The newly proposed HIPAA electronic private health information (ePHI) rule from the U.S. Department of Health and Human Services may place more stringent requirements and compliance issues upon providers.
One of the primary goals the U.S. Department of Health and Human Services (HHS) identified for the Meaningful Use (MU) initiative was a more consumer-driven healthcare delivery model. Electronic health information interoperability was a key element in achieving that goal. Codification of ePHI and adoption of standards that defined transport and message structures have provided the technical pillars for successful ePHI interoperability, but expanded requirements are ongoing.
To further meet HHS’s stated consumer-driven goals, policy changes are being enacted to strengthen patients' rights to access ePHI.
Initial changes in HIPAA policies regarding access to ePHI include shortened timeframes to respond to a patient’s request for their medical record. Currently, HIPAA requires that providers fulfill patient requests for their medical records within 30 days of making the request. HHS is proposing the maximum time be shortened to 15 days. HHS cites several states that have successfully adopted timeframes shorter than the proposed 15 days.
The Office for Civil Rights (OCR) is also conducting complaint-based audits on medical record fulfillment requests. So far in 2021, OCR has levied over a dozen fines related to providers not responding in a timely manner to a patient’s request for their medical records.
Near real-time access to ePHI is also being promoted by HHS through patient portals, APIs, and patient-led ePHI capture via smartphone tools. Acknowledging the advances in consumer technology, HHS proposes new guidelines which specifically allow patients to access and capture ePHI in photos, videos, and audio through the capabilities embedded in their personal devices. Proposed policy changes will allow patients to make a separate appointment to review ePHI where they can use these capture tools. This policy change would also allow the patient to review and collect procedural ePHI when the procedure is performed. Many, if not most providers, discourage or prohibit digital recording today by policy or practice.
Emerging API technologies will blur the “form and format” of ePHI from the “manner” of producing and transmitting the data. As stated in OCR’s Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement rule:
“if a covered entity or its EHR developer business associate has chosen to implement a secure, standards-based API—such as one consistent with ONC’s Cures Act certification criteria…that is capable of providing access to ePHI in the form and format used by an individual’s personal health application, that ePHI is considered to be readily producible in that form and format, and that is also the manner by which the ePHI is transmitted. Where ePHI is readily producible in the electronic form and format requested by the individual, the covered health care provider must provide that access, including when the individual requests access to the ePHI through a secure, standards-based API via the individual’s personal health application.”
These policies are being introduced in the quest to actively engage patients in the decision-making process of their healthcare. The resulting policy changes will require new provider workflows to account for the realization of patients receiving ePHI results simultaneously or even before the provider has reviewed the information.
To find out how MEDHOST can help you prepare and respond to the newly proposed rule, reach out to us at firstname.lastname@example.org or call 1.800.383.6278