Preparing for HIPAA Changes in IT, HIM, Compliance and Privacy

June 29, 2021
MRO Privacy

In a recent HIMSS TV interview with Bill Siwicki, Features Editor, Healthcare IT News, I had an opportunity to discuss the potential impact of new HIPAA privacy rules on healthcare provider organizations. The proposed changes are intended to improve patient access to protected health information (PHI) and promote compliant interoperability.

Current HIPAA Privacy Rules versus Proposed New Rules

The transition from the old HIPAA Privacy rule to the new proposed rule turns HIPAA upside down. The Omnibus Final Rule, the most recent addition to HIPAA, was passed in 2013 to strengthen the protection of protected health information, especially in electronic form, and give patients more access to their PHI. However, the proposed new rules have led to conflict due to lack of alignment with interoperability.

In MRO’s response to the Notice of Proposed Rule Making (NPRM) request for comment, we emphasized the need for proper protection of information balanced with the patient’s right to their information. Patients need to understand that when a request is directed to a third or fourth party, that party might not assume the same responsibility as a covered entity or business associate to protect the information. Patient awareness of this lack of obligation is critical to ensuring the privacy and security of their PHI.

Gaps in Interoperability 

From my perspective, the biggest gap in 2021 is the lack of a consistent description of an electronic designated record set. As we evolve over time, any electronic health information should be made available to the patient, and it is important to clarify what that means.

One option under consideration is the United States Core Data for Interoperability (USCDI), a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange. In addition, HIMSS, CHIME, AHIMA and others are working collectively to suggest core content for the designated record set, which will help establish consistency across facilities and support interoperability.

Operational Impact of New Rules on HIM, IT, Compliance and Privacy 

We hope that the comments submitted regarding the NPRM averted some issues that might have occurred had the proposed rules come to fruition as written. For example, the interoperability rule states that fees can be charged for providing information when manual effort is required, which will cause confusion. Do you set limits, or do you share all information?

It is important to give interoperability time to mature over the next several years. If patients can easily obtain their information and download it to another device, is there really a need for an update to the HIPAA privacy rules? Perhaps not. Quite a few larger provider organizations have indicated that they do not think the proposed changes are necessary. Once interoperability is fully achieved, the suggestions in the NPRM are not needed. As we continue to monitor forward movement based on responses to the NPRM, we will watch and see what happens.

To watch the full HIMSS TV interview, click here.

Newsletter Sign-Up

Recent Posts

Navigating the CMS 2025 Physician Fee Schedule Final Rule

Navigating the CMS 2025 Physician Fee Schedule Final Rule

The Centers for Medicare & Medicaid Services (CMS) 2025 Physician Fee Schedule (PFS) Final Rule brings notable updates to the Quality Payment Program (QPP), which will impact eligible clinicians, groups, virtual groups, subgroups, and APM entities. Whether you’re...

What is HEDIS? The Basics, Objectives and Significance

What is HEDIS? The Basics, Objectives and Significance

One of the most important tools utilized by payers across the country is the Health Effectiveness Data and Information Set (HEDIS), which is maintained by the National Committee for Quality Assurance (NCQA). HEDIS is a measurement set used to determine the efficacy of...