Three Proposed Changes in HIPAA Regulations in 2018

For every new regulation introduced, two will be cut out. That is an administration policy that is in the works this 2018. Does it mean that there will be few, if any, new HIPAA regulations this year? There are indications from Director Roger Severino of HHS’ Office for Civil Rights (OCR) that some HIPAA changes are to be expected.

OCR is making plans to remove outdated and labor-intensive regulations that do not give significant benefits to people. Of course the healthcare industry stakeholders will be consulted first. As before, OCR will send out information on the proposed changes to seek feedback. Before implementing any HIPAA changes, all comments are carefully considered.

No list of HIPAA Privacy Rule changes is available to the public yet. But Severino gave some insights on the expected changes at the HIPAA summit in Virginia.  There are three possible HIPAA rule changes that are being considered this 2018 although the implementation would likely take effect in 2019.

The first is related to the HIPAA Enforcement Rule. Since this rule was implemented, OCR was able to financially penalize covered entities that violate HIPAA rules or those that do not exert enough effort to comply with HIPAA requirements. Since the HITECH Act was enacted in 2009, OCR was allowed to retain a percentage of the settlements and CMPs collected from enforcement actions. Part of the funds is used to cover the cost of future enforcement actions. Part of the funds is also allotted to the restitution of victims but OCR has not done that yet. OCR is still figuring out how a percentage of the settlements and civil financial penalties can be paid to the victims of breaches and HIPAA violations.

The second is related to the requirement for covered entities to keep forms that patients signed to signify their receipt of copies of the covered entity’s notice of privacy practices. OCR is looking at doing away with this requirement because patients who just want to see a physician do not actually read the forms they sign. A better alternative is perhaps to display a notice of privacy practices in a prominent place in the covered entity’s facilities to inform the patients.

The third proposed change is related to good faith disclosures of PHI. Director Severino told about OCR’s plans to clarify to the public the disclosure of PHI to family or close friends in particular circumstances without the need for patient consent. This is suggested in cases when a patient is incapacitated or involved in opioid drug abuse.  Although the HIPAA rules does allow the disclosure of PHI in cases when a patient is in imminent harm, there is a need for rulemaking to cover good faith disclosures.