HIPAA Changes in 2021 that Affect You: What Health Providers Should know

The COVID-19 crisis has taken our healthcare system for a ride and has compelled providers to adapt to a new set of conditions. These challenges have emphasized the need for immediate improvements in how patient data is shared and accessed. Many of these changes are here to stay, including a range of adjustments to the Health Insurance Portability and Accountability Act (HIPAA).

The newly proposed amendments have attracted the attention of both doctors’ and patients' alike as they significantly alter the way PHI can be accessed and distributed.

Continue reading to learn about the proposed HIPAA regulations, how they’ll affect your healthcare business, and how you can embrace them.

Why are HIPAA changes being introduced?

The pandemic has shown that the current data sharing regulations for PHI are too rigid and slow down a rapid response during an emergency. The HIPAA updates reflect a shift towards telemedicine and online healthcare.  They give patients more control over their health information and increase interoperability and data sharing between healthcare providers.

Shorter medical records request response time

Under present rules, entities have 30 calendar days to act on an individual's request for EHI access, with the option to prolong this period by an additional 30 calendar days. The proposed updates cut both these mandated timeframes in half, giving providers 15 calendar days to respond to such a request, with an opportunity for an extension of no more than an additional 15 days. The same timeframe applies to requests to share PHI with a third party.

On one hand, this means that already busy practices will have a shorter timeframe to process patient requests. This will require improved internal data access procedures to meet the newly-imposed deadlines. On the other hand, patient data will be available to physicians faster which will speed up treatment to patients and expedite communication between providers.

Easier patient access to health information

The new regulations offer patients more flexibility in accessing their medical data while easing certain restrictions on the disclosure of protected health information. They introduce several modifications that significantly cut the red tape and make the disclosure process smoother for patients and providers.

For example, covered entities will be prohibited from enforcing any “unreasonable measures” on patient's requests. This includes as asking patients to visit a provider in-person to obtain their own EHI data. A similar rule will apply to all authorization processes that are deemed “unreasonable.” Such procedures include those involving third parties other than associates, notary-approved requests, or in-person authorization (if another method is available).

If any such procedures are in place in your practice, consider offering additional PHI access and authorization methods. The introduction of new compliance rules creates a good opportunity to implement new solutions, such as a patient portal, mobile app, HIPAA compliant medical phone answering, or outsourced patient services. Each of these solutions makes adapting to the suggested changes much easier.

Additionally, to reduce paperwork and facilitate healthcare delivery, the proposed rules specify that:

• Patients will be allowed to take photos and notes of their EHR.
• Patients can request their data to be transferred to an online healthcare application.
• Covered entities can disclose PHI to Telecommunications Relay Services used by deaf and hard-of-hearing patients.
• Patients will no longer be asked to provide written confirmation of receiving a Notice of Privacy Practices when accessing their records.

Enhanced data sharing and interoperability

The pandemic has exposed the critical role of efficient cooperation between particular healthcare institutions.
The new HIPAA rules on interoperability becoming effective in April 2021 were designed to tackle interoperability issues and prevent information blocking. They will mostly empower patients to easy access to their medical records while also establishing effective healthcare information exchange between providers.

In their final shape, the interoperability and information blocking rules will require medical providers to share medical records and healthcare cost information with payers, providers, and third-party apps – at the patient’s request. The information will need to be shared in the format that is preferred and specified by the patient. This will require the implementation of secure APIs to enable smooth information exchange between various systems and software.

When the rules come into force, providers will no longer be allowed to refuse patients to take screenshots
or images of their EHI. Additionally, all hospitals will now have to provide electronic notifications at patient’s admission, discharge, and transfer.

These changes are expected to improve patient outcomes and reduce the burden on payers and providers. However, they did stir up some controversies among healthcare providers and industry organizations who point to the inherent security risks of sharing health information with external parties. As we continue into 2021, we don't 100% know where the road will take us, but we do know that to comply with the new HIPAA compliance guidelines providers will need to implement safeguards to ensure that PHI data is duly protected while still be accessible at the patient's request.

Streamlined value-based care coordination

In December last year, HHS issued a Notice of Proposed Rulemaking that aims to amend the HIPAA Privacy Rule in a way that removes barriers to coordinated care and care management. The key part of the notice is that it acknowledges the importance of third-party providers, allowing PHI transfer between healthcare facilities and institutions such as social service agencies.  Among the proposed changes, the definition of “healthcare operations” would be modified to include healthcare-related organizations involved in care coordination and case management for individual patients.

The update also introduces several wording changes in PHI disclosure recommendations concerning incapacitated patients and persons with serious mental illnesses or substance abuse disorders. For example, under current law, data disclosure is up to physicians’ “professional judgment”; the new recommendation would allow them to decide “based on a ‘good faith belief’ about an individual’s best interests.” These adjustments will make it easier to involve friends, family, and caregivers in the patient’s care.

Again, we should remember that these improvements will work both ways — it will soon be easier to receive your necessary patient data from another covered entity as well.  In the meantime, expect more requests from institutions newly recognized as health care operators and be aware that your practice is responsible for securing the released data.

Bottom Line

The proposed HIPAA updates will facilitate PHI’s flow for the combined benefit of both the patients and physicians alike. While undeniably convenient in the long-term, they will require providers to adjust selected documentation and policies to comply with the new rules in the near-term.

Remember that all your employees, from physicians to administration staff, will have to be familiar with the amended regulations if you’re a covered entity. Fortunately, you can rely on a range of HIPAA-compliant partners that will help you meet the new requirements. The Doctors Answer is one of them.