past present future

HIPAA Changes Ahead

This blog has been updated and you can read the January, 2023 version here – Prepare for HIPAA Changes Ahead

Proposed changes to the HIPAA Privacy Rule are not final yet, but change is coming. The changes may not be final for months, or more than a year, but now is a good time to learn about what’s ahead and take steps to be ready.

HIPAA is Constantly Changing

HIPAA has never been static but has adjusted in response to changing times since it began in 1996. Two of the biggest changes happened in 2009 and 2013. In response to changes in healthcare and technology, the HITECH Act (Health Information Technology for Economic and Clinical Health Act) was passed in 2009 which:

The last big change occurred in 2013 with passage of the Final Omnibus Rule which updated HIPAA to reflect requirements mandated by the HITECH Act.

The Final Omnibus Rule, among other things:

  • specified the encryption standards required to make electronic protected health information (PHI) unusable, undecipherable and unreadable in the event of a breach,
  • clarified that “workforce” under HIPAA includes employees, volunteers and trainees,
  • clarified that mobile devices, like smartphones and tablets are included within HIPAA security requirements,
  • added requirements to the Notice of Privacy Practices, and
  • clarified that subcontractor Business Associates must also comply with HIPAA.

Today, two of the biggest trends in healthcare are patient rights and coordinated care. The two are linked and complementary and the proposed HIPAA changes support both.

Information Sharing and Enhanced Patients’ Rights

Care coordination is not new and has been growing over the past several years. Healthcare has become so specialized that patients are seeing multiple providers with no one in charge, and patients don’t have all the information they need.

The basic idea is that healthcare can be better – better outcomes, lower costs, and better meeting of patients’ needs when patients have more information and control, and their providers share information with one another and with patients.

The proposed changes expand the definition of the term “healthcare” to include other elements related to an individual’s care, such as support for housing, legal issues, employment, transportation, safety, literacy, language, and hunger. With this change, covered entities will be allowed to disclose PHI to social service agencies and other third parties that may not themselves be healthcare providers but do provide health-related services.

Prepare for Change and Strengthen Your Compliance

  1. Review your process for responding to a patient’s request for access to their records. Make sure everyone in the organization understands the rules, and make it easy, prompt and at no or minimal cost.
  2. Ensure you have a complete set of current policies and procedures for the Privacy, Security and Breach Notification Rules, and you conduct regular Risk Analysis and Risk Management.
  3. Evaluate your HIPAA compliance culture and think about how to share information rather than assuming you cannot.
  4. Prepare for the enhanced role of patients in managing their own care – be as transparent and responsive as possible.

When any changes become final, we will let you know. In the meantime, if you have questions, ask The HIPAA E-Tool®.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU