These strategies will help you stay ahead of HIPAA’s first significant update in 8 years.

HIPAA, or the Healthcare Information Portability and Accountability Act, hasn’t been updated since 2013, when its companion legislation, the Health Information Technology for Economic and Clinical Health (HITECH) was first released, but that’s set to change this year.

In January of 2021, the U.S. Department of Health and Human Services released several new proposed updates and guidelines and requested feedback from the healthcare community. When put into effect, the finalized regulations would have a significant impact on the policies, procedures, and security practices of both covered entities and business associates.

What do healthcare providers need to know to future-proof their HIPAA compliance program?

Prepare for Stronger Privacy Rule Enforcement

With the launch of the Right of Access Initiative in 2019, the Office of Civil Rights (OCR) has been rigorously enforcing the right of patients to access their medical records.

Among the proposed new HIPAA regulations is new verbiage that removes some of the obstacles that patients may encounter when trying to access their PHI. Here are a few of the proposed regulations that could impact your technology.

  • Reduce the amount of time in which a covered entity must provide patient ePHI from 30 days to 15 days.
  • Prohibit unreasonable verification procedures that limit an individual’s ability to access their healthcare records
  • Revise notice of privacy practices and impose new notification requirements for collecting fees related health information
  • Relax the standards that apply to permitted disclosures in emergency situations when the need is deemed in good faith, or in the best interest of the patient

According to the HIPAA Journal, 51% of healthcare providers are not fully compliant with the HIPAA right to access. In particular, small or understaffed providers often feel justified deprioritizing right to access. But, OCR has been aggressively enforcing those rules, settling more than 16 right to access violations in just a few short years.

 Here are just some of the notable penalties levied in the twelve months

  • In January, Banner Health agreed to take corrective actions and pay $200,000 to settle potential violations of the HIPAA right to access standard. Notably, Banner Health did eventually provide the records, but was fined for taking too long to do so.
  • Sharp Rees-Stealy Medical Center agreed to take corrective action and pay a $70,000 HIPAA fine for failing to properly respond to patient’s medical record access requests, after receiving technical assistance from OCR to settle a previous complaint.

What does this mean for your IT systems?

  • According to HIPAA 45 C.F.R. § 164.524(b)(1), electronic documents qualify as “written documents,” which means that your staff should have processes for prioritizing and escalating all ePHI requests and exporting that data into a portable format.
  • “Covered entities that receive and/or respond to access requests electronically should revisit their verification and documentation policies and procedures to ensure that they are reasonable in light of the electronic environment within which they are operating.”

Learn more about what defines a HIPAA Violation.

HIPAA and HITECH Place New Emphasis on NIST

Another proposed feature of the HIPAA update is to emphasize “recognized security practices” when conducting HIPAA audits or levying penalties. This refers directly to the National Institute for Standards and Practices (NIST) Cybersecurity Framework, an important set of compliance best practices that’s already used widely throughout government entities and private companies.

To ensure that your HIPAA controls remain consistent with the HIPAA updates, now is a good time to ensure your technology is aligned with the risk-based security approach outlined in NIST, as it provides specific workflows and standards lacking in HIPAA.

This NIST framework is organized around five core functions

  • Identify
    Start with a deep exploration of your environment, with an emphasis on all systems and assets that contain or access ePHI. Ensure that strong policies around data governance and asset management are in place and supported by a clear risk management plan.
  • Protect
    Armed with a deeper understanding of your cybersecurity risks, you should now design access controls, training programs, and information protection processes to help mitigate those risks. The protect phase also includes identifying and integrating appropriate security technologies into your defenses.
  • Detect
    To identify internal and external threats to ePHI in a timely fashion, you should have tools and procedures to detecting network anomalies and continuously monitoring the health of your systems.
  • Respond
    The goal of the first four steps is to improve your organization’s capacity to respond to threats to your ePHI. A clear response plan and documented procedures for analyzing and communicating HIPAA violations gives your team a solid footing for continuous improvements.
  • Recover
    Achieve organizational resilience by developing a recovery plan and making continuous updates as your network technology evolves.

HIPAA Paves the Way for Telehealth

The COVID-19 pandemic has propelled telehealth into the healthcare mainstream.

At the start of the pandemic, the Federal Government launched a historic expansion of telehealth access under Secretary Alex Azar, giving organizations operating in a good faith the chance to work with mainstream video apps like Zoom, Facebook Messenger, Google Hangouts and others without the standard business associates agreement (BAA).

Will the HIPAA update force providers back onto HIPAA-compliant platforms? While discretion is likely to continue into 2021, it’s also wise to review your telehealth systems and prepare for stricter regulation that will eventually come down from HHS.

Here are some strategies for improving telehealth security and ensure long-term HIPAA compliance:

  • Improve procedures for gathering patient consent
  • Enforce stronger risk analysis processes
  • Deploy encryption systems to secure ePHI in transit
  • Proactively seek out BAA or HIPAA compliant telehealth vendors

Work With a HIPAA and HITECH Compliance Consultant

An effective way to stay ahead of HIPAA’s latest changes is to partner with a HIPAA compliance consultant, like Complete Network. For 20 years, we’ve been helping healthcare organizations in Albany, New York, Charlotte, North Carolina, and Bluffton, South Carolina improve their cybersecurity protections and manage their HIPAA compliance exposure.

Continue reading more about our HIPAA consulting services. Or, if you have a question for our HIPAA experts, contact us any time at 877 877 1840 or [email protected].