OCR Warns of the Impact of HIPAA Changes on Electronic Health Records

The Department of Health and Human Services’ Office for Civil Rights is preparing for the largest update of HIPAA regulations since HIPAA’s introduction in 1996. The new changes are expected to have a major impact on electronic health records; how they are stored and who is allowed to access to them.

The DHHS has now sent its “Omnibus” Final Rule to the Office of Management and Budget for review, which should be completed over the course of the next three months. Once the review is complete it will be officially released and healthcare organizations will get the chance to see the extent of what has been referred to as the “HIPAA Mega Rule” due to the substantial changes being introduced.

At this week’s 20th National HIPAA Summit in Washington, D.C, Deputy Director for Health Information Privacy at OCR, Susan McAndrew, called the update “one big mother of a final regulation” and indicated there are extensive legislative changes on the way.

Once the new rule comes into force, the OCR is expected to start policing compliance more rigorously. According to OCR Director, Leon Rodriguez, “If the privacy and security of health information is not protected, it will change the way people use healthcare and affect outcomes.” The OCR is determined to make sure that doesn’t happen and will be rigorously policing the new privacy and security rules. Healthcare organizations will be held accountable for any failure to secure Protected Health Information.

There is likely to be an increased emphasis placed on electronic health records in the Omnibus Rule. While EHR’s are not being singled out as being the prime area of concern, the number of major HIPAA breaches involving EHRs over the course of the past 18 months has brought EHR’s to the forefront and IT data security is expected to be more strictly policed, especially now that only one in four data breaches involve paper records.

Susan McAndrew provided some insight at the conference about what the proposed legislative changes will include and what healthcare organizations can expect when the Omnibus Final Rule is released.

Business Associates are to be covered extensively in the Final Rule and agreements with all providers of services – especially those relating to EHRs – may have to be revised to incorporate greater data security controls.

Extensive changes are being introduced to limit the use of PHI for marketing purposes and the data that can be shared with third parties will be subject to stricter controls.

The final major change relates to patient data access rights. The Final Rule will make it easier for patients to obtain copies of their health records and they will be given greater controls over how their health information can be used.

While the Omnibus Rule will be officially released within the next 90 days, healthcare organizations will be given time to make the necessary changes before the Final Rule comes into effect and the OCR commences its compliance audits.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.