HIPAA Compliance in 2021

It’s been the bulk of a decade since there have been any changes made to HIPAA regulations. In fact, it was in 2013 that the Act was last amended, by the addition of regulations relating to Information Technology and its role in clinical health. However, 2021 seems set to see substantive change. With 2020 having been both a pandemic and election year, a new administration in Washington may be minded to acknowledge a new healthcare reality.

As the Office for Civil Rights prepares to announce which of the proposed changes are to be taken forward, after a consultation which ended in May of this year, speculation persists as to what might change. One of the most prominent potential change surrounds the possible changes to use of Substance Abuse Data (SUD) where it may have relevance to a patient’s ongoing treatment. This, among other potential new regulations, will be the focus of much discussion both in advance of, and in the aftermath of, any announcement from the OCR.

How Would the Proposed Changes Affect Patients with a History of Substance Use?

The right to privacy for a patient has until now meant that sensitive information with relevance to historic substance use has been hidden from the majority of health professionals. However, as a means of seeking to deal with the opioid crisis, proposed changes to HIPAA compliance would mean that doctors could refer to SUD records before prescribing pain medication to a patient with an injury or in the aftermath of surgery. A recovering addict being prescribed opioid-based painkillers could find their recovery destroyed. This amendment has itself been amended – if passed, the privacy of SUD would still be protected from access by law enforcement and use in criminal proceedings.

Expansion of Patients’ Rights to Access Their Own Information

Under another proposed rule change, patients could soon be able to access their own Protected Health Information (PHI) with a great deal less delay and with minimized restrictions. Covered entities – such as healthcare providers in this case – would be required to post a schedule of fees on their website with relation to patient access, and on request would be required to make any such information accessible within the minimum possible delay, but within 15 days at the longest. A further 15-day extension would be allowable in certain circumstances, but these periods of delay have come down from 30 days to 15 in both cases.

Further Disclosures Possible in Cases of Health Emergency

Under the same changes that may allow wider access to SUD, the definition of circumstances under which covered entities would be allowed or required to release private health information would be expanded. Where HIPAA presently states that disclosure may be made if its release is deemed an “exercise of professional judgment”, it will be changed to state that there was a “good faith belief” that disclosure is in the best interest of a patient, particularly where there may be a “serious and reasonable threat”. This would apply in cases of substance use disorder, mental health issues and other clear health emergencies.