In a recent HIMSS TV interview with Bill Siwicki, Features Editor, Healthcare IT News, I had an opportunity to discuss the potential impact of new HIPAA privacy rules on healthcare provider organizations. The proposed changes are intended to improve patient access to protected health information (PHI) and promote compliant interoperability.
Current HIPAA Privacy Rules versus Proposed New Rules
The transition from the old HIPAA Privacy rule to the new proposed rule turns HIPAA upside down. The Omnibus Final Rule, the most recent addition to HIPAA, was passed in 2013 to strengthen the protection of protected health information, especially in electronic form, and give patients more access to their PHI. However, the proposed new rules have led to conflict due to lack of alignment with interoperability.
In MRO’s response to the Notice of Proposed Rule Making (NPRM) request for comment, we emphasized the need for proper protection of information balanced with the patient’s right to their information. Patients need to understand that when a request is directed to a third or fourth party, that party might not assume the same responsibility as a covered entity or business associate to protect the information. Patient awareness of this lack of obligation is critical to ensuring the privacy and security of their PHI.
Gaps in Interoperability
From my perspective, the biggest gap in 2021 is the lack of a consistent description of an electronic designated record set. As we evolve over time, any electronic health information should be made available to the patient, and it is important to clarify what that means.
One option under consideration is the United States Core Data for Interoperability (USCDI), a standardized set of health data classes and constituent data elements for nationwide, interoperable health information exchange. In addition, HIMSS, CHIME, AHIMA and others are working collectively to suggest core content for the designated record set, which will help establish consistency across facilities and support interoperability.
Operational Impact of New Rules on HIM, IT, Compliance and Privacy
We hope that the comments submitted regarding the NPRM averted some issues that might have occurred had the proposed rules come to fruition as written. For example, the interoperability rule states that fees can be charged for providing information when manual effort is required, which will cause confusion. Do you set limits, or do you share all information?
It is important to give interoperability time to mature over the next several years. If patients can easily obtain their information and download it to another device, is there really a need for an update to the HIPAA privacy rules? Perhaps not. Quite a few larger provider organizations have indicated that they do not think the proposed changes are necessary. Once interoperability is fully achieved, the suggestions in the NPRM are not needed. As we continue to monitor forward movement based on responses to the NPRM, we will watch and see what happens.
To watch the full HIMSS TV interview, click here.