On January 21, 2021, an important development in cybersecurity news was released.
The United States Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) issued Notice of Proposed Rulemaking (NPRM) to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act).
These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens.
The proposals in this NPRM address these burdens while continuing to protect the privacy and security of individuals’ protected health information. The proposed changes can be grouped in two areas:
- Give patients greater access to their protected health information or electronically protected health information (PHI/ePHI)
- Make it easier for providers to coordinate treatment, respond to emergencies, and transition to value-based care through safe/protected sharing of patients’ PHI
The proposed changes will allow patients to view, photograph, and take notes on their health/healthcare information and will reduce the burden of identification to combat information blocking.
The proposed changes aim to remove some of the barriers that would otherwise allow patients more reasonable/prompt access to their medical records.
Under the proposed rule the following:
- Patients are no longer required to receive Protected Health Information (PHI) in person. This means compliant security measures will need to be in place for electronic sharing of that information.
- Patients are no longer required to request extensive information via forms/web apps. This could reduce cyber security risks, depending on how involved clinicians’ existing forms and app request fields are.
- Patients are no longer required to submit a notarized signature to release PHI. It is imperative, therefore, that their personal/electronic signatures be protected.
These proposed changes will not go into effect until a final rule is issued by HHS. However, taking a proactive approach ensures your office, clinic, hospital, or practice is properly prepared when it comes to protecting patient information under these new guidelines.
The earlier your team is made aware of proposed or pending changes and can get acclimated to new standards, the better they can prepare to comply with HIPAA standards during the 180-day grace period. With some recent HIPAA violation fines reaching $200,000, proactive preparation is your best course of action.
Three Areas That Organizations Can Leverage to Implement New HIPAA Standards
#1: Patient Access to ePHI
HIPAA changes relate to electronic protected health information, and the media and devices used to store and update that data. These changes will streamline the process associated with records request for patients. They include:
- A reduced timeframe for fulfilling medical records requests (from 30 calendar days to 15 calendar days)
- A new set of limits on individuals’ right to direct you to transmit their ePHI to a third party in an electronic health record (EHR)
- Revised notice of privacy practices
- New notification requirements for collecting fees
- Updated standards for permitted disclosures in emergency situations
The proposed changes will allow electronic document requests to qualify as “written document requests” under the pending HIPAA changes. Any processes for escalating ePHI requests and/or exporting that data into a portable format should be safe and secure according to HIPAA standards.
“Covered entities that receive and/or respond to access requests electronically should revisit their verification and documentation policies and procedures to ensure that they are reasonable in light of the electronic environment within which they are operating.” (HIPAA 45 C.F.R. § 164.524(b)(1))
#2: Telehealth
In response to COVID-19, telehealth has become a viable option for greater patient and physician safety. However, it presents unique challenges related to cyber security, as well as opportunities for a stronger response for both in-person office visits and telehealth.
Since protections extend to electronic platforms, any changes to HIPAA that impact office visits will impact telehealth.
Regardless of the video platform being used for telehealth, (Zoom, Teams, Facetime, etc.), don’t hesitate to incorporate additional protections for patients’ privacy. Here are some recommendations:
- Increased security and encryption across the patient intake and consultation
- Gathering patient consent for transmitting or transferring patient information
- Performing HIPAA risk analysis of various telehealth tools and platforms to increase security
All HIPAA risk assessment and/or cyber security risk analysis your organization conducts should encompass aspects of telehealth and the secure sharing of patient ePHI.
#3: NIST
The latest proposed HIPAA changes for 2021 bring a new emphasis on National Institute of Standards and Technology (NIST), specifically recognizing security practices when conducting HIPAA audits and/or levying penalties for HIPAA violations.
Incorporating the NIST framework in your annual risk analysis and making it a priority when selecting vendors and IT partners will be guided by HIPAA-compliant practices. The NIST framework includes five steps:
1. Identify
Explore your environment in-depth, focusing on all systems and assets that contain and/or access ePHI. Be sure your data governance and asset management policies are strong and are effectively supported by a clear HIPAA risk assessment/risk management plan.
2. Protect
Once you have a detailed understanding of your cyber security risks, it’s time to design access controls, information protection processes, and training programs to minimize and mitigate those risks, including incorporating additional security technologies into your processes, procedures, and devices.
3. Detect
Being aware of existing risks is a good strategy, but with the constantly changing tech landscape, ongoing monitoring/detection of new risks across systems is important. Tools and procedures should be in place to detect network anomalies and continuously alert you to new and potential threats to ePHI.
4. Respond
You’ll need a response plan in place for when privacy risks and HIPAA violations occur that includes thoroughly documented procedures for analyzing and communicating HIPAA violations, giving you and your team more solid footing for continuous cyber security improvements.
5. Recover
A post-breach or post-HIPAA-violation recovery plan helps you build resilience and continue to improve your technological security, stability, and adaptability in an ever-changing landscape.
Next steps
Considering these pending changes, it’s prudent to update your HIPAA risk analysis practices, policies and implementation guidance ahead of revised HIPAA requirements.