Everything You Need To Know About 2021 HIPAA Law Updates
Since its full implementation in 2003, HIPAA has been the guideline for privacy in the medical field. Because of its importance, every healthcare professional must stay updated with current HIPAA regulations and rules. When HIPAA changes occur, there can be some confusion. This is the main reason that there have been 259,972 HIPAA complaints since its beginning. Since new HIPAA laws are going into effect in 2021, we think it's important to take the time to cover the significant changes. This will help you and your healthcare facility avoid mistakes. Let's dive in.
Significant HIPAA Updates in the Past 20 Years
First, we should talk about some of the major changes over the past 20 years. These older changes laid the groundwork for the bigger changes that we've seen today. In fact, most of the recent changes have been revisions of older guidelines. The biggest change came with the implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act. With the shift to electronic medical records, HIPAA had to expand its policies to cover non-physical records. Since then, HIPAA policies and procedures have been renewed according to relevant medical trends. This includes the latest trends in telehealth due to the COVID-19 pandemic. With this in mind, we can expect a lot of the HIPAA changes for 2021 to come about because of what we witnessed during the pandemic. So, you'll notice some policies referencing telehealth visits, pandemic procedures, and the like.
Changes to HIPAA 2021
As we said, you can expect that many of the 2021 changes revolve around everything that the medical community learned from the COVID-19 pandemic. So, you'll notice several changes that talk about gaining control of virtual health options. The Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) worked to address economic fallout during the pandemic as well. Let's look at some of the changes that came about because of these events.
2020 CARES Act Aligns With HIPAA
On March 27, 2020, Congress passed the CARES Act. This was a quick push to ensure that every person living in the United States of America would have access to care. Given that the World Health Organization (WHO) had recently announced the start of the pandemic, the government wanted to ensure that each American would have coverage. The CARES Act also worked to ensure that people living in the US wouldn't be as harshly affected by the economic fallout from the pandemic. Unfortunately, before the CARES Act, there was no specific guidance for individuals suffering from substance abuse disorder. Thus, experts called for changes to the 42 CFR Part II regulations, which is where new stipulations like these belong. The CARES Act made these changes. It allowed healthcare workers to share the charts of patients with substance abuse disorders more widely. However, it also specified the action to take in a suspected breach of confidentiality. These changes are important since these individuals need care in outpatient and/or inpatient facilities. Before, these organizations were given very little information. Now, healthcare providers can share essential and relevant information with the right personnel. We should note that these confidentiality clauses followed HIPAA's prior guidance in similar situations. The specifications for healthcare personnel came from HIPAA's rules and regulations.
Specifications for Patients With Substance Abuse Disorders
The 2021 changes to the 42 CFR Part II regulations were set in place via the Legacy Act. Before this, patients with substance abuse disorders would have to consent to every single disclosure of their information. While this is great for abiding by the patient's wishes, physicians often found this to be a tiring and lengthy process. This was especially true when the patient was detoxing from these substances.
On top of this, the consent form for each patient with a substance abuse disorder had to list the sharing parties specifically. If a physician's name was not specifically listed, they would have to approach the patient about sharing their information once more. All in all, the Legacy Act aims to fix these problems. Now, patients with substance abuse disorder can give broad consent for the dissemination of their information. Rather than listing certain names, the consent documentation says that the patient gives consent for the information to be shared based on the following criteria:
- Other healthcare operations
If the reason doesn't fall under one of these situations, then the patient will have to give specific consent.
Cybersecurity Safe Harbor Provision
Healthcare industry stakeholders have been looking for a safe harbor provision for a few years. They've been hoping to protect business associates that have experienced data breaches despite advanced security systems. In 2020, lawmakers proposed a bill asking the HHS to consider these situations. Even with the best technology in place, these health facilities still suffered breaches. And, because they were breached, this counts as a HIPAA violation. But, this new law that the president finalized in 2021 changes the punishments for this kind of problem. The HHS didn't want to punish healthcare facilities for adopting advanced technologies. Instead, they want to encourage more businesses to adopt advanced technologies. To do this, the new bill reduces financial penalties for data breaches as long as the facility is in compliance with security standards. The bill also requires the OCR to reduce the extent of any data breach investigation when the healthcare facility is compliant with security standards.
HIPAA Changes in Response to COVID-19
The COVID-19 pandemic in 2020 sparked a whole set of provisions to HIPAA regulations. With a new normal for healthcare, many concerns for patient privacy arose. Some of these changes will stay past the end of the pandemic, but others will end once the state of emergency has ended. Some are going to last longer because they fix problems that we didn't know we had until the pandemic came along. To be clear, the pandemic showed experts a lot of weak spots in the healthcare industry. So, they revised and updated HIPAA regulations in an attempt to patch these spots. The intention of these changes is to ease the burden on healthcare facilities. They're already having to deal with an influx of patients. So, the last thing they should have to worry about is HIPAA compliance while they're focusing on patient care. This isn't to say that the provisions completely removed the need for HIPAA. Instead, lawmakers developed new rules surrounding patient care during the pandemic.
Telehealth Remote Communications
First, the OCR put out a Notice of Enforcement Discretion for telehealth remote communications. This was to help encourage the further use of telehealth services. The pandemic saw the implementation of social distancing and home isolation. But, at the same time, patients were flocking to healthcare facilities for treatment. This Notice of Enforcement Discretion came at a time when healthcare professionals were trying to care for patients while minimizing their risk of contracting COVID-19. To help with these goals, lawmakers wanted to make telehealth services easier for healthcare professionals to offer. The CMS also ensured that Medicare and Medicaid beneficiaries could receive coverage for these services. To encourage healthcare providers to offer telehealth services, the OCR announced that it wouldn't penalize any healthcare providers who offered these services.
This is in connection with the good faith provision of telehealth services, as long as providers are using them to provide diagnosis and/or treatment. The OCR also noted that this provision applies even if the healthcare provider is caring for a patient without COVID-19. They implemented this policy to protect individuals who could be at risk of contracting COVID-19 if they were to go to the doctor's office in person. So, even if the platforms that these healthcare providers used weren't completely compliant with HIPAA, healthcare providers wouldn't get penalized. However, physicians cannot use public-facing platforms that broadcast the conversation to others. The OCR is more concerned with ensuring that patients are treated. They brought special attention to underserved populations who may have even more trouble finding healthcare during this time.
Disclosure of PHI by Business Associates
The second Notice of Enforcement Discretion concerns how business associates use and/or disclose protected health information. HIPAA doesn't allow business associates to disclose protected health information (PHI) for public health or health oversight purposes unless there is a competing stipulation in their business associate agreement (BAA) with a HIPAA-covered entity. Under this addition, the OCR said that they will not penalize business associates or their facilities for health-related disclosures. However, they should only disclose the information to certain organizations:
- Centers for Disease Control (CDC)
- Centers for Medicare and Medicaid Services (CMS)
- The state health department
- The local health department
- Any state emergency operations center
If there is a disclosure of this kind of information, the business associate has to let their facility know within ten days of the disclosure. This new policy encourages facilities to report positive tests to the proper authorities. Traditionally, you may think that sharing this information is against HIPAA. But, because of policies like these, HIPAA does not apply to pandemics and similar states of emergency.
Community-Based Testing Sites
The OCR then announced its third Notice of Enforcement Discretion. This one applies to the operation of COVID-19 testing centers. It states that the OCR will not penalize healthcare providers, pharmacies, and similar professionals for participating in COVID-19 testing. This is another great way to encourage these professionals to take advantage of everything that the government is doing to prevent the spread of COVID-19. By being tested, these individuals can protect themselves and others. Thus, the OCR and other government entities want to encourage this. So, they've removed the possibility of violating HIPAA by doing these kinds of things.
Online Scheduling Applications
The last pandemic-related Notice of Enforcement Discretion relates to online scheduling. Due to the ease of online scheduling, many vaccination sites took appointments strictly through online means. However, prior to the pandemic, these kinds of systems were few and far between. It was hard to abide by HIPAA regulations while using these kinds of systems. When the pandemic came, the OCR wanted to change this. They wanted to encourage more people to take advantage of these sites. So, they had to make vaccine scheduling as easy as possible. If they were to penalize people for taking advantage of online scheduling, it could result in a greater number of cases.
Changes to the HIPAA Privacy Rule
The HIPAA privacy rule is in place to restrict the use of personal information. It also prevents this information from being shared with others. Specifically, the HIPAA privacy rule focuses on protected health information (PHI). PHI includes any kind of detail that can identify a specific person. This ranges from the person's address and height to their current diagnosis and treatment. It's important to advocate for the protection of this information, as it could be used to access more personal details about a patient. For example, let's say that two physicians are talking in the hallway about a patient. While this is happening, the patient's friend, who doesn't know that she is there, walks by. But, because the physicians are using PHI, that friend can identify who the physicians are talking about. Thus, the friend now knows information that the patient may not have wanted him/her to know. Beyond circumstantial examples like that one, exposure of PHI is damaging in other ways. So, it's best not to communicate these kinds of details in an unsecured manner.
Why Does Right of Access Matter?
Right of access refers to the patient's ability to access their own medical records. The right of access became a problem as HIPAA's regulations became more advanced. Because security became so tight around medical files, it became difficult for patients to get access to their own files. Now, the OCR is working on ensuring that patients have easy, affordable access to their medical charts. Due to the desire to protect PHI and other information, many medical facilities blocked off the ability to gain access to patient charts. But, now, patients are going to gain the right to access their charts. While it's not set in stone, medical facilities should be making the proper changes now. And, those facilities that do not meet the right of access requirements will incur penalties from the OCR.
New Patient Identifier for Medicare Patients
In relation to PHI, Congress released the national patient identifier (NPI). However, this number is currently only for Medicare patients. Congress ruled in favor of implementing this number because of issues with misidentifying patients based on PHI. This reduces medical errors as well. So, other organizations like the American Health Information Management Association (AHIMA) supported the policy. However, just like all policies, there are some criticisms. Some people argue that having an NPI actually threatens patients' privacy even more. Now, all someone needs is this number to gain more information about a patient. But, as of now, these numbers are still in place. However, the National Patient Identifier Repeal Act has been formed.
How Are New HIPAA Regulations Introduced?
HIPAA updates happen slowly. After all, these organizations can't expect healthcare facilities to make these changes overnight. This is especially true for extensive privacy and security updates. So, HIPAA regulations form over time. Before changing any regulations, the Department of Health and Human Services (HHS) looks for feedback on prior rules. So, people can submit their thoughts on problematic, irrelevant, or confusing rules. Then, the HHS looks into this feedback. They meet and discuss some of the changes that they'd like to make given these comments. After that, the HHS submits a notice of proposed rulemaking. This states the changes that the HHS is considering making. Keep in mind that this is not an official rule change. Rather, this is a time for others to give their feedback on the proposed changes before they are approved. If the HHS goes through with the proposed change, then it becomes law. Now, healthcare facilities have a grace period to update their procedures and technologies as required by the new rule. Once this grace period is over, the OCR and HHS can begin enforcing the HIPAA law. This means that penalties can start against facilities that haven't made the necessary changes. The key here is the grace period. If you're working for a healthcare facility, you want to make sure that you're up to date on the latest HIPAA news and training so that you know the proposed laws. Then, you can do what you need to do during the grace period.
In order to prevent healthcare providers and facilities from breaking HIPAA regulations, the OCR has to put penalties into place. These penalties dictate what the punishments are for breaking HIPAA rules and regulations. As you already know, some of these penalties were minimized or completely removed during the pandemic. However, this doesn't mean that HIPAA compliance is no longer a thing. In fact, the OCR wants healthcare providers to stay vigilant about patient privacy, especially during the pandemic.
Changes to HIPAA Penalties in 2021
After all of the lessons that they've learned during the pandemic, the OCR is making some changes to preexisting HIPAA penalties. As they've made these changes, they've also put special emphasis on the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act pushed for HIPAA penalties to be stronger. So, the HHS developed tiers for HIPAA penalties. There are now four tiers, and each tier has a minimum and a maximum penalty for HIPAA violations. The decided penalty is based on the violator's culpability.
Non-Compliance Penalties Rise
As we mentioned, there are four tiers for HIPAA penalties. After a large number of changes in 2020, these tiers are different. In particular, the financial penalties have changed. They've increased according to the Inflation Adjustment Act. Here are the tiers of HIPAA penalties:
- Tier 1: The violator was unaware of the HIPAA rule and could not reasonably have known that they violated the rules. ($100-$50,000 per violation)
- Tier 2: The violator claims not to have known about the rule, but he/she should have known, as determined by reasonable cause. ($1,000-$50,000 per violation)
- Tier 3: The violator practiced willful neglect of the rule but fixed the violation within thirty days. ($10,000-$50,000 per violation)
- Tier 4: The violator practiced willful neglect and did not try to fix the problem within thirty days. ($50,000 per violation)
Each tier also has an annual maximum:
- Tier 1: Maximum $58,490 per year
- Tier 2: Maximum $58,490 per year
- Tier 3: Maximum $58,490 per year
- Tier 4: Maximum $1,754,698 per year
In short, the penalties for not complying can be expensive. It's not worth the price, so you should take the time to keep up with current HIPAA trends.
No Non-Compliance Penalties for Telehealth
You may be confused by the changes to non-compliance financial penalties. We should be clear. The OCR made these changes prior to the pandemic. So, the non-compliance penalties discussed above do not apply to telehealth services during the pandemic. This is because of the good faith provision of telehealth. As long as physicians are acting in the best interest of the patient and according to their best judgment, neither the OCR nor the HHS will penalize them. We've also discussed the one stipulation to this rule: public-facing platforms. Physicians are not allowed to use public-facing platforms for their telehealth appointments. This means that physicians are not allowed to use live streams of any kind. The platform must support a private conversation between the physician and the patient. But, it does not have to be completely HIPAA-compliant as long as it is not public-facing.