The Department of Health and Human Services (HHS) proposed changes to the HIPAA Privacy Rule in a Notice of Proposed Rulemaking released in January 2021, leaving it open to public comment until May 6, 2021. One of the proposed changes is set to modify the right of access standard, requiring providers to release a patient’s health records to personal health applications upon the patient’s request. Healthcare groups have objected to this change.
Why Did the HHS Propose HIPAA Privacy Rule Change?
In its notice, the HHS provided the reasoning behind the proposed change, “More and more individuals use personal health applications to access and manage their personal health information, and in this proposed rule, the Department proposes to revise the right of access to clarify that it includes the right of an individual to access electronic copies of the individual’s Protected Health Information (PHI) and that one of the mechanisms by which an access request can be fulfilled is by transmitting an electronic copy of an individual’s PHI to a personal health application used by the individual.”
Should the change be approved, there will also be a change to the HIPAA Rules to define personal health application (PHA) as ‘‘an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application Developer.’’ Read the full Notice here.
Why Do Healthcare Groups Oppose This Modification?
Although requiring providers to release a patient’s information to a PHA is convenient for the patient, it poses a risk to the privacy and security of the information, which healthcare providers and advocacy organizations have pointed out. Under HIPAA, PHAs are not considered either covered entities or business associates and are not regulated by HIPAA. Under the proposed changes to the HIPAA Privacy Rule, PHAs would still be unregulated.
By requiring providers to share a patient’s protected health information with unregulated PHAs, there would be nothing stopping them from sharing information with third parties, risking patient privacy. Additionally, the unregulated PHAs may lack sufficient security controls, leaving them vulnerable to hacking incidents. Lastly, the PHAs would not have to sign a business associate agreement (BAA). Without a BAA, PHAs could sell patient PHI for marketing or advertising purposes. The American Hospital Association has stated, “Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records.”
Will the Proposed HIPAA Privacy Rule Changes be Enacted?
Currently, the HHS is in the process of reviewing the 1,200 comments that were submitted by the public. Once the comments have been reviewed, the HHS will decide whether to finalize, either part or entirety, the proposed rule. They may also choose to reopen the proposed changes to furthering commenting, should they deem it necessary.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance, with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!