2021 marks the 25th year of the Health Insurance Portability and Accountability Act, or HIPAA — the legislation that provides security provisions and data privacy for safeguarding medical information. As security threats evolve and adapt, HIPAA is in a constant state of flux. We will look at some of the most recent HIPAA trends that will impact your organization as we approach the silver jubilee of this landmark law.
#1. HIPAA Trend – The Right of Access Initiative
Last year, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services announced the Right to Access Initiative. It is a significant policy change that promises to enforce the rights of patients who want to receive copies of their medical records quickly and without being overcharged.
For nearly a quarter of a century, HIPAA has vowed to keep protected health information (PHI) secure and private, but many critics of the legislation argue that it’s just too complicated and expensive to access one’s personal medical records. The new changes could combat these challenges.
In September 2019, the OCR fined a hospital in Florida $85,000 for failing to provide PHI to a patient in a timely manner — the first-ever settlement of a HIPAA right of access claim. In addition to this fine, the hospital had to agree to a corrective action plan that promised to develop, maintain, and revise, where necessary, its “right of access” policies and procedures. More organizations will be facing these new HIPAA trends and need to be prepared.
“The case itself was fairly routine,” notes the American Society for Clinical Pathology. “It began in October 2017 when the mom sent Bayshore a timely written request for access for the fetal heart monitor records from her delivery. We can’t find the records, Bayfront replied. The mom then went to an attorney and filed a complaint with the OCR, which initiated an investigation.” Patients are sharing more of the cost in their healthcare than ever before, and are rightfully requesting comprehensive documentation. Organizations must be thinking of the right of access for patients and how they will handle these requests.
What does this all mean for your organization? Going forward, this will be the new HIPAA trend and the OCR will clamp down on other hospitals and organizations that fail to comply with the Right of Access Initiative. To avoid hefty penalties, it’s a good idea to revise policies and procedures that pertain to right of access, which allows patients to access medical records quickly and cheaply. Luckily, technology and a well-implemented and interconnected EHR can assist with this.
#2. HIPAA Trend – OCR Increases Penalties for Non-Compliance
In November 2019, the OCR announced that it would increase penalties for HIPAA non-compliance in accordance with the Inflation Adjustment Act. The new rules will cover civil monetary penalties for HIPAA violations that occurred on or after February 18, 2009.
Penalties have increased significantly per violation, with a new annual cap per violation category. The maximum penalties for each of the four tiers — based on the severity of the violation — are as follows:
- Tier 1: $58,490
- Tier 2: $58,490
- Tier 3: $58,490
- Tier 4: $1,754,698
As you can see, the maximum penalty for a violation in the highest tier — reserved for the most serious breaches — could cost up to $1.755 million. Full details of the penalty structures above were published in the Federal Register for all agencies, including the ACF, FDA, and OCR. Organizations must be vigilant in maintaining robust HIPAA protocols.
“It should be noted that the maximum annual financial penalties differ considerably from OCR’s April 30, 2019 notice of enforcement discretion,” says The HIPAA Guide. “OCR had reassessed how the new penalties mandated by the HITECH Act had been interpreted and determined they did not reflect the intentions of Congress.”
Most organizations just can’t afford to pay these HIPAA penalties, so receiving a fine for non-compliance could seriously jeopardize their entire operations. This is why it’s crucial that providers review their compliance procedures on a regular basis. This includes regular audits of technology systems, including your practice management and EHR software.
#3. HIPAA Trend – New Patient Identifier for Medicare Patients
A National Patient Identifier (NPI) — a unique identification number for health care providers — has been part of HIPAA’s plans since 1996. For one reason or another, it has never been properly implemented. Until now. In June 2019, Congress ruled in favor of the legislation, arguing that identifiers will solve challenges with patient matching and minimize medical errors and misidentification.
The American Health Information Management Association (AHIMA) supports Congress’ decision. “AHIMA believes a voluntary Patient Safety Identifier, created and controlled by patients, is key to correctly identifying patients and matching their records across health systems,” they said back in 2016. Anyone who has worked on integrating systems and matching patient information understands what a challenge a unique patient identifier is.
There are many critics of this legislation, though. Politicians such as Senator Rand Paul have argued that identifiers will threaten patient privacy. Paul said in September 2019, “As a physician, I know firsthand how the doctor-patient relationship relies on trust and privacy, which will be thrown into jeopardy by a National Patient ID.”
Still, identifiers have been approved and will impact Medicare patients from January 1, 2020 onwards. There will be 18 identifiers in total, covering everything from names to Social Security numbers, phone numbers to email addresses, and health plan beneficiary numbers to biometric identifiers.
“There are also additional standards and criteria to protect individual’s privacy from re-identification,” says the Human Research Protection Program at UC Berkeley. “Any code used to replace the identifiers in datasets cannot be derived from any information related to the individual and the master codes, nor can the method to derive the codes be disclosed.”
You will need to know which PHI you can transmit when implementing these new changes for Medicare patients and follow HIPAA guidance for complying with the regulations. Failure to do so, of course, could result in receiving one of the penalties discussed earlier.
These are three recent changes to HIPAA that you need to know about in 2020. As the legislation approaches its 25th year, it continues to evolve, so medical practitioners need to keep up with the latest changes in order to improve compliance and avoid penalties.
Superior patient care and privacy must always be the focus of your medical organization. You can improve your privacy and security processes when you enlist the help of TempDev, who specializes in NextGen consulting services. As expert consultants in NextGen Healthcare software, they can help you comply with ever-changing HIPAA trends, regulations, and procedures. Click here or call TempDev at 888.TEMP.DEV now.