By: Linda Harvey, MS, RDH
Note to reader: This blog is excerpted from an article originally published on DentistryIQ.
In case you didn’t know, there are a number of HIPAA updates on the way. That’s because patient rights, data security and digital transformations are mutating just as quickly as the COVID variants.
Interoperability & Open Notes
As the pandemic continues, reduce the risk of non-compliance by staying on top of these two regulatory updates that coincide with HIPAA:
Interoperability and digital transformations
Interoperability will be critical to the future of integrated healthcare, allowing patient data to flow freely and securely between payers, providers and patients. Most medical providers have already implemented this.
In addition, it may be time for you to seriously consider implementing and integrating a compatible tele-dental solution or patient portal to keep up with changing regulations and patient expectations.
Open Clinical Notes and Dental Practices
On December 13, 2016, President Obama signed the 21st Century Cures Act that ensures patients have unrestricted access to their electronic health information, in a format that is “easy to understand, secure and automatically updated.”
Under the Cures Act, it's now up to you to share eight defined categories of clinical notes and not block electronic health information between health systems, apps and devices.
The deadline for healthcare provider and healthcare system compliance was April 5, 2021. It’s also important to note that by the end of 2022, you should also be able to share your notes with the patient’s third-party application or app.
Not ready for open notes yet? The law has eight different exemptions. These changes also intersect with HIPAA compliance and patient access rights.
Privacy and patient rights
The United States Department of Health and Human Services (HHS) has planned extensive updates to the HIPAA privacy rule, expected to be released this year, all of which support the patient’s enhanced right to access their Protected Health Information (PHI).
Updates to the HIPAA Privacy Rule and Patient Rights
At a high level, here are five components of the HIPAA update that we can expect:
- Strengthening the right of individuals to personally inspect their PHI, including allowing individuals to take notes or use other personal resources to view and record images of their PHI.
- Shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days), with the possibility of an extension of no more than 15 calendar days (from the current 30-day extension). But beware, your state law may be stricter.
- Specifying when electronic PHI (ePHI) must be provided to the individual free of charge. For example, covered entities are not allowed to charge patients when they consult their file in person or via the internet.
- Clarifying the form and format required for responding to an individual's request for their PHI. For example, providing a digital copy of X-rays and CT scans rather than a paper copy.
- Requiring covered entities to post estimated benefit schedules on their websites for access to records, and to provide individualized fee estimates for requests for copies of PHI and itemized bills for completed requests upon request.
As a result of these proposed changes, you must update the content of your Notice of Privacy Practices (NPP) to include all proposed changes. Also keep in mind that your NPP cannot just be buried in your online patient registration forms, but must also be easily found and visible on your website.
How to Prepare for HIPAA Updates
With all the HIPAA regulatory updates expected for 2022, you may be feeling overwhelmed and wondering, “Where do I start?”
5 Ways to Prepare for the HIPAA Changes
Position yourself for the rapidly changing landscape of HIPAA and patient rights by taking these five areas to the next level:
- Look for reliable, accurate regulatory information. It may be wise to consult a qualified healthcare consultant or attorney, as well as your software vendor.
- Remember that your policies and procedures should reflect your office processes and also meet the specific requirements of a particular regulation.
- Just checking a box for free compliance training doesn't fulfill all of your legal obligations. You need an active effort that includes ongoing compliance tasks, not a one-and-done yearly training.
- Conduct a credible security risk assessment (SRA). Your IT partner can help you collect some of the technology data; however, it could be considered a conflict of interest if they do the full review. In addition, they are unable to assess your entire practice against the administrative requirements of the Security Rule.
- Schedule time in your calendar. Similar to blocking time for patient emergencies, block time, even short periods of time, to work on compliance. Ultimately, you are legally responsible for the privacy and security of your patient data.
Need help getting started? HealthIT.gov, in partnership with the Office of Civil Rights (OCR), offers a free review tool.
Reduce your risk of non-compliance penalties by proactively positioning your team and practice for all new and pending regulatory standards.
About the author: Linda Harvey, MS, RDH, is a nationally recognized expert in dental risk management and regulatory compliance. She is the founder and president of the Institute of Dental Compliance which provides online train-the-trainer education and certification for HIPAA and OSHA regulatory compliance and dental risk management and the Linda Harvey Group which specializes in on-site HIPAA and OSHA regulatory and dental risk management coaching for dental practices. Contact Linda at Linda@LindaHarvey.net.