HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration in 2018. The OCR has plans to remove some of the outdated and labour-intensive elements of HIPAA that provide little benefit to patients. However, OCR will seek feedback from healthcare industry stakeholders before HIPAA changes are made.
OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes, as was done with previous updates. Any comments given on these proposed changes will be considered carefully before any updates are applied to HIPAA legislation.
At a recent HIPAA summit in Virginia, OCR director Severino gave some insight into what types of changes can be expected for the HIPAA Privacy Rule in 2018. According to Severino, there were three possible changes
to HIPAA regulations in 2018. The first is in relation to the enforcement of HIPAA Rules by OCR.
The introduction of the Enforcement Rule, OCR has had the power to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. The OCR has been permitted to retain a proportion of the settlements and CMPs it collects through its enforcement actions, since the incorporation of HITECH Act into HIPAA in 2009. The collected funds are used, in part, to cover the cost of future enforcement actions and to provide restitution to victims. However, to this date, OCR has not done the latter. In order to correct this, the OCR is considering requesting information on how a proportion of the settlements can be directed to the victims of healthcare data breaches and HIPAA violations.
The OCR is also considering changing the area of authority that requires covered entities to retain signed forms from patients confirming they have received a copy of the covered entity’s notice of privacy practices. A conclusion has been reached that the forms are not read due to the patient often wanting to see a doctor as soon as possible and therefore just signing the forms. In its place, a suggestion has been made to remove the requirement to obtain and store signed forms and instead inform patients of privacy practices via a notice in a prominent place within the covered entity’s facilities.
The OCR is also considering changing HIPAA regulations in 2018 relating to good faith disclosures of PHI. In relation to this, Severino said that the OCR is considering formally clarifying that disclosing PHI in certain circumstances is permitted without first obtaining consent from patients. An example of this can be seen with the sharing of PHI with family members and close friends when a patient is incapacitated.
Although HIPAA does permit healthcare providers to disclose PHI when a patient is in imminent harm, further rulemaking is required to cover good faith disclosures.
These various changes will take some time to be considered. Therefore, it could take until 2019 before they are implemented.