HIPAA 2022

What will HIPAA 2022 bring? Picture the end of 2020. A raging COVID pandemic, for which vaccinations had only started. An outgoing Presidential administration giving the reins to a new one. And, in the middle of all of this, some seeds planted by the federal government seemed bound to blossom into changes in HIPAA law and regulations. 

At the end of 2020, a proposal from the Department of Health and Human Services (HHS) to revamp the HIPAA Privacy Rule to make it more patient-friendly was put on the table. A new Information Blocking Rule, implemented to prevent information blocking by healthcare providers, technology companies, and exchanges, had just become effective. An end-of-the-year HHS proposal to put more teeth into the HIPAA right of access had also just been announced.

2021, from a HIPAA perspective, was very much shaping up to be The Year of the Patient. Flash forward to the end of 2021. The proposed revamp of the Privacy Rule, designed to put patients in the driver’s seat, is still that – a proposal. The proposed changes to the right of access have yet to be implemented. HHS HIPAA activity in 2021 very much reflected the news of that year: In January, a new presidential administration came to power. The COVID-19 pandemic raged on, but vaccines were finally available, along with increased access to telehealth. What we got from HHS in 2021, then: installation of a new Director for the Office for Civil Rights, expansion of COVID-19-related enforcement discretion, and issuance of guidance on HIPAA, COVID-19 vaccinations, and the workplace. Some HIPAA 2022 predictions are offered below.

HIPAA 2022 Predictions: Securing the Blessings of HR 7898

In early January of 2021, HR 7898, which has been nicknamed the “HIPAA Cybersecurity Recognized Best Practices Bill,” was signed into law. The bill amends the HITECH Act to require the Department of Health and Human Services to consider whether a covered entity or business associate has met recognized security practices when HHS makes certain determinations, such as whether to bring an enforcement action, select an entity for an audit, or issue a monetary penalty.

The bill requires HHS to consider whether the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place. If these measures were in place, HHS can lower the amount of a fine and decrease the length and extent of an audit. 

Under this legislation, “recognized security practices” include:

  • Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
  • The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015.
  • Programs and practices that are developed in, recognized by, or outlined in, federal laws other than HIPAA.

Yeah, that’s helpful.

The HIPAA cybersecurity world waited all year for HR 7898 regulations that would have provided more details and fewer acronyms. The regulations have yet to be issued. All the same, HHS has given us a pretty decent hint of what constitutes Section 405(d) “recognized security practices.” HHS put its cards on the table in early December of 2021, by issuing its “HHS 405(d) Aligning Health Care Industry Security Approaches” guidance.

This guidance offers a main document, two technical volumes, and resources and templates for small, medium, and large healthcare organizations. A key component of the guidance is its “10 Best Practices” to improve cybersecurity.

These best practices cover the following areas:

  • Access Management
  • Asset Management
  • Cybersecurity Policies
  • Data Protection & Loss Prevention
  • Email Protection Systems
  • Endpoint Protection Systems
  • Incident Response
  • Medical Device Security