Share this article on:
The Health Insurance Portability and Accountability Act was signed into law in 1996 and while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Further updates to HIPAA are now long overdue, but what can be expected in terms of HIPAA changes in 2019?
Major HIPAA Updates in the Past 20 Years
Since HIPAA was signed into law there have been some major HIPAA updates. The HIPAA Privacy and Security Rules were followed by the incorporation of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA covered entities and considerable time and effort was required to introduce new policies and procedures to ensure continued compliance.
It is now almost 6 years since the last major HIPAA updates were enacted. Over those six years, various issues have arisen with HIPAA due to changes in working practices and the advancement of technology. Rather than tackle issues with rule changes, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has favored issuing HIPAA guidelines to clear up misunderstandings with HIPAA compliance requirements, but we are now at a point when changes to HIPAA Rules are about to be made.
Expected HIPAA Changes in 2019
HIPAA 2019 rules and regulations are essentially the same as they were in 2013. Over the past two years there have been increasing calls for HIPAA changes to decrease the administrative burden on HIPAA covered entities.
OCR has responded to these calls by issuing a request for information (RFI) in December 2018. OCR is seeking comments from HIPAA-covered entities about possible changes to HIPAA Rules in 2019 which would ease the administrative burden on healthcare organizations and remove provisions of the HIPAA Privacy Rule which are limiting or discouraging coordination of care. The comment period is open until February 12, 2019.
The aim is to make changes which would not meaningfully contribute to the protection of patient privacy or decrease security of individuals’ protected health information (PHI). There are unlikely to be any changes to the requirements of the HIPAA Security Rule, but HIPAA Privacy Rule changes are likely.
OCR asked 54 different questions in its RFI. Some of the main aspects being considered are in relation to:
- Patients’ right to access and obtain copies of their protected health information and the timeframe for responding to those requests (Currently 30 days)
- Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
- Promotion of parent and caregiver roles in care
- Easing of restrictions on disclosures of PHI without authorization
- Possible exceptions to the minimum necessary standard for disclosures of PHI
- Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment and healthcare operations
- Encouragement of information sharing for treatment and care coordination
- Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible.
- Expansion of healthcare clearinghouses’ access to PHI
- Addressing the opioid crisis and serious mental illness
Given the extent of the RFI, it is possible that there could be major changes made to HIPAA in the short to medium term, although OCR may opt to make some tweaks rather than issue major Privacy Rule updates. It is also a distinct possibility that any updates to current regulations may be delayed until 2020.
It has been suggested that in many of the areas covered by the RFI, the best solution may not be HIPAA rule changes. Further HIPAA guidelines in 2019 could help to tackle some of the issues currently experienced with HIPAA compliance by clearing up misconceptions and correcting false interpretations of HIPAA requirements.
That said, some changes HIPAA in 2019 can be expected, although the extent of those changes is unlikely to be known for some time as OCR must first thoroughly assessed the comments and feedback from its RFI.
OCR Director Roger Severino said, “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.” OCR has confirmed that a notice of proposed rulemaking (NPRM) will be issued, but a timescale for so doing has not been provided.