January 7, 2021
Sound the air horns, blare your favorite pump-up jam, let loose your last few New Year’s streamers – we made it through 2020! Some of us picked up a new hobby, some just made ‘staying sane’ a hobby (raising our hands over here), but the fact is we made it through the year and have come out ready to weather what 2021 will throw our way.
We know, we know – we want to close the book on last year, put it away in a very heavily locked box, and tuck that box in a corner of the attic we’ll quickly forget exists too (just us?). So why on earth do we want to recap 2020 instead? Well, record-breaking HIPAA enforcement, emerging cyber threats, new audit data, and ongoing trends in HIPAA are probably worth remembering – especially if keeping up to speed means protecting your practice in 2021.
So here’s a recap of what happened with HIPAA this past year, and what we can expect to continue moving forward:
1. HIPAA Waivers and Enforcement Discretions
You probably remember February/March as an era of toilet paper hoarding and “sorry I was on mute” as we collectively figured out Zoom meetings. But it was right around this time the Department of Health and Human Services (HHS) officially declared a National Public Health Emergency (PHE) and implemented HIPAA waivers with limited enforcement discretions. These waivers provided additional leniencies for providers and their business associates to use and share patients protected health information (PHI) for very specific purposes related to the PHE, and allowed for greater flexibility with telehealth services.
After several extensions of the declared PHE, these limited waivers are still in effect until January 20, 2021 – but that doesn’t mean your practice is off the hook. Ensuring that you are up to normal HIPAA standards, such as implementing compliant telehealth solutions before the PHE expires, is the best, and perhaps the ONLY way to protect your practice from a hefty fine.
2. Rising Cyberattacks
In the midst of all the COVID-19 hysteria, the healthcare industry faced yet another plague – cyberattacks. Cyberthreats have reached all-time highs over the past year, with hackers leveraging public vulnerability and remote operations to their advantage. Healthcare data is ten times more valuable on the black market than credit card information and makes your practice a prime target for hackers.
Many of 2020’s fines were the result of data breaches, most of which revealed a “systemic lack of [HIPAA] compliance” (as the OCR put it), and one of which resulted in the second-largest HIPAA fine to date of $6.85 million. While a cyberattack may be impossible to fully prevent, having a complete HIPAA program and reasonable safeguard in place is still expected. In short, if your practice doesn’t have basic HIPAA requirements like a Security Risk Analysis (SRA), the OCR will show no mercy in using a breach incident to slap your practice with a HIPAA fine.
In addition, many business associates were hit heavily with cyberattacks, ransomware, and breaches in 2020. Having proper Business Associate Agreements, a HIPAA requirement is essential to protect your practice from liability if a cyberthreat were to impact one of your vendors. A missing agreement could leave your practice with a fine – even if the breach was completely beyond your control.
Review or complete business associate agreements with any vendor who may fall in this category as soon as possible to protect yourself, and make sure your HIPAA program basics (including training, your SRA, and proper documentation) are all up to speed.
3. Patient Right of Access
Featuring heavily in 2020’s enforcement efforts was the patient right of access initiative. This hot topic accounted for over 50% of 2020’s total settlements, ranging from $3,500 (the smallest HIPAA fine to date) to $160,000. Each practice affected failed to provide patients or their authorized personal representatives with access to requested medical records within the HIPAA-mandated time frame. In fact, two instances were only resolved after the individuals involved complained a second time to the OCR, and one covered entity didn’t provide the requested records until almost three years after the initial request was submitted.
To put that in perspective, most state and federal regulations require records to be provided within 30 days of the patient request. This enforcement trend will only continue, especially as the Department of Health and Human Services looks to update HIPAA Privacy Rule provisions and enhance patient access to their health data in 2021.
4. 2021 and Beyond
With increased enforcement, the likelihood of a HIPAA investigation has become a matter of ‘when’ instead of ‘if’. If your practice is a smaller one, the OCR has emphasized that you’re not immune – in fact, OCR Director Roger Severino recently urged the importance of compliance for “offices, large and small” as part of the OCR’s patient right of access initiatives.
2021 brings the opportunity to do more than just ‘make it’ through the year – the most important thing you can do for your practice is to get a complete HIPAA program in place now, before an incident occurs, to prove your compliance and avoid any costly HIPAA fines. Worried you might be missing something? Don’t stress! Register for a consultation with one of our HIPAA experts to learn what your practice must have in place when it comes to HIPAA compliance.