Since the major HIPAA overhaul implemented in 2013, there have been few changes
to HIPAA privacy, security, and breach notification regulations. However, several
HIPAA regulatory changes may now be on the way. The Trump Administration recently
published its Unified Agenda, formally called the Spring 2018 Unified Agenda of
Regulatory and Deregulatory Actions, which includes the following potential changes to
HIPAA:

ACCOUNTING OF DISCLOSURES

First, a bit of background. Under HIPAA, health care providers and certain other
covered entities have an obligation to maintain an “accounting” of some of their
disclosures of patient information and to provide an accounting to patients upon
request. Although most health care providers do not frequently receive disclosure
accounting requests from patients, this requirement exists to give patients the ability to
obtain basic information about disclosures of their information by their health care
providers. Accordingly, providers and other covered entities must be prepared to
respond to such requests.

Prior to the 2009 HITECH Act, the accounting requirement contained a number of
exceptions. In particular under what is commonly referred to as the TPO Exception,
health care providers were not required to maintain an accounting of disclosures made
for TPO purposes – certain treatment, payment, and health care operations purposes.
The HITECH Act changed that by applying the accounting requirement to TPO
disclosures made through an electronic health record, although this change has not yet
been added to the HIPAA accounting regulation.

In a 2011 proposed rule aimed at this issue, the U.S. Department of Health and
Human Services (“HHS”) proposed to go even further and apply the accounting
requirement to any access to an electronic designated records set. Because this
proposal was so broad and potentially burdensome, it proved to be controversial and
was never implemented.

Now in the Unified Agenda presented this spring, HHS indicated that it will be
withdrawing the 2011 proposed rule. HHS has also announced its intent to issue an
advance notice of proposed rulemaking in late 2018, which may subsequently lead to a
rule implementing the HITECH Act’s accounting requirement. It remains to be seen
what the new proposal will entail, but providers and other covered entities should stay
tuned.

DISTRIBUTING A PERCENTAGE OF HIPAA PENALTIES/SETTLEMENTS TO
HARMED INDIVIDUALS

The HITECH Act required a methodology be developed for distribution of a percentage
of civil monetary penalties and settlement proceeds collected by HHS in connection
with HIPAA violations to individuals harmed by such violations. This requirement was
never implemented, although the Unified Agenda indicates that HHS intends to request
public comments on a distribution methodology later in 2018. Parties interested in
commenting should stay tuned for the release of the notice.

OBTAINING PATIENT ACKNOWLEDGEMENT OF RECEIPT OF NOTICE OF
PRIVACY PRACTICES

HIPAA generally requires that providers issue notices of their privacy practices to
patients and requires providers to obtain an acknowledgment of receipt of the notice
from each patient or, alternatively, document their good faith efforts to do so and the
reason an acknowledgment was not obtained. In the Unified Agenda, HHS has
indicated its intent to issue a notice of proposed rulemaking around September 2018 to
change the acknowledgment requirement. Although it is not yet clear what this change
will entail, this development may change some notice of privacy practices
requirements.

PRESUMPTION OF GOOD FAITH OF HEALTH CARE PROVIDERS

Under the HIPAA Privacy Rule, a health care provider is permitted to disclose certain
limited information of a patient to a patient’s family members, among other parties,
when the patient is incapacitated. The provider must first determine, based upon
professional judgment, that the disclosure is in the best interest of the patient. In the
Unified Agenda, HHS has indicated its intent to issue a notice of proposed rulemaking
around September 2018 to clarify that a provider sharing patient information in such a
situation is presumed to be acting in the patient’s best interests in disclosing
information to family members, unless there is evidence that the provider has acted in
bad faith. Such a presumption will likely benefit health care providers and allow them to
more readily share information with family members in difficult care situations, although
the exact details of this clarification are not yet available.

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from our team.

You have Successfully Subscribed!

Share This