This past December, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. These proposed modifications to the rule would help support patient engagement and remove barriers to coordinated care as well as reduce regulatory burdens on the health care industry.

This news from HHS set the stage for a timely webinar co-sponsored by eFax Corporate and the Electronic Healthcare Network Accreditation Commission (EHNAC) titled HIPAA in 2021: HHS Proposed Changes to Modify Privacy Rule and its Impact on Covered Entities.

Hosted by ANSWERS Media, the virtual discussion was led by two leading privacy and security experts in the healthcare sphere – Brad Spannbauer, Consensus’s VP of software implementation and professional services, and Lee Barrett, executive director and CEO of EHNAC. Both participants brought diverse knowledge and opinions on the proposed changes to the HIPAA Privacy Rule, the potential effects they might have on providers and the patients they care for, and any provisions that may need to be implemented once the rule is finalized.

Experts discuss overview and ramifications of key provisions outlined in the rule

The current timeline of the Proposed Rule and the release of the Final Rule. The Proposed Rule was officially issued on December 10, 2020, and was published by NPRM in the Federal Register on January 22, 2021. Comments are open until March 22, 2021, and Spannbauer encouraged listeners to take part and leave their thoughts. He went on to inform attendees that it takes approximately 90 days after comments close for a rule to catch, and covered entities will have 180 days to implement the results.

The impact of COVID-19. According to Barrett, some of what has happened with the Privacy Rule goes back to the beginning of the pandemic. The Office for Civil Rights established bulletins and guidance in February of 2020, with the focus on trying to minimize the impact of fines and penalties that could be levied by the OCR throughout the pandemic. Overall, Barrett believes the objective was to increase information sharing amongst a variety of entities while also focusing on the good faith efforts of covered entities and business associates regarding how patient information would be shared.

Telehealth. We saw an astounding rise in telehealth practice during the pandemic. Telehealth was a key component in healthcare because patients were not making appointments or visiting their primary care physicians. Smartphone applications became a link between various organizations, trying to make it easy for both patients and providers no matter the diagnosis or treatment plan. The OCR will not be imposing HIPAA penalties against healthcare providers for noncompliance in connection with the good faith provision of telehealth using these remote communication technologies. It has been outlined that covered providers can utilize apps such as FaceTime or Skype, but are unable to use Facebook Live, TikTok, or Twitch when providing telehealth.

Guidance on disclosures to law enforcement, first responders, and public health authorities. This will identify existing HIPAA Privacy Rule permissions and provide examples of when a covered entity may disclose PHI about individuals without their HIPAA authorization. If an individual is in an emergency situation where treatment is needed, a first responder is potentially at risk of infection, or the information would prevent or lessen a serious threat, then only the absolute minimum amount of information would need to be disclosed.

Modifications to the rules. These modifications protect covered entities from being subject to the minimum necessary requirement for uses by, disclosures to, or requests by a health plan or covered healthcare provider for care coordination and case management activities. Covered entities can disclose PHI to social services agencies, community-based organizations, or home and service providers. The modifications were proposed to encourage covered entities to use and disclose PHI more broadly in a variety of circumstances, which allows for the broad sharing of information in the midst of emergencies.

A new administration brings change

Each administration brings about new changes, and the Biden Administration will be no different. Barrett discussed the vast background in healthcare technology that the newly designated head of ONC, Micky Tripathi, will bring to his post – including serving on The Sequoia Board of Directors and furthering FHIR initiatives in support of interoperability. He went on to note that there will also be changes to the CMS administration, as many candidates are currently going through the nomination process. A select few industry experts are also going through the nomination process for the position of HHS Secretary. As leaders are selected and continue to drive efforts in the right direction, Barrett noted that, as has been stated, interoperability initiatives started under the Obama Administration will continue under the Biden Administration.

HIPAA Safe Harbor Law

The webinar also touched on the Safe Harbor Law, which amends the HIPAA HITECH Act and requires HHS to focus on incentivizing organizations to promulgate best practice security. According to Barrett, the goal of this law is to “not penalize those organizations that may have been impacted by a cyberattack, ransomware or other.” He went on to say how choosing not to seek third-party accreditation leaves the impacted organizations subject to an audit by OCR as well as certain fines and penalties due to their lack of proper cyber hygiene.

Now you know, but what should you do to prepare for the Final Rule?

Barrett first advised that all covered entities take time to review their current policies and procedures to determine what revisions need to be made ahead of the Final Rule approval. Covered entities shouldn’t wait to start making provisions on what those revisions might be. Second, all covered entities should begin to look at their organizations’ training processes. Should the Final Rule be approved, where do training tactics need to be amended to meet the new changes? For example, front office staff members should be aware of all forms that patients might have completed and submitted previously as patients could come in and ask to review their PHI on the spot. They might even ask for their records to be sent to another entity. If this Rule is implemented, the timing of these events will go from 30 to 15 days.

Spannbauer concluded the webinar by telling attendees how a majority of these changes will eliminate burdens for covered entities and should be embraced as they will not only make life a little easier for those they impact but, most importantly, because they support patient care.

Watch the complete webinar: HIPAA in 2021: HHS Proposed Changes to Modify Privacy Rule and its Impact on Covered Entities