New Changes to the HIPAA Privacy Rule: Improving Access and Flow of Health Information

  • Course level: All Levels
  • Duration 1h 30m
  • Last Update October 20, 2021

Description

In January 2021, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) proposed new changes to the HIPAA Privacy Rule in the first major update since 2013. The changes affect many aspects of accessing and sharing patient information, and they codify recent court decisions and guidance. Many of the changes are subtle but essential to ease the proper flow of health information in today’s interconnected, multi-provider healthcare provision environment. In addition, there are many changes to details of the rules, intended to reduce the regulatory burden, such as the elimination of the requirement to get an acknowledgment of receipt of the notice of privacy practices when working with a new patient.

If you work in any of the affected areas of your organization, from health information management to the front desk, you need to be aware of these changes to ensure compliance and avoid penalties for violations that can be in the millions of dollars. This session will review the new rule and show what needs to be considered in order to stay compliant as it is adopted.

The changes to the HIPAA Privacy Rule, drafted as part of HHS’ Regulatory Sprint to Coordinated Care initiative, aim to remove regulations that might impede communication and data exchange between provider organizations and health plans. The changes expand individuals’ rights to access their own digital health information, boost information-sharing and case management, and enable greater family and caregiver involvement during emergencies or health crises.

The changes also offer more flexibility for disclosures in situations such as opioid overdoses and the COVID-19 public health emergency. The hope is that a streamlined new rule would reduce administrative burdens on HIPAA-covered entities while continuing to protect patient privacy.

OCR proposes amending the Privacy Rule to increase permissible disclosures of protected health information and improve care coordination and case management by “adding definitions for the terms electronic health record and personal health application.”

Additionally, provisions relating to individuals’ right of access would be modified in several ways, according to the NPRM:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
  • Clarifying the form and format required for responding to individuals’ requests for their PHI.
  • Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
  • Reducing the identity-verification burden on individuals exercising their access rights.
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
  • Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR – specifying when electronic PHI must be provided to the individual at no charge.
  • Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.

The updated regulations would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management. The goal is to expand the scope of covered entities’ abilities to disclose PHI to “social services agencies, community-based organizations, home, and community-based service providers, and other similar third parties that provide health-related services.”

Among other changes, the privacy standard that permits HIPAA-covered entities to make some uses and disclosures of PHI based on “professional judgment” is replaced with a standard permitting such uses or disclosures based on that entity’s “good faith belief that the use or disclosure is in the best interests of the individual.” The rule also expands covered entities’ latitude for PHI disclosure when it’s meant to avert a “serious and reasonably foreseeable” risk to health or safety – as compared with the existing standard, which requires a “serious and imminent” threat.

It would also eliminate the requirement that providers obtain an individual’s written acknowledgment of receipt for Notice of Privacy Practices. And it would modify the content requirements of the NPP to “clarify for individuals their rights with respect to their PHI and how to exercise those rights.”

All of these issues will be touched on and an approach to updating your compliance will be presented. Being prepared for the new rule is essential in order to avoid penalties.

What Will I Learn?

  • Learn how the new changes improve communication of health information
  • Understand how to properly provide access to PHI for individuals under the new rule
  • Learn about how the rule codifies much of the guidance issued previously
  • Find out about how HIPAA and Information Blocking rules interact
  • Discover how subtle changes in some HIPAA language have created new flexibility in disclosures
  • Find out why and how your Notice of Privacy Practices must be updated
  • Learn about how changes in the rules may affect how you contact people by cell phone

Topics for this course

1 Lesson, 1h 30m

You can access all the webinar materials after successful payment

Webinar Link + Transcript

About the instructor

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of healthcare entities. He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Jim Sheldon-Dean has more than 36 years of experience in policy analysis and implementation, business process analysis, information systems and software development, and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

$251.00

Material Includes

  • PDF
  • Full Webinar Video with unlimited access
  • Transcript

Requirements

  • Operating System: Windows any version preferably above Windows Vista & Mac any version above OS X 10.6
  • Internet Speed: Preferably above 1 MBPS
  • Headset: Any decent headset and microphone which can be used to talk and hear clearly

Target Audience

  • Healthcare CEO
  • Healthcare CFO
  • HIPAA Privacy Officers
  • HIPAA Security Officers
  • Information Security Officers
  • Risk Managers
  • Compliance director
  • Compliance Officers
  • Privacy Officers
  • Health Information Managers
  • Information Technology Managers
  • Information Systems Managers
  • Medical Office Managers
  • Chief Financial Officers
  • Systems Managers
  • Chief Information Officer
  • Healthcare Counsel/lawyer
  • Operations Directors
  • Medical offices
  • Practice groups
  • Hospitals, academic medical centers
  • Insurers
  • Business associates (shredding, data storage, systems vendors, billing services, etc.)
  • HR Managers
  • Records Release Manager
  • HIM Manager