The last few years have provided the healthcare industry with new scenarios surrounding access to healthcare, including telemedicine, community Covid-19 testing clinics, and a greater need for patient data access. HIPAA regulations have been challenged by some of these changes, and as a result, rules and regulations are adapting to meet changes in technology, access, and patient expectations.
Updates to the Health Insurance Portability and Accountability Act (HIPAA) move slowly. The rules that provide privacy standards protecting medical records and protected health information (PHI) are overseen by the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR).
HIPAA regulations are reacting to changes in technology, access, and patient expectations. It’s important to know how your organization may be affected.
While Slow, HIPAA Rules Do Change
In 2020, changes were made to provide easier sharing of patient data through APIs, enabling healthcare providers to share patients’ electronic health records with healthcare organizations using other patient management software. Additionally, patients can allow their information to be shared with a third-party app and, when accessed electronically, the patient data contained in electronic health records will be provided to patients at no additional cost.
Adjustments were made to improve the interoperability and patient access to healthcare data, allowing patients greater ability to manage their healthcare data. This includes a rule for health insurers to share cost information with third-party apps, providing patients information about what kinds of expenses they may need to pay for out-of-pocket.
Allowances were also made related to the pandemic. The OCR issued a Notice of Enforcement Discretion that it would not impose penalties for providers using applications that do not fully comply with HIPAA, like Zoom, Skype, and Facetime. It also issued a Notice of Enforcement Discretion addressing community-based testing sites for the duration of the emergency. And it provided specific allowances regarding disclosure of protected health information to support public health oversight activities related to Covid-19.
Another federal upgrade is underway for HIPAA Regulations in 2021, including aligning the 2020 CARES Act with patient privacy regulations. Changes in response to COVID-19, especially to telehealth remote access, online scheduling programs, rules affecting community-based Covid-19 testing sites, and details surrounding business associate agreements and information disclosure, are included in the 2021 change.
HIPAA Compliance Checklist
While there are many changes to HIPAA, the directive to secure protected health information has not changed. Organizations have up-to-date information on HIPAA compliance.
This checklist details the rules concerning privacy, security, and breach. These rules help healthcare organizations maintain effectiveness and efficiency, while managing mandates and patient expectations.
Recognize If You’re a Covered Entity
While knowing if you are considered a covered entity sounds simple, many businesses deal with PHI and may not think of themselves as healthcare entities. Healthcare providers, insurance companies, and healthcare clearinghouses are all fairly obvious covered entities.
Consider a massage therapist, however. A massage therapist working in a yoga studio may not be a covered entity, whereas a massage therapist working in a healthcare mall may be a covered entity without realizing it. If you’re unsure if you’re a covered entity, seek guidance from a compliance partner.
Understand the HIPAA Privacy Rule
Staff training is a critical step in managing PHI privacy. Understanding both the rule and the reason for the rule help make sure that PHI is protected in your organization.
Healthcare and insurance organizations and other covered entities must undergo training, and some businesses that work with compliant organizations also need appropriate training. Training is often included in the disaster recovery and business continuity plan as part of a prevention strategy.
It can be helpful to have a compliance partner to help you understand the most recent regulations and their impact on your organization.
Use HIPAA Compliant Electronic Health Records (EHR & EMR)
In the past, providers stored patient medical records in onsite and offsite storage. While this form of PHI storing still exists, currently, most health providers use web-based EHR and EMR to store patient medical records. HIPAA regulates who can access and retrieve these records. They also manage how this information is electronically stored.
EHR was designed to minimize medical errors. Because of the risk of bad data, HIPAA requires providers to use HIPAA standard software.
The HITECH Act (Health Information Technology for Economic and Clinical Health) requires that the Secretary of Health and Human Services (HHS) consider “recognized cybersecurity practices” when deciding penalties for HIPAA violations.
Meet HIPAA Security Standards
Security defined by HIPAA breaks down into four technical standards. These levels align with administrative and physical safeguards, ensuring the protection of patient information.
- Access. Providers must implement procedures limiting access to electronic PHI to authorized personnel only.
- A/C (Audit Controls). Hardware or software must be available to document access in IS (Information Systems). All entries to electronic protected health information require recording.
- Integrity Controls. Controls that ensure electronic PHI is not manipulated or improperly destroyed.
- Transmission Security. Technical security procedures must be in place to protect unauthorized access to e-PHI.
These standards focus on the technology behind protective measures used to safeguard PHI.
Recognize a HIPAA Violation
Common breaches include
- Access to PHI by cyberattack (hacking, ransomware, or malware)
- Theft of equipment that stores PHI
- Discussion of PHI in non-private spaces
- Posting PHI accidentally or intentionally
- Sending PHI to the wrong person
- Printing documents with PHI on a publicly accessible printer
- Access by a former employee whose access wasn’t terminated
Know How to Provide a Breach Notice
In the event of a breach, covered entities must supply affected individuals with a notice of the breach.
A HIPAA Breach Notification Rule requires notifications to be issued to affected individuals within 60 days of discovering a breach. If the breach affects 500 or more individuals, the covered entity must notify OCR within 60 days. Additionally, the entity must also notify a prominent media outlet serving the state or jurisdiction in which the breach occurred. In some cases, an entity must also post about the breach on their website.
Be Aware of Penalties for Violations
HIPAA violations range from $100 to $50,000 per violation. In some cases, criminal charges are invoked by the Department of Justice. A covered entity could be fined and sentenced to 10 years in prison, depending on the severity of the breach.
Covered entities need to understand the complexities concerning protected health information. Patients have rights, and it is the duty of healthcare organizations to ensure they honor these rights as outlined in the HIPAA compliance checklist.
Post Topic(s): COMPLIANCE