March 18, 2023
The U.S. Department of Health and Human Services (HHS) decided to finalize the “Notice of Proposed Rule Making,” which was first issued in January 2021. The said rule change aims to reduce the administrative burdens of healthcare providers, including the costs of sharing health information.
Table of Contents
The Proposed HIPAA Rule Change
This proposed HIPAA rule change will make several changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to strengthen the patients’ right to access their health information. Furthermore, the NPRM will also remove barriers to coordinated care and facilitate the involvement of family members and caregivers when treating individuals during emergency situations.
Financial Burden of the Proposed Rule Change
According to a study conducted by Hemming Morse, the proposed rule change will force healthcare providers to shoulder the costs amounting to $1 billion annually. This could burden most hospitals, like those in rural areas that lack funds to continue their operations. Due to the proposed change, many hospital executives will find it difficult to include this new expense in their 2023 budgets.
Initially, these requests come at little to no cost to patients and providers. Before the proposed rule change, the requestors who access medical records for commercial purposes subsidized the fees. However, with the proposed amendment, third parties will pay lower than usual, and the excess amount will be passed on to providers and patients. As a result, these third parties will become more confident to request as many records as they like.
The policy change is expected to increase medical record requests, which could reduce processing times and increase waiting lines. This could eventually overwhelm the hospitals, resulting in overworked health information management staff.
Impact on Patient Care and Hospital Closures
Hospitals may face the burden of dealing with thousands of patient record requests. On top of that, they will need more healthcare staff to process these requests. Due to a lack of funding and staffing, providers could compromise thousands of patients who need urgent care and assistance.
As providers face the difficult decision to cut their annual budgets, they might also reduce their community outreach programs. Since they need to save their money and resources for this proposed rule, healthcare organizations might also stop doing innovative projects to make way for this change. Instead of investing in new facilities and equipment, hospitals may even end up closing their doors due to bankruptcy.
Increased patient record requests can eventually lead to more hacking incidents and data breaches. To ensure HIPAA compliance, healthcare providers must follow a step-by-step process to get patient consent and prevent unauthorized access. But due to the increasing demand, they couldn’t possibly handle these requests all at once, which could compromise data privacy and risk the security of sensitive patient information.
Timeline and Prioritization of the Proposed Rule
The Notice of Proposed Rulemaking may have been issued back in January 2021, but the final action on the proposed rule occurred last March 2023. To comply with the new requirements, healthcare providers and professionals must take important steps to start the transition. The advance notice gives them considerable time to assess and develop their current processes according to the proposed rule change.
Whenever the final rule is published, covered entities will have 240 days after the publication before the start of the implementation. However, it’s crucial to start preparing as early as now to know how to address the challenges once the final rule takes effect.
Here are five steps to prepare for this new rule:
1. Review the proposed changes
Start familiarizing yourself with the HIPAA privacy policies and identify the gaps in your current processes. Assign a privacy officer who will take charge of the HIPAA implementation. Your assigned staff members will be responsible for making necessary changes to the policies and procedures based on the final rule.
2. Prepare to implement the new Notices of Privacy Practices (NPPs)
According to the proposed HIPAA rule, there will be a revised NPP header regarding how individuals can access their medical records. Covered entities must know how to implement these changes, especially when working with third parties.
3. Identify what process changes need to occur
The final rule would reduce the allotted time (from 30 to 15 days) for covered entities to respond to individual PHI requests. Moreover, providers will need to provide patients and authorized individuals with faster access to their medical records.
4. Begin planning on how you will charge fees
As early as now, covered entities should review the amended charges in the proposed rule. Providers must post fee schedules on their websites and provide fee estimates for individuals requesting copies of their PHI.
5. Assign someone to monitor final rule developments
HHS may post final changes to the proposed rule at any time. Covered entities must regularly check the OMB’s regulatory agenda to see any changes. Make sure to subscribe to regulatory updates from HHS to get notified once the rule becomes final.
Challenges Ahead After This Proposed HIPAA Rule Change
One of the biggest challenges of this proposed HIPAA privacy rule change is the staggering operational and financial burden on healthcare providers and hospitals. Lack of funds and resources may also force hospitals to cut their budget for patient care services to focus on meeting the new requirements.
On top of that, hospitals will also need to hire more staff to deal with the overwhelming medical record requests. As a result, healthcare providers will face significant losses due to HIPAA rule changes. Hospitals will need to process and pay for tons of record requests. Moreover, the increased workload could lead to burnout among healthcare professionals, affecting the overall quality of patient care. Ultimately, this will lead to hospital closures and limited access to health care services.