HIPAA has become more important now than ever before as more people are relying on telemedicine and other forms of online care. In March 2020, the U.S. Office for Civil Rights (OCR) division of the Department of Health and Human Services (HHS) announced that it would not apply penalties for "non-compliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency." This mandate will continue into 2022 as more people utilize Telehealth services across the nation.
Despite relaxed measures, 2020 still saw some record-breaking fines handed out for HIPAA violations. As outlined by Jessica Davis at Health IT Security, Banner Health, which is one of the largest US health systems, reached an agreement with the OCR for $200,000. This penalty and subsequent corrective action plan were brought forth to resolve potential violations of the HIPAA Privacy Rule Right of Access standard. The action was taken after two patients experienced severe delays in receiving their health records from the organization. In one instance, it is alleged an individual requested access to medical records in December 2017 but didn't receive the information until five months later in May 2018. When working in healthcare, time is of the essence, and delaying records can indirectly result in missed diagnoses among other serious complications.
More changes may be coming to HIPAA. What should you expect? Keep reading and we'll let you know.
What is HIPAA?
In case you are in need of a simple reminder, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
What are the Proposed Changes?
- Notice of Privacy Practices (NPP): A covered entity would no longer need to obtain a patient's approval by way of acknowledgement or signature with regard to receipt of the NPP (a document a HIPAA-covered provider must distribute to its patients). This proposal would also change the header on an NPP document to include information on how patients can access their healthcare information, who their designated contact is and how to file complaints regarding HIPAA infractions.
- Allows covered entities more disclosure capabilities: Proposed changes would allow the covered entity to more easily disclose a patient's personal health information (PHI) with other providers. This would be done to more easily coordinate care and other services related to the patient's treatment. Allowable disclosures can happen amongst other organizations that offer healthcare-related services.
- Removing the minimum necessary standard in certain scenarios: In this proposal, when a request for PHI disclosure is made by a healthcare plan or provider, information can be sent without meeting the minimum necessary standard.
For example, if a health plan requests that a healthcare provider disclose a patient's PHI for coordination of care, with regard to an individual's participation in the plan's wellness program, the healthcare provider could disclose the PHI without looking into whether the disclosure actually meets the minimum necessary standard. (Lexology)
- Lenient disclosure of PHI: When a patient is experiencing substance abuse disorders, significant mental health problems or other related issues, a healthcare provider would be able to disclose their PHI more easily based on the notion of "reasonable threat". Prior to the proposed change, a healthcare provider would have had to note that a threat to a patient's health was "imminent", in order to disclose PHI to other providers.
- Quicker access to PHI for patients: Patients have always had a right to retrieve their PHI if requested. However, the methods to do so were often limited, with requests taking long periods of time to complete. New rules proposed would allow patients to gather their PHI in more ways, while also speeding up the process. Changes would allow patients to take notes, photos and videos to capture their PHI. Obtaining PHI via a USB stick would still be prohibited.
Penalties For Disobeying HIPAA Guidelines
So, what happens if you don't comply? This infographic gives healthcare providers a general idea of what penalties for HIPAA non-compliance can look like. The penalty administered is dependent on numerous factors including the scale of the offense.
Image courtesy of Secure Drive
The newly proposed changes aim to relax rules and improve the flow of information between patients and providers, while maintaining data security.
With the risk of patient data being compromised and the severe penalties that go along with that scenario, it is important that all healthcare organizations stay on top of changes to HIPAA.