On January 21, 2021, OCR published a Notice of Proposed Rulemaking (NPRM) to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. OCR says, the goal is to “support individuals’ engagement in their health care, remove barriers to coordinated care, and decrease regulatory burdens on the health care industry, while continuing to protect individuals’ health information privacy interests.” New regulations under consideration are centered around how substance abuse and mental health information records are protected. In addition, the HITECH Act called for an increase in penalties for non-compliance with the HIPAA.
In this article we will address the most recent changes to HIPAA and discuss which rules may have an impact on 2022 and beyond.
2020 CARES Act
2020 CARES Act aligned 42 CFR Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations more closely with HIPAA as well. The CARES Act improves 42 CFR Part 2 regulations by expanding the ability of healthcare providers to share the records of individuals with substance abuse disorder, but also tightens the requirements in the event of a breach of confidentiality.
In short, rather than having to obtain a consent form for the SUD patient, and state the specific parties of whom information will be shared, patients can now give broad consent. It’s been suggested that HHS is considering changes to 42 CFR Part 2 regulations in 2022 to “to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided.”
2021 HIPAA Safe Harbor Law
The HIPAA Safe Harbor Bill now instructs HHS to take into account the cybersecurity best practices that a HIPAA-regulated entity has adopted in the 12 months preceding any data breach.
“The bill also requires the HHS to decrease the length and extent of any audits in response to those breaches if industry security best practices have been implemented” says HHS.
21st Century Cures Act
The Cures Act called for the HHS to create a new Rule that would improve the flow of healthcare data between providers, patients, and developers of Health IT. Implementing reasonable and necessary activities that do not constitute information blocking, the implementation of these provisions will advance interoperability and support the access, exchange, and use of electronic health information.
Final Rule Expected on Proposed Changes to the HIPAA Privacy Rule
According to HHS, “the proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information, including electronic information; improving information sharing for care coordination and case management for individuals; facilitating greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises; enhancing flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and reducing administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.”
The proposed new HIPAA regulations announced by OCR in December 2020 are as follows:
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
- Individuals will be permitted to request their PHI be transferred to a personal health application.
- States when individuals should be provided with ePHI at no cost.
- Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- Healthcare providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access.
…to name a few.
At Live Compliance, we make checking off your compliance requirements extremely simple.
- Reliable and Effective Compliance
- Completely online, our role-based courses make training easy for remote or in-office employees.
- Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location.
- Policies and Procedures curated to fit your organization ensuring employees are updated on all Workstation Use and Security Safeguards in the office, or out. Update in real time.
- Electronic, prepared document sending and signing to employees and business associates.
Don’t risk your company’s future, especially when we are offering a free Organization Assessment to help determine your company’s status. Call us at (980) 999-1585, or email Support@LiveCompliance.com or visit www.LiveCompliance.com