The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has not undergone significant regulatory change since 2013. Several HHS privacy and security initiatives have been proposed since then, but most remain stalled. HHS has now announced that it intends to take up some of these privacy and security rulemaking initiatives in 2020.
HHS Privacy and Security Regulatory Priorities: Accounting of Disclosures
The HIPAA Privacy Rule gives individuals the right to request an accounting of disclosures of their protected health information (PHI) from a covered entity. The accounting must cover disclosures made during the six years prior to the date of the request, and it must include disclosures made to or by the covered entity's business associates.
The 2009 HITECH Act directed HHS' Office for Civil Rights (OCR) to expand the accounting requirement to address disclosures of electronic protected health information (ePHI) made through an electronic health record, which the current accounting of disclosures rule does not specifically address. HHS' 2011 proposed rule implementing that mandate included an "access report" provision. Under this provision, healthcare providers would have been required to give patients, upon request, a complete list of every person and entity that had electronically viewed their PHI. Because the proposal significantly expanded the number of persons and entities whose names would have to be disclosed, it was met with negative feedback from providers and other entities, and it has remained largely unaddressed since 2011.
HHS' regulatory agenda for 2020 puts this proposal back on the table. The agenda states that HHS intends to begin work on a new notice of proposed rulemaking (NPRM) for accounting of disclosures this year, with a goal of issuing a final rule in April 2021.
HHS Privacy and Security Regulatory Priorities: Monetary Payments to Victims
Another HHS privacy and security regulatory priority on the agenda, which has been stalled since 2011, is a proposed rule under which OCR would establish a method for distributing a percentage of HIPAA civil money penalties and settlements to individuals harmed by privacy and security violations.
Currently, civil money penalties (CMPs) and settlement amounts are paid to OCR, not to the individuals affected. Because HIPAA does not contain a private right of action (that is, individuals cannot file a lawsuit to recover damages under HIPAA), this proposed rule, if implemented, would for the first time provide monetary relief to individuals actually harmed by a HIPAA violation.
Even if these proposed changes are made final, they would not become effective overnight. Typically, a year or more passes between issuance of a notice of proposed rulemaking and issuance of the final rule. During that period the public may comment on the proposed rule, and HHS takes those comments into account when deciding whether, and in what form, to adopt it.