Health Information Compliance Alert

Published on Fri Mar 13, 2020 PDF

Hint: Keep abreast of new rules and regs.

When the feds change HIPAA, it’s usually to clarify rules and add protection for patients. Sometimes the changes have a negative effect on the industry at large — and that leads to massive headaches for providers.

Case in point: In January, Washington, D.C. Federal District Court Judge Amit Mehta released a 55-page decision on the 2018 case Ciox Health LLC brought against the Department of Health and Human Services (HHS).

Details: The court agreed with Ciox that the 2013 Omnibus Rule concerning the transfer of protected health information (PHI) to third parties was “arbitrary and capricious,” and should be changed. The ruling also noted that the “2016 Patient Rate” changes violated the Administrative Procedures Act (APA); moreover, the feds didn’t use the correct regulatory measures including providing notices and allowing public commentary on the update.

Review the court materials at www.hhs.gov/hipaa/court-order-right-of-access/index.html.

The court’s decision on HIPAA’s Right of Access rules may cause more confusion for covered entities (CEs) and their business associates (BAs) than previously thought (see Health Information Compliance Alert, Vol. 20, No. 2).

Why? In response to the court, the HHS Office for Civil Rights (OCR) issued a notice that explains the ruling and how this will impact the HIPAA rules referenced in the case. Specifically, CEs must understand that the ruling vacates the “third-party directive,” suggests the notice. Plus, in the future, fee limits “will apply only to an individual’s request for access to their own records,” and will not affect “an individual’s request to transmit records to a third party,” cautions the OCR.

See the notice at www.hhs.gov/hipaa/court-order-right-of-access/index.html.

Considering the case and other HHS changes, practices should prepare for patients’ requests as well as third-party concerns, suggests HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems LLC in Charlotte, Vermont. He offers four tips to keep you on the right side of the regulation change:

1. Remember the HIPAA rules. “Make sure you provide access to individuals according to the rules for individual access only,” Sheldon-Dean cautions.

2. Update your authorization policies. “Be ready to redirect requests from third parties to your authorization process for releases,” he advises.

3. Stay on top of federal mandates. “Keep your eyes out for the final rules on data blocking and be ready to change processes again,” he says.

4. Pay attention to your patients. “Always do your best to satisfy reasonable requests from individuals and do what is best for their healthcare; happy patients don’t complain to HHS,” warns Sheldon-Dean.