Issue link: https://beckershealthcare.uberflip.com/i/1341133
45 CIO / HEALTH IT Are proposed HIPAA changes good for healthcare? 3 hospital execs weigh in By Jackie Drees W hile the proposed HHS updates to the HIPAA Privacy Rule aim to help patients get more digital access to their health information, some of the proposed changes pose concerns for healthcare providers. e HHS Office for Civil Rights released the proposed modifications Dec. 10, 2020, as part of the department's Regulatory Sprint to Co- ordinated Care initiative, which analyzes federal regulations that in- terfere with healthcare providers and health plans' efforts to better coordinate care for patients. Some of the proposed changes include strengthening patients' access to their own health information and reducing administrative burdens on HIPAA-covered providers and health plans. Here, three hospital and health system executives share their thoughts on the proposed changes and what innovation opportunities and concerns they pose for the industry. Question: Are the proposed modifications to the HIPAA privacy rule good or bad for healthcare? What would you say is the most exciting and/or most concerning pro- posed change? Kathleen Ojala, RN, Administrative Director of Compliance and Integrity and HIPAA Privacy Officer at e Ohio State Universi- ty Wexner Medical Center (Columbus): Covered entities have been implementing the HIPAA regulations for almost 20 years. Although well intended, the proposed changes diminish some controls covered entities use to ensure provision of PHI to the right patient. For exam- ple, allowing a verbal release of information to suffice for a disclosure under limited circumstances imposes identity the risks. Many of the proposals seem geared to entities which may not be patient-centric. OCR could achieve favorable outcomes by coaching those entities instead of revising well established regulations. e most favorable of the proposals is the elimination of obtaining pa- tient acknowledgment of receipt of a Notice of Privacy Practices. e rule should go further: prominent posting of the NPP on the entity's website should suffice for physical posting in the entity. In addition to the associated costs for reproducing the NPPs, the practical value of posting on the wall is outdated. e most concerning change is a proposed definition of EHR in efforts to improve on the well-established designated record set. If nonproviders, such as health plans, intend to create document repos- itories to record determinants of health data, a definition specific for the specific type of covered entity should be created. Hospitals and physicians should be managing medical records information created by the medical professionals. e EHR definition contemplates that a covered entity would manage a patient's health app. e information garnered in a health app has limited use for medical care. Last count was that there were more than 160,000 health apps available and 200 new ones daily. e proposals also miss the mark with coordinating adherence to other regulatory schemes, including information blocking from ONC and part 2 regulations for substance use disorder patients. Raymond Lowe, Senior Vice President and CIO of AltaMed Health Services (Los Angeles): The premise for the change is to help expand individuals' rights to access their own digital health information. Thus, more access will greatly enhance the process of information sharing and improve case management across the entire care continuum. Another advantage given, considering COVID-19's disruptive nature, is that it would allow more family and caregiver interaction. We will know more as the final changes are implemented. Darrell Bodnar, CIO of North Country Healthcare (Lancaster, N.H.): • e proposed changes aim to strengthen patients' access to their PHI by permitting individuals to inspect their PHI in per- son, including taking notes or using other personal resources to view and capture images of their records. If we are talking about in-person viewing of a screen, taking pictures, or hand writing notes … my answer is no. Even beyond the short-term challenges of social distancing and restricted access to facilities, this makes no sense. Accessing it electronically is fine and that should be our obligation. I would liken it to asking your bank to see your mon- ey in person. I live in New Hampshire, where state law states a patient owns the records and not the provider or caregiver, so let them access and use it in any way they want, electronically. • HIPAA-covered entities' current 30-day required response time to give individuals access to their PHI would be cut to 15 days. I see nothing wrong with setting the bar to 15 days. Another com- parison to the banking industry — you have to wait 30 days to set up your bank account. I can get a mortgage in less than 30 days. ere is no reason that we cannot provide access to a patient's records in 15 days. • e modifications would create a pathway for individuals to direct sharing of their PHI in the EHR among covered healthcare providers and health plans. As mentioned above, I think the pa- tient owns the record and can do what they want with it. • e proposed rule would require specifications for when elec- tronic PHI must be provided to the individual at no charge. I don't think there should ever be a charge unless the request is for historic or legacy information stored outside of the EHR. • e changes would require HIPAA-covered entities to post es- timated fee schedules on their websites for both PHI access and disclosures with an individual's valid authorization as well as provide individualized estimates of fees for an individual's re- quest for copies of PHI. Once again, I believe price transparency is part of the overall shi of patient consumerism and the need to improve the patent experience. • e modifications would eliminate the requirement of obtain- ing an individual's written acknowledgment of receiving a pro- vider's Notice of Privacy Practices. Excellent. I have not signed a bank document in years … all electronic acceptance. n