Though there were HIPAA updates being considered by OCR in 2018, the pace of change is slow and it could well be late 2019 or even 2020 before HIPAA Rules are changed. The two regulations out for every new one in policy of the Trump Administration is also likely to mean that new HIPAA regulations in 2019 will limited. First, existing HIPAA requirements may need to be eased.
The HIPAA updates taken into consideration in 2018 involved changes related to the privacy of substance abuse and mental health records. To deal with the opioid crisis, the HHS was thinking about making changes to HIPAA and 42 CFR Part 2 regulations that protect the privacy of patients seeking treatment for substance abuse disorder through federally assisted programs. While privacy is important, changes could be made to enhance the quality of care and better protect patients from harm. Other prospective changes to HIPAA regulations in 2018 were the elimination of facets of HIPAA that are preventing physicians and hospitals from providing quality care to patients and Aspects of HIPAA that are hampering the coordination of care.
These are the most probable areas for HIPAA 2019 changes: Facets of HIPAA Rules which HIPAA covered entities find unnecessarily burdensome and give minimal advantage to patients and health plan members, as well as those that could help with the change to value-based medical care and improve interoperability.
Introducing New HIPAA Regulations
Introducing HIPAA updates is a slow process. The last major update to HIPAA Rules was 5 years ago and many people in the healthcare industry think that changes are now long overdue. However, prior to changing any aspects of HIPAA, the Department of Health and Human Services will first get recommendations on areas of the HIPAA regulations which are problematic or no longer necessary because of technological improvements or changing practices.
After taking into consideration the comments and recommendations, the HHS will then issue a notice of proposed rulemaking, which will be followed by a period for commenting. Comments acquired from healthcare sector stakeholders are taken into account prior the final rule change is issued. HIPAA-covered entities then have a grace period to make changes before compliance with the new HIPAA regulations will be mandatory.
New 2019 HIPAA Regulations
In December 2018, OCR made a request for information asking HIPAA covered entities to provide feedback on certain facets of HIPAA Rules that were excessively burdensome, impair the ability of healthcare providers to care for patients, or hamper the coordination of patient care and sharing of patient data.
The period to submit comments ended on February 11, 2019. OCR is currently reviewing the responses and after carefully considering the feedback, a notice of proposed rulemaking will be issued. Currently, no timescale has been provided on when new HIPAA regulations or HIPAA changes will be made.
OCR was considering making improvements to areas of the HIPAA Privacy Rule that slow down the change to value-based healthcare and parts where existing Privacy Rule requirements restrict coordinated patient care. Changes to HIPAA limitations on sharing PHI that necessitate patient authorizations are under consideration. There might be a loosening of the requirements as they are regarded by many to hinder the provision of value-based healthcare.
OCR is also considering whether the Privacy Rule ought to be altered to make patient data sharing with other healthcare providers obligatory instead of simply permitting data sharing. The American Medical Association (AMA) and the American Hospital Association (AHA) have stated their views regarding the recommended new HIPAA change and are not in favor. The two organizations are likewise not in favor of reducing the time period for responding to requests from patients for copies of their healthcare records and want to keep the time frame as 30 days.
OCR is likewise looking at HIPAA changes in 2019 that are going to support the efforts of Trump Administration to tackle the opioid crisis in the U.S. HHS Deputy Secretary Eric Hargan suggested that elements of the HIPAA Privacy Rule are keeping patients and their family members from receiving the needed help.
One possible area where there will be a likely HIPAA update is the need for healthcare organizations to make a good faith attempt to get the written acknowledgment of receipt of the providers’ Notice of Privacy Practices from individuals. It is expected that this requirement will be dropped.
What is sure is that new HIPAA regulations are inevitable, but if they come in 2019 remains to be seen. It might take until 2020 before changes to HIPAA regulations occur.
2019 Changes to HIPAA Enforcement
Midway through 2018, OCR had only agreed three settlements with covered entities to resolve HIPAA violation cases. This number was only a fraction of its enforcement actions in the last two years. It seemed that OCR was loosening up on HIPAA enforcement, but in the second half of 2018 there were several settlements agreed and the year was closed with 10 settlements and one civil monetary penalty. 2018 became a record year for OCR in its HIPAA enforcement actions. The total fines and settlements amount to $28,683,400, beating the old record established in 2016 by 22%.
Roger Severino, speaking at HIMSS 2019, gave no hint of any easing up on HIPAA enforcement in 2019. Severino explained that one area of focus for OCR in 2019 is ensuring that the access rights of patients are being honored. Any organizations that denies patients access to their medical records, fails to provide copies within 30 days, or charges too much for copies could face a penalty for a Privacy Rule violation.
OCR will likewise continue to target enforcement action on organizations that have shown total disregard for HIPAA Rules and for egregious cases of HIPAA noncompliance. OCR is also concerned about the number of email data breaches and penalties can be expected for email security failures.