In this 17-minute podcast, Zack Perry, CEO of RRS Medical and president of the Association of Health Information Outsourcing Services (AHIOS), and Rita Bowen, AHIOS legislative and government affairs coordinator, touch on their concerns about these proposed rule changes to HIPAA. A summary of the podcast:

Shortened fulfillment timeline adds to provider costs

Under the new rules, healthcare providers would have 15 instead of 30 days to fulfill patient requests for health data, adding administrative burden particularly to smaller provider groups. “This burden could be more acutely felt in the outpatient side of healthcare rather than the inpatient side,” Perry says in the podcast. “They will bear the burden of the labor that goes into the request, the compliance training and having the security elements in place to protect that data.”

Loosening of standards for providing protected health information to family members could give them access to sensitive information.

As an example, the conditions are relaxed for sharing such things as opioid abuse or COVID-19 treatment.

Loosening of patient notification could keep them unaware

In some cases, no one would have to inform the patient of special rights to their information when it is shared. This could lead to a deterioration of the current guardrails around patient notification.

Expanding the concept of “verbal request” opens the door to fraud

“If someone is calling on the phone for PHI, how do you know they are who they say they are?” Bowen asks. “The new rules say you ‘may’ fulfill verbal requests, and that could be a dangerous crack in the door around privacy.” Bowen agrees that requests shouldn’t be burdensome, such as asking for notarization, but there has to be more clarity to the proposed rules to avoid fraud. Adds Perry, “We don’t want to release information to the wrong party or release more information than the patient wants to go to another party. A documented request provides us with a record to justify what we release. Without it, we’re put in a potentially awkward position.”

The new rules don’t align with the interoperability of data transfer

Interoperability, or the transfer of protected health information from one electronic system to another, seems to be undercut by the proposed rules, according to Bowen. She adds, “Let’s scratch these proposed rules and start over to make something more productive in today’s environment as to how we deliver medicine and care.”

IT areas of health systems could be under threat for breach of data

“We fear that the new rules might be interpreted to mandate an IT area to integrate APIs into their EHR system, which could be a huge security threat,” Perry says. “As the draft rules are written today, there are no guardrails on APIs.”

A broader definition of data requestors could open the door to either data breaches or overwhelming the system

The new rules aren’t specific enough to balance access and patient privacy without experiencing data or privacy breaches, Perry and Bowen say. “The new proposed rules will decentralize the data request process,” Perry says. “This will increase the number of data requestors. Some healthcare practices will have staff without training trying to fulfill the requests. This could lead to inadvertent data breaches, even from well-intentioned people. This comes from how the new rules relax the burden of identity verification.”