By: Linda Harvey, MS, RDH
Note to Reader: This blog is an excerpt of an article originally published on DentistryIQ.
In case you weren’t aware, there are a number of HIPAA updates on the horizon. That’s because patient rights, data security, and digital transformations are mutating as quickly as the COVID variants.
Interoperability & Open Notes
As the pandemic continues, reduce your risk of non-compliance by staying abreast of these two regulatory updates that intersect with HIPAA:
Interoperability and Digital Transformations
Interoperability will be pivotal to the future of integrated healthcare in order for patient data to flow freely and securely between payers, providers, and patients. Most medical providers have already implemented this.
What’s more, it may be time for you to seriously consider implementing and integrating a compatible tele-dentistry solution or patient portal in order to keep up with changing regulations and patient expectations.
Open Clinical Notes and Dental Practices
On December 13, 2016, President Obama signed the 21st Century Cures Act, which ensures that patients have unrestrained access to their electronic health information, in a format that is “easy to understand, secure, and updated automatically.”
Under the Cures Act, it will now be up to you to have the capability to share eight defined categories of clinical notes and to not block electronic health information between health systems, apps, and devices.
The deadline for compliance by providers and health systems was April 5, 2021. It’s also important to note that by the end of 2022, you must also be able to share your notes with the patient’s third-party application or app.
Not yet ready for open notes? The Act does allow for eight different exemptions. These changes also intersect with HIPAA compliance and patient rights to access.
Privacy & Patient Rights
The U.S. Department of Health and Human Services (HHS) has extensive updates planned for the HIPAA Privacy Rule with expected release this year, all of which support the enhanced right of the patient to access their protected health information (PHI).
Updates to the HIPAA Privacy Rule and Patient Rights
At a high level, here are five components of the HIPAA update that we can expect to see:
- Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
- Shortening covered entities’ required response time to no later than fifteen calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension). But beware, your state law may be more stringent.
- Specifying when electronic PHI (ePHI) must be provided to the individual at no charge. For example, covered entities will not be allowed to charge patients when accessing their record in person or via the Internet.
- Clarifying the form and format required for responding to an individual’s request for their PHI. For example, providing a digital copy of X-rays and CT scans and not a paper copy.
- Requiring covered entities to post estimated fee schedules on their websites for access to records. And upon request, provide individualized estimates of fees for requests for copies of PHI, and itemized bills for completed requests.
As a result of these proposed changes, you will be required to modify the content of your Notice of Privacy Practices (NPP) to include all the proposed changes. Also take note: your NPP cannot simply be buried within your online patient registration forms; it must also be easily found and viewable on your website.
How to Prepare for HIPAA Updates
With all the HIPAA regulatory updates expected for 2022, you may feel overwhelmed wondering, “Where do I start?”
5 Ways to Prepare for the HIPAA Changes
Position yourself for the rapidly changing HIPAA and patient’s rights landscape by leveling up these five areas:
- Seek out reliable, accurate regulatory information. It might be wise to consult with a qualified consultant or healthcare attorney as well as your software vendor.
- Remember, your policies and procedures should reflect your office processes as well as fulfill the specific requirements of any given regulation.
- Merely checking a box for free compliance training does not fulfill all your regulatory obligations. You will need an active effort that includes ongoing compliance tasks, not a one-and-done annual training.
- Conduct a credible Security Risk Analysis (SRA). Your IT partner can assist you in gathering some of the technology data; however, it may be viewed as a conflict of interest if they conduct the full assessment. In addition, they are not able to assess your entire practice from the administrative requirements of the Security Rule.
- Budget time in your schedule. Similar to blocking out time for patient emergencies, block out time—even short windows of time—to work on compliance. Ultimately, you are legally responsible for the privacy and security of your patient data.
Need help getting started? HealthIT.gov in conjunction with the Office of Civil Rights (OCR) offers a free assessment tool.
Reduce your risk of penalties from non-compliance by proactively positioning your team and your practice for all the new and pending regulatory standards.
About the Author: Linda Harvey, MS, RDH, is a nationally recognized dental risk management and regulatory compliance expert. She is the founder and president of the Dental Compliance Institute, which provides online train-the-trainer education and certification for HIPAA and OSHA regulatory compliance and dental risk management, and the Linda Harvey Group, which specializes in on-site HIPAA and OSHA regulatory and dental risk management coaching for dental practices. Contact Linda at Linda@LindaHarvey.net.