The most talked-about issue in 2020 has been the public health crisis that is COVID-19. Along with it came several complications that affected the healthcare industry as a whole, from the practice of healthcare to the manufacturing of healthcare-related products to the security of healthcare information. News of shortages and the overloading of hospitals and other healthcare facilities has taken over different media platforms. Alongside these is the increased focus on, and changing restrictions around, the use, transportation, and permissible access of healthcare information. With the new circumstances that the world has been thrust into, HIPAA's regulations, enforcement, and rules are changing. These are all especially important to know about when running establishments where HIPAA compliance is crucial.
What are the new HIPAA regulations that are going to be introduced?
The influx of patients during the pandemic has clearly stalled several processes centered around the transfer of patient data. This can be crucial in emergency situations, as access to this type of information is key to several medical processes such as diagnosis, and generally to being able to admit and treat a patient. Hence, the movement towards relaxing several restrictions around access to Protected Health Information (PHI) has been prominent as of late.
The proposed changes to HIPAA that were announced by the Office of Civil Rights in late 2020 are:
- Enabling patients to personally inspect their PHI and allowing the use of cameras or notes to record their own PHI.
- Shortening the maximum period within which a person must be provided access to PHI from 30 days to 15 days.
- The transfer of PHI to a third party at the request of a patient will only be available for electronic PHI that is kept in an electronic health record.
- To ease application processes across different healthcare facilities, it was recommended that patients should now be able to request that their PHI be transferred directly to a personal health application.
- Covered entities that distribute ePHI must clearly state when it is provided for free. They must likewise state the estimated fees for PHI copies that are not free.
- Covered entities must also let patients know about their right to have a copy of their health information sent directly to a third party, especially in instances when said third parties merely offer a summary of their PHI.
- Covered entities are now mandated to respond to requests for records coming from other covered entities, such as healthcare providers and health plans/insurance, and must do so in compliance with HIPAA’s Right of Access.
- Notice of Privacy requirements have been relaxed so that covered entities are no longer required to obtain a written confirmation.
- In instances where there is imminent harm or a “seriously and reasonably foreseeable” risk, covered entities will be authorized to disclose PHI in order to mitigate threats that meet this qualification.
- As long as it is in the best interest of a patient and made in good faith, the minimum necessary disclosure of PHI by covered entities shall be allowable.
What are other changes to HIPAA’s enforcement protocols?
Ensuring that the guidelines and rules are followed goes hand in hand with the creation and modification of HIPAA rules and regulations. It is widely known in the healthcare industry that violating HIPAA protocols is not a walk in the park. Mass violations can result in millions of dollars in settlements, especially considering that HIPAA has been earnest with the enforcement of its rules. Many prominent cases that resulted in multimillion-dollar settlements happened during 2019. The year closed with about 19 settlements that totaled about 13.5 million dollars.
These are important reminders for covered entities to conduct sufficient risk analyses and deploy proper safeguards against breaches. The easiest way to learn about these safeguards is through HIPAA training. Some services even go as far as offering a competitive HIPAA online course.
Even with the extremely accessible nature of compliance, oversight is still a problem. As breaches were expected to increase in 2020, the Trump administration lowered the financial penalties for violations that are discovered during investigations.
So far, since the onset of HIPAA investigations, the total amount of settlements gained from the enforcement of HIPAA regulations is $135,058,482.00 across 95 cases of violations. The most prominent issues are:
- The unauthorized disclosure of PHI
- Insufficient safeguards to protect against the breach or impermissible access of PHI
- Inability for patients to access their own PHI
- Disclosures of PHI that are beyond the minimum necessary qualification
These violations are most often committed by:
- General Hospitals
- Private Practices and Physicians
- Outpatient Facilities
- Pharmacies
- Health Plans
What are other issues that are related to HIPAA that covered entities might encounter?
HIPAA and Vaccination
As vaccines are slowly rolled out, it is easy to be enthused and optimistic about the revival of the workforce and economy. It is important to remember, though, that there are still processes in place that may slow things down slightly. Immunization falls under the category of Protected Health Information. COVID-19 vaccination information can therefore only be disclosed by healthcare providers to employers through written authorizations.
The good news is that this process should not take too long!
Emphasis on Cybersecurity
Data had already proliferated around the internet prior to the “new normal”. However, with consecutive lockdowns, the globe saw a new way of communicating, working, and studying. Now, almost everything is online. Hence, it merits the increased vigilance of HIPAA towards cybersecurity threats. So, when auditing covered entities, it is likely that agents of HIPAA will look deeper into safeguards against cyber breaches. This is also given the fact that a variety of cyber threats appeared early in 2020 against hospitals and healthcare providers.