Three Legislation Changes on HIPAA Regulations in 2018 Under Consideration by OCR

Because of the "two out for every new regulation" policy, it is likely that there will be few new HIPAA regulations in 2018. Nevertheless, that does not mean the healthcare industry will see no changes to HIPAA Rules in 2018. HHS' Office for Civil Rights (OCR) director Roger Severino has said OCR has a few HIPAA changes in mind.

OCR is preparing to remove a number of out-of-date and labor-intensive aspects of HIPAA that give very little benefit to patients, although prior to making HIPAA changes in 2018, OCR will first seek comments from healthcare industry stakeholders.

As with earlier updates, OCR is going to submit notifications of proposed rulemaking and solicit comments regarding the proposed modifications. Feedback will be assessed prior to any changes to HIPAA Rules. The complete list of suggested modifications to the HIPAA Privacy Rule has not yet been made public, but at a HIPAA summit in Virginia, Roger Severino provided a few insights into what can be expected in terms of HIPAA changes in 2018.

Severino discussed three possible HIPAA Rule changes in 2018. The first pertains to enforcement. The Enforcement Rule gave OCR the authority to issue financial penalties to HIPAA covered entities that are found to have violated HIPAA Rules or have not made adequate efforts to comply with all facets of HIPAA. Since the HITECH Act was incorporated into HIPAA in 2009, OCR has been allowed to retain a portion of the settlements and civil monetary penalties (CMPs) collected through its enforcement actions. The funds are meant to be used partly to pay for the expenses of future enforcement actions and partly to provide some restitution to breach victims. Up to now, OCR has not done the latter.

OCR is contemplating how a percentage of the collected settlements and civil monetary penalties could be redirected to help victims of healthcare data breaches and of other HIPAA violations.

Another area that OCR is considering modifying is the requirement for covered entities to maintain forms that patients have signed confirming they have received a copy of the covered entity's notice of privacy practices. Patients who want to see a physician simply sign the forms and do not actually read them. OCR is considering removing the requirement for healthcare providers to acquire and keep signed forms and, as an alternative, just inform patients of privacy practices through a notice displayed in a prominent place.

Roger Severino also said OCR is thinking about modifying HIPAA regulations in 2018 with regard to good faith PHI disclosures. OCR is thinking about officially clarifying that PHI disclosure in some situations is allowed without the need for consent from patients. An example is the sharing of PHI with family members and close friends if a patient is incapacitated or in cases of opioid drug abuse. While HIPAA allows healthcare providers to share PHI if a patient is at risk of harm, more rulemaking is needed to cover these good faith disclosures.

These HIPAA changes are still under consideration and it may take until 2019 or longer before they are actually implemented.