Since the major HIPAA overhaul implemented in 2013, there have been few changes to HIPAA privacy, security, and breach notification regulations. However, several HIPAA regulatory changes may now be on the way. The Trump Administration recently published its Unified Agenda, formally called the Spring 2018 Unified Agenda of Regulatory and Deregulatory Actions, which includes the following potential changes to HIPAA:
ACCOUNTING OF DISCLOSURES
First, a bit of background. Under HIPAA, health care providers and certain other covered entities have an obligation to maintain an "accounting" of some of their disclosures of patient information and to provide an accounting to patients upon request. Although most health care providers do not frequently receive disclosure accounting requests from patients, this requirement exists to give patients the ability to obtain basic information about disclosures of their information by their health care providers. Accordingly, providers and other covered entities must be prepared to respond to such requests.
Prior to the 2009 HITECH Act, the accounting requirement contained a number of exceptions. In particular, under what is commonly referred to as the TPO Exception, health care providers were not required to maintain an accounting of disclosures made for TPO purposes – certain treatment, payment, and health care operations purposes. The HITECH Act changed that by applying the accounting requirement to TPO disclosures made through an electronic health record, although this change has not yet been added to the HIPAA accounting regulation.
In a 2011 proposed rule aimed at this issue, the U.S. Department of Health and Human Services ("HHS") proposed to go even further and apply the accounting requirement to any access to an electronic designated records set. Because this proposal was so broad and potentially burdensome, it proved to be controversial and was never implemented.
Now, in the Unified Agenda presented this spring, HHS has indicated that it will be withdrawing the 2011 proposed rule. HHS has also announced its intent to issue an advance notice of proposed rulemaking in late 2018, which may subsequently lead to a rule implementing the HITECH Act's accounting requirement. It remains to be seen what the new proposal will entail, but providers and other covered entities should stay tuned.
DISTRIBUTING A PERCENTAGE OF HIPAA PENALTIES/SETTLEMENTS TO HARMED INDIVIDUALS
The HITECH Act required that a methodology be developed for distributing a percentage of the civil monetary penalties and settlement proceeds collected by HHS in connection with HIPAA violations to the individuals harmed by such violations. This requirement was never implemented, although the Unified Agenda indicates that HHS intends to request public comments on a distribution methodology later in 2018. Parties interested in commenting should stay tuned for the release of the notice.
OBTAINING PATIENT ACKNOWLEDGEMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES
HIPAA generally requires that providers issue notices of their privacy practices to patients and requires providers to obtain an acknowledgment of receipt of the notice from each patient or, alternatively, document their good faith efforts to do so and the reason an acknowledgment was not obtained. In the Unified Agenda, HHS has indicated its intent to issue a notice of proposed rulemaking around September 2018 to change the acknowledgment requirement. Although it is not yet clear what this change will entail, this development may change some notice of privacy practices requirements.
PRESUMPTION OF GOOD FAITH OF HEALTH CARE PROVIDERS
Under the HIPAA Privacy Rule, a health care provider is permitted to disclose certain limited information of a patient to a patient's family members, among other parties, when the patient is incapacitated. The provider must first determine, based upon professional judgment, that the disclosure is in the best interest of the patient. In the Unified Agenda, HHS has indicated its intent to issue a notice of proposed rulemaking around September 2018 to clarify that a provider sharing patient information in such a situation is presumed to be acting in the patient's best interests in disclosing information to family members, unless there is evidence that the provider has acted in bad faith. Such a presumption will likely benefit health care providers and allow them to more readily share information with family members in difficult care situations, although the exact details of this clarification are not yet available.