Patients and providers would have more decision-making power over their health records under proposed changes to HIPAA. The Department of Health and Human Services’ Office for Civil Rights (OCR) last week recommended several changes that would make it easier for clinicians to share patient data with other providers, insurers and social service agencies for coordinating patient care.
“I give OCR a lot of credit for trying to come up with some proposals to really thread the needle in some difficult disclosure situations,” said Deven McGraw, a former deputy director for health information privacy at OCR.
Under the proposed rule, providers would be able to disclose patient data – to family members, for example — if they believe it’s in the patient’s best interest. It’s designed to allow more data sharing than current rules, which allow providers to base decisions only on “professional judgment.” The new standard would be more permissive, because it “presume(s) a covered entity’s good faith,” according to the proposed rule.
The changes also would make it easier for providers to disclose patient data to third-parties such as law enforcement when they believe a threat to health or safety is “serious and reasonably foreseeable,” rather than the current, stricter standard that allows disclosures only when there’s a “serious and imminent” threat to health or safety.
“These are not easy judgment calls to make,” McGraw said. “You don’t really want regulators making the call on this one. Ideally, you want medical professions to be sharing when they should share and not sharing when they shouldn’t, but it’s very hard to get the legal standard right.”
The proposed changes are in line with the Trump Administration’s focus on ensuring that regulations don’t stand in the way of patients being able to access their own health information, with updates such as shortening the period in which covered entities are required to respond to patients’ record requests from 30 to 15 days.
“It’s clear that there should not be barriers to individuals getting their own information into their own hands,” said Matthew Fisher, partner and chair of the health law group at Mirick O’Connell. “It’s long overdue, and feet are going to be held to the fire.”
Michelle De Mooy, a data privacy and ethics consultant, supports the proposal to stop requiring patient signatures for privacy notices because “it’s basically useless for everybody involved.” She said it’s smart to keep HIPAA notices “short and sweet” so patients can easily understand their rights and how to exercise them.
Industry watchers expect a Biden administration to pick up the proposed rule and continue work on a final version after the public comment period closes, particularly because data sharing and patient privacy are largely bipartisan issues that have also been touted by Biden. “I would anticipate that this (proposed rule) keeps moving forward,” said Tom Leary, senior vice president of government relations at the Healthcare Information and Management Systems Society.
However, many of the proposed changes, such as requiring providers to respond to patients’ record requests in 15 days and restructuring how to verify patient identities, will require hospitals to revisit procedures for sharing records and maybe even hire new staffers to avoid creating more burden for those workers.
Rand Seigel, an attorney and partner in Manatt Health, recommends that hospitals ensure health information management or medical records departments have enough staff to review and respond to patient requests within the required 15-day window and IT systems are up-to-date so they can hook up to third-party apps, as well as educating staff about possible changes. “This recent shift to thinking more about sharing (data) and not erring on the side of protecting is a very significant shift in the mindset of a provider,” she said.
The public comment period for the proposed rule closes in February.