HIPAA is 25 years old this year. Is it outdated? Will it be enforced? Is it on hold?
HIPAA compliance still matters. In fact, it’s more relevant than ever before, as technology advances and healthcare continues to change. HIPAA may need to change to accommodate a changing world, but the basics still apply.
The fundamental principle of HIPAA, that patient information should remain private, has been understood for thousands of years. In ancient Greece, Hippocrates included this principle in the Hippocratic Oath, the famous health care code of ethics.
HIPAA doesn’t go in and out of fashion; instead it has been modified, expanded and reaffirmed, in response to technology and changes in healthcare under four Presidents and fourteen Congresses since 1996. HIPAA is not political.
HIPAA Compliance in 2021
In December, 2020 the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) proposed a new rule that would modify HIPAA privacy standards for individually identifiable health information. According to HHS the proposed changes to the HIPAA Privacy Rule will:
- strengthen individuals’ rights to access their own health information;
- improve information sharing for care coordination and case management for individuals;
- facilitate greater family and caregiver involvement for individuals experiencing emergencies or health crises;
- enhance flexibilities for disclosures in emergency or threatening circumstances, such as the Opioid and COVID-19 public health emergencies; and
- reduce administrative burdens on HIPAA covered health care providers and health plans, while continuing to protect individuals’ health information privacy interests.
Normally, proposed rules are open to public comment for 60 days after they’re first published. However, on January 20, 2021 the Biden administration froze rulemaking across the board pending review by the new administration, and the comment period may be extended.
OCR is Still Working During the Transition
The Office for Civil Rights which enforces HIPAA does not yet have a permanent Director. The Acting Director is Robinsue Frohboese, a longstanding and experienced OCR staff member who has served as Acting OCR Director during four Administration transitions. OCR staff is still at work and investigations are still underway, although activity may have slowed due to the transition.
Individuals’ Right of Access to Medical Information
One of OCR’s highest priorities in recent years has been the individual’s right of access to their own medical records. Between mid-2019 and January 2021, OCR settled fourteen investigations involving covered entities’ failure to comply with HIPAA’s right of access requirements. This has been a longstanding OCR priority and will likely continue to be. Patients who have access to their own medical records are better informed, more involved and committed to their own care, and have healthier outcomes.
Federal Court Case Challenged HIPAA Enforcement
Last week we wrote about a recent decision in the 5th U.S. Circuit Court of Appeals that questioned OCR’s definition of “disclosure” of protected health information. The Court sided with MD Anderson and against OCR when it held that PHI isn’t unlawfully “disclosed” unless OCR can prove it was received by an unauthorized person outside of the hospital. The court also sided with MD Anderson when it agreed that the hospital’s internal policy requiring electronic encryption was a good enough “mechanism” to comply with the HIPAA Security Rule, even when employees didn’t follow the policy.
Even though this court case challenges how OCR may enforce certain HIPAA requirements, we do not see the decision as a major setback to enforcement. OCR will adjust its approach to investigations. There may be a rule change to clarify the definition of disclosure. In the meantime, fundamental HIPAA rules are still in place.
Signs of Change in HIPAA Compliance
Lawsuits are Filling the Gap
OCR is still primarily responsible for enforcing HIPAA against covered entities and business associates, but court cases are becoming more common. Although HIPAA does not give individuals a right to sue, creative lawyers representing individuals whose health privacy has been breached are filing lawsuits claiming breach of contract or negligence. HIPAA is indirectly involved because the lawyers argue that HIPAA rules provide a baseline standard of care. If an organization doesn’t provide that baseline standard of care, a judge or jury may treat them more harshly.
All fifty states have privacy laws similar to HIPAA and some lawsuits are brought under state law. Class action lawsuits in federal court and cases in state courts are all increasing. Lawsuits are on the rise.
Cybersecurity Risks are Growing
In every field, in the private sector, in government and the non-profit world, cybersecurity risks have skyrocketed. Ransomware continues to rise, threatening organizations of every size across the globe. In healthcare, ransomware can be crippling if it succeeds in making health records inaccessible to the provider. The COVID-19 crisis provided opportunities for hackers to exploit some of the confusion and fear around the pandemic, making 2020 one of the worst years in cybercrime to date. Ransomware is also presumed to be a breach under HIPAA, triggering the Breach Notification Rule.
Future Trends in Healthcare
Health Information Exchanges (HIEs) are electronic platforms that move clinical information among different health care information systems. The goal of an HIE is to enhance access to and retrieval of clinical data in order to provide safer, more efficient and equitable patient-centered care. They are relatively new but are becoming more widely used by both the private and public sectors.
The COVID-19 pandemic accelerated the use of HIEs among public health entities to help manage the crisis, causing OCR to issue HIPAA compliance guidance on HIEs in December, 2020. The Privacy Rule changes proposed in December include modifications to support HIEs.
Artificial Intelligence is transforming healthcare now, from data analytics, to diagnosis, drug dosages and vaccine development. The Washington Post recently convened a panel to discuss Artificial Intelligence in Healthcare, touching on the various technologies in use today, and some of the policy and ethical challenges raised by artificial intelligence.
Following HIPAA is More Important than Ever
- Privacy is fundamental to quality healthcare
- HIPAA is still the law at the federal level, and all 50 states have their own health privacy laws, most of which mirror HIPAA
- Lawsuits are on the rise, and following HIPAA helps defend against those
- Preserving patient privacy and maintaining patient trust is the right thing to do
- The HIPAA Security Rule is a blueprint for defense against the growing risk of cyber crime