Are You in Compliance With HIPAA?
The law has evolved over the years, and it’s about to change again.
HIPAA compliance is an ever-moving target. To get a better grasp on what HIPAA regulations mean to the healthcare industry, you need to understand why the federal law was enacted and how it has been expanded over the years. After a quick review of existing regulations, we’ll explore how proposed modifications to the HIPAA Privacy Rule may affect you.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996 and mandated industry-wide standards for using patients’ protected health information (PHI) for the purposes of electronic billing and other processes.
PHI is any information concerning an individual’s health status, provision of healthcare, or payment for healthcare that can be linked to that individual. There are 18 fields, or identifiers, of PHI that need to be considered, including name, address, diagnosis, date of birth, and Social Security number. Generally, PHI includes any part of an individual’s medical record or payment history.
HIPAA includes privacy protections under the Privacy and Security Rules. The rules primarily place importance on how to protect PHI from fraud and theft, and also place some limitations on insurance coverage:
- The Privacy Rule sets national standards for how covered entities and business associates can use and disclose individuals’ medical records and other PHI.
- The Security Rule sets national standards for administrative, physical, and technical protections to safeguard the confidentiality, integrity, and availability of electronic PHI (ePHI).
Both rules apply to covered entities and business associates. By definition:
- Covered entities include health plans, clearinghouses, and healthcare providers:
  - Health plans are individual and group plans that provide for and pay the cost of medical care for members.
  - Clearinghouses are entities that process nonstandard information they receive from another entity into standard data elements (i.e., standard format or data content).
  - Healthcare providers share PHI with other covered entities and business associates for various types of transactions. These organizations, such as doctors, clinics, and hospitals, generally have direct contact with patients and their PHI.
- Business associates are organizations or individuals that perform work or activities on behalf of a covered entity that may involve the use or disclosure of PHI. In other words, if a third party might potentially access PHI in the normal course of their delegated work, they are a business associate. Even though business associates don’t generally see patients, they may maintain or have access to their healthcare data. There are far more business associates than there are covered entities in the healthcare space, as the entire industry relies on outsourcing critical parts of their business services, such as billing, storage, software, and collections, to outside vendors.
HIPAA set the groundwork to stop covered entities and business associates from disclosing PHI to anyone other than the patient and/or an authorized representative without the patient’s consent.
There have been amendments to HIPAA protections over the last 25 years. The most significant is the HIPAA Omnibus Final Rule in 2013, in which new requirements were added to enhance the Health Information Technology for Economic and Clinical Health (HITECH) Act and to clarify when breaches of unsecured PHI need to be reported. The Omnibus Rule also added significant expansion of individual rights.
For example, patients can now choose how their PHI is handled, including the right to request their medical records in electronic form, and to keep certain treatment information private from their health plan. The rule also set newly defined guidelines on how information can be used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission. The HIPAA Omnibus Rule also extended the HIPAA Privacy Rule to include independent contractors of covered entities in the definition of a business associate.
The CARES Act was passed on March 27, 2020, in response to the COVID-19 pandemic and subsequent economic fallout. The change this act made to 42 CFR Part 2 permits individuals suffering from substance use disorder (SUD) to give broad consent for their SUD records to be shared for the purposes of treatment, payment, and healthcare operations. The CARES Act also expands the ability of healthcare providers to share the records of individuals with SUD, but also tightens the requirements in the event of a breach of confidentiality. In short, the changes made by the CARES Act have aligned 42 CFR Part 2 regulations more closely with HIPAA. The legislation also introduced provisions relating to cybersecurity and HIPAA enforcement under the HIPAA Privacy and Security Rules.
On Jan. 5, 2021, the HIPAA Safe Harbor Bill was signed into law, amending the HITECH Act. HHS must now consider the cybersecurity best practices that a covered entity adopted in the 12 months preceding a data breach when deciding on HIPAA enforcement actions and calculating financial penalties related to that breach. The purpose of this bill is to give healthcare organizations an incentive to adopt cybersecurity practices that are effective in improving their defenses against cyberattacks.
The HIPAA Safe Harbor Bill also requires HHS to decrease the length and extent of any audits in response to those breaches if industry security best practices have been implemented. Organizations that have adopted effective cybersecurity best practices and have completed a HIPAA Security Risk Analysis could potentially be treated more leniently by the Office for Civil Rights (OCR). The intended result is an early and favorable termination of an audit, a reduction in the extent of a compliance investigation, or a reduction in the mitigation remedies that would otherwise have to be agreed to in order to resolve any violations of the HIPAA Security Rule.
Protect Patient Privacy
The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Individually identifiable health information, which includes demographic data, relates to:
- the individual’s past, present, or future physical or mental health or condition;
- the provision of healthcare to the individual;
- the past, present, or future payment for the provision of healthcare to the individual; and
- information that identifies the individual or can be used to identify the individual.
A major purpose of the HIPAA Privacy Rule is to define and limit the circumstances in which an individual’s PHI may be used or disclosed by covered entities. A covered entity may not use or disclose PHI except either:
- as the Privacy Rule permits or requires, or
- as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
A covered entity must disclose PHI to individuals (or their personal representatives) when they request access to their PHI or an accounting of disclosures of their PHI, and to the United States Department of Health and Human Services (HHS) when it is undertaking a compliance investigation, review, or enforcement action.
Each covered entity, with certain exceptions, also must provide patients with a notice of its privacy practices. The notice must contain certain elements and describe the ways in which the covered entity may use and disclose PHI. The notice must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must describe individuals’ rights, including the right to complain to HHS and to the covered entity if they believe their privacy rights have been violated. The notice also must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices.
Proposed Rule Will Enhance Patient Access
There are more HIPAA changes to come, reportedly this year. OCR issued a Notice of Proposed Rulemaking on Dec. 10, 2020, that outlines several proposed changes to the Privacy Rule. The proposed rule will amend the Privacy Rule to support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry. When these modifications are finalized, they will require updates to policies and procedures, as well as notices of privacy practices, forms, business associate agreements, and other HIPAA-related compliance issues.
According to OCR, the proposed changes to the HIPAA Privacy Rule are intended to improve the coordination of care and to reduce regulatory burden on the healthcare industry, with enhanced patient access being the primary focus. A patient’s right to access their PHI will be enhanced under the proposed rule by:
- allowing patients to inspect their PHI either by taking notes or capturing images;
- shortening the deadline for covered entities to respond to patient access requests from 30 calendar days to 15, and shortening the possible extension from 30 to 15 calendar days;
- creating pathways that allow individuals to request that covered entities share their electronic health records (EHRs) with a third party;
- changing the requirements for fees charged by a covered entity for access to PHI;
- modifying the access fee provisions to establish a fee structure based on the type of access request:
  - individuals can inspect and obtain copies of PHI for free in person or when requesting electronic copies through the internet, or
  - individuals can be charged a reasonable cost-based fee when receiving a non-electronic copy of PHI, receiving electronic PHI through a non-internet-based method, or directing an electronic copy of PHI in an EHR to a third party; and
- requiring covered entities to post estimated fee schedules on their websites for access and disclosure.
Covered entities also will have to take reasonable steps to verify the identity of a person requesting PHI before disclosing it. At the same time, a covered entity will be prohibited from imposing unreasonable identity verification measures, such as requiring notarized requests or proof of identity, when other, less burdensome methods are practicable.
Additionally, several revisions will be required to a covered entity’s notice of privacy practices (NPP), including changes to the introductory statement and the right of access provision. You might also have to add a statement indicating that a patient may discuss the notice with a designated contact person, and provide that person’s email address and phone number. One positive note is that providers will no longer need to obtain a written acknowledgment of receipt of the NPP.
Lastly, the proposed rule will permit covered entities to disclose PHI to social services agencies, community-based organizations, home- and community-based service providers, and other similar third parties, either as a treatment activity of a covered healthcare provider or as a healthcare operations activity of a covered healthcare provider (or health plan). Such disclosures will not require patient authorization, thus creating an exception to the minimum necessary standard for individual-level care coordination and case management uses and disclosures. This clarifies the scope of covered entities’ ability to disclose PHI to third parties that provide health-related services in order to facilitate coordination of care and case management for individuals.
The proposed rule also replaces the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s “good faith belief” that the use or disclosure is in the best interests of the individual.
Language in the rule also expands the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
Prepare for Change
While some of the proposed changes to the HIPAA Privacy Rule are meant to reduce administrative burden on the healthcare industry, considerable effort will be required to implement these changes. It’s important for covered entities to focus on updating their HIPAA policies and procedures and communicate those changes to their workforce and patients. It’s imperative to provide in-house and remote employees with further HIPAA training, as required, whenever there are material changes to HIPAA laws, regulations, or policies.
- Are You in Compliance With HIPAA? - July 1, 2022