As is often the case when the feds do something, there is probably at least one thing that is good in this notice of proposed rulemaking and probably others that are less good.
The HIPAA privacy rule is designed to protect the privacy of patient data, but other than stopping providers from selling your health information to the media, they already share it with most of the healthcare ecosystem anyway.
The only way to REDUCE (but not eliminate) the sharing of healthcare information is to pay cash and not make an insurance claim. Other than the rich, no one does this.
The Republican administration claims that this change will offer more flexibility for disclosures in cases such as opioid overdoses and Covid-19, but of course, these changes are not limited to that.
Among the changes they propose are:
- Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
- Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension).
- Clarifying the form and format required for responding to individuals’ requests for their PHI.
- Requiring covered entities to inform individuals that they retain their right to obtain or to direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
- Reducing the identity-verification burden on individuals exercising their access rights.
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive in return the requested electronic copies of the individual’s PHI in an EHR.
- Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access.
- Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR – specifying when electronic PHI must be provided to the individual at no charge.
- Amending the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization, and, upon request, to provide individualized estimates of fees for an individual’s request for copies of PHI and itemized bills for completed requests.
- The updated regs would also clarify the scope of permitted uses and disclosures for individual-level care coordination and case management, according to OCR – creating an exception to the “minimum necessary” standard. It would “relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations,” according to the proposed rule-making.
The goal, they say, is to allow your doctor to disclose your personal health information the the authorities (like social services) , community based organizations (whatever they are) and other similar third party providers without having to ask your permission.
Among other changes, OCR would replace the privacy standard that permits HIPAA-covered entities to make some uses and disclosures of PHI based on “professional judgment” with a standard permitting such uses or disclosures based on that entity’s “good faith belief that the use or disclosure is in the best interests of the individual,” according to the proposed rule.
But not to worry – you can sue your doctor, spend 5 years going through the court system and spend tens of thousands of dollars if you think your doctor didn’t have an (undefined term) “good faith belief”. How do you PROVE a lack of a belief in a doctor’s head?
There are probably some legitimate changes to be made to HIPAA. I am not sure that this is the list that I would propose. It seems like mostly it is designed to loosen restrictions on what the healthcare community can do with your digital health information without asking your permission or even telling you that they are doing it.
You can probably figure out what I think of these changes. Credit: Health Care IT News