Proposed HIPAA Updates
This update primarily impacts our colleagues in the Healthcare Industry, but history has shown that once one standard is updated, the others follow suit. To that end, in 2022 there is proposed rulemaking that will alter some of the HIPAA rules. HIPAA has now been in place for over 25 years, and there are many who believe it should have a serious makeover to accommodate the changing threat and vulnerability landscape.
Here are a few highlights of the proposed rules:
1. The definition of an “Electronic Health Record.” Today, there is no formal definition. In the future, this term will be officially defined so that it may be separated from other sensitive information.
2. The definition of a “Personal Health Application.” This term is also not formally defined. With the use of mobile and web apps (e.g., your fitness tracker), there is health-related information about us everywhere. It is important that we differentiate these types of applications.
3. The rights of an individual to obtain a copy of their personal medical record will be expanded, for example, to allow patients to use their phone or camera to record a copy of the medical record.
4. The timeline to respond to a request for access to one’s medical record will be reduced from 30 days today to 15 days in the future.
5. The means by which a medical record can be produced to a patient will expand to allow for API access. This proposed rule adds the right for individuals to direct health care providers to transmit ePHI to a third party within 15 days of request, oral or otherwise.
6. The proposed rulemaking would expressly prohibit a covered entity from imposing unreasonable measures on an individual’s right to access their records.
7. New fee structures and limitations will be established with regard to an individual’s access to their own records.
8. There will be revised disclosure boundaries related to the disclosure of information for coordination of care.
9. The new HIPAA rules will redefine the terms “professional judgement” and “serious and imminent” when making a disclosure without authorization in situations where health and safety are at risk. The new rules will update the requirements to obtain acknowledgements related to the Notice of Privacy Practices.