Are You Hip to the New Changes to the HIPAA Privacy Rule?
Trivia Question for you, True or False: HIPAA and its related acts and provisions never change. Once written, they are carved in stone and set in a glass case in the National Archives. Right? (It is my sincere hope that as you read this blog, you, of course, said emphatically, "FALSE!". If you said Truth—lease get in touch with Mayer Law right away!).
So, yes. In fact, HIPAA and most laws—federal and state—change over time; some are even repealed. While we don't foresee HIPAA being repealed (if ever), we know it can and does get amended over time. Well, now is one of those times that HIPAA has been, once again, amended: the rules regarding the time limits required to comply with a client's request for records have been updated.
Now, hold on; before you panic, please keep reading! Let's talk about what's changing; if you want to touch base with us after reading, we welcome you to do so! As a refresher, let's start with what the current law is.
A covered entity, as a reminder, is any person or organization that must follow HIPAA regulations; thus, mental health practitioners and practices are "covered entities."
Under current HIPAA Privacy Rules (as of 11/2022), patients who request their Protected Health Information (PHI) from covered entities are required, by federal law, to receive access to their medical records within 30 calendar days, with the first day being the day the covered entity receives the request for access from said patient (Office for Civil Rights, 2016). If a covered entity cannot grant access to a patient's PHI within those 30 days, a written statement explaining the reason for the delay must be provided, and 30 additional days can be granted for action (OCR, 2016). This is the federal rule.
However, Maryland currently mandates that providers disclose a patient's PHI within a period of no more than 21 working days, 9 days less than the federal mandate (Maryland Department of Health, n.d.). As Maryland's law is more restrictive than the federal rule, Maryland's law was the one that practitioners and practices in Maryland were obligated to comply with—o 21 days, rather than the 30, provided for under federal law.
So, the Office of Civil Rights (OCR) has decided to change the federally required period to provide clients access to their records; they have now proposed updates to the HIPAA Privacy Rule regarding this time period requirement.
So, here is the change: As of November 2022, the new HIPAA updates have since been finalized by the OCR, reducing the maximum time for a provider to allow a patient access to their PHI from 30 days to 15 days. The goal is to strengthen patients' access to their PHI (2016).
An extension can still be made as long as providers provide their patient with a written reason for the delay; however, the time frame for this extension will also be shortened from an additional 30 days to 15 days, giving providers a total of 30 days to provide access to requested records, including extension (OCR, 2016; HIPAA Journal, 2022). Patients will be able to access this information in person and take notes and/or photographs of this medical information.
The reality in 2022 for mental health practices, though, is that you will likely continue to provide these records to clients electronically. But, a client could theoretically ask for a paper copy, and you must comply.
It is important to note that this update now will supersede Maryland's rule of 21 days, as 15 days is less. As a practice, and/or practitioner in Maryland, therefore, you will be required to abide by the 15 day timeframe for providing patients with their requested medical records. Thus, in our opinion, the federal rule applies again.
One thing to note, though: Practitioners and practices should know that they will not immediately need to implement this change. Although the sooner you can do so, the better! In the past, covered entities were given a year to make system adjustments to their policies and procedures, while small health plans were given two years.
The OCR will allow a similar timeframe to make necessary adjustments, which are dated as such:
Covered entities will have until approximately November 2023
Small health plans will have until approximately November 2024
Providers should consider the following additional steps they will need to take:
Updates will be required to policies and procedures. It will be important for you to ensure that you have efficient procedures for providing clients with their records. For most, this likely is already the case.
Retraining employees and staff as needed. It will be important for your staff to know that this new change is a federal requirement, so 15 days will now be the mandatory time to provide clients with a copy of their records. As a reminder, while all staff should know of this change and the time required, you should be diligent about who has access and authority to release records. You should absolutely be using a records release form that clients must sign.
Prioritization of clients' requests and ensuring that urgent requests are reviewed and granted in a timely fashion, when applicable. Sometimes, a client is involved in an outside legal matter, such as custody, divorce, or civil lawsuit. If you get notice of an attorney needing a copy of client records or your client asks for records because of such a situation, contact Mayer Law immediately so we can determine what needs to happen.
Designation of a private location for patients to review, inspect, and photograph their PHI privately. This safeguard ensures that patients "are not taking photographs of PHI that they are not authorized to copy" (HIPAA Journal, 2022). Note that for most practices, this will still not be a major issue, as most times, your client's file may likely be transmitted to the client electronically. This shouldn't be a huge concern for practices. If it is, contact us to discuss.
So, now that you have been apprised of this impending change, the next steps are on you. It is time to go back and review your policies and procedures and update the training of your staff and employees. While you have time to implement this change, why wait? The sooner you and your team get in the habit of complying with the new regulations, the less disruption you will have when the time requirements become imminently mandated.
For more information, other legal considerations regarding these changes, or if you should need assistance with anything else related to your Practice, we welcome you to contact us at (443) 595-M-Law or by email at contact_us@danielmayerlaw.com.
-
HIPAA Journal. (2022, January 10). HIPAA Updates and HIPAA Changes in 2022. HIPAA Journal. Retrieved November 28, 2022, from https://www.hipaajournal.com/hipaa-updates-hipaa-changes/
Maryland Department of Health (n.d.). Maryland Department of Health, Board of Podiatric Medical Examiners. Maryland.gov. Retrieved November 28, 2022, from https://health.maryland.gov/mbpme/Pages/records.aspx
(OCR), O. for C. R. (2016, June 24). 2050-how timely must a covered entity be in responding to individuals' requests for access to their phi? HHS.gov. Retrieved November 28, 2022, from https://www.hhs.gov/hipaa/for-professionals/faq/2050/how-timely-must-a-covered-entity-be/index.html
DISCLAIMER:
This article is legal information and is not provided as a source for legal advice. It is made available by Mayer Law, LLC for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By reading this blog, you understand that no attorney-client relationship is established between you and Mayer Law, LLC. This blog should not be used as a substitute for competent legal advice; you should consult with an attorney before relying on this information.