Is Your Healthcare Organization Ready for the Proposed Changes to the HIPAA Privacy Rule?
In January 2021, the OCR published a Notice of Proposed Rule Making (NPRM) to modify the HIPAA Privacy Rule. One proposed change is a recommendation to strengthen an individual’s right to access their health information.
Among other proposed updates to the Individual Right of Access, this proposed modification will adjust the Covered Entities response timeliness to an individual’s medical record request from 30 days to 15 calendar days, with the possibility of one 15 calendar-day extensions.
This is a significant change for many Covered Entities as we are continuing to see an increased focus from the U.S Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on Patient Right of Access.
The OCR announced this week three additional settlements with Covered Entities bringing the total cases to 41, specific to Patient Right of Access, in an effort to increase compliance. The primary complaint from individuals is a lack of timeliness in receiving records. As evidenced by continuing investigations, numerous Covered Entities are not providing access within the current 30-day requirement.
The three most recent enforcement actions range from $25,000 to $80,000 fine, and in each case, the Covered Entity has implemented a Corrective Action Plan.
We encourage health care providers to familiarize themselves with the proposed changes and begin preparing workflows and policy updates in order to be compliant with the current HIPAA requirements and proposed changes.
Learn more about the resolution of three investigations concerning potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s patient right of access provision here: https://www.hhs.gov/about/news/2022/09/20/ocr-settles-three-cases-dental-practices-patient-right-access-under-hipaa.html