Explosive growth in digital health over the last few years means there are many developers and managers who haven’t worked under HIPAA before. This guide is written for startups (and small businesses operating online) who could use some help with the basics of HIPAA compliance.
(a) Requests for an exception. An organization may request an exception from the use of a standard from the Secretary to test a proposed modification to that standard. For each proposed modification, the organization must meet the following requirements:
(1) Comparison to a current standard. Provide a detailed explanation, no more than 10 pages in length, of how the proposed modification would be a significant improvement to the current standard in terms of the following principles:
(i) Improve the efficiency and effectiveness of the health care system by leading to cost reductions for, or improvements in benefits from, electronic health care transactions.
(ii) Meet the needs of the health data standards user community, particularly health care providers, health plans, and health care clearinghouses.
(iii) Be uniform and consistent with the other standards adopted under this part and, as appropriate, with other private and public sector health data standards.
(iv) Have low additional development and implementation costs relative to the benefits of using the standard.
(v) Be supported by an ANSI- accredited SSO or other private or public organization that would maintain the standard over time.
(vi) Have timely development, testing, implementation, and updating procedures to achieve administrative simplification benefits faster.
(vii) Be technologically independent of the computer platforms and transmission protocols used in electronic health transactions, unless they are explicitly part of the standard.
(viii) Be precise, unambiguous, and as simple as possible.
(ix) Result in minimum data collection and paperwork burdens on users.
(x) Incorporate flexibility to adapt more easily to changes in the health care infrastructure (such as new services, organizations, and provider types) and information technology.
(2) Specifications for the proposed modification. Provide specifications for the proposed modification, including any additional system requirements.
(3) Testing of the proposed modification. Provide an explanation, no more than 5 pages in length, of how the organization intends to test the standard, including the number and types of health plans and health care providers expected to be involved in the test, geographical areas, and beginning and ending dates of the test.
(4) Trading partner concurrences. Provide written concurrences from trading partners who would agree to participate in the test.
(b) Basis for granting an exception. The Secretary may grant an initial exception, for a period not to exceed 3 years, based on, but not limited to, the following criteria:
(1) An assessment of whether the proposed modification demonstrates a significant improvement to the current standard.
(2) The extent and length of time of the exception.
(3) Consultations with DSMOs.
(c) Secretary's decision on exception. The Secretary makes a decision and notifies the organization requesting the exception whether the request is granted or denied.
(1) Exception granted. If the Secretary grants an exception, the notification includes the following information:
(i) The length of time for which the exception applies.
(ii) The trading partners and geographical areas the Secretary approves for testing.
(iii) Any other conditions for approving the exception.
(2) Exception denied. If the Secretary does not grant an exception, the notification explains the reasons the Secretary considers the proposed modification would not be a significant improvement to the current standard and any other rationale for the denial.
(d) Organization's report on test results. Within 90 days after the test is completed, an organization that receives an exception must submit a report on the results of the test, including a cost-benefit analysis, to a location specified by the Secretary by notice in the FEDERAL REGISTER.
(e) Extension allowed. If the report submitted in accordance with paragraph (d) of this section recommends a modification to the standard, the Secretary, on request, may grant an extension to the period granted for the exception.