Businesses and organizations that interact with any medical records in the United States need to comply with HIPAA data privacy requirements. Originally defined in the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the regulations are designed to keep the Protected Health Information (PHI) of patients private.
When PHI is stored in electronic form on a computer or digital file, it is referred to as electronic Protected Health Information (ePHI). It is the responsibility of each organization’s selected compliance officer or head of compliance to ensure the safety and security of ePHI. This can be a dedicated compliance officer or another officer of the company that takes on this responsibility. Failure to comply with HIPAA regulations can result in substantial fines determined by the scope and severity of the violation.
Data breaches that expose ePHI are also extremely damaging to the reputation of the victimized organization and can result in the loss of consumer confidence and business opportunities. There is also immeasurable damage to patients whose confidential information has been compromised.
The Impact of COVID-19 on HIPAA Enforcement
The COVID-19 pandemic has led to a heightened awareness of the need to balance the delivery of quality healthcare with the desire to protect the privacy of individuals’ ePHI. To address these concerns, the Department of Health and Human Services (HHS) modified enforcement of HIPAA compliance in 2020. The changes will remain in place until the HHS Secretary declares that the public health emergency is over.
HHS announced the temporary flexibilities in March and April by the release of Notices of Enforcement Discretion. These notices are intended to make sure HIPAA compliance does not jeopardize the delivery of quality patient care. The aim is to help organizations handle the challenges of testing and treating COVID-19 patients.
The Notices of Enforcement Discretion address several specific areas of providing healthcare services including:
- Permitting flexibility in telehealth remote communications to empower providers to fully serve their patients
- Reducing restrictions on business partners from sharing PHI with agencies such as the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS) in an attempt to more effectively fight the pandemic
- Limiting HIPAA violation enforcement with organizations operating community-based COVID-19 testing centers
- Loosening the restrictions regarding the online and web-based scheduling of COVID-19 vaccinations while outlining what video services cannot be used.
- Explicitly stating that HIPAA violations can still occur. The loosening is strictly for video conferencing and web-based scheduling.
Hopefully, HHS will be able to declare the public health emergency is over shortly. Organizations subject to these notices need to be flexible in preparing to revert to pre-pandemic levels of adherence to HIPAA guidelines. In addition, they need to be prepared for proposed and implemented changes to HIPAA regulations this year.
Changes to HIPAA Regulations in 2021
The regulatory world does not stand still. HIPAA regulations are constantly evolving to meet the challenges of new technology and the privacy demands of the public. Industry best practices guide how your company establishes HIPAA controls, alongside the additional regulations created by HHS’ Office for Civil Rights (OCR).
Proposed Updates to the HIPAA Privacy Rule
The HHS’ OCR issued a Notice of Proposed Rulemaking on December 10, 2020, that addressed changes to the HIPAA Privacy Rule. The following categories are among the modifications under consideration:
- Definitions have been proposed for Electronic Health Records (EHRs) and Personal Health Applications to clarify inconsistencies in how the terms are used.
- Individuals’ right to access their PHI is strengthened by defining standards that providers must follow to make PHI readily available. Patients also have more control over which third parties have access to their PHI.
- Fees for providing copies of PHI and ePHI to patients have been adjusted. The updates also clarify when a patient is entitled to ePHI with no charge.
If and when these proposed updates are implemented, it may entail a major overhaul of the practices engaged in by healthcare providers and patients.
Healthcare expert JoAnne King explains her take on how the healthcare field must move forward into the digital age.
Cybersecurity Safe Harbor Provision Added to the HITECH Act
A Cybersecurity Safe Harbor Provision was added to the HITECH (Health Information Technology for Economic and Clinical Health) Act as a result of the passage of U.S. HR 7898. The law intends to ensure that all entities involved in handling PHI and ePHI are following the HIPAA security standards currently in place. It defines these standards as recognized security practices.
The law requests that an organization’s adherence to the recognized security practices be taken into consideration when fines for HIPAA noncompliance are assessed. Entities following these practices will be subject to lesser fines than those that do not.
Updates to the Fine Structure for HIPAA Violations
Fines are calculated using a four-tiered model that considers the scope and severity of a privacy violation. Organizations that willfully neglect the protection of ePHI are subject to larger fines than those that have been breached despite their best efforts.
The maximum fine for all tiers was previously $1.5 million. That has been changed for the lesser three tiers of violations. Tier-four offenders who demonstrate willful neglect and lack of effort to address the violation are still subject to the old maximum fine.
The Future of HIPAA
HIPAA compliance standards will continue to evolve to address changes in technology, privacy concerns, and public health emergencies like the COVID-19 pandemic. Organizations in the healthcare industry need to stay apprised of changes to the regulations to avoid being in violation. Besides exposing the organization to fines, non-compliance puts sensitive patient information at risk, which should be a major consideration for all professionals working in the healthcare field.
About the Author
Atlantic.Net contributed this content. Atlantic.Net is a HIPAA Compliant Cloud Provider. Connect with Atlantic.net @atlanticnet