New HIPAA Regulations in 2021
It has been several years since new HIPAA regulations have been introduced but that is likely to change very soon. The last update to the HIPAA Rules was the HIPAA Omnibus Rule changes in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. There are, however, expected to be several 2021 HIPAA changes as OCR has issued a Notice of Proposed Rulemaking in December 2020 that outlines several changes to the HIPAA Privacy Rule.
The Trump Administration’s policy of two regulations out for every new one introduced was always likely to mean any new HIPAA regulations in 2020 would be limited, as first there would need to be some removal of regulations.
In 2019 and 2020, updates under consideration included changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided.
There have been calls from many healthcare stakeholder groups to align Part 2 regulations more closely with HIPAA to allow clinicians to view patients’ entire medical records, including SUD records, to get a complete view of a patient’s health history to inform treatment decisions. If details of treatment for SUD are withheld from doctors, there is a risk that a patient may be prescribed opioids when they are in recovery.
There was progress on this front in 2020, not through HHS or OCR rulemaking, but instead as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
2020 CARES Act Aligns 42 CFR Part 2 Regulations More Closely with HIPAA
The CARES Act was passed by Congress on March 27, 2020 to ensure that every American has access to the care they need during the COVID-19 pandemic and to address the economic fallout from the 2019 Novel Coronavirus and COVID-19.
Individuals suffering from substance abuse disorder (SUD) must also be able to get the treatment they need during the COVID-19 pandemic, which has meant changes needed to be made to 42 CFR Part 2 regulations.
The CARES Act improves 42 CFR Part 2 regulations by expanding the ability of healthcare providers to share the records of individuals with SUD, but also tightens the requirements in the event of a breach of confidentiality. In short, the changes made by the CARES Act have aligned 42 CFR Part 2 regulations more closely with HIPAA.
The change to 42 CFR Part 2 regulations is based on the Legacy Act, which was introduced by Sens. Capito (R-WV) and Manchin (D-WV). Rather than having to obtain consent from a SUD patient for each use or disclosure, with the consent form naming the specific parties with whom the information will be shared, patients can give broad consent for their SUD records to be shared for the purposes of treatment, payment, and healthcare operations.
The SUD records can then be shared by a covered entity or business associate for all TPO reasons, as is the case with HIPAA. Uses and disclosures must be limited to the minimum necessary information and consent can be withdrawn (in writing) by the patient at any time. The CARES Act also allows SUD information to be shared with a public health authority if it is de-identified in accordance with HIPAA Rules.
Protections have been put in place for SUD patients, which place limitations on the use of SUD records in criminal, civil, or administrative investigations or proceedings, and there are prohibitions on discrimination against patients suffering from SUD. The same breach notification requirements as HIPAA will apply, so any data breach will require the patient to be notified without unnecessary delay, and no later than 60 days from the discovery of the breach.
How are New HIPAA Regulations Introduced?
The process of making HIPAA updates is slow, as the lack of HIPAA changes in 2019/20 has shown. It has now been more than 7 years since there was a major update to HIPAA Rules and many believe changes are now long overdue. Before any regulations are changed, the Department of Health and Human Services seeks feedback on aspects of HIPAA regulations which are proving problematic or, due to changes in technologies or practices, are no longer as important as when they were signed into law.
After considering the comments and feedback, the HHS then submits a notice of proposed rulemaking followed by a comment period. Comments received from healthcare industry stakeholders are considered before a final rule is issued. HIPAA-covered entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and the HIPAA changes are enforceable.
Proposed Changes to HIPAA in 2020
Changes to HIPAA regulations in 2020 under consideration included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate with other caregivers to deliver better care to patients at a lower cost. Also being considered were some aspects of the HIPAA Rules that have been proving unnecessarily burdensome for HIPAA covered entities and provide little benefit to patients and health plan members, and those that can help with the transition to value-based healthcare.
Steps were taken in 2020 to improve data sharing and interoperability, and prohibit information blocking. Two companion Rules were issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health Information Technology (ONC), and final interoperability and information blocking rules were released in March 2020.
New HIPAA Regulations in 2021
OCR issued a request for information in December 2018 asking HIPAA covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstruct the provision of healthcare, and areas where HIPAA updates could be made to improve care coordination and data sharing.
The period for comments closed on February 11, 2019. OCR considered the responses received and a notice of proposed rulemaking was issued on December 10, 2020 introducing several new requirements.
OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care.
The changes to HIPAA include easing of restrictions on disclosures of PHI that require authorizations from patients and several HIPAA changes to strengthen patient rights to access their own PHI. One proposed change that has attracted some criticism is the requirement to make the sharing of ePHI with other providers mandatory. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have voiced their concern about mandatory sharing of healthcare data, and also against another proposed change that shortens the timescale for responding to patient requests for copies of their medical records.
HHS Deputy Secretary Eric Hargan had previously explained that complaints had been received that some provisions of the HIPAA Privacy Rule are stopping patients and their families from getting the help they need, and that changes are necessary to help with the fight against the current opioid crisis in the United States. HIPAA changes have also been proposed to reduce the administrative burden on HIPAA covered entities.
The comment period for the Notice of Proposed Rulemaking comes to an end in February. OCR will then consider the comments and will issue a final rule, which may see HIPAA changes implemented in 2021.
Proposed Changes to the HIPAA Privacy Rule
The proposed new HIPAA regulations announced by OCR in December 2020 are as follows:
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
- Individuals will be permitted to request their PHI be transferred to a personal health application.
- States when individuals should be provided with ePHI at no cost.
- Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- Pathway created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Healthcare providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access.
- The requirement for HIPAA covered entities to obtain written confirmation that a Notice of Privacy practices has been provided has been dropped.
- Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- The Armed Forces permission to use or disclose PHI to all uniformed services has been expanded.
- A definition has been added for electronic health record.
Recent Changes to HIPAA Enforcement
Halfway through 2018, OCR had agreed to only three settlements with HIPAA covered entities to resolve HIPAA violations, and its enforcement actions were at a fraction of the level of the previous two years. It was starting to look like OCR was easing up on its enforcement of compliance with the HIPAA Rules. However, OCR announced many more settlements in the second half of the year and closed 2018 on 10 settlements and one civil monetary penalty, one more penalty than in the previous year. 2018 ended up being a record year for HIPAA enforcement. The final total for fines and settlements was $28,683,400, which beat the previous record set in 2016 by 22%.
OCR’s enforcement activities continued at a high level in 2019 and closed the year with 10 settlements and civil monetary penalties, totaling $12,274,000. In late 2019, OCR announced it was embarking on a new enforcement drive focused on compliance with the HIPAA Right of Access, which requires individuals to be provided with timely access to their medical records for only a reasonable, cost-based fee.
OCR settled two cases in 2019 under this initiative, both for $85,000, and a further 11 settlements were announced in 2020 to resolve potential violations of the HIPAA Right of Access. In addition to noncompliance with the HIPAA Right of Access, OCR imposed financial penalties for particularly egregious cases of noncompliance: HIPAA-covered entities that disregarded the duty of care to patients with respect to safeguarding their protected health information.
The failure to conduct comprehensive risk analyses, poor risk management practices, lack of HIPAA policies and procedures, no business associate agreements, impermissible PHI disclosures, and a lack of safeguards all attracted HIPAA fines in 2020.
2020 saw more financial penalties imposed for potential violations of the HIPAA Rules than any other year, with the year closing with 19 settlements totaling $13,554,900.
On January 5, 2020, President Trump signed bill HR 7898 into law, which amended the HITECH Act to introduce a ‘safe harbor’ for HIPAA-covered entities and business associates that adopt recognized security best practices, such as common security frameworks, but still experience a data breach. The bill requires OCR to consider the security best practices that have been in place for the 12 months prior to a breach when considering financial penalties and sanctions. The bill also calls for OCR to shorten the length and extent of audits following a breach if recognized security best practices had been adopted. The HITECH Act change will not prevent OCR from imposing financial penalties for HIPAA violations discovered during breach investigations, but it should see lower financial penalties than would otherwise have been imposed and could, in some cases, see financial penalties avoided.
Penalties for HIPAA Violations Changed in 2019
One notable HIPAA change that happened in 2019 was an update to the penalties for noncompliance, which were reduced in three of the four penalty tiers. The HITECH Act called for an increase in penalties for noncompliance with HIPAA. At the time, the HHS interpreted the language of the HITECH Act as requiring a cap of $1.5 million for HIPAA violations across all four penalty tiers. In 2019, the requirements of the HITECH Act were reassessed and interpreted differently. Rather than capping the penalties at $1.5 million across all four tiers, different maximum fines were set for each of the four tiers, as detailed in the infographic below.
This change was addressed through a Notice of Enforcement Discretion, which is not legally binding. OCR is expected to add the changes to the federal register and make the new penalty amounts official. That is one HIPAA change that may take place in 2021.
HIPAA Changes in 2020/2021 Due to the COVID-19 Pandemic
The COVID-19 pandemic has not resulted in any permanent changes to HIPAA, but it has seen unprecedented flexibilities introduced on a temporary basis to make it easier for healthcare providers and business associates on the front line in the fight against COVID-19.
During emergency situations such as disease outbreaks, HIPAA Rules remain in effect and the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule remain unchanged. However, enforcement of compliance may be eased.
OCR has announced three Notices of Enforcement Discretion in 2020 and one in 2021 in response to the COVID-19 pandemic, which will see penalties and sanctions for certain HIPAA violations waived for the duration of the COVID-19 nationwide public health emergency.
The Notices of Enforcement Discretion are as follows:
Good Faith Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
The first Notice of Enforcement Discretion in relation to COVID-19 was announced by OCR on March 17, 2020 and concerns the good faith provision of telehealth services. OCR is waiving potential penalties for HIPAA violations by healthcare providers that provide virtual care to patients through everyday communications technologies during the COVID-19 nationwide public health emergency.
This means healthcare providers are permitted to use everyday communications tools to provide telehealth services to patients, even if those tools would not normally be considered fully HIPAA compliant.
Platforms such as FaceTime, Skype, Zoom, and Google Hangouts video can be used in the good faith provision of telehealth services to patients without penalty for the duration of the public health emergency. However, public-facing platforms such as TikTok and Facebook Live must not be used.
Good Faith Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities
On April 2, 2020, OCR announced it will be exercising enforcement discretion and will not impose sanctions and penalties on business associates of HIPAA covered entities for uses and disclosures of PHI for public health and health oversight activities. HIPAA prohibits these uses and disclosures unless it is stated in a business associate agreement (BAA) that the disclosures are permitted. For the duration of the public health emergency, business associates will not face penalties for these uses and disclosures, provided they notify the covered entity after the event, within 10 days of the use or disclosure occurring.
Participation in the Operation of Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020, OCR announced it will be exercising enforcement discretion for noncompliance with HIPAA Rules in relation to the good faith participation in the operation of COVID-19 testing sites and will refrain from imposing sanctions and penalties on covered entities and business associates at drive-through, walk-up, and mobile sites.
The Notice of Enforcement Discretion covers the operation of these sites and all activities that support the collection of specimens from individuals for COVID-19 testing only. While penalties will not be applied, “OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI.”
The Notice of Enforcement Discretion is retroactive to March 13, 2020.
Notice of Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments
OCR announced a further Notice of Enforcement Discretion on January 19, 2021 to help HIPAA-covered entities with the rollout of COVID-19 vaccines.
OCR said HIPAA sanctions and penalties will not be imposed on HIPAA-covered entities or their business associates in relation to the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments.
WBSAs can be used for scheduling COVID-19 vaccination appointments, even if their use would not normally be considered fully compliant with the HIPAA Rules (e.g., no business associate agreement).
The Notice of Enforcement Discretion does not cover the use of WBSAs for scheduling vaccination appointments if the WBSA provider has prohibited the use of its WBSA for making healthcare appointments. Enforcement discretion will not apply if the WBSA is used for anything other than booking COVID-19 appointments, such as arranging appointments for other medical services or for conducting screening for COVID-19 prior to arranging an in-person healthcare visit.
Any WBSA must have privacy and security safeguards that can be activated to ensure the privacy and confidentiality of healthcare data, and OCR encourages HIPAA covered entities and their business associates to ensure that safeguards are implemented, such as the use of encryption, if possible, adhering to the minimum necessary standard, and activating all privacy controls.
The Notice of Enforcement Discretion took effect on January 19, 2021 and is retroactive to December 11, 2020.