The direction in which the government and healthcare providers are heading with regard to HIPAA and data security is becoming more clear. It has been approximately five years since the last major HIPAA update and while some believe that this is because HIPAA does not require any drastic amendments, others expect that the Department of Health and Human Services (HHS) will finally embrace a range of new changes.
In late 2018, the Office for Civil Rights (OCR) issued a request for information on possible updates to HIPAA. The changes mainly revolve around data sharing and care coordination. In February of 2019, OCR closed the commenting period and is expected to issue a notice of proposed rule making before the end of 2019.
However, change does not only occur in the form of amendments and updates, but also in the way the law itself is enforced. In 2018, OCR seemed to almost cease its enforcement of HIPAA, having only settled with three covered entities to resolve violations. But, halfway through the year, OCR began coming down heavily on violations and is not expected to ease up in 2019 and beyond. In fact, an increasing number of covered entities have been fined for non-compliance and news relating to this issue breaks almost every day.
Other aspects of HIPAA that will most likely change include the protection of substance abuse and mental health records. In an effort to diffuse the opioid crisis, HHS seeks to amend HIPAA to better protect the privacy of substance abuse patients in federal programs.
Moreover, HHS is looking to move towards a less burdensome HIPAA Rule that can help data flow through covered entities when needed rather than be an obstacle in its path. Legal obstacles often stand in the way of value-based care and coordinated care, two areas in healthcare that HHS aims to promote.
The rising awareness towards HIPAA and data sharing has made even non-compliant entities such as Facebook more wary of their privacy rules in order to accommodate users. After the social media giant was criticized for allegedly sharing data from closed health support groups with third parties for advertising purposes, a complaint was lodged with the Federal Trade Commission. As a result, Facebook has modified its application to allow users to make anonymous posts in the specially designed Health Support Groups.