Are You in Compliance With HIPAA?

The law has evolved over the years, and it’s about to change again.

HIPAA compliance is an ever-moving target. To get a better grasp on what HIPAA regulations mean to the healthcare industry, you need to understand why the federal law was enacted and how it has been expanded over the years. After a quick review of existing regulations, we’ll explore how proposed modifications to the HIPAA Privacy Rule may affect you.

HIPAA Basics

The Healthcare Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 and mandated industry-wide standards for using patients’ protected health information (PHI) for the purposes of electronic billing and other processes.

PHI is any information concerning an individual’s health status, provision of healthcare, or payment for healthcare that can be linked to that individual. There are 18 fields, or identifiers, of PHI that need to be considered including name, address, diagnosis, date of birth, and Social Security number. Generally, PHI includes any part of an individual’s medical record or payment history.

HIPAA includes privacy protections under the Privacy and Security Rules. The rules primarily place importance on how to protect PHI from fraud and theft, and also place some limitations on insurance coverage:

• The Privacy Rule sets national standards for how covered entities and business associates can use and disclose individuals’ medical records and other PHI.
• The Security Rule sets national standards for administrative, physical, and technical protections to safeguard the confidentiality, integrity, and availability of electronic PHI (ePHI).

Both rules apply to covered entities and business associates. By definition:

• Covered entities include health plans, clearinghouses, and healthcare providers:
  • Health plans are individual and group plans that provide for and pay the cost of medical care for members.
  • Clearinghouses are entities that process nonstandard information they receive from another entity into standard data elements (i.e., standard format or data content).
  • Healthcare providers share PHI with other covered entities and business associates for various types of transactions. These organizations, such as doctors, clinics, and hospitals, generally have direct contact with patients and their PHI.
• Business associates are organizations or individuals that perform work or activities on behalf of a covered entity that may involve the use or disclosure of PHI. In other words, if a third party might potentially access PHI in the normal course of their delegated work, they are a business associate. Even though business associates don’t generally see patients, they may maintain or have access to their healthcare data. There are far more business associates than there are covered entities in the healthcare space, as the entire industry relies on outsourcing critical parts of their business services, such as billing, storage, software, and collections, to outside vendors.

HIPAA set the groundwork to stop covered entities and business associates from disclosing PHI to anyone other than the patient and/or an authorized representative without the patient’s consent.

HIPAA Changes

There have been amendments to HIPAA protections over the last 25 years. The most significant is the HIPAA Omnibus Final Rule in 2013, in which new requirements were added to enhance the Health Information Technology for Economic and Clinical Health (HITECH) Act and to clarify when breaches of unsecured PHI need to be reported. The Omnibus Rule also added significant expansion of individual rights.

For example, patients can now choose how their PHI is handled, including the right to request their medical records in electronic form, and to keep certain treatment information private from their health plan. The rule also set newly defined guidelines on how information can be used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission. The HIPAA Omnibus Rule also extended the HIPAA Privacy Rule to include independent contractors of covered entities in the definition of a business associate.

The CARES Act was passed on March 27, 2020, in response to the COVID-19 pandemic and subsequent economic fallout. The change this act made to 42 CFR Part 2 permits individuals suffering from substance use disorder (SUD) to give broad consent for their SUD records to be shared for the purposes of treatment, payment, and healthcare operations. The CARES Act also expands the ability of healthcare providers to share the records of individuals with SUD, but also tightens the requirements in the event of a breach of confidentiality. In short, the changes made by the CARES Act have aligned 42 CFR Part 2 regulations more closely with HIPAA. The legislation also introduced provisions relating to cybersecurity and HIPAA enforcement under the HIPAA Privacy and Security Rules.

On Jan. 5, 2021, Congress signed the HIPAA Safe Harbor Bill into law and amended the HITECH Act. HHS must now consider cybersecurity best practices that a covered entity adopted in the 12 months preceding any data breach in its HIPAA enforcement actions and calculations of financial penalties related to the breach. The purpose of this bill is to provide healthcare organizations incentive to adopt cybersecurity practices that are effective in improving their defenses against cyberattacks.

The HIPAA Safe Harbor Bill also requires HHS to decrease the length and extent of any audits in response to those breaches if industry security best practices have been implemented. Organizations that have adopted effective cybersecurity best practices and have completed a HIPAA Security Risk Analysis could potentially be treated more leniently by the Office for Civil Rights (OCR). The intended result is an early and favorable termination of an audit, reduction in the extent of a compliance investigation, or mitigation remedies that would otherwise have been agreed to resolve any violations of the HIPAA Security Rule.

Proposed Rule Will Enhance Patient Access

There are more HIPAA changes to come, reportedly this year. OCR issued a Notice of Proposed Rulemaking on Dec. 10, 2020, that outlines several proposed changes to the Privacy Rule. The proposed rule will amend the Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry. When these modifications are finalized, they will require updates to policies and procedures, as well as notices of privacy practices, forms, business associate agreements, and other HIPAA-related compliance issues.

According to OCR, the proposed changes to the HIPAA Privacy Rule are intended to improve the coordination of care and to reduce regulatory burden on the healthcare industry, with enhanced patient access being the primary focus. A patient’s right to access their PHI will be enhanced under the proposed rule by:

• allowing patients to inspect their PHI either by taking notes or capturing images;
• reducing the requirement that covered entities respond to patient access requests within 30 calendar days to 15 and shortening the possible extension time from 30 to 15 calendar days;
• creating pathways that allow individuals to request covered entities share their electronic health records (EHRs) with a third party;
• changing the requirements to fees charged by a covered entity to access PHI;
• modifying the access fee provisions to establish a fee structure based on the type of access request:
  • individuals can inspect and obtain copies of PHI for free in person or when requesting electronic copies through the internet, or
  • individuals can be charged a reasonable cost-based fee when receiving a non-electronic copy of PHI, receiving electronic PHI through a non-internet-based method, or directing an electronic copy of PHI in an EHR to a third party; and
• requiring covered entities to post estimated fee schedules on their websites for access and disclosure.

Covered entities also will have to take reasonable steps to verify the identity of a person requesting PHI before disclosing it. A covered entity will be prohibited from imposing unreasonable identity verification measures, such as having to obtain notarization of requests or providing proof of identity, when other methods are practicable.

Additionally, there are several revisions that will be required from a covered entity’s notice of privacy practices (NPP), including changes to the introductory statement and the right of access provision. You might also have to add a statement indicating that a patient may discuss the notice with a designated contact person and provide such person’s email address and phone number. One positive note is that providers will no longer need to obtain a written acknowledgment of receipt of the NPP.

Lastly, the proposed rule will permit covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and other similar third parties, either as a treatment activity of a covered healthcare provider or as a healthcare operations activity of a covered healthcare provider (or health plan). Such disclosures will not require patient authorization, thus creating an exception to the minimum necessary standard for individual-level care coordination and case management uses and disclosures. This clarifies the scope of covered entities’ ability to disclose PHI to third parties that provide health-related services in order to facilitate coordination of care and case management for individuals.

The proposed rule also replaces the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s “good faith belief” that the use or disclosure is in the best interests of the individual.

Language in the rule also expands the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.

Prepare for Change

While some of the proposed changes to the HIPAA Privacy Rule are meant to reduce administrative burden on the healthcare industry, considerable effort will be required to implement these changes. It’s important for covered entities to focus on updating their HIPAA policies and procedures and communicate those changes to their workforce and patients. It’s imperative to provide in-house and remote employees with further HIPAA training, as required, whenever there are material changes to HIPAA laws, regulations, or policies.

Resource:

www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care

• Author
• Recent Posts

Astara N. Crews

Astara N. Crews, MJ, CPC, CPEDC, CHC, CHPC, CHIAP, is a member of executive leadership at Essen Health Care where she is responsible for overseeing the corporate compliance program. Crews began her 20-year career as a medical coder for a small radiology practice, then quickly rose to senior healthcare administration positions at several prominent hospitals and tertiary institutions. She prides herself on her vast knowledge of health and regulatory laws. She has a Master of Jurisprudence in Health Law from Loyola University Chicago School of Law. Crews joined AAPC in 2007 and has served as secretary, vice president, and president of the Lower Westchester, N.Y., local chapter. She is currently serving her second consecutive term on the National Advisory Board.

Latest posts by Astara N. Crews (see all)

• Are You in Compliance With HIPAA? - July 1, 2022
• Best Practices to Achieve Clinical Documentation Improvement - September 1, 2019