Share this article on:
The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration.
OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders.
As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made.
The full list of proposed changes to the HIPAA Privacy Rule have not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia.
Severino explained there were three possible changes to HIPAA regulations in 2018, the first relates to enforcement of HIPAA Rules by OCR.
Since the introduction of the Enforcement Rule, OCR has had the power to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. Since the incorporation of HITECH Act into HIPAA in 2009, OCR has been permitted to retain a proportion of the settlements and CMPs it collects through its enforcement actions. Those funds are used, in part, to cover the cost of future enforcement actions and to provide restitution to victims. To date, OCR has not done the latter.
OCR is considering requesting information on how a proportion of the settlements and civil monetary penalties it collects can be directed to the victims of healthcare data breaches and HIPAA violations.
One area of bureaucracy that OCR is considering changing is the requirement for covered entities to retain signed forms from patients confirming they have received a copy of the covered entity’s notice of privacy practices. In many cases, the forms are signed by patients who just want to see a doctor. The forms are not actually read.
One potential change is to remove the requirement to obtain and store signed forms and instead to inform patients of privacy practices via a notice in a prominent place within the covered entity’s facilities.
Severino also said OCR is considering changing HIPAA regulations in 2018 relating to good faith disclosures of PHI. OCR is considering formally clarifying that disclosing PHI in certain circumstances is permitted without first obtaining consent from patients – The sharing of PHI with family members and close friends when a patient is incapacitated or in cases of opioid drug abuse for instance.
While HIPAA does permit healthcare providers to disclose PHI when a patient is in imminent harm, further rulemaking is required to cover good faith disclosures.
While these HIPAA changes are being considered, it could take until 2019 before they are implemented.