[authors: Frank Ruelas Jr., Frank Ruelas Sr., and J. Veronica Xu*]
According to the Office of Information and Regulatory Affairs, Office of Management and Budget, final action on the proposed rules—published in the Federal Register—to modify the HIPAA Privacy Rule is scheduled to occur in March 2023. Compliance professionals, and in particular designated privacy officials responsible for developing and implementing policies with respect to the Privacy Rule, may want to take advantage of the lead time to prepare for possible changes to the Privacy Rule before the final rules are published in the Federal Register. This lead time can allow privacy officials to take important steps to help transition their organizations from their current state of compliance with the Privacy Rule to the future state of compliance with the new requirements.
Even though we will not know precisely the specific changes to the Privacy Rule until the final rule is published in the Federal Register, the Notice of Proposed Rulemaking issued in January 2021 provides a useful perspective on what changes we may expect to see in the final rule. This advance notice can provide a convenient and manageable time frame for individuals to assess and develop processes and workflows without the high pressure of working under a short timeline.
With respect to time, it is imperative that privacy officials also know that whenever the final rule is published, covered entities will have 240 days after the publication of the final rule before enforcement begins. Despite that, starting preparation as soon as possible provides more time to address the challenges we will face once the final rule takes effect. And although the government agency has yet to publish the final rule, such uncertainty should not be used as an excuse to do nothing, and covered entities should take preparatory actions early since previously proposed HIPAA rules often closely resemble the finalized ones with minor or no revisions. To help privacy officials plan and prepare for the upcoming changes, the following steps are provided for fellow compliance professionals’ consideration.
Identify the possible future state
To begin preparation, it is vital to first review the proposed changes to the HIPAA Privacy Rule and identify the gaps between the proposed rules and your current processes, policies, and practices. The January 21, 2021, Federal Register and the notice of proposed rulemaking detailed the specific changes that will come our way. To help navigate through the different sections describing the proposed rules, there is a table of contents on the first page, which is organized into five main sections. The third section, titled “III. Need for the Proposed Rule and Proposed Modifications,” outlines detailed revisions that are expected to be finalized in March 2023.
Interestingly, one can make an anecdotal conclusion on which of the sections of the Privacy Rule may be affected most significantly. Using this approach, the section dealing with an individual’s access to protected health information (PHI) is the most extensive section where proposed changes appear in the Notice of Proposed Rulemaking (NPRM). When considering the ongoing focus and communications by the U.S. Department of Health & Human Services Office for Civil Rights (OCR) on the importance of providing an individual with access to PHI maintained in a designated record set, it is likely that this is also the section within the Privacy Rule that will be affected the most by the proposed changes listed in the notice of proposed rulemaking.
Second, become familiar with the changes in the NPRM; take advantage of the fact sheet related to the proposed rules, which OCR posted on December 10, 2020. This six-page document is a summary of the proposed changes listed in the NPRM. The fact sheet also makes it easier to cross-reference the summary of proposed changes to the more detailed content of the proposed changes that appear in the Federal Register. This is also a good reason why having both documents—the Federal Register and fact sheet—can be instrumental in developing a comprehensive and detailed understanding of the proposed changes.
Connecting the current state to the future state
By becoming acquainted with the proposed changes, privacy officials can then take steps to identify how the current state compares with some of the specific and possible modifications presented in the final rule. Because of certain significant modifications proposed in the final rule, all pertinent policies and procedures must be reviewed and updated accordingly. It is essential to start the review process and begin the dialogue with policy owners so that they become aware of and familiar with the upcoming changes. By collaborating with them, privacy officials can receive valuable feedback and insights on the potential challenges and impact the new rule may impose on the organization’s processes and practices. The following are a few examples of the proposed new rule, its potential impact, and its respective workflows.
In the current rule, under the requirements for PHI access, a covered entity must act upon a request for access no later than 30 days after receipt of the request. In the proposed rule, the suggested change is to shorten the time frame from 30 to 15 days after receipt of the request for PHI access. Essentially, this proposed change is moving from a current state of 30 days to respond to a request for access to a future state of 15 days.
Given this proposed change, the privacy official may decide to connect and discuss with those process owners who manage the response time to requests to access PHI. For instance, is there data to show the current number of days that the covered entity responds to requests for access to PHI? Do the process and policy owners see the change from a 30-day response time to a 15-day response time as problematic? If so, what are some strategies that may need to be considered so that the covered entity can comply with the proposed 15-day time frame in responding to requests to access PHI? These are just a few questions that need to be asked and answered. Collaborating with those responsible for handling requests for access to PHI and completing this thought exercise can help covered entities identify possible options and maximize the time needed for necessary changes to the current process.
Policy management
If the covered entity’s process for access to PHI is also codified in a policy and procedure, this is another “to-do” item on the task list that the privacy official may need to prepare for. For example, some organizations may review their Privacy Rule-related policies and procedures every two or three years. When the final rule is published, it will be crucial that the current policies and procedures be reviewed and updated promptly to ensure their consistency with the law. What is important to do in such a situation is to also make sure that whatever system is used to track and monitor when policies are reviewed is updated to reflect when the next review of these policies will occur. Many policy management systems include functions that allow policies and procedures to be logged and that send a notification to policy owners and reviewers when a particular policy and procedure is due for review. This may also be a good time to verify that the list of current policy owners responsible for reviewing the policies is still accurate, as personnel changes may have occurred since the last time various policies and procedures were reviewed.
Reviewing and revising policies also presents another opportunity for privacy officials. They can use this opportunity to assess how easy it is for the workforce to access the affected policies. To maintain an effective compliance program, it is important that the policies are made readily available, and the workforce can easily access policies whenever needed, which will, in turn, increase the chance of timely application of policies in practice as well as the level of compliance.
New requirements
Along with changes to various sections within the current HIPAA Privacy Rule, the proposed rules also introduce new requirements related to new sections that may become finalized when the final rule is published. Now is an excellent time to look at some of these requirements and start identifying who would be good partners to begin assessing what actions will be needed to meet the new requirements. Consider the example of the newly proposed section 45 C.F.R. § 164.525, which deals with medical record requests.
The proposed rules introduce a new section in the Privacy Rule that lists several new requirements if a covered entity has decided to impose fees related to specific requests for medical records. These requirements include posting a fee schedule on the covered entity’s website and making the fee schedule available upon request and at the point of service.
Looking closely at the requirements of this new proposed section on medical records fees, a privacy official may identify other people within the organization who need to be involved in planning for these changes. These would include the individuals who maintain the covered entity’s website, medical records staff who are aware of and apply fee schedules related to medical record requests, and the staff who interact with patients who may request a copy of their medical records. In addition, processes will need to be developed to respond in a timely manner to fee schedule requests, provide an individualized estimate of the approximate fees related to a specific request for medical records, and determine when it is allowable to impose a cost-based fee associated with the type of request received for medical records. Since the fees are based on specific cost items related to labor, supplies, and postage, there will also need to be a process to calculate these costs so that the estimated fees are a good approximation of what may be imposed upon an individual. As such, this is a good example of how the proposed rules will require a team effort to work toward reaching compliance; it is unlikely that any one person would be expected to perform the necessary changes that the proposed rules may bring about.
Third-party partners or resources
The third suggested area to consider in preparing for the proposed changes involves connecting with third-party partners or resources. For this, the example of revising and reprinting the covered entity’s Notice of Privacy Practices (NoPP) is used, given that the proposed rules will introduce material changes to the covered entity’s privacy practices. As such, covered entities will need to replace their current versions of their NoPPs prominently displayed in areas where individuals receiving care are expected to see them.
For some covered entities, this may be as straightforward as working with an internal department, such as a print shop, to request new NoPPs. For others, an external resource may be used to order and receive revised NoPPs. In either case, the privacy official or another person responsible for obtaining the NoPPs for display should identify the contact person to arrange for ordering new NoPPs. This provides an opportunity to determine what costs will be involved, the turnaround time for the new NoPPs to be delivered, and the process of ordering new NoPPs. However, the need to order revised NoPPs also presents another opportunity, one that can be very useful in promoting compliance with the HIPAA Privacy Rule.
It is not uncommon for NoPPs to go missing or unaccounted for. For instance, if the waiting room where a NoPP is posted goes through any remodeling, it may mean that the NoPPs are taken down but sometimes not replaced—for whatever reason—after the remodeling is completed. In addition, the privacy official can also ensure that since the last NoPPs were distributed and posted, there are no new areas to consider for placing a copy of the NoPP. For example, a new NoPP may be needed for the waiting room in a newly established outpatient department that was put into operation since the last time NoPPs were installed. This enables the privacy official to confirm the locations of NoPPs that need to be replaced and also gives them the opportunity to identify new spots for NoPPs that may not have existed in the past.
Conclusion
Changes to the HIPAA Privacy Rule requirements do not occur very often. So, when changes are expected, it is imperative to take advantage of a plan to identify possible changes and how they will impact current processes or introduce the need for new processes. Fortunately, concerning the proposed changes to the Privacy Rule, compliance professionals can take advantage of the time available from the date that the final rules are published to the day that enforcement of the final rules will begin.
Takeaways
- Currently, the final rule for modifications to HIPAA is expected to be published in March 2023.
- The proposed rules strengthen several key aspects related to an individual’s right to access protected health information.
- New requirements that may be finalized include providing individuals with estimates on fees regarding requests for copies of medical records.
- Individuals designated with the responsibility of implementing HIPAA privacy policies may want to consider creating work teams to begin assessing the impact of the proposed changes to the Privacy Rule.
- Covered entities will have 240 days from when the final rule on modifications to the Privacy Rule is published in the Federal Register to prepare for enforcement.
*Frank Ruelas Jr., PCP, Frank Ruelas Sr., SJHMC/SJWMC CommonSpirit Health, and J. Veronica Xu, Saber Healthcare Group.