December 28, 2021

Break out your pen and paper because if you haven’t already started your list of new year’s resolutions, the past 12 months have given us plenty of ‘New Year, new me’ examples to take note of. From ratified legislation and appointed government officials to trending cyberthreat tactics (and binge-worthy Netflix series), there have been plenty of ways that 2021 has said, “out with the old, and in with the new”. But while the world around us continues to evolve, the importance of protecting your patients is something that has not and will never falter. So as we wrap up yet another eventful year – let’s take a look at what’s changed, what’s stayed the same and what we can expect to see from HIPAA as we take on 2022.

Proposed HIPAA Privacy Rule Modifications

2021’s transformations began even before the new year countdown started, with the announcement of proposed HIPAA Privacy Rule modifications made back in December 2020. The government’s proposed modifications help bring the HIPAA Privacy Rule up to current technology standards and address things like removing the barriers to value-based health care, reducing “unnecessary regulatory burdens” and improving the privacy of protected health information (PHI). These highlights only brush the surface of what the 357-page document aims to amend, but until the ruling is officially finalized, it’s important for your practice to ensure your HIPAA compliance program is up to date and easy to manage, as we should anticipate the new requirements coming into effect in the new year.

HIPAA Safe Harbor Law

2021 checked off another one of its resolution list items back in early January by officially signing the HIPAA Safe Harbor Bill into law. The amendment of the HITECH Act takes into account whether healthcare organizations have “recognized cybersecurity practices” in place and allows for some leniency in fines and other enforcement actions in the case of a data breach. While there’s a bit of fine print to follow, the biggest thing for your practice to know is that as long as you have a Security Risk Analysis (SRA), technical safeguards, and other HIPAA Security Rule basics down – you can not only reduce the penalties associated with a data breach but lessen your chances of falling victim in the first place.

21st Century Cures Act

Following the Safe Harbor Law’s lead, the 21st Century Cures Act came into effect just a few months later in April of 2021. The new legislation, directed by the Office of the National Coordinator for Healthcare Technology (ONC), is centered around the ongoing balancing act that healthcare providers and app developers face in giving patients easy access to their ePHI while still maintaining data privacy and security. With patients at the focus, the Cures Act requirements enable things like transparency into the cost and outcomes of patient care, easier access to health data through apps that meet modern patient needs, and the prevention of information blocking. Now, this law also requires a bit of further reading to see just how it impacts your practice, but having a complete HIPAA program lays the foundation for meeting these additional requirements and ultimately protecting patient data.

Proposed Budget & New Appointed OCR Director

If all the new legislation wasn’t enough of a tell-tale sign that 2021 was the year of protecting patient rights along with healthcare and technology – the proposed 2022 HHS budget that increases its funding for those areas specifically sure is. In early June, the Biden Administration released their proposed budget calling for additional spending to better safeguard the healthcare industry from evolving cyber threats and support government efforts in compliance enforcement. This additional spending comes in the form of over $200 million for several different cybersecurity measures and $67 million in funding for the HHS and their HIPAA enforcement efforts. Much of this proposed budget includes an increase in hiring for these specific government agencies, with the hope to add 39 staff members to the Office for Civil Rights (OCR) specifically. But the initiatives don’t just stop at the dollar signs – this past September the HHS officially appointed Lisa J. Pino as the new Director of the OCR, marking another step in the right direction of continuing their mission.

HIPAA Waivers Extended

In the midst of all the change, there have been some things that have stayed the same – one of them being the extension of the HIPAA Waivers and Enforcement Discretions. At the onset of COVID-19, the government issued a National Public Health Emergency. With it came several waivers and flexibilities that work to mitigate the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to continue caring for their patients. So after several extensions to the waiver’s expiration date, we are starting off our second new year under the Public Health Emergency status, with the hope that the current end date of January 16, 2022 sticks. But even with the current flexibilities still in place, it’s important to adhere to HIPAA requirements for telehealth and PHI disclosure to avoid any violations once the enforcement discretion is lifted.

Patient Right of Access Enforcement

Now a seasoned veteran of the regulatory priority list, Patient Right of Access violations have had yet another impactful year in HIPAA enforcement. 2021’s Right of Access settlements have brought the total violation number to 25 and dollars collected to $1,505,650 since the government announced their initiative back in 2019. And just a few weeks ago, the OCR announced 5 Right of Access settlements in one day alone. So as the government’s focus on timely medical record access continues to reign, your practice should be adding HIPAA right of access standards to the top of your 2022 to-do list too.

Data Breaches

Last but certainly not least comes another trend that has shown little to no signs of stopping – data breaches. Between ransomware threats, phishing schemes, accidental disclosures and business associate incidents, 2021 has put up record numbers. In the past year alone, a total of 550 covered entities experienced a data breach, putting the PHI of over 40 million individuals at risk. So while maintaining strong cybersecurity within your organization is easier said than done, knowing how to identify a cyber threat and having
2020 HIPAA In Review
January 7, 2021

Sound the air horns, blare your favorite pump-up jam, let loose your last few New Year’s streamers – we made it through 2020! Some of us picked up a new hobby, some just made ‘staying sane’ a hobby (raising our hands over here), but the fact is we made it through the year and have come out ready to weather what 2021 will throw our way. We know, we know – we want to close the book on last year, put it away in a very heavily locked box, and tuck that box in a corner of the attic we’ll quickly forget exists too (just us?). So why on earth do we want to recap 2020 instead? Well, record-breaking HIPAA enforcement, emerging cyber threats, new audit data, and ongoing trends in HIPAA are probably worth remembering – especially if keeping up to speed means protecting your practice in 2021. So here’s a recap of what happened with HIPAA this past year, and what we can expect to continue moving forward:

1. HIPAA Waivers and Enforcement Discretions

You probably remember February/March as an era of toilet paper hoarding and “sorry I was on mute” as we collectively figured out Zoom meetings. But it was right around this time that the Department of Health and Human Services (HHS) officially declared a National Public Health Emergency (PHE) and implemented HIPAA waivers with limited enforcement discretions. These waivers provided additional leniencies for providers and their business associates to use and share patients’ protected health information (PHI) for very specific purposes related to the PHE, and allowed for greater flexibility with telehealth services. After several extensions of the declared PHE, these limited waivers are still in effect until January 20, 2021 – but that doesn’t mean your practice is off the hook. Ensuring that you are up to normal HIPAA standards, such as implementing compliant telehealth solutions before the PHE expires, is the best, and perhaps the ONLY way to protect your practice from a hefty fine.

2. Rising Cyberattacks

In the midst of all the COVID-19 hysteria, the healthcare industry faced yet another plague – cyberattacks. Cyberthreats have reached all-time highs over the past year, with hackers leveraging public vulnerability and remote operations to their advantage. Healthcare data is ten times more valuable on the black market than credit card information and makes your practice a prime target for hackers. Many of 2020’s fines were the result of data breaches, most of which revealed a “systemic lack of [HIPAA] compliance” (as the OCR put it), and one of which resulted in the second-largest HIPAA fine to date of $6.85 million. While a cyberattack may be impossible to fully prevent, having a complete HIPAA program and reasonable safeguards in place is still expected. In short, if your practice doesn’t have basic HIPAA requirements like a Security Risk Analysis (SRA), the OCR will show no mercy in using a breach incident to slap your practice with a HIPAA fine.

In addition, many business associates were hit heavily with cyberattacks, ransomware, and breaches in 2020. Having proper Business Associate Agreements, a HIPAA requirement, is essential to protect your practice from liability if a cyberthreat were to impact one of your vendors. A missing agreement could leave your practice with a fine – even if the breach was completely beyond your control. Review or complete business associate agreements with any vendor who may fall in this category as soon as possible to protect yourself, and make sure your HIPAA program basics (including training, your SRA, and proper documentation) are all up to speed.

3. Patient Right of Access

Featuring heavily in 2020’s enforcement efforts was the patient right of access initiative. This hot topic accounted for over 50% of 2020’s total settlements, ranging from $3,500 (the smallest HIPAA fine to date) to $160,000. Each practice affected failed to provide patients or their authorized personal representatives with access to requested medical records within the HIPAA-mandated time frame. In fact, two instances were only resolved after the individuals involved complained a second time to the OCR, and one covered entity didn’t provide the requested records until almost three years after the initial request was submitted. To put that in perspective, most state and federal regulations require records to be provided within 30 days of the patient request. This enforcement trend will only continue, especially as the Department of Health and Human Services looks to update HIPAA Privacy Rule provisions and enhance patient access to their health data in 2021.

4. 2021 and Beyond

With increased enforcement, the likelihood of a HIPAA investigation has become a matter of ‘when’ instead of ‘if’. If your practice is a smaller one, the OCR has emphasized that you’re not immune – in fact, OCR Director Roger Severino recently urged the importance of compliance for “offices, large and small” as part of the OCR’s patient right of access initiatives. 2021 brings the opportunity to do more than just ‘make it’ through the year – the most important thing you can do for your practice is to get a complete HIPAA program in place now, before an incident occurs, to prove your compliance and avoid any costly HIPAA fines.

Worried you might be missing something? Don’t stress! Register for a consultation with one of our HIPAA experts to learn what your practice must have in place when it comes to HIPAA compliance.