It is likely, given the Trump Administration’s policy of removing two regulations for every new one introduced, that any new HIPAA regulations in 2019 will be minimal, and that introducing them will require a softening of existing HIPAA requirements.
HIPAA updates in 2018 that were under review, but never introduced, were changes to how substance abuse and mental health information records are protected. As part of attempts to tackle the opioid crisis, the HHS was thinking about making changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to enhance the level of care that can be provided. Other possible changes to HIPAA regulations in 2018 included the removal of aspects of HIPAA that hinder the ability of doctors and hospitals to coordinate to deliver improved care at a lower cost.
The most likely areas for 2019 HIPAA amendments are aspects of the HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities while adding little benefit to patients and health plan members, and changes that can help with the shift to value-based healthcare.
How are New HIPAA Regulations brought in?
The process of making HIPAA updates is cumbersome, as the lack of HIPAA changes in 2018 shows. It has now been five years since there was a major amendment to HIPAA Rules and many believe changes have long been needed. Before any regulations are amended, the Department of Health and Human Services will normally seek feedback on aspects of HIPAA regulations which are proving troublesome or, due to the evolution of technologies or practices, are no longer as important as when they were signed into law.
After thinking about the comments and feedback, the HHS then submits a notice of proposed rulemaking followed by a comment period. Comments sent in from healthcare sector stakeholders are considered before a final rule change takes place. HIPAA-covered entities are then given a grace period to make the required changes before compliance with the new HIPAA regulations becomes obligatory and enforceable.
2019 New HIPAA Regulations
OCR released a request for information in December 2018 seeking feedback from HIPAA covered entities on aspects of the HIPAA Rules that were overly troublesome or obstruct the provision of healthcare, and on areas where HIPAA updates could be made to improve care coordination and data sharing.
The comment period came to an end on February 11, 2019 and OCR is now reviewing the responses received. A notice of proposed rulemaking will follow careful consideration of all comments and feedback, although no timescale has been given for when the NPRM will be issued. It is reasonable to expect, however, that there will be at least some new HIPAA regulations in 2019.
OCR was specifically looking at making amendments to aspects of the HIPAA Privacy Rule that hinder the switch to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care.
Currently under consideration are changes to the HIPAA restrictions on sharing PHI that require authorizations from patients. Those requirements may be softened, as many consider them to hamper the transformation to value-based healthcare.
OCR is thinking about whether the Privacy Rule should be amended to make the sharing of patient data with other providers mandatory rather than just allowing data sharing. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have aired their concern about this aspect of the proposed new HIPAA regulations and are against the change. Both groups are also opposed to any shortening of the timescale for responding to patient requests for copies of their medical records.
OCR is also reviewing HIPAA changes in 2019 that will help with the battle against the current opioid crisis in the United States. HHS Deputy Secretary Eric Hargan has stated that there have been some complaints about aspects of the HIPAA Privacy Rule that are preventing patients and their families from getting the help they require. There is some debate about whether new HIPAA regulations or changes to the HIPAA Privacy Rule are the right way forward, or whether further guidance from OCR would be a better solution.
One likely area where HIPAA will be refreshed is the requirement for healthcare providers to make a good faith effort to get hold of individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices. That requirement is expected to be taken away in the next round of HIPAA changes.
What is for sure is that new HIPAA regulations are around the corner, but whether there will be any 2019 HIPAA changes is still not certain. It may take until 2020 for any changes to HIPAA regulations to be unveiled.
The Evolution of HIPAA Enforcement in 2019
Halfway through 2018, OCR had agreed only three settlements with HIPAA covered entities to resolve HIPAA violations, and its enforcement actions were at a fraction of the level of the previous two years. It was beginning to look like OCR was easing up on its policing of the HIPAA Rules. However, OCR picked up the pace in the second half of the year and ended 2018 with 10 settlements and one civil monetary penalty – one more penalty than in the previous year.
2018 ended up being a record year for HIPAA enforcement. The overall total for fines and settlements was $28,683,400, which exceeded the previous record, set in 2016, by 22%.
At HIMSS 2019, Roger Severino gave no suggestion that HIPAA enforcement in 2019 would be eased. Fines and settlements are likely to remain at the same level or even rise.
Severino did give an update on the specific areas of HIPAA compliance that OCR would be targeting in 2019. OCR is planning to ramp up enforcement of patient access rights. The details have yet to be finalised, but denying patients access to their medical records, failing to supply copies of medical records within a reasonable time frame, and overcharging for copies are all likely to be scrutinized and could lead to financial penalties.
OCR will also continue to focus on the most egregious cases of noncompliance – HIPAA-covered entities that have disregarded the duty of care owed to patients with respect to securing their protected health information. OCR will come down hard on entities that have a culture of noncompliance and where little to no effort has been made to adhere to the HIPAA Rules.
The failure to carry out comprehensive risk analyses, poor risk management practices, a lack of HIPAA policies and procedures, missing business associate agreements, impermissible PHI disclosures, and a lack of security measures usually attract fines. OCR is also concerned about the volume of email data breaches. Phishing is a major issue in healthcare, and failures to address email security risks are likely to warrant OCR’s attention in 2019.