The Health Insurance Portability and Accountability Act (HIPAA) was signed into law in 1996. While there have been some significant HIPAA updates over the last two decades, the last set of major changes came in 2013 with the HIPAA Omnibus Final Rule. Further updates are long overdue, but steps were finally taken in December 2020, when the HHS issued a Notice of Proposed Rulemaking (NPRM) detailing several proposed changes to the HIPAA Privacy Rule. A Final Rule is now due, and it is likely to bring many HIPAA changes in 2022.
Major HIPAA Updates in the Past 20 Years
Since HIPAA was signed into law there have been a few major HIPAA updates. The HIPAA Privacy and Security Rules were introduced, which limited uses and disclosures of protected health information (PHI), gave patients new rights over their healthcare data, and introduced a set of minimum security standards.
Those HIPAA updates were followed by the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA-covered entities and considerable time and effort were required to introduce new policies and procedures to ensure continued compliance.
It is now 8 years since the last major HIPAA update took effect. Over the past 8 years, various issues have arisen with HIPAA due to changes in working practices and the advancement of technology. Rather than tackle issues with rule changes, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has favored issuing HIPAA guidance to clear up misunderstandings over the requirements of HIPAA, but we are now at a point when changes to HIPAA Rules are about to be made.
HIPAA Changes in 2022
Over the past few years, there have been increasing calls for HIPAA changes to decrease the administrative burden on HIPAA-covered entities, but the HIPAA Rules in force in 2021 remain the same as they were in 2013.
OCR responded to these calls by issuing a request for information (RFI) in December 2018 on potential changes to the HIPAA Rules. OCR sought comments from HIPAA-covered entities and other stakeholders on changes that might be made in 2019 and beyond, mostly concerned with easing certain administrative requirements and removing provisions of the HIPAA Privacy Rule that have been limiting or discouraging the coordination of care. The comment period closed on February 12, 2019.
OCR asked 54 different questions in its RFI. Some of the main aspects that were under consideration were:
- Patients’ right to access and obtain copies of their protected health information and the time frame for responding to those requests (currently 30 days)
- Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
- Promotion of parent and caregiver roles in care
- Easing of restrictions on disclosures of PHI without authorization
- Possible exceptions to the minimum necessary standard for disclosures of PHI
- Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment, and healthcare operations
- Encouragement of information sharing for treatment and care coordination
- Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible
- Expansion of healthcare clearinghouses’ access to PHI
- Addressing the opioid crisis and serious mental illness
In 2019, then OCR Director Roger Severino said, “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”
The aim of the HHS is to implement changes that will make compliance less of a burden without negatively affecting patient privacy or decreasing the security of individuals’ protected health information (PHI). There are no planned changes to the HIPAA Security Rule, but several HIPAA Privacy Rule changes have been proposed.
It has been suggested that in many of the areas covered by the RFI, the best solution may not be rule changes at all. Further HIPAA guidance in 2022 could tackle some of the issues currently experienced with HIPAA compliance by clearing up misconceptions and correcting false interpretations of HIPAA requirements. However, changes to HIPAA are now likely to be implemented in 2022, although it may take until 2023 for those changes to become enforceable.
Proposed HIPAA Privacy Rule Changes in 2022
OCR issued a Notice of Proposed Rulemaking on December 10, 2020, that outlined several HIPAA changes to the Privacy Rule in response to the comments received from its December 2018 RFI. The proposed changes are limited and several HIPAA Privacy Rule changes that healthcare industry stakeholders have been campaigning for have not been included. Most of the proposed HIPAA changes are relatively minor tweaks to strengthen patient access to their PHI, facilitate data sharing, and ease the administrative burden on HIPAA-covered entities.
In 2021, OCR sought feedback on the proposed HIPAA changes for 60 days from the date of publication in the Federal Register, and the comment period was then extended by a further 45 days to give healthcare industry stakeholders more time to review the proposals and respond. OCR has read the comments and will take them into consideration before issuing a Final Rule. As of December 31, 2021, OCR has had almost 8 months to review the comments, but no date has been given for publication of the Final Rule. Given the large number of comments and the impact these changes will have on everyone who interacts with the U.S. health system, this is understandable.
The proposed updates to the HIPAA Privacy Rule are as follows:
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an EHR.
- Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
- Stating when individuals should be provided with ePHI without charge.
- Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- The Armed Forces permission to use or disclose PHI has been expanded to cover all uniformed services.
- A definition has been added for electronic health records.
- Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable” (currently the standard is “serious and imminent”).
- A pathway has been created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Covered entities will not be required to obtain written acknowledgment from an individual that they have received a Notice of Privacy Practices.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- Covered health care providers and health plans will be required to respond to certain records requests from other covered providers and health plans when an individual exercising the HIPAA right of access directs them to do so.
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
The Proposed HIPAA Changes Will Create Challenges for Healthcare Providers
The pending HIPAA updates are intended to ease the administrative burden on HIPAA-covered entities, although in the short term the burden will increase. Policies and procedures will need to be updated and notices of privacy practices revised, although there will at least be no requirement to obtain written acknowledgment that the updated NPPs have been received.
What is certain is that HIPAA officers and other compliance staff will have a busy few months when the Final Rule is published. The HHS will provide sufficient notice before the 2022 HIPAA changes take effect and become enforceable, but there will likely be a lot of work to do, and it will be important to plan for all of the required changes.
When the final rule is issued, there will be a requirement to change policies and procedures and that will require retraining of employees. HIPAA requires training to be provided to the workforce during or soon after onboarding, and after any material change in policies and procedures. Training may not need to be provided to the entire workforce, but a significant number of employees will need to be trained, and that is likely to place a considerable burden on covered entities and has the potential to cause workflow disruptions.
Improved access to medical records could pose problems for healthcare providers, who will need to ensure they have sufficient staffing and efficient procedures for providing copies of records, as the time frame for providing those records will be shortened from 30 days to 15 days. The permitted extension will also be shortened from 30 days to 15 days, giving healthcare organizations a maximum of 30 days in total to provide the requested records.
The definition of EHRs has also been updated to include billing records, which will need to be provided to patients who request a copy of their PHI. That has the potential to make providing copies more time-consuming, as billing records are often kept in different systems from clinical records, so two systems may need to be accessed to fulfil a single request.
Bottlenecks will arise easily, and it is important not to get into a situation where the 15-day extension is regularly required. There may well be a need to prioritize requests so that patients who urgently need a copy of their records receive them in a timely manner. Bear in mind that OCR has been laser-focused on healthcare providers that fail to provide patients with timely access to their medical records.
Another change related to patient access is the requirement to allow patients to take notes and photographs of their PHI. Designated places will be needed where patients can inspect their PHI privately and, if they wish, photograph it. Healthcare providers will also need safeguards to ensure patients cannot photograph PHI they are not entitled to copy (the right of access does not extend, for example, to psychotherapy notes).
The proposed HIPAA changes also prohibit covered entities from imposing unreasonable measures on individuals exercising their right of access, including unreasonable identity verification requirements. That has the potential to cause problems for healthcare providers, who must still verify the identity of the requester robustly enough to avoid disclosing PHI to an impostor.
A definition has also been added for a personal health application. Patients must be allowed to have their records sent to a personal health application of their choosing, but there may be privacy risks in doing so: once PHI is in an app that is not operated by or on behalf of a covered entity, it is generally no longer protected by HIPAA. Patients will need to be made aware of those risks, which adds a further burden on healthcare providers, who may not have the information needed to assess whether a particular app poses a privacy and security risk.
2021 Saw a Cybersecurity Safe Harbor Provision Added to the HITECH Act
Many healthcare industry stakeholders have been campaigning for the addition of a safe harbor for HIPAA-covered entities and business associates that have adopted a common security framework and implemented industry-standard security best practices but still experienced a data breach. A bill was proposed in 2020 that called for the HHS to consider the security practices that had been in place for the 12 months prior to a data breach when deciding on financial penalties and sanctions. The bill, HR 7898, was signed into law by President Trump on January 5, 2021.
The purpose of the law is to encourage healthcare organizations to invest in security and adopt recognized security frameworks, since doing so can reduce financial penalties in the event of a data breach. It amends the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and requires the HHS, when recognized security practices such as a common security framework have been in place for the previous 12 months, to consider those practices when determining financial penalties, the length and extent of audits and investigations, and the remedies agreed in any settlement. Note that this is a requirement to consider such practices, not a guarantee that penalties will be reduced, and the entity must be able to demonstrate that the practices were in place for the full 12 months.
HIPAA Changes Due to the 2019 Novel Coronavirus (SARS-CoV-2) and COVID-19
In response to the 2019 Novel Coronavirus (SARS-CoV-2) pandemic, the HHS announced major changes to the enforcement of HIPAA in 2020, which will remain in place for the duration of the nationwide COVID-19 public health emergency or until the Secretary of the HHS declares the emergency over. These “unprecedented HIPAA flexibilities” were announced in March and April 2020 by means of Notices of Enforcement Discretion and are intended to ease the burden on healthcare organizations and business associates facing major challenges in testing and treating COVID-19 patients. The changes ensure that HIPAA compliance does not get in the way of the provision of high-quality patient care.
Notification of Enforcement Discretion for Telehealth Remote Communications
The first Notice of Enforcement Discretion was announced by OCR on March 17, 2020. The pandemic has seen social distancing measures introduced and, with hospitals dealing with huge numbers of cases, Americans are being encouraged to remain indoors. To continue providing quality care while reducing the risk of patients transmitting or contracting COVID-19, telehealth services have been expanded, and CMS has also expanded telehealth coverage to all Medicare and Medicaid beneficiaries.
To help ensure that patients receive the care they need, OCR announced that it will not impose sanctions and penalties on healthcare providers for the good faith provision of telehealth services for diagnosis and treatment, regardless of whether those services are directly related to COVID-19. OCR will not impose penalties for the use of everyday, non-public-facing communication technologies to provide those services, even if the platforms are not fully HIPAA compliant. For instance, it is permissible to use Skype (rather than Skype for Business), FaceTime, Google Hangouts Video, and Zoom. Public-facing platforms such as Facebook Live and TikTok may not be used to provide these services.
“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR Director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities
The second Notice of Enforcement Discretion was announced by OCR on April 2, 2020, and concerns uses and disclosures of PHI by business associates of HIPAA-covered entities for public health and health oversight activities. HIPAA does not permit business associates to use or disclose PHI for those purposes unless their business associate agreement (BAA) with the covered entity expressly permits it.
Under the Notice of Enforcement Discretion, OCR will not impose sanctions and penalties on business associates or their covered entities for such uses and disclosures to Federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and the Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers. Should such a use or disclosure occur, the business associate must notify the covered entity within 10 calendar days of the use or disclosure.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”
Notification of Enforcement Discretion for Community-Based Testing Sites
The third Notice of Enforcement Discretion was announced by OCR on April 9, 2020, with effect retroactive to March 13, 2020, and concerns good faith participation in the operation of COVID-19 testing sites. OCR will exercise enforcement discretion and will not impose sanctions and penalties on healthcare providers, including pharmacies, and business associates that participate in the operation of community-based testing sites, such as mobile testing centers, walk-up facilities, and drive-through sites, that provide only COVID-19 specimen collection or testing services to the public.
“We are taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely,” said Roger Severino. “President Trump has ordered the federal government to use every tool available to help save lives during this crisis, and this announcement is another concrete example of putting the President’s directive into action.”
Notice of Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments
OCR announced a further Notice of Enforcement Discretion on January 19, 2021, that concerns the scheduling of appointments for COVID-19 vaccinations. OCR said financial penalties and sanctions would not be imposed on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in relation to the good faith use of online or web-based scheduling applications (WBSAs) for scheduling appointments for COVID-19 vaccinations.
WBSAs that would not be fully compliant with the HIPAA Rules under normal circumstances can be used for scheduling COVID-19 vaccination appointments without penalty. However, the Notice does not cover a WBSA that lacks reasonable security safeguards to protect the privacy and security of ePHI, and it does not apply if the solution provider has prohibited the use of the WBSA for scheduling healthcare appointments.
OCR explained that the Notice of Enforcement Discretion does not apply to the use of a WBSA for anything other than scheduling COVID-19 vaccination appointments, such as arranging appointments for other medical services or for screening individuals for COVID-19 prior to arranging an in-person healthcare visit.
OCR encourages HIPAA-covered entities and their business associates to implement reasonable safeguards to protect the privacy and security of healthcare data, such as adhering to the minimum necessary standard when entering data, using encryption where available, and ensuring all privacy settings in the WBSA are enabled.
OCR will be exercising enforcement discretion retroactive to December 11, 2020.
HIPAA Penalties Could Officially Change in 2022
A HIPAA change that occurred in 2019 concerned the penalties for HIPAA violations. In April 2019, the HHS issued a Notice of Enforcement Discretion stating that it had adopted a new penalty structure for non-compliance with the HIPAA Rules after a re-evaluation of the requirements of the HITECH Act.
The HITECH Act called for penalties for HIPAA violations to be increased and, in 2013, the HHS implemented a new penalty structure with minimum and maximum penalties for four tiers based on the level of culpability. A maximum of $1.5 million per violation category per year applied to every tier. In 2019, the HHS reviewed the language of the HITECH Act and interpreted its requirements differently: “Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits.”
Rather than a cap of $1.5 million per year in all four tiers, the annual cap was reduced in the first three tiers (to $25,000, $100,000, and $250,000 respectively), with only the fourth tier, willful neglect that is not corrected, keeping the $1.5 million cap. These figures are the 2013 base amounts and are adjusted annually for inflation; the current inflation-adjusted minimum and maximum penalties are published by the HHS.
Currently, OCR uses the new penalty structure, as detailed in the Notice of Enforcement Discretion published in the Federal Register. While that notice remains in effect indefinitely, the new penalty structure is not legally binding and could be changed at any time. It is possible that this change will be made official in 2022 with a Notice of Proposed Rulemaking to formally update the HITECH Act penalty provisions.
Beyond the HIPAA updates outlined in the NPRM, further HIPAA changes in 2022 are not expected. OCR is, however, expected to continue issuing guidance explaining how HIPAA applies in particular situations in order to clear up confusion.