Over many years, the heads of the US DHHS have indicated that patient access of information is a key priority in order to improve the health of the nation. Patient rights under HIPAA have been expanded to include several rights of access, and detailed guidance has been issued on the access of records.  And more than a dozen of the most recent HIPAA enforcement actions were against entities that did not provide patient access to records properly. HHS is now using HIPAA Individual Access Rights to effectively implement new rules on prohibitions to Data Blocking. Over many years, the heads of the US DHHS have indicated that patient access of information is a key priority in order to improve the health of the nation.  Patient rights under HIPAA have been expanded to include several rights of access, and detailed guidance has been issued on the access of records. And more than a dozen of the most recent HIPAA enforcement actions were against entities that did not provide patient access to records properly.  HHS is now using HIPAA Individual Access Rights to effectively implement new rules on prohibitions to Data Blocking.

The rules having to do with patient access to records need to be reflected in every healthcare-related organization’s policies and procedures.  The guidance provides clear and detailed information on how to provide access, what can be charged for in fees, and what the individual’s rights are when it comes to access to information. The rallying cry for easy patient access and transfer of information increases daily and is no longer escapable.

At the same time, a recent Federal court decision has changed some of the aspects of the individual access rules pertaining to transmitting records to third parties at the request of the individual.  Additionally, HHS has issued guidance when HIPAA Business Associates are involved, regarding the responsibility for the timing, and form, and format of replies to requests for access, and the responsibilities for compliance with the fee requirements.  To top it off, individual access rules may be modified under the proposed HIPAA rule changes, reducing the time to provide requested information, and making access easier for individuals.

The COVID-19 Emergency has created new demands on communications and has made clear the need to provide services remotely to the extent possible.  Providers need to communicate more, between themselves and with their patients, and the time to implementation of new services to meet these needs is almost zero, leaving no room for the usual processes of approval and adoption that health care is used to.  In order to facilitate the delivery of services and necessary communications during the emergency, the US Department of Health and Human Services has issued guidance relaxing some HIPAA requirements pertaining to teleconferencing tools and reiterating HIPAA allowances for communication with family and friends of patients.

Social distancing to help prevent the spread of the novel coronavirus is effective, but patient care has typically required a face-to-face encounter, which can cause the spread of the virus as infected individuals travel to and from appointments.  It is essential to be able to provide telemedicine services in order to reach most individuals without risking more harm.  HHS has announced the relaxation of enforcement pertaining to the use of teleconferencing technologies to provide remote medical services, allowing the use of such services to expand quickly, but limits on "public-facing" conferencing technologies remain. Providers need to adopt the necessary technologies without fear of HIPAA violation enforcement actions during the COVID-19 Emergency and must understand the limits of what is permitted in order to best serve patients and their families.

HHS has also issued guidance to remind healthcare providers of the allowances for communications with family and friends, with disaster relief organizations, and to prevent a serious and imminent threat to the health or safety of individuals or the public.

This session will discuss the issues surrounding the use of various communication technologies under HIPAA controls, and the recent guidance and declarations from HHS about HIPAA, and the response to COVID-19, including a discussion of Business Associate responsibilities for compliance under new guidance from HHS.

HIPAA has seen a lot of activity recently, from a new push to provide individual access to records, new limits on those rules from the courts, new enforcement actions pertaining to access, and new regulations to complement the HIPAA rules for access.  Business Associate responsibilities for compliance have been better defined, and requirements for establishment of those relationships has been relaxed in some cases for the COVID-19 emergency, but relaxations end when the emergency ends.  Emergency circumstances have permitted numerous communications not normally conducted in order to most effectively provide services during the pandemic.  And now new changes to HIPAA have been proposed, to ease access by individuals and sharing of Protected Health Information where appropriate, and try to relieve some of the administrative burdens of the rules.  These proposed changes may go into effect in 2021.

This session will look at the current state of HIPAA and identify recent guidance and court decisions affecting HIPAA, as well as expected changes in the rules in the coming year, and the focus and results of various HIPAA enforcement actions.