The Health Insurance Portability and Accountability Act, better known as HIPAA, has been with us for more than a quarter century now. Enacted in 1996, HIPAA’s original intent was to increase the number of Americans with health coverage and to make health care delivery more efficient.
Much of that original intent, of course, was supplanted or supplemented by the Affordable Care Act (ACA) in 2010. HIPAA remains in effect, however, with a focus on security and privacy. Any organization dealing with medical information is well familiar with HIPAA’s compliance requirements, and on that front, changes are on the way.
Given the current cybersecurity climate, the coming changes are probably a bit overdue. The last major update to HIPAA rules was in 2013 as part of the HIPAA Omnibus Rule. This next set of changes was first proposed in late 2020, with a final rule expected to be published sometime this year. Here’s what to expect:
One significant change involves substance abuse disorder (SUD) and mental health information. Records related to these have understandably been treated with high confidentiality, but stakeholder groups have argued the importance of viewing a patient’s complete medical history, especially in light of the current opioid crisis. In one obvious example, the knowledge of a patient’s history of substance abuse would likely prevent a doctor from prescribing opioids. The CARES Act passed during the pandemic addressed this issue to some degree while still providing privacy protection for SUD patients in civil or criminal proceedings.
Another change came in 2021 with the HIPAA Safe Harbor Law. This instructed Health and Human Services (HHS) to take into account an organization’s cybersecurity best practices for the 12 months preceding a data breach. Despite its name, it does not protect organizations completely from enforcement actions or fines, but does dictate that HHS decrease the extent and length of any audits in response to a breach if the organization implemented recognized security practices.
The following items are among a much longer list of HIPAA rule changes proposed in December 2020, and most if not all are expected to be incorporated in the 2023 release:
- Patients will be allowed to inspect their protected health information (PHI) in person and to take notes or photographs.
- The maximum time to provide access to PHI will be reduced from 30 to 15 days.
- HIPAA entities providing PHI access and disclosures will be required to post estimated fee schedules on their websites.
- The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy Practices has been provided will be eliminated.
- Covered entities will be allowed to disclose PHI to avert a threat to health or safety under certain circumstances.
While many of the proposed changes are designed to ease the administrative burdens of compliance and to make information flow more freely, they will require updates to HIPAA-related policies and procedures and, in all likelihood, additional training for employees. The definition of “electronic health record” has also been expanded to include billing records, which are typically housed in a different system than PHI, posing another challenge for providers.
Note also that enforcement of HIPAA violations by the Office for Civil Rights (OCR) has stepped up somewhat in recent years. 2022 marked a new high in the number of penalties, with an average amount of nearly $100,000, so organizations should make every effort to prepare for the coming changes and to remain in compliance.
Questions about HIPAA compliance or the coming rule changes? Contact Hill Tech Solutions