HIPAA in 2022: Privacy, patient rights, and security

Jan. 19, 2022
Of the proposed HIPAA changes, the one likely to have the most effect on dentistry is patients' enhanced right to access their protected health information (PHI). Linda Harvey explains what this could mean for your practice.

Editor's note: This is the second of three articles on HIPAA updates in 2022. Read the first, HIPAA in 2022: What's on the horizon?


The U.S. Department of Health and Human Services (HHS) has extensive updates planned for the HIPAA Privacy Rule, which are expected to be published in 2022. The public comment period closed in May 2021. Once the review of public comments is complete, the approved proposed changes will continue through the required rule-making process. Of all the proposed changes, the one likely to have the most effect on dentistry is the enhanced right of the patient to access their protected health information (PHI). One reason for this is the ability, or inability, of practices to meet the interoperability requirements.

At a high level, here are five of the many changes we can expect to see:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI. Imagine patients taking pictures or videos of their x-rays or dental records.
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days), with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension). Of course, bear in mind that if your state law is more stringent, that is the timeframe you must follow.
  • Specifying when electronic PHI (ePHI) must be provided to the individual at no charge. For example, covered entities will not be allowed to charge patients when accessing their record in person or via the Internet.
  • Clarifying the form and format required for responding to an individual’s request for their PHI; for example, providing a digital copy of x-rays and CT scans rather than a paper copy. Patients would also be able to request that you send a copy of their ePHI to their personal health application.
  • Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests. Do you currently have different fees for attorney requests versus patient requests? In the future, this would be public record.

As a result of all the proposed changes, you will be required to modify the content requirements of your Notice of Privacy Practices (NPP) to clarify for individuals their rights with respect to their PHI and how to exercise those rights. Revisions to your NPP must include all the proposed changes. You may recall you are already required to prominently display your NPP on your website and in your office. Your NPP cannot simply be buried within your online patient registration forms; it must also be easily found and viewable on your website.

As with the HITECH/Omnibus Rule, which required redistributing your NPP to existing patients, you will be required to do so again. HIPAA requires that you redistribute your NPP any time there are material changes, including updates to the laws and rules.

Stay tuned for the publication date of these revisions. But the best way to prepare is by ensuring you are already in full compliance with the existing Privacy and Security Rules.

Why the security rule matters

Bear in mind that the HIPAA Safe Harbor Act was signed into law in January 2011. This act incentivizes compliance with the HIPAA Security Rule. In short, this means that if you have implemented government-recognized security measures and still have a breach, the Office of Civil Rights (OCR) will be more lenient with its fines or other enforcement actions.

Here’s the key point: don’t assume your IT partner is responsible for ensuring you’re HIPAA compliant. That’s your job! Here’s a partial list of what you are responsible for:

  • Subscribing to managed IT services with your IT partner
  • Encrypting PHI that you send to other providers
  • Conducting a thorough security risk analysis and taking action when security weaknesses are identified
  • Training your team upon hire and annually thereafter as well as providing periodic security awareness training
  • Maintaining privacy and security policies and procedures that have been customized to your office

If you fail to complete just one of these criteria, you are not compliant with the HIPAA Security Rule and are at risk of incurring fines and penalties.