How Ohio Providers Can Stay HIPAA Compliant in 2022
Maintaining compliance with the Healthcare Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) is a constant source of frustration and uncertainty for healthcare providers in Ohio. But for nearly nine years there have been no significant updates to the regulation, which has made achieving compliance a relatively predictable task.
That’s likely to change in 2022, as the Department of Health and Human Services (HHS) prepares to release the first significant update to the regulation since 2013, when HITECH was first released. The updates come after years of proposing ideas and gathering feedback from healthcare stakeholders across the country.
While we can’t say for sure what the new HIPAA regulations will entail yet, there are some points that have received a great deal of attention and are likely inclusions. Here’s a guide to what Ohio providers need to know about the HIPAA changes.
The HIPAA Privacy Rule Will Get Stronger
In light of the COVID-19 pandemic, HHS is likely to make patients’ ability to access their PHI a greater focus. During the pandemic, many healthcare providers felt hamstrung in providing care to older adults without fast access to their medical records, which is why a significant portion of the proposed updates concern the HIPAA Privacy Rule.
Here are some specific proposals that HHS has indicated might be part of the new update:
- Shorten the response time for patient requests to access electronic protected health information (ePHI) from 30 to 15 days.
- Set new standards for permitted disclosure in emergency situations, where the needs are deemed either in good faith or in the best interest of the patient.
- Eliminate unreasonable verification procedures to allow patients easier access to their healthcare records.
In case you have any illusions about the Office of Civil Rights giving providers a pass on the right of access, you should think again. Here are just some of the high-profile right-of-access fines levied in the last few years.
- Banner Health settled a HIPAA Right of Access investigation in mid-2021, agreeing to a $200,000 settlement in the case.
- At the end of 2021, Children’s Hospital & Medical Center (CHMC) in Omaha, Nebraska, was hit with a Right to Access fine, in which the hospital was ordered to pay $80,000 in addition to corrective action, including one year of government monitoring. Notably, in this case the fine was levied for failing to provide access to a single health record.
In case you aren’t clear on what the HIPAA Right of Access entails: all healthcare providers must give patients the ability to review or obtain a copy of any electronic protected health information (ePHI), and covered entities must be ready to send a copy to an entity or individual at the patient’s request.
HIPAA Will Emphasize the Importance of NIST
Another area of the proposed HIPAA updates is an increased focus on “recognized security practices,” mirroring other recent action taken by the Federal Government, such as the passage of HR 7898, also known as the “Safe Harbor Act.”
Signed into law on January 5, 2021, by President Trump, the Safe Harbor Act is designed to incentivize healthcare organizations to adopt “recognized cybersecurity practices to improve their defenses against attack,” while also giving the Office of Civil Rights (OCR) greater leeway when calculating HIPAA penalties.
This focus on best practices means that when OCR investigates a HIPAA violation, it will first determine whether the provider took reasonable steps to implement cybersecurity best practices over the 12 months before the breach occurred. It also means that HHS can reduce the length and depth of an audit if those best practices were observed.
The concept of “best practices” refers to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. First developed by the U.S. Federal Government for protecting critical national infrastructure, it is now relied on by government agencies and healthcare providers alike to ensure the efficacy of their cybersecurity efforts.
To keep your HIPAA program consistent with these updates, now is a good time to perform an audit of your technology, ensuring that it’s aligned with the security controls outlined in NIST. Broadly, that means covering the framework’s five core functions:
- Identify: A deep analysis of your network environment, focusing on the systems and assets that contain or transmit ePHI. The identify phase helps ensure that policies around data governance and asset management are supported by a risk management plan that supports HIPAA compliance.
- Protect: With a clear picture of your cyber risks, your team can design security controls, information protection processes, and training programs to help lower your compliance risk. This phase also means integrating the best security technologies into your defenses.
- Detect: The ability to identify external threats to your organization’s ePHI involves having not just the tools, but also documented security procedures for detecting suspicious activity and monitoring the health of your systems.
- Respond: Your organization’s ability to identify and detect threats is critical to protecting ePHI, but you must also have a clear plan for containing the impact of a cybersecurity incident. This not only mitigates damage but also provides information for making continuous improvements.
- Recover: Your organization should also have a documented plan for recovering any systems that have been impaired by a cybersecurity incident, and should update those plans as your technology evolves.
According to the OCR, 94% of covered entities and 88% of business associates are failing the Risk Management section of the HIPAA audit.
HIPAA Paves the Way for Telehealth
During the COVID-19 pandemic, telehealth moved into the mainstream, as patients and providers alike sought to avoid the congestion and possible transmission associated with office and hospital visits. In the early days of the pandemic, the Federal Government launched a historic expansion of telehealth, allowing providers to use applications like Zoom, Google Hangouts, and Facebook Messenger without a Business Associate Agreement (BAA).
As we emerge from the pandemic, now is a good time to review your telehealth systems and prepare for stricter regulation. Here are some steps you can take to ensure long-term HIPAA compliance during telehealth:
- Create processes for gathering patient consent.
- Implement encryption to secure ePHI transmitted during telehealth.
- Ensure all telehealth vendors are aware of HIPAA’s new stipulations.
Speak with Ohio’s HIPAA and Compliance Partner
For decades the Astute Technology Management team has been helping doctors’ offices, clinics, and ambulatory surgery centers in Columbus, Cincinnati, and central Ohio manage and streamline their HIPAA compliance programs. Have a question for our friendly team? We’re here to help any time.