While several 2019 HIPAA updates were expected, the wheels of change move slowly and there was little in the way of change last year. What about new HIPAA regulations in 2020? What HIPAA changes can be expected this year?
The Trump Administration’s policy of two regulations out for every new one introduced has meant new HIPAA regulations in 2020 are likely to be limited. First, there will need to be some easing of existing HIPAA provisions before any additional requirements are introduced.
HIPAA updates under consideration in 2019 included changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and the 42 CFR Part 2 regulations that protect the privacy of substance use disorder patients who seek treatment at federally assisted programs, with the aim of improving the level of care that can be provided.
There have been calls from many healthcare stakeholder groups to align Part 2 regulations more closely with HIPAA to allow clinicians to view patients’ entire medical records, including SUD records, to get a complete view of a patient’s health history to inform treatment decisions. If details of treatment for SUD are withheld from doctors, there is a risk that a patient may be prescribed opioids when they are in recovery.
2020 CARES Act Aligns 42 CFR Part 2 Regulations More Closely with HIPAA
There has been some progress on this front in 2020, not through HHS or OCR rulemaking, but instead as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The CARES Act was passed by Congress on March 27, 2020 to ensure that every American has access to the care they need during the COVID-19 pandemic and to address the economic fallout from the 2019 Novel Coronavirus and COVID-19.
Individuals suffering from substance abuse disorder (SUD) must also be able to get the treatment they need during the COVID-19 pandemic, which has meant changes needed to be made to 42 CFR Part 2 regulations.
The CARES Act improves 42 CFR Part 2 regulations by expanding the ability of healthcare providers to share the records of individuals with SUD, but also tightens the requirements in the event of a breach of confidentiality. In short, the changes made by the CARES Act have aligned 42 CFR Part 2 regulations more closely with HIPAA.
The change to 42 CFR Part 2 regulations is based on the Legacy Act, which was introduced by Sens. Capito (R-WV) and Manchin (D-WV). Rather than having to obtain consent from an SUD patient for each use or disclosure, with the consent form naming the specific parties with whom the information will be shared, patients can give broad consent for their SUD records to be shared for the purposes of treatment, payment, and healthcare operations. The SUD records can then be shared by a covered entity or business associate for all TPO reasons, as is the case with HIPAA. Uses and disclosures must be limited to the minimum necessary information, and consent can be withdrawn (in writing) by the patient at any time. The CARES Act also allows SUD information to be shared with a public health authority if it is de-identified in accordance with HIPAA Rules.
Protections have been put in place for SUD patients, which place limitations on the use of SUD records in criminal, civil, or administrative investigations or proceedings, and there are prohibitions on discrimination against patients suffering from SUD. The same breach notification requirements as HIPAA will apply, so any data breach will require the patient to be notified without unnecessary delay, and no later than 60 days from the discovery of the breach.
Proposed Changes to HIPAA in 2020
Other potential changes to HIPAA regulations in 2020 included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate to deliver better care at a lower cost. This is the most likely area for HIPAA 2020 changes: aspects of HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities while providing little benefit to patients and health plan members, and changes that can help with the transition to value-based healthcare.
How are New HIPAA Regulations Introduced?
The process of making HIPAA updates is slow, as the lack of HIPAA changes in 2019 has shown. It has now been 7 years since there was a major update to HIPAA Rules and many believe changes are now long overdue. Before any regulations are changed, the Department of Health and Human Services seeks feedback on aspects of HIPAA regulations which are proving problematic or, due to changes in technologies or practices, are no longer as important as when they were signed into law.
After considering the comments and feedback, the HHS then submits a notice of proposed rulemaking followed by a comment period. Comments received from healthcare industry stakeholders are considered before a final rule change occurs. HIPAA-covered entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and enforceable.
New HIPAA Regulations in 2020
OCR issued a request for information in December 2018 asking HIPAA covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstruct the provision of healthcare, and areas where HIPAA updates could be made to improve care coordination and data sharing.
The period for comments closed on February 11, 2019, and OCR is now considering the responses received. A notice of proposed rulemaking will follow after careful consideration of all comments and feedback, although no timescale has been provided on when the NPRM will be issued. It is reasonable to assume, however, that there will be at least some new HIPAA regulations in 2020 in response to the RFI, although that may be somewhat dependent on the COVID-19 public health emergency. It is unlikely that updates to HIPAA will be announced in the midst of the public health emergency.
OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care.
Under consideration are changes to HIPAA restrictions on disclosures of PHI that require authorizations from patients. Those requirements may be loosened as they are considered by many to hamper the transformation to value-based healthcare.
OCR is considering whether the Privacy Rule should be changed to make the sharing of patient data with other providers mandatory rather than simply allowing data sharing. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have voiced their concern about this aspect of the proposed new HIPAA regulations and are against the change. Both organizations are also against any shortening of the timescale for responding to patient requests for copies of their medical records. Steps have been taken with regards to data sharing and data blocking in two companion Rules issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health Information Technology (ONC). More than a year after they were proposed, the final interoperability and information blocking rules were released in March 2020.
OCR is also considering HIPAA changes in 2020 that will help with the fight against the current opioid crisis in the United States. HHS Deputy Secretary Eric Hargan has stated that there have been some complaints about aspects of the HIPAA Privacy Rule that are stopping patients and their families from getting the help they need. There is some debate about whether new HIPAA regulations or changes to the HIPAA Privacy Rule are the right way forward, or whether further guidance from OCR would be a better solution.
One likely area where HIPAA will be updated is the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices. That requirement is expected to be dropped in the next round of HIPAA changes.
What is certain is new HIPAA regulations are just around the corner, but whether there will be any major 2020 HIPAA changes remains to be seen. It may take until 2021 for any changes to HIPAA regulations to be rolled out due to the COVID-19 pandemic.
Recent Changes to HIPAA Enforcement
Halfway through 2018, OCR had agreed only three settlements with HIPAA covered entities to resolve HIPAA violations, and its enforcement actions were at a fraction of the level of the previous two years. It was starting to look like OCR was easing up on its enforcement of HIPAA Rules. However, OCR picked up pace in the second half of the year and closed 2018 on 10 settlements and one civil monetary penalty – one more penalty than in the previous year. 2018 ended up being a record year for HIPAA enforcement. The final total for fines and settlements was $28,683,400, which beat the previous record set in 2016 by 22%.
At HIMSS 2019, Roger Severino gave no indications that HIPAA enforcement in 2019 would be eased and the year ended with 10 settlements and civil monetary penalties, totaling $12,274,000.
Severino did provide an update on the specific areas of HIPAA compliance that the OCR would be focused on in 2019 and beyond. OCR launched a new HIPAA Right of Access initiative in 2019. Under this initiative, fines are being issued when patients are denied access to their medical records, when there has been a failure to provide copies of medical records in a reasonable time frame, and when there has been overcharging for copies of medical records. OCR issued two such penalties in 2019 – both for $85,000.
In addition to continuing to fine covered entities for HIPAA Right of Access failures in 2020, OCR will focus on particularly egregious cases of noncompliance – HIPAA-covered entities that have disregarded their duty of care to patients with respect to safeguarding protected health information. OCR will come down hard on entities that have a culture of noncompliance and on those where little to no effort has been put into complying with the HIPAA Rules.
The failure to conduct comprehensive risk analyses, poor risk management practices, lack of HIPAA policies and procedures, no business associate agreements, impermissible PHI disclosures, and a lack of safeguards typically attract financial penalties. OCR is also concerned about the volume of email data breaches. Phishing is a major problem area in healthcare and failures to address email security risks are likely to attract OCR’s attention in 2020.
Penalties for HIPAA Violations Changed in 2019
One notable HIPAA change that happened in 2019 was an update to the penalties for noncompliance, which were reduced in three of the four penalty tiers. The HITECH Act called for an increase in penalties for noncompliance with HIPAA. In 2013, the HHS interpreted the language of the HITECH Act as requiring a cap of $1.5 million for HIPAA violations across all four penalty tiers. In 2019, the requirements of the HITECH Act were reassessed and interpreted differently. Rather than capping the penalties at $1.5 million across all four tiers, different maximum fines were set for each of the four tiers, as detailed in the infographic below.
This change was addressed through a Notice of Enforcement Discretion, which is not legally binding. OCR is expected to add the changes to the Federal Register and make the new penalty amounts official. That is one HIPAA change that may take place in 2020.
HIPAA Changes in 2020 Due to the COVID-19 Pandemic
The COVID-19 pandemic has not resulted in any permanent changes to HIPAA, but it has seen unprecedented flexibilities introduced on a temporary basis to ease the burden on healthcare providers and business associates on the front line in the fight against COVID-19.
During emergency situations such as disease outbreaks, HIPAA Rules remain in effect and the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule remain unchanged. However, enforcement of compliance may be eased.
OCR has announced three Notices of Enforcement Discretion in 2020 in response to the COVID-19 pandemic, which will see penalties and sanctions for certain HIPAA violations waived for the duration of the COVID-19 nationwide public health emergency.
The Notices of Enforcement Discretion are as follows:
Good Faith Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
The first Notice of Enforcement Discretion in relation to COVID-19 was announced by OCR on March 17, 2020 and concerns the good faith provision of telehealth services. OCR is waiving potential penalties for HIPAA violations by healthcare providers that provide virtual care to patients through everyday communications technologies during the COVID-19 nationwide public health emergency.
This means healthcare providers are permitted to use everyday communications tools to provide telehealth services to patients, even if those tools would not normally be considered fully HIPAA compliant.
Platforms such as FaceTime, Skype, Zoom, and Google Hangouts video can be used in the good faith provision of telehealth services to patients without penalty for the duration of the public health emergency. However, public-facing platforms such as TikTok and Facebook Live must not be used.
Good Faith Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities
On April 2, 2020, OCR announced it will be exercising enforcement discretion and will not impose sanctions and penalties on business associates of HIPAA covered entities for uses and disclosures of PHI for public health and health oversight activities. HIPAA prohibits these uses and disclosures unless the business associate agreement (BAA) states that they are permitted. For the duration of the public health emergency, business associates will not face penalties for these uses and disclosures, provided they notify the covered entity after the event, within 10 days of the use or disclosure occurring.
Participation in the Operation of Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020, OCR announced it will be exercising enforcement discretion for noncompliance with HIPAA Rules in relation to good faith participation in the operation of COVID-19 testing sites, and will refrain from imposing sanctions and penalties on covered entities and business associates at these drive-through, walk-up, and mobile sites.
The Notice of Enforcement Discretion covers the operation of these sites and all activities that support the collection of specimens from individuals for COVID-19 testing only. While penalties will not be applied, “OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI.”
The Notice of Enforcement Discretion is retroactive to March 13, 2020.