OCR Submits Proposed HIPAA Changes for 2021

The Department of Health & Human Services Office for Civil Rights (OCR) proposed modifications to the HIPAA Privacy Rule. The OCR drafted these HIPAA changes to improve patient data access, caregiver engagement, and care coordination. OCR sees some aspects of the current law as inhibitors to value-based care. Those inhibitors, OCR says, create unnecessary burdens around communication and coordination. 

In this post, we’ll review the proposed changes and what they mean for healthcare data. 

What Are the Proposed HIPAA Changes?

The 357-page document packs in lots of language, so let’s break it down to the following main points:

• Clarification around patient data access rights, including the right to inspect a patient’s medical records in-person. 
• Shortening of the mandated medical records request response from 30 to 15 days while also reducing the patient identity verification process and defining the format a patient can receive his or her medical records and transparency regarding fees for such.
• Third-party access changes requiring providers to enable a more seamless funneling of medical records to other providers or parties at the patient’s request. 
• Removal of “minimum necessary” provisions to strengthen care coordination, enabling disparate providers to have broader access to patient files. 
• Covered entity sharing of patient health information with non-clinical third parties, including social services or community-based services, making it easier to address social determinants of health (SDOH). 

In short, the OCR wants to eliminate regulatory barriers that often disrupt healthcare data exchange. Those in charge believe the existing provisions create “unnecessary burdens.” 

HIPAA Changes in Line with Interoperability Rule

The rhetoric and reasoning behind HIPAA changes sound familiar. It’s the same message the HHS and CMS sent with the interoperability rule earlier this year. Those rules were patient access focused and defined better paths to accessibility. Interoperability and accessibility have long been the bane of healthcare data. These changes, if confirmed, could make more in-roads to this problem. 

The Impact on the Healthcare Ecosystem

Ultimately, it appears these modifications to HIPAA could improve the patient experience and care. Should they become rule, providers will need to adjust how they provide information to patients, accelerating timelines, and informing patients of formats and costs. 

For the healthcare system, holistically, it should improve data sharing. Without regulatory speedbumps, providers could have the information they need sooner. This access could mean the patient receives the right care at the right time. It could also reduce duplicative testing or treatments, which are a huge cost burden that is avoidable.

Challenges, even with new rules, persist in data sharing to third parties or other providers. While meeting the regulatory requirements causes delays, other things do as well. Often patient record exchange doesn’t happen timely because of bandwidth issues or lack of ownership. Healthcare IT teams and clinicians have responsibility here, and formal processes may not exist. Healthcare organizations often partner with data management companies like InfoWerks to develop secure, compliant data sharing processes. 

Next Steps

The next step for the proposed changes is the period for public comments from stakeholders. We’ll monitor the process and bring you updates on the finalization of HIPAA changes and what they mean to you.