[BreachExchange] HIPAA Changes May Be on the Way

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 16 21:23:26 EDT 2018


https://www.jdsupra.com/legalnews/hipaa-changes-may-be-on-the-way-82349/

Since the major HIPAA overhaul implemented in 2013, there have been few
changes to HIPAA privacy, security, and breach notification regulations.
However, several HIPAA regulatory changes may now be on the way. The Trump
Administration recently published its Unified Agenda, formally called the
Spring 2018 Unified Agenda of Regulatory and Deregulatory Actions, which
includes the following potential changes to HIPAA:

ACCOUNTING OF DISCLOSURES
First, a bit of background. Under HIPAA, health care providers and certain
other covered entities have an obligation to maintain an "accounting" of
some of their disclosures of patient information and to provide an
accounting to patients upon request. Although most health care providers do
not frequently receive disclosure accounting requests from patients, this
requirement exists to give patients the ability to obtain basic information
about disclosures of their information by their health care providers.
Accordingly, providers and other covered entities must be prepared to
respond to such requests.

Prior to the 2009 HITECH Act, the accounting requirement contained a number
of exceptions. In particular, under what is commonly referred to as the TPO
Exception, health care providers were not required to maintain an
accounting of disclosures made for TPO purposes – certain treatment,
payment, and health care operations purposes. The HITECH Act changed that
by applying the accounting requirement to TPO disclosures made through an
electronic health record, although this change has not yet been added to
the HIPAA accounting regulation.

In a 2011 proposed rule aimed at this issue, the U.S. Department of Health
and Human Services ("HHS") proposed to go even further and apply the
accounting requirement to any access to an electronic designated records
set. Because this proposal was so broad and potentially burdensome, it
proved to be controversial and was never implemented.

Now, in the Unified Agenda presented this spring, HHS indicated that it will
be withdrawing the 2011 proposed rule. HHS has also announced its intent to
issue an advance notice of proposed rulemaking in late 2018, which may
subsequently lead to a rule implementing the HITECH Act's accounting
requirement. It remains to be seen what the new proposal will entail, but
providers and other covered entities should stay tuned.

DISTRIBUTING A PERCENTAGE OF HIPAA PENALTIES/SETTLEMENTS TO HARMED
INDIVIDUALS
The HITECH Act required that a methodology be developed for distribution of a
percentage of civil monetary penalties and settlement proceeds collected by
HHS in connection with HIPAA violations to individuals harmed by such
violations. This requirement was never implemented, although the Unified
Agenda indicates that HHS intends to request public comments on a
distribution methodology later in 2018. Parties interested in commenting
should stay tuned for the release of the notice.

OBTAINING PATIENT ACKNOWLEDGEMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES
HIPAA generally requires that providers issue notices of their privacy
practices to patients and requires providers to obtain an acknowledgment of
receipt of the notice from each patient or, alternatively, document their
good faith efforts to do so and the reason an acknowledgment was not
obtained. In the Unified Agenda, HHS has indicated its intent to issue a
notice of proposed rulemaking around September 2018 to change the
acknowledgment requirement. Although it is not yet clear what this change
will entail, this development may change some notice of privacy practices
requirements.

PRESUMPTION OF GOOD FAITH OF HEALTH CARE PROVIDERS
Under the HIPAA Privacy Rule, a health care provider is permitted to
disclose certain limited information of a patient to a patient's family
members, among other parties, when the patient is incapacitated. The
provider must first determine, based upon professional judgment, that the
disclosure is in the best interest of the patient. In the Unified Agenda,
HHS has indicated its intent to issue a notice of proposed rulemaking
around September 2018 to clarify that a provider sharing patient
information in such a situation is presumed to be acting in the patient's
best interests in disclosing information to family members, unless there is
evidence that the provider has acted in bad faith. Such a presumption will
likely benefit health care providers and allow them to more readily share
information with family members in difficult care situations, although the
exact details of this clarification are not yet available.