New Year, New Review – Your 2023 HIPAA Compliance Guide

HIPAA Compliance Guide 2023

The Health Insurance Portability and Accountability Act (HIPAA) was intentionally designed with broad definitions and scope to encompass future changes. However, throughout its history, there have been times when updates have been necessary. To set the stage for a new year in healthcare, let’s review legal and regulatory changes from the past couple of years, then examine the anticipated 2023 HIPAA changes, including updated penalties. Finally, it is critically important for organizations to spend time going through a compliance checklist and updating processes and policies as needed.

Recent HIPAA-related Compliance Laws

Many long-overdue changes and new laws were postponed because of COVID-19 and have now taken effect. Healthcare organizations need to make sure they are back on track and prepared to comply by reviewing each of these changes and understanding how it affects the organization’s processes. These items are not direct HIPAA rule changes, but they all affect patient privacy and access to PHI.

  • The 2021 HITECH amendment, known as the “HIPAA Safe Harbor Bill”, encourages healthcare organizations to adopt “recognized cybersecurity practices.” Organizations that do so, and have had those practices in place for the 12 months preceding a HIPAA data breach, are considered partially protected from penalties.
  • The 21st Century Cures Act of 2016 (Cures Act) made it easier for patients to share their healthcare data with research institutions. To implement it, HHS published its Interoperability and Information Blocking Final Rule in March 2020; because of COVID-19, however, organizations were given until April 5, 2021 to comply.
  • The CMS interoperability rule, published in March 2020 with compliance postponed to July 1, 2021, applies to acute care hospitals, LTACs, rehab hospitals, psychiatric hospitals, children’s hospitals, and cancer hospitals that accept Medicare and Medicaid. These institutions must implement and maintain an API that allows patients to access their claims and receive that information through a third-party app of their choosing.

Preview Expected 2023 HIPAA Changes

A decade has now passed since the last major changes to HIPAA law. The Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that included many direct changes to the HIPAA Privacy Rule. The Final Rule is expected to be published in the Federal Register in 2023, but the exact date is unknown.

The NPRM is lengthy, but the list below summarizes the focus of the new rules and changes:

  • Anticipated HIPAA Rule changes address how substance use disorder (SUD) records are handled, with the goal of better addressing the opioid crisis.
  • Other changes specify how much access patients have to their own PHI, the associated costs, the time frame in which medical records must be provided, third-party access to records, and exactly what is included in the medical record.
  • The definitions of the terms “care coordination” and “case management” will be broadened, and an exact definition of “electronic record” will be added.
  • CMS put forth a proposed rule (CMS-0053-P) in 2022 that would modify HIPAA. It would promote the adoption of standards for transactions with attachments for prior authorizations, including medical charts, X-rays, and provider notes that document physician referrals. It would also include a standard for the referral certification and authorization transaction.

Understand Violations and Penalties

HHS updates that permanently change the tier penalties and maximum annual penalties are expected. A new penalty schedule was issued in April 2019, but its tier penalties exceeded the maximum annual penalty per violation set by the previous rules. That discrepancy is expected to be corrected in the 2023 Federal Register. Some 2023 figures may also be adjusted for inflation, so the penalty list below should be updated soon.

This is the current penalty structure as of 2022:


Renew

Each year, your organization’s HIPAA compliance checklist, risk assessment, audit process, and breach process should be reviewed for accuracy by the appropriate personnel, and internal policies should be renewed for the upcoming year. Any changes should be shared with staff, and the resulting education should be documented.

The purpose of a HIPAA compliance checklist is to make sure that an organization knows which HIPAA provisions it is required to comply with and which processes are in place to achieve that. Examples are available online and can be modified and adopted by the organization. The covered entity should also re-evaluate all business partners and determine whether they qualify as business associates (BAs).

A HIPAA risk assessment, per HHS, should have certain objectives regardless of the size or complexity of the organization or BA. A risk assessment is typically done in FMEA format (Failure Mode and Effects Analysis) and should be completed by a multidisciplinary team. The process should be repeated at least annually, and more often if the law or the organization changes significantly or a breach occurs.

One way to mitigate risk to your organization is to partner with businesses that take HIPAA compliance seriously. FormDr provides HIPAA compliant patient forms that fit the complexity of your business. To learn more about how we make compliance simple, review our architecture, guiding principles, and security features here.