definition of a “business associate” to allow disclosures of PHI to TRS communication assistance for persons who are deaf, hard of hearing, deaf and blind or have a speech disability.
- Expanding the Armed Forces permission to include the US Public Health Services Commissioned Corps (“USPHS”) and the National Oceanic and Atmospheric Administration (“NOAA”).
When NPRM is eventually finalized, it will be the first significant HIPAA change since the 2013 Omnibus Rule. While the process is ongoing, many industry professionals are optimistic that we’ll see finalization sometime this year.
While the proposal covers several vital areas that need attention, Severino highlighted elements related to Right of Access, especially those related to ensuring healthcare entities make the process as seamless as possible, including when records need to be shared with another healthcare provider to ensure continuity of care.
It’s essential to ensure that medical providers comply promptly. While the previous period was 30 days for a response, it has since been narrowed to 15 days with some conditions that may allow for an extension.
“So I think this, in combination with what we had done with the Right of Access enforcement initiative, would be mutually reinforcing to empower people with their own information to make that coordination of care,” Severino said. “We did everything we can to make sure we made the right of access and continuity of care smooth while balancing privacy.”
Balancing Administrative Burden
Some healthcare organizations may worry that approval will result in additional administrative burden with these changes.
Severino said the intent is to eliminate some administrative burden from previous requirements.
For example, healthcare organizations are currently required to get a written acknowledgment of receiving a provider’s Notice of Privacy Practices (NPP) and then retain copies of that documentation for six years.
That approach created a tremendous waste of time and effort for many healthcare organizations. In some cases, it caused confusion and led to disputes and tension in provider offices. Many people questioned if they were signing away their rights to privacy. There were even instances where providers refused treatment if a patient did not sign an NPP before services.
The goal of the original NPP requirements was to ensure that providers informed patients of their rights and disclosed the types of information that may be shared and how. However, because it required a signature, some people mistakenly considered it to be a contract, creating the potential to interfere with medical care.
The proposed NPP changes alter what’s included in the NPP to make it more user-friendly and less-legalese. It highlights the most important information at the top and covers information such as how to access PHI, how to file a HIPAA compliant, how to get a copy of PHI, and how to get a copy of electronic PHI sent to third parties.
Want to know more about NPRM and how the changes might affect your organization? Check out our blog, “Key Things to Know About Proposed HIPAA Privacy Rule Changes.” Or hear more from Severino in our on-demand webinar, “The Future of Data Privacy and Privacy Law in Healthcare.”
