HIPAA UPDATE – Final Rule Finally Released

There are a number of major changes to HIPAA.

Among the changes:

Public Reporting and Reporting to protect Patients

Reporting to public health registries and reporting incidents of Child Abuse is now more clearly defined as an allowed disclosure without patient consent.  

There are prohibitions against providing patient information that can be used to prosecute a patient related to their health care.

There is a specific exclusion for reporting reproductive health information to public health authorities.

the Privacy Rule permission to use or disclose PHI without an individual's authorization for the reporting of disease or injury, birth, or death would not permit the use or disclosure of PHI for a criminal, civil, or administrative investigation into or proceeding against a person in connection with seeking, obtaining, providing, or facilitating reproductive health care.

Basically, this means that disclosures to authorities that could be used against the patient are not allowed.

Substance Use Disorders

Organizations that provide ‘Part 2’ care – that is treatment for substance use disorders (SUD) can now obtain a single consent that relates to HIPAA releases and releases of information related to SUD.  This eases the burden for those practices.

Changes to the Notice of Privacy Practices

The Notice of Privacy Practices must be modified to reflect the changes in reporting and clearly inform the patients as to when the practice may share information with Public Health Authorities and when the practice may not share information with Public Health Authorities, as well as updated to reflect the new rules that relate to the treatment of SUD.

What does this mean for your practice?

The changes are significant if your medical records contain information related to SUD or Reproductive Health.

The changes are significant for all practices when it comes to Public Health Reporting for all other health conditions.

Your practice will need to update the Notice of Privacy Practices prior to June of 2025 when provisions of this final rule become effective.

Clients of TLD Systems will see an updated Notice of Privacy Practices available in their account.

It is also recommended that all Business Associate Agreements be modified to reflect the responsibilities of Business Associates under the changes in the rule.