Recent HIPAA Changes

Recent HIPAA Changes

The recent HIPAA changes extend the scope and extent of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health (HITECH) Act . Many of the new HIPAA rules for 2013 account for changes in working practices and advances in technology since the original legislation was enacted in 1996.

Within the recent HIPAA changes, the Security Rule introduces three “safeguards” to protect the integrity of electronically stored and transmitted Protected Health Information (ePHI). These three safeguards are:

  • Administrative Safeguards – covering factors such as the assigning of an information security officer, business associate agreements, risk assessments, training and the development of appropriate policies.
  • Physical Safeguards – covering equipment specifications, controls for devices and media used to store ePHI (including flash drives), and physical access to servers and other hardware on which ePHI is stored.
  • Technical Safeguards – covering issues such as who can remotely access a database on which ePHI is stored, audit controls, transmission security and how access to and the communication of ePHI is monitored.

These safeguards are of particular significance to covered entities that have implemented BYOD policies, have storage issues with the requirement to save six years of ePHI, or who provide unfiltered Internet access. In order to comply with the recent HIPAA changes, covered entities must implement mechanisms that ensure the end-to-end security of patient data and have processes in place to prevent a data breach.

A Revised Definition of Data Breaches

Also included among the new HIPAA rules for 2013 was a revised definition of what constitutes a data breach. A data breach will now be presumed to have occurred when there has been the unauthorized exposure of ePHI unless the healthcare organization, health insurance provider, employer or vendor/business associate can demonstrate that there is a low probability that patient data was compromised.

One of the best ways of demonstrating a low probability that patient data was compromised is through encryption. The encryption of data is an “addressable” requirement of the HIPAA Security Rule, meaning that it does not have to be implemented if a covered entity can show it is not necessary, or if a suitable alternative to the requirement is instigated.

However, by encrypting all personal identifiers and health-related data any unauthorized exposure of ePHI will be undecipherable, unreadable and unusable – resulting in a low probability that patient data was compromised. The encryption of data in databases, on servers, on flash drives or as it moves through a network can also help covered entities avoid OCR fines for failing to comply with the recent HIPAA changes.

The Implementation of Encryption in Healthcare

The implementation of encryption in healthcare is not difficult to achieve. Many covered entities are switching their primary method of communication to secure messaging. Secure messaging compliments the BYOD policies that many covered entities have introduced, and eliminates the risk of a data breach – not only through encrypted communications, but also by encapsulating communications within a private network that provides full message accountability.

Secure messaging not only helps to comply with the recent HIPAA changes, but the mechanisms intended to provide an audit trail for ePHI also accelerate the communications cycle in many areas of healthcare. Secure messaging has also been proven to foster collaboration and enhance productivity – improving the speed of diagnoses, the accuracy with which prescriptions are filled and reducing the volume of adverse events.

Whereas secure messaging resolves the issue of encryption in healthcare since the new HIPAA rules for 2013 were introduced, secure email archiving is an appropriate solution for communications sent and received prior to the recent HIPAA changes. Covered entities have to keep HIPAA documentation for a minimum of six years, and secure email archiving not only stores documents and communications in an encrypted format, but also indexes emails and their content for easy retrieval in the event of an eDiscovery request or compliance audit.

The Cyber Threat to the Integrity of ePHI

The single largest cause of data breaches has been, to date, human error. Employees mislaying USB flash drives, unencrypted laptops stolen from the back seat of a car and the improper disposal of ePHI have been responsible for many millions of records being exposed. Aware that employees are the weakest link in a covered entity´s cybersecurity defenses, criminals are targeting them through phishing campaigns and malware downloads.

One of the strongest defenses against cyber threats is the implementation of a web filter. With a suitably robust web filter, covered entities can prevent employees being directed to bogus websites that request their login credentials and sites that harbor malware. Web filtering solutions can also be configured to prevent the download of certain file types, making it harder for a cybercriminal to break through a covered entity´s cybersecurity defenses.

Web filters also have a productivity-enhancing benefit. With the ability to restrict access to any website, administrators can prevent employees from using social media channels, visiting shopping portals or watching live-streamed videos during working hours. Restricting access to certain areas of the Internet can also eliminate potential HR issues and create a more user-friendly working environment.

Further Recent HIPAA Developments

Since the recent changes to HIPAA and HITECH, the OCR has increased its enforcement actions with more investigations and three rounds of HIPAA audits. The consequence is that many more Covered Entities and Business Associates are being investigated over data breaches and complaints and are having tp pay financial penalties for noncompliance with the HIPAA Rules.

The largest data breaches are punished accordingly:

  • In March 2016, the Feinstein Institute was fined $3.9 million when a laptop containing the unprotected PHI of 13,000 research participants was stolen.
  • Also in March 2016, North Memorial Health Care of Minnesota was fined $1.55 million after multiple failings led to the unauthorized disclosure of 9,497 health records.
  • In August 2016, Advocate Health Care Network was fined $5.55 million for the unauthorized disclosure of almost 4 million patient health care records due to theft of a portable electronic device.
  • In October 2018, the largest ever settlement to resolve HIPAA violations was agreed with Anthem Inc, which paid $16 million to resolve an OCR investigation into a breach of the ePHI of 78.8 million individuals.
  • In September 2020, Premera Blue Cross resolved potential HIPAA violations discovered during an investigation of a hacking incident in which the ePHI of 10,466,692 individuals was compromised. Premera paid $6,850,000 in penalties.
  • In January 2021, Excellus Health Plan settled its case with OCR that stemmed from a 2015 hacking incident that resulted in the impermissible disclosure of the ePHI of 9,358,891 individuals.

Fines are also being issued for smaller data breaches and a wide range of HIPAA violations:

  • In April 2015, Cornell Pharmacy was fined $125,000 for the improper disposal of paper health records that could have resulted in a breach of PHI.
  • In January 2017, Presence Health was fined $475,000 for failing to report a breach of PHI within the sixty days allowed by the HIPAA Breach Notification Rule.
  • In April 2017, CardioNet was fined $2.5 million after a potential breach of PHI occurred due to a misunderstanding of HIPAA risk assessment requirements.
  • In 2021, Banner Health was fined $200,000 for failing to provide two patients with a copy of their medical records within 30 days of a request being received.

Further HIPAA Changes can be Expected in 2021

There has not been an update to the HIPAA Rules since 2013’s HIPAA Omnibus Rule, but changes are about to be made. In December 2020, following a Request for Information on possible changes to the HIPAA Rules, OCR issued a Notice of Proposed Rulemaking that detailed several proposed changes to the HIPAA Privacy Rule. The changes are open for comment for 60 days, after which OCR will consider all feedback received and will publish a final rule that will see the changes implemented. The comment period ends in February 2021, so the new changes may be implemented in 2021.

The proposed HIPAA changes are primarily concerned with reducing the administrative burden on HIPAA-covered entities, strengthening patient rights to access their own healthcare data, and to improve data sharing between HIPAA-covered entities and care coordination. Notable changes include:

  • Shorting the time for responding to a request from an individual to access their own healthcare data from 30 to 15 days
  • Allowing patients inspect their PHI in person and take photographs of their medical records or take notes
  • Ensuring patients can request their PHI be sent to a personal health application
  • Restricting the right to be provided with an electronic copy of ePHI to only the ePHI that is stored in an electronic health record
  • HIPAA-covered entities will be required to publish fee schedules for obtaining a copy of ePHI on their website, and will be required to provide individualized estimates for patients
  • Specifying when ePHI must be provided free of charge
  • The creation of a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • A definition of electronic health record has been added an the scope of “healthcare operations” has been broadened to include care coordination and case management

Changes have also been made to make it easier for healthcare data to be shared, such as expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “seriously and reasonably foreseeable,” rather than the current definition of “serious and imminent.” Covered entities will also be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interests of the individual.

One notable change that has been requested for some time is it will no longer be necessary to obtain written confirmation that an individual has been provided with the organization’s notice of privacy practices.

A bill was also signed into law in January 2021 by President Trump that amended the HITECH Act and created a safe harbor for covered entities and business associates that have adopted recognized security best practices, such as common security frameworks, prior to experiencing a data breach. The bill calls for OCR to consider the security practices that have been in place for the 12 months before a breach when deciding financial penalties for HIPAA violations in relation to the breach.

There have also been several temporary measures introduced in response to the 2019 Novel Coronavirus pandemic and COVID-19. OCR has issued four Notices of Enforcement Discretion to ensure the HIPAA Rules do not hamper the ability of healthcare organizations to respond to the pandemic, provide treatment, conduct COVID-19 tests, and administer vaccines. You can read about these temporary changes that apply during the Nationwide Public Health Emergency in this post.

No Excuse for Failing to Comply with the Recent HIPAA Changes

Complying with the recent HIPAA changes is not resource intensive, time-consuming or expensive. In the case of secure messaging, apps for secure messaging are free to download and most healthcare employees will be familiar with the text-like interface already. Administrators conducting a search for an old email will find secure text archiving a simpler process than currently available to them; while only employees visiting inappropriate websites will notice the presence of a web filter.

All three solutions have minimal maintenance overheads, require little training and are inexpensive to run. In terms of the efficiency savings they generate, the solutions for complying with the recent HIPAA changes are a worthwhile investment – and will cost covered entities far less than a fine from the OCR in the event of an avoidable data breach.

You can read more about the new HIPAA rules  and solutions for compliance, in our “HIPAA Compliance Guide”.