A number of healthcare organizations have expressed concern about the HIPAA Privacy Rule modifications proposed by the Department of Health and Human Services (HHS) in December 2020 and published in the Federal Register last January. The HHS has received feedback from over 1,400 individuals and companies and will now evaluate all responses before releasing a final rule or another proposed rule.
Commenters requested changes to align the HIPAA Privacy Rule more closely with other regulations, such as the 21st Century Cures Act and the 42 CFR Part 2 regulations that cover federally assisted substance use disorder (SUD) treatment services, and to increase alignment with state health data privacy regulations. Some of the proposed HIPAA Privacy Rule changes are meant to remove obstacles to data disclosure for care coordination; however, the modifications may still conflict with state regulations, particularly with regard to SUD treatment. There is concern that poor alignment with other rules may be a substantial cause of confusion and could create new privacy and security challenges.
Another issue concerns personal health applications (PHAs). The HHS has explained what PHAs are; however, many groups and companies have expressed concern about the privacy and security problems associated with sharing protected health information (PHI) with these unregulated applications. PHAs are not covered by HIPAA, so any PHI sent by a covered entity to a PHA at a patient's request could result in that patient's PHI being used in ways the patient did not intend. A patient's PHI could also readily be viewed and used by third parties.
PHAs might not have strong privacy and security controls, given that compliance with the HIPAA Security Rule would not be mandatory. Covered entities are not required to enter into business associate agreements with PHA providers, and secondary disclosures of PHI would not be restricted by the HIPAA Privacy Rule.
The American Hospital Association's feedback to the HHS states that personal health applications should be limited to apps that do not allow third-party access to the data, that include proper privacy protections and sufficient security, and that are designed to accurately present health data obtained from electronic health records.
The College of Healthcare Information Management Executives (CHIME) has commented on the proposal for covered entities to require PHAs to register before being given patient information, and on how covered entities would be expected to act when a patient asks for their health data to be provided to a PHA that lacks proper privacy and security protections. For example, if a patient asked for their PHI to be provided to a PHA created by a nation-state actor, would companies still be required to provide the PHI as requested? Concern was also raised about the increasing number of platforms that trade PHI and fall outside the coverage of HIPAA.
One of the proposed modifications concerns improving patients' access to their health information by shortening the time allowed to provide that data from 30 days to just 15 days. CHIME and the Association for Behavioral Health and Wellness (ABHW) have both expressed concern about shortening the period for responding to patient requests for their healthcare information, because it would place a greater administrative burden on healthcare companies, particularly during the COVID pandemic. CHIME stated that it may not be possible to deliver PHI within this shorter time period and that the change would likely increase costs to the healthcare system. CHIME has asked the HHS to document when exceptions are permitted, for example in cases of legal disputes and custody cases. ABHW believes the time period should not be changed and should remain 30 days.
It is likely that when the final rule is issued this year, companies will be required to ensure compliance during the pandemic, which may be very difficult. ABHW has proposed delaying the proposed rule for another year to reduce the burden on covered entities. CHIME recommended that the HHS not release a final rule based on the responses received, but instead reissue the questions raised in the proposed rule as a request for information and hold a listening session to obtain more granular responses, and then open a conversation about the proposed modifications.