Three Proposed Changes to HIPAA Regulations in 2018


The Trump Administration has introduced a policy that requires two existing regulations to be removed for every new one that is introduced. How does that play out for HIPAA? Does it mean there will be few, if any, new HIPAA regulations this year?

There have been signals from HHS that HIPAA changes are afoot. HHS' Office for Civil Rights (OCR) Director Roger Severino has said some HIPAA changes are to be expected, although no timescale has been given for when those changes will take effect. In line with the Trump Administration's directive, OCR is making plans to remove outdated and labor-intensive requirements that provide little benefit to patients and plan members and have no major impact on privacy or security.

Before any changes to HIPAA take place, healthcare industry stakeholders will be consulted on the proposed changes and asked for their feedback. That feedback will be carefully considered before any HIPAA changes are implemented.

Further details of the proposed HIPAA Privacy Rule changes have not yet been released, but Roger Severino provided some insight into the expected changes at the recent HIPAA summit in Virginia. Three possible HIPAA rule changes are being considered in 2018. Since rulemaking takes time, it is unlikely that any of them will take effect in 2018; it will probably be 2019 before any changes to HIPAA are made.

The first relates to the HIPAA Enforcement Rule. Since that rule was implemented, OCR has had the authority to financially penalize covered entities that violate HIPAA Rules or fail to make sufficient efforts to comply with them. Since the HITECH Act was enacted in 2009, OCR has been permitted to retain a percentage of the settlements and civil monetary penalties (CMPs) collected through its enforcement actions. Part of those funds covers the cost of future enforcement actions, and part is intended to provide restitution to victims of HIPAA violations. However, OCR has yet to pay any of those funds to victims of data breaches and HIPAA violations, because it is still working out how a percentage of settlements and CMPs can be distributed to them. OCR intends to address this and formulate a method for those monies to be paid.

The second likely area for change is the requirement for covered entities to retain the forms patients sign to acknowledge receipt of a copy of the covered entity's notice of privacy practices. OCR is considering dropping this requirement because patients who simply want to see a physician often do not read the forms they sign. A better alternative may be to display the notice of privacy practices prominently within the covered entity's facilities, to make a copy available on request, and to ensure it is posted on the organization's website. This would reduce the administrative burden on covered entities.

The third proposed change relates to good faith disclosures of PHI. Director Severino outlined OCR's plans to clarify for the public when PHI can be disclosed to family members or close friends without patient consent, particularly for patients who are incapacitated or are abusing opioids. Although HIPAA Rules already permit the disclosure of PHI, such as information about opioid abuse, when a patient faces imminent harm, rulemaking is needed to clearly cover good faith disclosures in these circumstances.