5 ways OCR can strengthen its proposed changes to HIPAA, advance interoperability

The Office for Civil Rights released proposed modifications to the HIPAA Privacy Rule in December to strengthen individuals' access to their own health information; however, there are five ways OCR can address inconsistencies and concerns for patient well-being, according to a May 19 op-ed in Health Affairs.

Five recommendations for HIPAA's proposed regulation change:

  1. The OCR proposed that a personal health application could exercise an individual's right under HIPAA to access that individual's protected health information quickly and with low fees. However, the proposal is unclear on which mobile apps would qualify to do so.

  2. The OCR has proposed a definition for electronic health records that is different from the one used in the Health Information Technology for Economic and Clinical Health Act. However, it has not clarified the reason it needs a separate definition, which may confuse patients.

  3. The change would allow a covered entity to disclose PHI to a family member or caregiver. The current regulation only allows PHI to be shared if the patient is not present or is incapacitated and the disclosure is in their best interest. The proposal would change that to a "good faith belief," allowing PHI to be disclosed to friends and family if it's perceived to be in the patient's best interest. The new regulation lowers the standard for PHI disclosure without planning for the potential harm it may cause, the article said.

  4. The new regulation would impose new circumstances where a medical professional may disclose a patient's PHI to social services agencies or community organizations. The proposed regulation doesn't address the responsibility that organizations would have to protect the PHI they receive. It also doesn't address whether these disclosures will be sent out in bulk or on a one-by-one determination. Lastly, it doesn't consider whether patients want their information to be shared with a social service agency or community organization.

  5. The new OCR regulation would exemplify long-standing guidance that HIPAA business associates are not required to directly respond to patients seeking their PHI unless the business agreement with the HIPAA-covered entity requires them to. This isn't consistent with the 21st Century Cures Act, which creates expectations that certain businesses, such as an EHR vendor, respond directly to patients' requests for their health information. The OCR needs to align its HIPAA regulations with other information-blocking rules, the article said.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.