New HIPAA Privacy NPRM
What You NEED to Know Primer!
Posted 6/3/2023
By: Susan A. Miller, JD
NEW: Read Susan Miller's "Joining of 2013 164.524 with the 2021 Proposed Changes"
The Notice For Proposed Rulemaking (NPRM) was published in the Federal Register (Fed. Reg.) at Vol. 86, No. 12 on Thursday, January 21, 2021. The Federal Agency issuing this NPRM is the Office for Civil Rights (OCR), Office of the Secretary, the Department of Health and Human Services (HHS). The NPRM uses the term Department outline specific areas. This term means OCR in almost all areas of the NPRM, as OCR both writes and enforces the HIPAA Privacy rule.
For the first time, the Department has cited definitions of care coordination and case management from areas of federal healthcare acts and regulations that are not the HIPAA Act of 1996 and its related rules and updates. This is a significant change. Any HIPAA entity that provides or uses care coordination and/or case management must analyze and understand, plus implement, the guidance drawn from non-HIPAA Acts and rules. The planning for this change can begin now.
The impact of non-HIPAA Privacy Rule and related OCR published guidance is growing, and with this NPRM can be considered substantial. Additionally, for the first time a Federal Court decision is impacting HIPAA Privacy Rule as outlined in the Summary Authority and Regulatory History in the Introduction.
I am sure that almost everyone who has to read and understands an NPRM provisions finds the prose turgid, and a slog to read. However, there are pearls among the preamble.
As you read the preamble you may think that some of the changes are "reasonable" as the industry has now over twenty years-experience implementing the provisions of the Privacy Rule.
No doubt everyone has tripped over a HIPAA problem or nuance that had not been anticipated when HIPAA was new, or even last year. Some of the proposals may help with these issues.
Many people are saying that the changes are minor and just tweaks, but it is going to land feet first in your policies and procedures mandating changes and updates, and thus will necessitate training, and more training.
So what is going to change: hum let see... there are some "tweaks" to the Individual Right of Access (164.524) that is going to roll over the areas of:
- Definitions (164.501, adding two new ones, for EHR (electronic health record) and PHR (personal health record),
- Strengthening the Access Right to Inspect and Obtain Copies of PHI (164.524(a)(1)),
- Modifying the Implementation Requirements for Request for Access and Timely Action in Response to Requests for Access (164.524(b)(1)),
- This area has impacts in the Timeline for Access, the Form of Access, Third Party Access and sharing, plus Fees (164.524(c)).
Of course there are other modifications, such as:
- Changes to Identity Verification (164.514(h))
- Amending the definition of Health Care Operations (164.501) to clarify the scope of Care Coordination and Case Management
- Creating an exception of the Minimum Necessary Standard (164.514(d)) for disclosures of Individual-Level Care Coordination and Case Management
- Disclosure to certain third parties for Individual-Level Care Coordination and Case Management (164.506)
- Encouraging disclosure to help in Substance Abuse Disorder, including Opioid Use Disorder, Serious Mental Illness, and Emergency Circumstances (164.502, and 164.510 - 514)
- Eliminating Notice of Privacy Practices (NPP)(164.520) requirement to obtain written acknowledgement of receipt
- Permitting disclosures for Telecommunications Relay Services for individuals who are Deaf, Hard of Hearing, or Deaf-Blind, and Speech Disability (164.512)
- Permission to use and disclose PHI for all Uniformed Services Personnel 164.512(k).(
Each of these areas outlined in the preamble has at the end numerous questions OCR has asked the industry to answer and comment upon. All these questions will the answered, outlined, explained, and in some areas offers examples in the preamble of the Final Rule.
Future articles will outline the modifications in depth. First up will the "tweaks" to the individual's Right of Access.
Join HIPAA Success.edu Today! Signup for free HIPAA webinars and training!
Check-out with Discount Code FREETRAINING in your Shopping Cart!