Data privacy and protection are essential in modern business. The volume of personal data held in databases is enormous, and each of those stores is a potential source of harm to the individuals it describes. This is particularly true in the healthcare industry.
To guard against privacy failures in that field, U.S. lawmakers enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These laws impose strict privacy rules and rigorous cybersecurity standards on the healthcare providers, health plans (including insurers), and clearinghouses that handle sensitive health data, and on the business associates that handle it on their behalf.
Given the rapid evolution of health IT services, the rules are revised from time to time to ensure that their data protection and cybersecurity standards keep pace with changing threats.
One such revision of the HIPAA Privacy Rule is under way now. Below, you will find the most recent proposed updates and additions.
The Proposed HIPAA Modifications
In January 2021, the U.S. Department of Health and Human Services (HHS) published a proposed rule to modify the HIPAA Privacy Rule to facilitate "the transition to value-based health care." The main changes are:
Changes to the NPP
Under the proposed rule, covered entities (the providers, health plans, and clearinghouses directly subject to HIPAA) would no longer be required to obtain an individual's written acknowledgment that they received the Notice of Privacy Practices (NPP). Instead, the NPP would have to tell individuals that they may discuss it with a person designated by the covered entity.
In addition, the new regulation would require that the NPP state, in its header, how individuals can:
- Access their health information,
- File a HIPAA complaint,
- Contact the covered entity's designated person with questions about the notice.
Coordinated Care and Care Management Support
The proposed modification would also allow covered entities to disclose Protected Health Information (PHI), for care coordination and case management, to third parties that provide health-related services, such as community-based organizations, home and community-based service providers, and social service agencies.
In addition, the amendment substantially lowers the barriers for individuals to direct that their PHI be sent to entities that are not subject to HIPAA.
Broadened Disclosures of PHI
The amendment would make it easier for covered entities to share PHI with family members, caregivers, and others involved in the care of individuals experiencing a substance use disorder, serious mental illness, or a mental health emergency.
The threshold for disclosing PHI to avert harm would change from a "serious and imminent" threat to a "serious and reasonably foreseeable" threat to health or safety. Covered entities would also be permitted (not required) to disclose PHI based on a "good faith belief" that doing so is in the individual's best interest, replacing the stricter "professional judgment" standard of the current rule.
More Rights for Individuals to Access Their PHI
The proposed rule would give individuals greater access to their protected health information. People would be able to take notes, photos, or videos, and use other personal resources, to view and record their PHI when inspecting it in person.
The amendment would also shorten the deadline for covered entities to provide individuals access to their PHI from 30 calendar days to no more than 15 calendar days, with a single 15-day extension permitted.
In-person inspection of PHI, and access through an internet-based method, would be free of charge; the permitted fees for sending copies of PHI to third parties would be revised; and covered entities would be required to post their fee schedules on their websites.
Added Definitions
The proposed rule also adds two new definitions:
Electronic Health Record
Drawing on the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act), HHS proposed adding to the Privacy Rule the HITECH definition of an Electronic Health Record (EHR): "an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff."
Personal Health Application
Additionally, HHS proposed defining a personal health application as:
an electronic application used by an individual to access health information about that individual in electronic form, which can be drawn from multiple sources, provided that such information is managed, shared, and controlled by or primarily for the individual, and not by or primarily for a covered entity or another party such as the application developer.
Concerns Over Healthcare Privacy
Overall, the proposed modification of the HIPAA Privacy Rule was well received by its key stakeholders. It also, however, raised several concerns, which can be summed up as follows:
Provides Non-HIPAA Entities Access to Sensitive Information
The Association of American Medical Colleges (AAMC), in its response to the proposed rule, expressed concern that the changes would let third-party entities not covered by HIPAA obtain patient data without HIPAA's safeguards and protections applying to it.
Loosens Safeguards
The American Medical Association (AMA) expressed great concern over reducing the formalities for sharing information with third parties at an individual's direction. Without a written request requirement, a misheard or misattributed verbal request could lead to PHI being forwarded to the wrong recipient and to unauthorized access.
The proposed modification also raises concerns about PHI that individuals direct to personal health applications. Once data leaves a covered entity for an application that is not subject to the HIPAA Security Rule, HIPAA's administrative, physical, and technical safeguards no longer apply to it, and a breach on that side can still expose information that originated with the covered entity.
Added Regulation Complexity
Most healthcare organizations and insurers that submitted feedback on the proposed amendment agreed on one primary concern: the substantial increase in the complexity of reconciling the new requirements with other federal and state laws.
The California Hospital Association (CHA), the American Hospital Association (AHA), and the AAMC highlighted the difficulty of implementing the new HIPAA policies alongside the federal interoperability and information blocking rules, the CARES Act, other federal laws, and state data protection laws.
Stay Current on the Latest HIPAA Regulations With ZenGRC
Managing ever-changing data protection regulations, especially in the healthcare sector, is difficult. Dealing with daily risks while keeping up with regulatory changes can quickly become unmanageable when done manually.
This is why Reciprocity designed ZenGRC, a governance, risk, and compliance (GRC) tool that helps companies monitor their internal policies and the external regulatory requirements that apply to them.
ZenGRC can map a single control to multiple data protection regulations, so you only have to do the work once. Additionally, ZenGRC updates in real-time to changing laws, so you always know where you stand.
Built on multiple national and international frameworks, ZenGRC provides the essential tools for any data protection, risk management, or compliance office, with the support of experts.
To learn more, book a free demo today.