Last year marked 25 years since the Health Insurance Portability and Accountability Act (HIPAA) was established, and this year HIPAA may be undergoing changes related to patient access to protected health information (PHI).
In a recent webinar, Lynne Rinehimer, Esq., GRC Solution Engineer for symplr’s Compliance solution, discussed the changes, as well as other recent HIPAA-related developments, and provided alarming statistics related to data breaches.
Eye-opening HIPAA statistics
Currently, there are hundreds of covered entities on the Department of Health & Services’ Office for Civil Rights (OCR) so-called “wall of shame,” which lists data breaches over a period of 24 months that are under investigation by the OCR.
According to HIPAA Journal, 712 healthcare data breaches (an average of 59 per month) were reported in 2021, affecting 45.7 million individuals. That marked the largest number of data breaches since 2015. Some 82% of the breaches in December alone of last year were hacking or other IT incidents, and the largest healthcare data breach settlement of 2021 involved a $5.1 million penalty and a corrective action plan. In this breach, hackers installed malware and conducted reconnaissance activities that went undetected for 16 months—and which affected more than 9.3 million individuals.
Separately, the HIPAA Right of Access enforcement initiative was launched in fall 2019 in response to a significant number of complaints from patients who had not been provided with timely access to their medical records. Statistics related to individuals’ right to access their health information include the following:
- There were 25 enforcement actions as of December 2021
- In 2021 alone, there were 12 Right of Access violations with fines levied on healthcare organizations ranging from $5,000 to $200,000, depending on the organization’s size and the severity of the violation
Proposed HIPAA Privacy Rule changes
The proposed changes to the HIPAA Privacy Rule aim to eliminate barriers to care coordination and value-based care, reduce burden on providers, and expand the ability for patients to access their medical information. Following the OCR’s December 2020 issuance of the Notice of Proposed Rulemaking (NPRM), the NPRM was published in the Federal Register in January 2021, and the first deadline for comment submission (March 22, 2021) was extended to May 6, 2021.
There are a significant number of proposed changes to the HIPAA Privacy Rule. For example, covered entities:
- Will be required to post estimated fees on their websites for access and disclosures to PHI with a patient’s authorization
- Must provide, on request, individualized estimates of the fees for a patient’s request of a copy of their PHI. Itemized bills must be issued for completed requests
- Must respond to record requests from other providers and health plans when patients direct those entities to do so
- Can waive fees in certain situations such as emergencies or instances of financial hardship
- Must provide a designated area for patients to inspect their PHI. Patients will be allowed to inspect their PHI in person and take notes, photos, or videos
- Must respond to a patient’s request to receive PHI within 15 days (shortened from 30 days)
- Must provide a pathway for patients to direct the sharing of their PHI (housed in the electronic health record) among covered entities
The proposed changes allow covered entities to continue to require that patients request access to PHI in writing, but they cannot do so in a way that impedes access. For example, the changes will prohibit:
- Unreasonable identity verification requirements for patients attempting to access their PHI
- Imposing other unreasonable measures on a patient exercising the right to access their data
The Notice of Proposed Rulemaking includes new and revised definitions as part of the proposed HIPAA Privacy Rule changes. It defines electronic health records as “an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized healthcare clinicians and staff.”
Personal health application is “an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual and not by or primarily for a covered entity or another party such as the application developer.”
The NPRM modified the definition of healthcare operations to clarify that disclosure of PHI for patient-level care coordination and case management activities without patient authorization is an allowable disclosure.
Under the new Notice of Privacy Practice (NPP) rules, there will no longer be a requirement that covered entities obtain written confirmation that the NPP was provided to the patient. Exceptions were made to the minimum necessary standard for patient-level care coordination and case management uses and disclosures. The new good faith standard now replaces “exercise of professional judgment” with “good faith belief” with regard to the use or disclosure of PHI being in the patient’s best interest.
There is a new standard that allows covered entities to disclose PHI to avert a threat to health or safety when that harm is “seriously and reasonably foreseeable.” This applies to cases when the patient is a harm to themselves or others. The current standard is “serious and imminent.”
The new proposed changes permit disclosure of patient-level PHI for care coordination and case management to social service agencies, community-based organizations, home community-based service providers, and similar third parties that provide health-related services.
How to respond to proposed HIPAA changes
Covered entities can begin now to make changes to their current environment to respond to the proposed HIPAA requirements and guidelines. Further, they should be prepared to review and update their current policies, procedures, and NPPs. As noted, under the proposed modifications, a covered entity would be required to designate a specific area where patients can review their PHI in person, which may require resourcing additional physical space.
In addition, covered entities should review and compare newly revised HIPAA requirements with individual state laws and audit Business Associate Agreement (BAA) language. Staff should be trained on the new requirements, policies, and procedures. And once the Privacy Rule modifications are finalized, covered entities should conduct a risk assessment of the new requirements.
HIPAA Safe Harbor Act
The HIPAA Safe Harbor Act was signed into law on January 5, 2021. The new act amends the HITECH Act and requires the Department of Health and Human Services (HHS) to incentivize cybersecurity best practices for covered entities and business associates. When investigating a data breach and taking enforcement actions, the new act directs HHS to consider whether covered entities and business associates used industry standard security practices over the prior 12 months. HHS is required to decrease the length and extent of any audits in response to a breach if security best practices have been implemented.
Covered entities would need to perform an annual security risk analysis and address identified weaknesses. Under the HIPAA Safe Harbor Act, every organization must have its security risk analysis and accompanying mitigation efforts documented. If the organization follows the “recognized cybersecurity practices,” fines and penalties may be reduced should a data breach occur.
OCR guidance on HIPAA, COVID-19 vaccination, and the workplace
On September 30, 2021, OCR issued guidance on HIPAA in relation to COVID-19 vaccinations and the workplace. This guidance clarifies that the Privacy Rule applies to covered entities and business associates only in their roles as providers/payers, not as employers. The Privacy Rule does not prohibit providers or health plans from asking patients whether they have received a particular vaccination, including the COVID-19 vaccine, nor does it apply to employment records held by covered entities and business associates in their capacity as employers.
The guidance also establishes that documentation or other confirmation of vaccination must be kept confidential and stored separately from the employee’s personnel files.
Additionally, the guidance establishes that a covered provider is permitted to disclose PHI related to an individual’s vaccination status to their employer for purposes of surveillance of the spread of COVID-19 in the workforce only if certain conditions are met:
- Healthcare services were provided to the employee at the request of the employer or as a member of its workforce
- The PHI disclosed consists of findings concerning work-related illness or workplace-related medical surveillance
- The employer is required to have the information to comply with legal obligations under Occupational Safety and Health Administration, Mine Safety and Health Administration, or state law
- There is written notice that PHI-related to the work-related illness and medical surveillance of the workplace will be disclosed to the employer
HIPAA and extreme risk protection orders
On December 20, 2021, HSS issued guidance on HIPAA and disclosures of PHI for extreme risk protection orders (ERPO). The guidance establishes that in certain circumstances, a covered provider is permitted to disclose PHI about a patient without the patient’s authorization to support an application for an ERPO against the patient. Some of these circumstances include when the disclosure is required by law; when the disclosure is in response to a court order or administrative tribunal, subpoena, discovery request, or other lawful process; or when the disclosure is necessary to prevent or decrease a serious and imminent threat to the health or safety of another person or the general public.
H2>Improving the cybersecurity posture of healthcare in 2022
In a recent blog post, Lisa Pino, Director of the OCR, recommends that HIPAA-regulated entities strengthen their cybersecurity measures in 2022. Some best practices include:
- Maintaining offline, encrypted backups of data and regularly testing these backups
- Conducting routine scans to identify vulnerabilities, especially those on internet-facing devices
- Having regular updates of software and operating systems
- Training employees on phishing and other common IT attacks
symplr can help covered entities with their HIPAA compliance by providing:
- Issue and action management
- Incident management
- Risk assessment management
- Survey manager
- Compliance hotline integration
- Document and policy management
- Implementation, service, and support
Ensure that your healthcare organization can confidently manage risk and drive healthcare compliance by contacting symplr today.
Access our free, on-demand webinar: HIPAA Privacy – Looking Back and Planning Ahead.