The Health Insurance Portability and Accountability Act was signed into law in 1996 and, while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Updates to HIPAA have been long overdue, and steps were finally taken to update HIPAA in December 2020, when the HHS issued a Notice of Proposed Rulemaking that detailed several changes to the HIPAA Privacy Rule.
Major HIPAA Updates in the Past 20 Years
Since HIPAA was signed into law there have been some major HIPAA updates. The HIPAA Privacy and Security Rules were followed by the incorporation of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA covered entities and considerable time and effort was required to introduce new policies and procedures to ensure continued compliance.
It is now 7 years since the last major HIPAA update took effect. Over the past 7 years various issues have arisen with HIPAA due to changes in working practices and the advancement of technology. Rather than tackle issues with rule changes, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has favored issuing HIPAA guidance to clear up misunderstandings over the requirements of HIPAA, but we are now at a point when changes to HIPAA Rules are about to be made.
Expected HIPAA Changes in 2021
Over the past few years there have been increasing calls for HIPAA changes to decrease the administrative burden on HIPAA covered entities, but HIPAA 2021 rules and regulations are essentially the same as they were in 2013.
OCR responded to these calls by issuing a request for information (RFI) in December 2018 on potential changes to the HIPAA Rules. OCR sought comments from HIPAA-covered entities about possible changes to HIPAA Rules in 2019 and beyond, which are mostly concerned with the easing of certain administrative requirements and the removal of certain provisions of the HIPAA Privacy Rule which are limiting or discouraging the coordination of care. The comment period closed on February 12, 2019.
OCR asked 54 different questions in its RFI. Some of the main aspects that were under consideration were:
- Patients’ right to access and obtain copies of their protected health information and the time frame for responding to those requests (currently 30 days)
- Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
- Promotion of parent and caregiver roles in care
- Easing of restrictions on disclosures of PHI without authorization
- Possible exceptions to the minimum necessary standard for disclosures of PHI
- Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment and healthcare operations
- Encouragement of information sharing for treatment and care coordination
- Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible
- Expansion of healthcare clearinghouses’ access to PHI
- Addressing the opioid crisis and serious mental illness
In 2019, OCR Director Roger Severino said, “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”
The aim of the HHS is to make compliance less of a burden without negatively affecting patient privacy or weakening the security of individuals’ protected health information (PHI), so changes to the HIPAA Security Rule are unlikely. Now that the responses to the RFI have been considered, however, several changes to the HIPAA Privacy Rule have been proposed.
It has been suggested that in many of the areas covered by the RFI, the best solution may not be HIPAA rule changes. Further HIPAA guidelines in 2020 could help to tackle some of the issues currently experienced with HIPAA compliance by clearing up misconceptions and correcting false interpretations of HIPAA requirements. That said, some changes to HIPAA in 2021 may be implemented once comments on the Notice of Proposed Rulemaking have been reviewed.
Proposed HIPAA Privacy Rule Changes
OCR issued a Notice of Proposed Rulemaking on December 10, 2020 that outlined several changes to the HIPAA Privacy Rule in response to the comments received on its December 2018 RFI. The proposed changes are limited: several Privacy Rule changes that healthcare industry stakeholders had campaigned for were not included, and most of the proposals are relatively minor tweaks intended to strengthen patients’ right of access to their PHI, facilitate data sharing, and ease the administrative burden on HIPAA covered entities.
OCR is seeking feedback on the proposed changes to the HIPAA Privacy Rule for 60 days from the date of publication in the Federal Register, after which comments will be considered and a final rule will be issued.
The proposed updates to the HIPAA Privacy Rule are as follows:
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an EHR.
- Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
- Stating when individuals should be provided with ePHI without charge.
- Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party, when a summary of PHI is offered instead of a copy.
- The permission for the Armed Forces to use or disclose PHI has been expanded to cover all uniformed services.
- A definition has been added for electronic health record.
- Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety, when harm is “seriously and reasonably foreseeable.” (currently it is when harm is “serious and imminent.”)
- A pathway has been created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Covered entities will not be required to obtain written acknowledgment from an individual that they have received a Notice of Privacy Practices.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- Covered health care providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans, when individuals direct those entities to do so when they exercise the HIPAA right of access.
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
2021 Sees Cybersecurity Safe Harbor Provision Added to the HITECH Act
Many healthcare industry stakeholders have been campaigning for the addition of a safe harbor for HIPAA-covered entities and business associates that have adopted a common security framework and have implemented industry-standard security best practices, but still experienced a data breach. A bill was proposed in 2020 that called for the HHS to consider the security best practices that have been in place for the 12 months prior to a data breach occurring when deciding on financial penalties and sanctions. The bill, HR 7898, was signed into law by President Trump on January 5, 2021.
The purpose of the bill is to encourage healthcare organizations to invest in security and adopt recognized security frameworks, since doing so can reduce financial penalties in the event of a data breach. The bill amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and requires the HHS, when investigating a breach, to consider whether recognized security practices (such as a common security framework) had been in place for at least the previous 12 months, and to take that into account when deciding on financial penalties, the length and extent of audits and investigations, and any other remedies.
HIPAA Changes Due to the 2019 Novel Coronavirus (SARS-CoV-2) and COVID-19
In response to the 2019 Novel Coronavirus pandemic, the HHS announced major changes to the enforcement of HIPAA compliance in 2020, which will remain in place for the duration of the nationwide COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over. These “unprecedented HIPAA flexibilities” were announced in March and April 2020 by means of Notices of Enforcement Discretion and are intended to ease the burden on healthcare organizations and business associates that are having to overcome major challenges in testing and treating COVID-19 patients. The changes to HIPAA enforcement were introduced to ensure that HIPAA compliance does not get in the way of the provision of high quality patient care.
Notification of Enforcement Discretion for Telehealth Remote Communications
The first Notice of Enforcement Discretion was announced by OCR on March 17, 2020. The coronavirus pandemic has seen social distancing measures introduced, and with hospitals dealing with huge numbers of cases, Americans are being encouraged to remain indoors. In order to continue to provide quality care to patients while reducing the risk of patients transmitting or contracting COVID-19, telehealth services have been expanded. The CMS has also expanded telehealth to include all Medicare and Medicaid beneficiaries.
To help ensure that patients receive the care they need, OCR announced that it will not impose sanctions and penalties on healthcare providers in connection with the good faith provision of telehealth services for the purpose of diagnosis and treatment, regardless of whether the telehealth services are directly related to COVID-19. OCR will not impose penalties on healthcare providers for using everyday communication technologies to provide those services, even if the platforms used are not fully HIPAA compliant. For instance, it is permissible to use Skype (rather than Skype for Business), FaceTime, Google Hangouts Video, and Zoom. Public-facing platforms, such as Facebook Live and TikTok, must not be used to provide these services.
“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR Director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities
The second Notice of Enforcement Discretion was announced by OCR on April 2, 2020 and concerns uses and disclosures of PHI by business associates of HIPAA covered entities for reasons related to public health and health oversight activities. HIPAA does not permit business associates to disclose PHI for public health and health oversight activities unless it is stated that they can do so in their business associate agreement (BAA) with a HIPAA covered entity.
Under the Notice of Enforcement Discretion, OCR will not impose sanctions and penalties on business associates or their covered entities for these uses and disclosures to the likes of Federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers. Should such a use or disclosure occur, the business associate must notify the covered entity within 10 days of the use or disclosure.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”
Notification of Enforcement Discretion for Community-Based Testing Sites
The third Notice of Enforcement Discretion was announced by OCR on April 9, 2020 – backdated to March 13, 2020 – and concerns good faith participation in the operation of COVID-19 testing centers. OCR will be exercising enforcement discretion and will not impose sanctions and penalties on healthcare providers, including pharmacies, and business associates that participate in the operation of COVID-19 testing sites such as mobile testing centers, walk-up facilities and drive-through testing centers that only provide COVID-19 specimen collection or testing services to the public.
“We are taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely,” said Roger Severino. “President Trump has ordered the federal government to use every tool available to help save lives during this crisis, and this announcement is another concrete example of putting the President’s directive into action.”
Notice of Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments
OCR announced a further Notice of Enforcement Discretion on January 19, 2021 that concerns the scheduling of appointments for COVID-19 vaccinations. OCR said financial penalties and sanctions would not be imposed on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in relation to the good faith use of online or web-based scheduling applications (WBSAs) for scheduling appointments for COVID-19 vaccinations.
WBSAs that would not be fully HIPAA compliant under normal circumstances can be used for scheduling COVID-19 vaccination appointments without penalty. However, a WBSA that does not incorporate reasonable safeguards to protect the privacy and security of ePHI may not be used, and the Notice of Enforcement Discretion does not apply if the solution provider has prohibited use of the WBSA for scheduling healthcare appointments.
OCR explained that the Notice of Enforcement Discretion does not apply to the use of a WBSA for anything other than scheduling COVID-19 vaccination appointments, such as arranging appointments for other medical services or for screening individuals for COVID-19 prior to arranging an in-person healthcare visit.
OCR encourages HIPAA-covered entities and their business associates to implement reasonable safeguards to ensure the privacy and security of healthcare data, such as adhering to the minimum necessary standard when inputting data, using encryption if available, and ensuring all privacy settings in the WBSA are activated.
OCR will be exercising enforcement discretion retroactive to December 11, 2020.
HIPAA Penalties Could Officially Change in 2021
A HIPAA change that occurred in 2019 concerned the penalties for HIPAA violations. OCR issued a Notice of Enforcement Discretion in 2019 which stated that OCR has adopted a new penalty structure for noncompliance with HIPAA Rules after a reevaluation of the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HITECH Act called for penalties for HIPAA violations to be increased and, in 2013, the HHS implemented a new HIPAA penalty structure with minimum and maximum penalties set for the four penalty tiers, based on the level of culpability. In each category, a maximum penalty of $1.5 million, per violation category, per year was set. The HHS reviewed the language of the HITECH Act in 2019 and interpreted the requirements of the HITECH Act differently. “Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits.”
Rather than a maximum penalty of $1.5 million per year in all four categories, the annual maximum was reduced in the first three tiers: under the 2019 notice the annual caps became $25,000 for tier 1 (lack of knowledge), $100,000 for tier 2 (reasonable cause), $250,000 for tier 3 (willful neglect, corrected) and $1.5 million for tier 4 (willful neglect, not corrected), before inflation adjustments. The new penalty structure is detailed in the infographic below:
Currently, OCR is using the new penalty structure, but until the change is made in the Federal Register, the new penalty structure is not legally binding. It is possible that this change to HIPAA will be made official in 2021.