An article in the December issue of HIPAA Regulatory Alert, “HIPAA Changes Coming in 2022 Might Require Policy Revisions,” discussed how proposed changes to HIPAA and the HITECH Act may affect covered entities and business associates. Rivkin Radler’s Eric Fader was quoted in the article.

Eric pointed out that the proposed changes will require that healthcare providers retrain their employees. “Training of employees has been one of the things that providers have fallen down on in the past 20 years. HIPAA has never been fully complied with by providers because they purchase a HIPAA manual, put it on the shelf, and think they are in compliance,” he said. “Or, they have employees watch a HIPAA video when they’re first onboarded, and that’s it. You’re really supposed to train and retrain your employees every year at least.”

He added that the proposed rules are intended to shift HIPAA’s focus from restricting disclosures of protected health information (PHI) toward sharing PHI as necessary to encourage care coordination. “Part of the problem with patients trying to get access to their PHI has been that the organization, or individual employees, would use HIPAA as a crutch, an excuse not to go to the trouble of providing the information,” Eric said. “They would say they can’t give the patient these data because HIPAA prohibits it, or you have jump through all these hoops before we will give you your own records.”

However, increased patient access to records may present other problems, Eric predicted. “Now, patients are going to have the ability to inspect their PHI in person and take records or photographs. That is potentially a nightmare scenario for some providers, who could have a parade of patients coming in the office to view their records. You’ll need to give them a private and secure place to do that, with someone sitting with them to make sure they don’t get into things they’re not supposed to.”

The new federal rules may also trigger corresponding changes under state laws that require that patients be given timely access to their records. “In addition to violating HIPAA if you don’t get that data to patients in time, you may have to worry about violating state laws as well,” Eric said. “This can all create a burden for covered entities that are not ready for some of the logistical challenges here.”