HIPAA 2021: Eight Expectations for the Year Ahead

In 2021, HIPAA covered entities and business associates can expect a variety of changes with respect to how HIPAA is regulated and enforced. Eight specific HIPAA 2021 changes are discussed below.

HIPAA 2021: 1. Cybersecurity Safe Harbor


In early January of 2021, President Trump signed into law H.R. 7898, which has been nicknamed the “HIPAA Cybersecurity Recognized Best Practices Bill.” The bill amends the HITECH Act to require the Department of Health and Human Services (HHS) to consider whether a covered entity or business associate has met recognized security practices when HHS makes certain determinations, such as whether to bring an enforcement action, select an entity for an audit, or issue a monetary penalty.


The bill requires HHS to consider whether the covered entity or business associate has adequately demonstrated that it had recognized security practices in place for not less than the previous 12 months. If these measures were in place, HHS can lower the amount of a fine and decrease the length and extent of an audit.

“Recognized security practices” include:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
  • The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
  • Programs and practices that are developed in, recognized by, or set forth in federal laws other than HIPAA.

HIPAA 2021: 2. Proposed Regulatory Changes to Privacy Rule

HIPAA 2021 changes may be coming to the HIPAA Privacy Rule. HHS recently proposed significant changes to the Privacy Rule, which include the following.

Reducing Identity Verification Burdens.

Under the proposed changes, providers and health plans would be required to submit individual access requests to another provider, and to receive back the requested electronic copies of the individual’s PHI in an electronic health record (EHR). Providers and health plans would be required to respond to certain records requests received by other providers and health plans when directed by individuals under the right of access.

Improving Information Sharing.

To improve information sharing, HHS has proposed to modify the Privacy Rule to state that under the proposed changes, covered entities need not limit certain uses and disclosures of PHI to the minimum necessary to accomplish the purpose of each use or disclosure. Covered entities would not need to follow the minimum necessary standard with respect to uses by, disclosures to, or requests by, a health plan or covered healthcare provider for care coordination and case management activities with respect to an individual.

Disclosure of PHI to Third-Parties.

HHS has proposed to expand the scope of covered entities’ ability to disclose PHI to third-parties (social services agencies, community-based organizations, home and community-based service providers) that provide health-related services, to facilitate coordination of care and case management for individuals.

Disclosures Based on Professional Judgment.

Currently, providers may make certain uses and disclosures of PHI based on their “professional judgment.” HHS has proposed to replace this standard with a more lenient one that permits such uses or disclosures based on a covered entity’s good-faith belief that the use or disclosure is in the best interests of the individual.

Disclosures to Prevent Threat to Health or Safety.

HHS has proposed to expand the ability of providers to disclose PHI to avert a threat to health or safety when a harm is “serious and reasonably foreseeable.” This would replace the current, stricter standard, which requires a “serious and imminent” threat to health or safety. The expansion would give providers greater latitude in deciding when to disclose PHI in emergency or life-threatening circumstances, such as the opioid and COVID-19 public health emergencies.

HIPAA 2021: 3. Proposed Changes to the Privacy Rule’s Right of Access

HHS’ proposed changes to the Privacy Rule include a significant revision of the HIPAA Privacy Rule’s right of access provision. The proposed 2021 HIPAA changes to the right of access provision include:

  • Strengthening individuals’ rights to inspect their PHI in person, which includes allowing individuals to take notes or use other personal resources to view and capture images of their PHI;
  • Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension);
  • Clarifying the form and format required for responding to individuals’ requests for their PHI;
  • Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third-party when a summary of PHI is offered in lieu of a copy;
  • Reducing the identity verification burden on individuals exercising their access rights;
  • Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered healthcare providers and health plans, by requiring covered healthcare providers and health plans to submit an individual’s access request to another healthcare provider and to receive back the requested electronic copies of the individual’s PHI in an EHR;
  • Requiring covered healthcare providers and health plans to respond to certain records requests received from other covered healthcare providers and health plans when directed by individuals pursuant to the right of access;
  • Limiting the individual right of access to direct the transmission of PHI to a third-party to electronic copies of PHI in an EHR;
  • Requiring providers to specify when electronic PHI (ePHI) must be provided to the individual at no charge;
  • Amending the permissible fee structure for responding to requests to direct records to a third-party; and
  • Requiring covered entities to post estimated fee schedules on their websites for access and for disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests.

HIPAA 2021: 4. Telemedicine Enforcement Discretion To Continue

At the onset of COVID-19, the Office for Civil Rights (OCR) announced that it would exercise enforcement discretion by not penalizing providers and their business associates who provide telehealth services through non-public-facing apps that are not fully HIPAA compliant. Some experts had predicted that OCR would revoke the enforcement discretion when patients started to visit their doctors in person last fall.


However, as the number of COVID-19 cases has risen sharply since then, causing patients to revert to telehealth, it does not appear likely that the enforcement discretion will be revoked in the immediate future. Nonetheless, covered entities and business associates providing telehealth services should remain vigilant about their overall HIPAA Privacy Rule and Security Rule compliance.

HIPAA 2021: 5. No More Health Information Blocking

One of the more significant HIPAA updates for 2021 is that the CMS interoperability and information blocking rule will go into effect on April 5, 2021. This rule requires Medicare and Medicaid providers to give patients greater access to their ePHI. Specifically, the rule requires Medicare and Medicaid providers to:

  • Implement and maintain a secure, standards-based (HL7 FHIR Release 4.0.1) API (Application Programming Interface) that allows patients to easily access their claims and receive information, including cost, through a third-party app of their choice.
  • Make provider directory information publicly available via a standards-based API.
  • Send electronic patient event notifications of a patient’s admission, discharge, and/or transfer to another healthcare facility or to another community provider or practitioner.

Providers who restrict the authorized access, exchange, or use of electronic health information for treatment and other purposes permitted under applicable state or federal law will be publicly reported by CMS as having engaged in information blocking.

HIPAA 2021: 6. Business Associates Beware

No discussion of a HIPAA 2021 update would be complete without mention of the fact that, in 2020, OCR issued a record 19 fines for HIPAA noncompliance. One notable fine was levied against a business associate, CHSPSC LLC (CHSPSC), which provides business associate services to hospitals and clinics. CHSPSC was infiltrated by a cyberattack in which the attackers gained access to the ePHI of over six million patients over a period of several months. OCR fined CHSPSC $2.3 million for longstanding, systemic noncompliance with the HIPAA Security Rule.

OCR specifically cited CHSPSC’s failure to conduct a security risk analysis. The findings of the 2016-2017 HIPAA Audits Industry Report should serve as a wakeup call to business associates. The audit results indicated that only 17% of business associates were substantially fulfilling their regulatory responsibility to safeguard the ePHI they hold through risk analysis activities. The audit findings indicated that business associates generally failed to:

  • Identify and assess the risks to all of the ePHI in their possession.
  • Develop and implement policies and procedures for conducting a risk analysis.
  • Identify threats and vulnerabilities, consider their potential likelihoods and impacts, and rate the risk to ePHI.
  • Review and periodically update a risk analysis in response to changes in the environment and/or operations, security incidents, or occurrence of a significant event.
  • Conduct risk analyses consistent with policies and procedures.

Several malicious cyberattacks this year, including the Trickbot attack aimed at hospitals and providers, and the SolarWinds breach, which compromised the security of at least ten federal agencies, exposed the vulnerability of the healthcare sector to cyberattacks. As these attacks continue, OCR enforcement activity focusing on business associates’ failure to comply with the Security Rule is likely to continue.

HIPAA 2021: 7. Health Information Exchanges and Public Health Authorities

Another one of the 2021 HIPAA updates to the Privacy Rule centers on health information exchanges. Health information exchanges (HIEs) are organizations that enable the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities. These entities include healthcare providers, health plans, and business associates. HIEs played an essential role in the pandemic by aggregating public health data and providing alerts to public health officials.

In December of 2020, OCR issued guidance supporting the use of HIEs to report data to public health authorities. The guidance provides that even when a provider does not authorize an HIE to disclose information to public health authorities, and even when there is not a direct request from a public health authority, the HIE may share the data. Experts expect OCR to continue supporting HIEs’ role in both public health emergencies and in care coordination generally.

HIPAA 2021: 8. NPPs and Breach Notification: The Devil is in the Details

The report of the findings of OCR’s 2016-17 audits of covered entities was released in December of 2020. Two of the findings should cause providers to take notice. According to the report, most covered entities failed to provide all of the required content for a Notice of Privacy Practices. In addition, most covered entities failed to provide all of the required content for breach notification to individuals. When it comes to audit findings, the past is prologue: given that OCR has identified these two issues as widespread, OCR will no doubt be on the lookout for NPPs and breach notifications that lack required specific content.
