HIPAA Changes Providers Need to Heed

Here are some important Health Insurance Portability and Accountability Act (HIPAA) reminders and updates.

First, on the Security Rule side of things: this past Thursday, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) posted its latest settlement with a covered entity related to alleged HIPAA violations. This $250,000 settlement, with a Washington-based healthcare provider, followed a ransomware attack and subsequent investigation by OCR.

The risky business at issue here is, in many ways, merely operating in the healthcare industry. According to OCR, ransomware and hacking are the primary threats in healthcare. A ransomware attack will always be disruptive and damaging, can be challenging to prevent, and often results from human error. But it does not need to result in further payment to the government.

There have been countless ransomware attacks, but only a handful of them result in settlements. That’s because what matters is not the ransomware itself but the state of your compliance when OCR comes knocking. This latest settlement was, as many are, a complaint-driven investigation. And when OCR investigated, it found one of the most common HIPAA compliance failures: the lack of a comprehensive, accurate, organization-wide risk analysis. OCR also found insufficient monitoring of activity within the organization’s information systems that housed electronic protected health information (ePHI).

Preparing your organization for that worst-case but sometimes inevitable-feeling attack means you need to get your house in order to make sure that any investigation shows you were meeting your compliance requirements.

Now, compliance with the HIPAA Security Rule is staying more or less status quo, but there are some significant changes to the Privacy Rule that go into effect at the end of this year and will require some additional effort.

The new HIPAA Privacy Rule to Support Reproductive Health Care Privacy goes into effect Dec. 23. This new Rule implements a variety of new requirements, focused on providing further protection for “reproductive healthcare” – a new and very broadly defined term. The Rule, which was published in April, seeks to prohibit covered entities from using or disclosing PHI related to reproductive healthcare to identify a patient or healthcare provider in connection with an investigation or proceeding where the care was provided under lawful circumstances.

Here are some things to consider and make sure you’ve implemented by the end of the year:

  • Regulated entities (covered entities and business associates) will be required to obtain an attestation in certain circumstances from the person requesting the use or disclosure, stating that the use or disclosure is not for a prohibited purpose. HHS has posted a model attestation on its website.
  • Similarly, regulated entities need to revise their processes for responding to requests for the use or disclosure of PHI for which an attestation is required.
  • Regulated entities need to revise policies and train staff, with a particular emphasis on the staff that will be responsible for reviewing and determining the sufficiency of these attestations.
  • Covered entities need to review and potentially revise business associate agreements and assess vendor relationships to make sure everyone is aware of their new compliance requirements.

The final requirement is to update your Notice of Privacy Practices, but you have until 2026 to do that.

EDITOR’S NOTE:

The opinions expressed in this article are solely those of the author and do not necessarily represent the views or opinions of MedLearn Media. We provide a platform for diverse perspectives, but the content and opinions expressed herein are the author’s own. MedLearn Media does not endorse or guarantee the accuracy of the information presented. Readers are encouraged to critically evaluate the content and conduct their own research. Any actions taken based on this article are at the reader’s own discretion.
