Our Security Risk Analysis includes a thorough review of your Administrative, Physical, and Technical Safeguards you have in place to protect Electronic Protected Health Information (ePHI).
What is HIPAA Compliance?
HIPAA (Health Insurance Portability and Accountability Act) was signed into law in 1996 to improve the portability of health insurance when people were changing jobs. The accountability portion of the law was designed to combat waste, fraud, and abuse in health insurance and the delivery of health care.
The Privacy Rule had an effective date for compliance by April 14, 2003 (April 14, 2004, for small health plans). Covered entities must have implemented standards to protect and guard against the misuse of individually identifiable health information. Failure to timely implement these standards, under certain circumstances, could trigger the imposition of civil or criminal penalties.
The privacy rule was designed to improve the efficiency and effectiveness of the health care system and included “Administrative Simplification” provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
The privacy rule explained how PHI should be disclosed and that authorizations from patients must be obtained before their personal information was disclosed.
Keep in mind, the Rule does not replace Federal, State, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.
The Security Rule was created to address the protection of electronic patient data. The Department of Health and Human Services (HHS) published a final Security Rule in February 2003. This Rule set national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans). In 2005 covered entities were not using electronic data very much so the Security Rule was ignored for many years.
The Enforcement Rule was enacted in 2006 due to the failure of many covered entities to fully comply with the HIPAA Privacy and Security Rules. The Enforcement Rule gave the Department of Health and Human Services (HHS) the power to investigate complaints against covered entities for failing to comply with the Privacy Rule, and to fine covered entities for breaches of ePHI due to not following the safeguards outlined in by the Security Rule.
The Office for Civil Rights was also given the power to bring criminal charges against offenders who fail to introduce corrective measures within 30 days.
The HITECH Act – The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. The HITECH Act addressed the privacy and security concerns associated with the electronic transmission of health information and that strengthened the civil and criminal enforcement of the HIPAA rules. The HITECH Act was also known as the “Interim Final Rule”.
The Omnibus Rule marked the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. The Omnibus Rule was known as the “Final Rule”. This rule has been a game changer since the Office for Civil Rights (OCR) could hold Business Associates and Subcontractors of Business Associates liable for data breaches. Meaning, anyone who has contact with Protected Health Information (PHI or ePHI) can be fined and penalized. It also gave patients more rights over their information. It streamlined the ability for patients to authorize the use of their health information for research purposes and made it easier for parents and others to give permission to share proof of a child’s immunization with a school. This rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The 21st Century Cures Act in 2021 was the next big change for HIPAA. The Cures Act major goal is to empower Americans to have access to their health data, delivered to their computers, cell phones, and mobile applications of their choice.
With nationwide, patient centered health IT can deliver a variety of benefits to patients. Here are some of the prospective goals:
- Transparency into the cost and outcomes of patient care
- Competitive options in getting medical care
- Modern smartphone apps to provide convenient access to their records
Under HIPAA, patients already have a legal right to their data electronically. The ONC Cures Act Final Rule is one step in this process by enhancing access to clinical data. With new rules and penalties for information blocking, this affects more than just covered entities.
Information Blocking is also one of the major issues when it comes to exchanging and accessing patient data. Using the term Electronic Health Information (EHI), IT developers of certified health information technology (health IT), an entity offering certified health IT, a health information exchange, or a health information network that are responsible for the exchange or access of data can face fines for up to $1M per incident for those organizations refusing to share patient data upon request. Some areas that are required is the immediate release of health information. In other words when this information is available to the medical provider (lab, imaging, notes, etc.), it must be made available to the patient.
The penalty structure for covered entities has not been finalized as of April 05, 2021, when the Cures Act became law. This should give ample time for all organizations to implement policies and procedures and communicate with vendors to ensure all are compliant. It is important to note that the outline of this law is based on requests from the patient.
The Proposed Changes to the Privacy Rule, 2021 The Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens. The proposals in the NPRM address these burdens while continuing to protect the privacy and security of individuals’ protected health information.
HHS, which delegated the authority to administer HIPAA privacy standards to the Office for Civil Rights (OCR), developed many of the proposals contained in the NPRM after careful consideration of public input received in response to the Department’s December 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care (2018 RFI).
Summary of Major Provisions
HHS has proposed to modify the Privacy Rule to increase permissible disclosures of PHI and to improve care coordination and case management by:
- Adding definitions for the terms electronic health record (EHR) and personal health application.
- Modifying provisions on the individuals’ right of access to PHI by:
- Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI.
- Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days. (from the current 30-day extension)
- Clarifying the form and format required for responding to individuals’ requests for their PHI.
- Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy.
- Reducing the identity verification burden on individuals exercising their access rights.
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR.
- Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access.
- Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR.
- Specifying when electronic PHI (ePHI) must be provided to the individual at no charge.
- Amending the permissible fee structure for responding to requests to direct records to a third party.
- Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.
- Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
- Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures. The minimum necessary standard generally requires covered entities to limit uses and disclosures of PHI to the minimum necessary needed to accomplish the purpose of each use or disclosure. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities with respect to an individual, regardless of whether such activities constitute treatment or health care operations.
- Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
- Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their “professional judgment” with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the best interests of the individual. The proposed standard is more permissive in that it would presume a covered entity’s good faith, but this presumption could be overcome with evidence of bad faith.
- Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable,” instead of the current stricter standard which requires a “serious and imminent” threat to health or safety.
- Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
- Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
- Expressly permitting disclosures to Telecommunications Relay Services (TRS) communications assistants for persons who are deaf, hard of hearing, or deaf-blind, or who have a speech disability, and modifying the definition of business associate to exclude TRS providers.
- Expanding the Armed Forces permission to use or disclose PHI to all uniformed services, which then would include the U.S. Public Health Service (USPHS) Commissioned Corps and the National Oceanic and Atmospheric Administration (NOAA) Commissioned Corps.
HHS carefully considered the extent to which each proposed modification would impact privacy protections compared to the likely benefit of making PHI more available for coordination of care or case management.
Effective and Compliance Dates
The effective date of a final rule would be 60 days after publication. Covered entities and their business associates would have until the “compliance date” to establish and implement policies and practices to achieve compliance with any new or modified standards. Except as otherwise provided, 45 CFR 160.105 provides that covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. HHS previously noted that the 180-day general compliance period for new or modified standards would not apply where a different compliance period is provided in the regulation for one or more provisions.
HHS believes that compliance with the proposed modifications should require no longer than the standard 180-day period provided in 45 CFR 160.105, and thus propose a compliance date of 180 days after the effective date of a final rule. Accordingly, OCR would begin enforcement of the new and revised standards 240 days after publication of a final rule.
HHS requests comment on whether the 180-day compliance period is sufficient for covered entities and business associates to revise existing policies and practices and complete training and implementation. For proposed modifications that would be difficult to accomplish within the 180-day timeframe, HHS requests information about the types of entities and proposed modifications that would necessitate a longer compliance period, how much longer such compliance period would need to be to address such issues, as well as the complexity and scope of changes and the impact on entities and individuals of a longer compliance period.
If you would like to read about this in its entirety, click this link:
HIPAA is no longer easy to understand or follow without proper Education and Support.
Aris protects their clients through Partnership, Education, and Support.