New legislation and proposed rules will affect HIPAA compliance. Both actions are good news for covered entities and business associates.

  • Investigators now must give credit for good-faith attempts to adopt recognized security practices.
  • The Department of Health and Human Services is trying to align HIPAA regulations with Cures Act regulations.
  • The proposed rule changes provide clarity around a covered entity’s obligations and the fees that may be charged.

New legislation and proposed changes to HIPAA are aimed at resolving issues that created difficulties for both patients and covered entities.

On Jan. 5, President Trump signed HR 7898 into law, requiring the Department of Health and Human Services (HHS) to give covered entities credit for using best-practice security systems and processes for meeting HIPAA requirements.

The law amends the HITECH Act so HHS must consider whether a covered entity or business associate met recognized security practices when making enforcement decisions. (The text of the bill can be found online at: https://www.govtrack.us/congress/bills/116/hr7898.)

The law incentivizes covered entities and business associates for making their best effort at ensuring HIPAA compliance, says Brad Rostolsky, JD, a partner with Reed Smith in Philadelphia.

“This provides [reassurance to] covered entities that if they take certain meaningful steps for HIPAA security, there is going to be meaningful consideration given to it,” he says. “On the ground when you’re dealing with OCR [HHS Office for Civil Rights], these are the conversations you have with the investigators. They want to know what your approach has been to compliance historically, whether you’ve been ignoring it and have policies in place just for saying you have them, or have you been doing the things you can do to keep everything secure.”

The revision codifies and standardizes what was practice among some investigators. “It reinforces what we always tell clients, which is that the breach or other reason you’re investigated can result in a back-door audit,” Rostolsky says. “The best way to protect yourself is to show that you have historically been doing things the right way, and this legislation means [investigators] will consider that.”

Also, OCR recently announced proposed additions to HIPAA intended to “support individuals’ engagement in their care, remove barriers to coordinated care, and reduce regulatory burdens on the healthcare industry.” The Notice of Proposed Rulemaking (NPRM) is part of HHS’ effort to promote value-based healthcare by examining “federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.”

OCR says the proposed changes would reduce administrative burdens on HIPAA-covered healthcare providers and health plans while strengthening individuals’ rights to access their own health information, including electronic information, among other improvements. The proposed rule changes are available online at: https://www.hhs.gov/about/news/2020/12/10/hhs-proposes-modifications-hipaa-privacy-rule-empower-patients-improve-coordinated-care-reduce-regulatory-burdens.html.

The regulatory change proposed by HHS in the recent HIPAA NPRM is another step in the HHS objective to encourage a patient-centric healthcare environment and reduce regulatory burdens on providers, says Beth Pitman, JD, partner with Waller Lansden Dortch & Davis in Birmingham, AL.

“The HIPAA NPRM tilts the balance of protecting privacy and facilitating availability of information toward loosening restrictions on disclosures of patient information. The big winner in the government’s regulatory reformation race is the patient,” she says. “In combination with the 21st Century Cures Act Information Blocking and Interoperability Rules, the proposed HIPAA regulations are intended to empower patients with greater access to information, remove barriers to care coordination by facilitating greater flow of information among healthcare providers and others participating in a patient’s care, and make information readily available in the event of emergencies and as related to mental health and substance use disorder treatment.”

HHS made serious efforts to align HIPAA regulations with Cures Act regulations, Pitman says. Many of the defined HIPAA terms were updated to reflect terms used in the Cures Act, and regulations were updated to account for anticipated increased use of personal health records and the availability of standards-based application programming interfaces (APIs) for transmission of electronic records, she says.

However, there remain some discrepancies in the two related sets of regulations, Pitman says. The period during which a provider must make information accessible to a patient in compliance with both regulations is uncertain. Under the proposed HIPAA Rule, the deadline is 15 days. The Cures Act Information Blocking Rule implies that electronically available information should be made accessible by patients in near real-time but refers to the HIPAA regulation, she notes.

The HIPAA proposed rule will also require that providers who have a standards-based API make patient records available in the form and format permitted through the API, Pitman says.

“While transition in the federal administration will certainly slow adoption of final HIPAA regulatory revisions and may result in curtailing the proposed loosening of disclosure restrictions, compliance with the Cures Act regulatory prohibition on information blocking is imminent,” she says. “This impending compliance deadline may drive a more prompt but piecemeal finalization of Cures Act-related sections of the proposed HIPAA regulations.”

It is premature for providers to consider making policy revisions based on the proposed HIPAA rules, Pitman says. But considering the relationship between HIPAA and the Cures Act, providers should begin reviewing HIPAA policies for compliance gaps that relate to the Cures Act Information Blocking Rule.

Providers who use an electronic medical record (EMR) system (which is the large majority at this point) should begin discussions with their EMR vendors to determine the technology’s ability to meet the Cures Act requirements as well as any of the HIPAA NPRM API-related provisions, Pitman says.

“Notably, the NPRM requests a comment on whether, if available through an EMR or at little cost, providers should be required to adopt an API for transmission of electronic records to patients and others. Under the Cures Act, only certified healthcare technologies are required to offer a standards-based API,” she says. “Not all healthcare providers, such as many dental providers and speech therapists, use a certified technology.”

Related to the patient’s right of access, HHS tried to correct an administrative error highlighted in a case that implicated HHS guidance regarding patient’s right to direct access or copies of records to third parties and the fees that may be charged, Pitman says. The proposed regulations codify much of the guidance and provide clarity around a covered entity’s obligations and fees, she says.

Pitman notes these highlights of the proposed changes to HIPAA:

  • Expands patient rights of access and aligns with 21st Century Cures Act Information Blocking provisions;
  • Shortens deadline for providing access to 15 days;
  • Right of access to electronic health record can be met by transmission to patient’s personal health app;
  • Requires access in form and format available through a standards-based API (to the same extent as required by the Cures Act) if the covered entity has adopted an API;
  • Seeks comment on requiring use of an API by the covered entity if the cost is minimal;
  • Fees can vary based on the type of access or copy, electronic vs. paper;
  • Codifies guidance (which had been removed) related to a patient’s right to direct delivery of records to a third party;
  • Reduces paperwork and burden on patients and providers by no longer requiring patients to acknowledge receipt of the notice of privacy practices;
  • Expands disclosures permitted for care coordination and case management and permitting disclosures to community-based, home care and others providing health-related services to individuals.

It is unclear how long it will take HHS to move from the comment period to the final regulations stage, says Nathan A. Kottkamp, JD, partner with Waller Lansden Dortch & Davis in Nashville, TN. Given the demands for public health communication in the era of COVID-19 and with HHS’ recent emphasis on a patient’s right to access their health information, it appears likely the timeline will be shorter than the roughly four years it took for the most recent revisions to be issued, he says. The Omnibus Final Rule was issued in 2013 in response to the 2009 HITECH Act.

The core concept of the current NPRM is increasing access rights for patients and facilitating information exchange for public health and health crisis purposes, Kottkamp says.

“From a public health perspective, the NPRM would facilitate information exchanges for public health matters such as a pandemic, responses to drug overdoses, and other situations in which health information may need to be shared with someone other than the patient,” he says. “Significantly, the NPRM leaves the HIPAA Security Rule untouched. However, this does not mean that security practices will not be affected by revisions to the Privacy Rule.”

From a cybersecurity perspective, it is almost certain that covered entities and business associates will need to revise their technology, vendors, and internal policies to implement any changes to the Privacy Rule, Kottkamp says. Of course, any operational modifications would call for reconsideration of security issues and updating of Security Rule Risk assessments.

“As we await next steps from HHS, providers should pay special attention to their patient access practices. Indeed, the OCR has recently issued its 13th Right of Access enforcement settlement,” Kottkamp says. “Between the settlements and the NPRM, the OCR is very clearly signaling that patient access is a major priority, and providers should not wait until new rules are issued to be sure their current practices are consistent with the HIPAA regulations as they exist today.”