Recent HIPAA Changes

Most Recent HIPAA Changes

The most recent HIPAA changes extended the scope and extent of the Health Insurance Portability and Accountability Act by incorporating the requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Many of the new HIPAA rules for 2013 account for the changes in working practices and advances in technology since the original legislation was enacted in 1996.

Within the most recent HIPAA changes, the Security Rule introduces three “safeguards” to protect the integrity of electronically stored and transmitted Protected Health Information (ePHI). These three safeguards are:

  • Administrative Safeguards – covering factors such as the assigning of an information security officer, business associate agreements, risk assessments, training, and the development of appropriate policies.
  • Physical Safeguards – covering equipment specifications, controls for devices and media used to store ePHI (including flash drives), and physical access to servers and other hardware on which ePHI is stored.
  • Technical Safeguards – covering issues such as who can remotely access a database on which ePHI is stored, audit controls, transmission security, and how access to and the communication of ePHI is monitored.

These safeguards are of particular significance to covered entities that have implemented BYOD policies, have storage issues with the requirement to save six years of ePHI, or that provide unfiltered Internet access. In order to comply with the recent HIPAA changes, covered entities must implement mechanisms that ensure the end-to-end security of patient data and have processes in place to prevent a data breach.

A Revised Definition of Data Breaches

Also included among the new HIPAA rules for 2013 was a revised definition of what constitutes a data breach. A data breach will now be presumed to have occurred when there has been the unauthorized exposure of ePHI unless the healthcare organization, health insurance provider, employer, or vendor/business associate can demonstrate that there is a low probability that patient data was compromised.

One of the best ways of demonstrating a low probability that patient data was compromised is through encryption. The encryption of data is an “addressable” requirement of the HIPAA Security Rule, meaning that it does not have to be implemented if a covered entity can show it is not necessary, or if a suitable alternative to the requirement is instigated.

However, by encrypting all personal identifiers and health-related data, any unauthorized exposure of ePHI will be undecipherable, unreadable, and unusable – resulting in a low probability that patient data was compromised. The encryption of data in databases, on servers, on flash drives, or as it moves through a network can also help covered entities avoid OCR fines for failing to comply with the recent HIPAA changes.

The Implementation of Encryption in Healthcare

The implementation of encryption in healthcare is not difficult to achieve. Many covered entities are switching their primary method of communication to secure messaging. Secure messaging complements the BYOD policies that many covered entities have introduced, and eliminates the risk of a data breach – not only through encrypted communications but also by encapsulating communications within a private network that provides full message accountability.

Secure messaging not only helps to comply with the recent HIPAA changes, but the mechanisms intended to provide an audit trail for ePHI also accelerate the communications cycle in many areas of healthcare. Secure messaging has also been proven to foster collaboration and enhance productivity – improving the speed of diagnoses, the accuracy with which prescriptions are filled, and reducing the volume of adverse events.

Whereas secure messaging resolves the issue of encryption in healthcare since the new HIPAA rules for 2013 were introduced, secure email archiving is an appropriate solution for communications sent and received prior to the most recent HIPAA changes. Covered entities have to keep HIPAA documentation for a minimum of six years, and secure email archiving not only stores documents and communications in an encrypted format but also indexes emails and their content for easy retrieval in the event of an eDiscovery request or compliance audit.

The Cyber Threat to the Integrity of ePHI

The single largest cause of data breaches has been human error such as employees mislaying USB drives, having unencrypted laptops stolen from the back seat of a car, and the improper disposal of ePHI. These failures have been responsible for many millions of records being exposed. Aware that employees are the weakest link in a covered entity’s cybersecurity defenses, criminals are targeting them with phishing campaigns with a view to obtaining their credentials or downloading malware. With malware downloaded or credentials obtained, hackers can conduct more extensive compromises and can steal data and deploy ransomware.

Spam filters and web filters are key cybersecurity solutions that can prevent these attacks. Spam filters guard against the phishing emails that target employees and block them at the gateway to ensure they are not delivered. Coupled with security awareness training for the workforce, a requirement for HIPAA-covered entities, the risk of these attacks being successful is greatly reduced. A web filter works in tandem with a spam filter, blocking these attacks from another angle. A web filter can prevent employees from being directed to malicious websites where login credentials are harvested and malware is downloaded. Web filtering solutions can also be configured to prevent the download of certain file types, making it harder for a cybercriminal to break through a covered entity’s cybersecurity defenses.

Web filters also have a productivity-enhancing benefit. With the ability to restrict access to any website, administrators can prevent employees from using social media channels, visiting shopping portals, or watching live-streamed videos during working hours. Restricting access to certain areas of the Internet can also eliminate potential HR issues and create a more user-friendly working environment.

Further Recent HIPAA Developments

Since the recent changes to HIPAA and the HITECH Act, OCR has increased its enforcement actions with more investigations and three rounds of HIPAA audits. The consequence is that many more covered entities and business associates are being investigated over data breaches and complaints and are having to pay financial penalties for non-compliance with the HIPAA Rules.

The largest data breaches are punished accordingly:

  • In March 2016, the Feinstein Institute was fined $3.9 million when a laptop containing the unprotected PHI of 13,000 research participants was stolen.
  • Also in March 2016, North Memorial Health Care of Minnesota was fined $1.55 million after multiple failings led to the unauthorized disclosure of 9,497 health records.
  • In August 2016, Advocate Health Care Network was fined $5.55 million for the unauthorized disclosure of almost 4 million patient health care records due to theft of a portable electronic device.
  • In October 2018, the largest ever settlement to resolve HIPAA violations was agreed with Anthem Inc, which paid $16 million to resolve an OCR investigation into a breach of the ePHI of 78.8 million individuals.
  • In September 2020, Premera Blue Cross resolved potential HIPAA violations discovered during an investigation of a hacking incident in which the ePHI of 10,466,692 individuals was compromised. Premera paid $6,850,000 in penalties.
  • In January 2021, Excellus Health Plan settled its case with OCR that stemmed from a 2015 hacking incident that resulted in the impermissible disclosure of the ePHI of 9,358,891 individuals and paid $5,100,000 to settle the HIPAA violations.

Fines are also being issued for smaller data breaches and a wide range of HIPAA violations, with the most recent enforcement drive targeting covered entities that have failed to comply with the HIPAA Right of Access and have not provided patients with timely access to their medical records. As of December 2021, OCR has imposed 25 penalties for HIPAA Right of Access violations, and many of the enforcement actions were against small healthcare providers.

  • In April 2015, Cornell Pharmacy was fined $125,000 for the improper disposal of paper health records that could have resulted in a breach of PHI.
  • In January 2017, Presence Health was fined $475,000 for failing to report a breach of PHI within the sixty days allowed by the HIPAA Breach Notification Rule.
  • In April 2017, CardioNet was fined $2.5 million after a potential breach of PHI occurred due to a misunderstanding of HIPAA risk assessment requirements.
  • In 2020, the City of New Haven in Connecticut was fined $202,400 for failing to terminate the access rights of a former employee that resulted in a small breach of healthcare data.
  • In 2021, Banner Health was fined $200,000 for failing to provide two patients with a copy of their medical records within 30 days of a request being received.

Further HIPAA Changes Can be Expected in 2022

There has not been an update to the HIPAA Rules since 2013’s HIPAA Omnibus Rule, but changes are about to be made. In December 2020, following a Request for Information on possible changes to the HIPAA Rules, OCR issued a Notice of Proposed Rulemaking (NPR) that detailed several proposed changes to the HIPAA Privacy Rule. The NPR was open for comment for 60 days, and extended for a further 45 days, to allow all stakeholders to review the changes and provide feedback. OCR has been considering all feedback received and will publish a final rule that will see the changes implemented. The Final Rule on the proposed HIPAA changes is expected to be issued in late 2022, per the Biden Administration’s Fall Unified Regulatory Agenda.

The proposed HIPAA changes are primarily concerned with reducing the administrative burden on HIPAA-covered entities, strengthening patient rights to access their own healthcare data, and improving data sharing between HIPAA-covered entities and care coordination.

Notable changes detailed in the NPR include:

  • Shortening the time for responding to a request from an individual to access their own healthcare data from 30 to 15 days
  • Allowing patients to inspect their PHI in person and take photographs of their medical records or take notes
  • Ensuring patients can request their PHI be sent to a personal health application, a definition of which is now included
  • Ensuring individuals are not faced with unreasonable measures when exercising their right of access
  • Restricting the right to be provided with an electronic copy of ePHI to only the ePHI that is stored in an electronic health record
  • HIPAA-covered entities will be required to publish fee schedules for obtaining a copy of ePHI on their website and will be required to provide individualized estimates for patients
  • Specifying when ePHI must be provided free of charge – such as when individuals inspect their PHI in person or use an Internet-based patient portal
  • The creation of a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities
  • A definition of electronic health record has been added and the scope of “healthcare operations” has been broadened to include care coordination and case management

Changes have also been made to make it easier for healthcare data to be shared, such as expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable,” rather than the current definition of “serious and imminent.” Covered entities will also be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interests of the individual.

One notable change that has been requested for some time is that it will no longer be necessary to obtain written confirmation that an individual has been provided with the organization’s notice of privacy practices.

While many of the proposed changes seem at first glance to be relatively minor, they have important implications for HIPAA-covered entities and are likely, in the short term at least, to come with a significant administrative burden. The HHS will give HIPAA-covered entities a reasonable amount of time to implement the changes before they become enforceable, but it is important not to underestimate the time, resources, and effort that will have to be devoted to compliance. In addition to updating policies and procedures, those changes will need to be communicated to patients, health plan members, and the workforce. Training will need to be provided to all workforce members impacted by the changes, including clinical and non-clinical staff. A plan will need to be developed to ensure that the HIPAA changes are implemented ahead of the compliance deadline, and given the implications of many of the changes, it will be important to start the planning and implementation process promptly after the Final Rule is issued.

Safe Harbor for HIPAA-Regulated Entities That Have Adopted Recognized Security Practices

Another recent change came in January 2021 when a bill was signed into law by President Trump that amended the HITECH Act and created a safe harbor for covered entities and business associates that have adopted recognized security best practices, such as common security frameworks, prior to experiencing a data breach. The bill calls for OCR to consider the security practices that have been in place for the 12 months before a breach when deciding financial penalties for HIPAA violations in relation to the breach. The bill also requires OCR to shorten audits in relation to breaches when cybersecurity best practices have been adopted. These changes are intended to encourage healthcare organizations to implement robust cybersecurity defenses and to encourage HIPAA Security Rule compliance.

There have also been several temporary measures introduced in response to the 2019 Novel Coronavirus pandemic and COVID-19. OCR has issued four Notices of Enforcement Discretion to ensure the HIPAA Rules do not hamper the ability of healthcare organizations to respond to the pandemic, provide treatment, conduct COVID-19 tests, and administer vaccines. You can read about these temporary changes that apply during the Nationwide Public Health Emergency in this post.

No Excuse for Failing to Comply with the Recent HIPAA Changes

Complying with the recent HIPAA changes is not resource-intensive, time-consuming, or expensive. In the case of secure messaging, apps for secure messaging are free to download and most healthcare employees will be familiar with the text-like interface already. Administrators conducting a search for an old email will find secure text archiving a simpler process than the one currently available to them, while only employees visiting inappropriate websites will notice the presence of a web filter.

These solutions have minimal maintenance overheads, require little training, and are inexpensive to run. In terms of the efficiency savings they generate, the solutions for complying with the recent HIPAA changes are a worthwhile investment – and will cost covered entities far less than a fine from the OCR in the event of an avoidable data breach.

You can read more about the new HIPAA rules and solutions for compliance in our “HIPAA Compliance Guide”.