Are adjustments to HIPAA improving the US healthcare sector?
The US Health Insurance Portability and Accountability Act (HIPAA) 1996 is a significant federal-level safeguard for the protection of personal health data and has long been a pillar of healthcare regulations.
In light of evolving healthcare landscapes, increased digitisation, and emerging challenges, HIPAA has experienced significant updates and revisions in recent years.
What are these changes and how will they affect the US healthcare landscape?
The pandemic’s effect on US HIPAA
Since COVID-19, temporary changes and flexibilities to HIPAA were introduced to keep up with the sky-rocketing demand for healthcare. Modifications were made to facilitate telehealth services, public health disclosures, and the flexibility of business associates.
During the pandemic, the Office for Civil Rights (OCR) exercised enforcement discretion for telehealth. Healthcare providers could use popular communication tools for remote visits and penalties for “good-faith” telehealth violations were waived. It encouraged providers to use telehealth platforms without fear of regulatory repercussions.
US HIPAA also permitted the sharing of patient information with public health authorities for controlling the spread of communicable diseases, including COVID-19 cases.
While these changes were temporary, they showed that HIPAA could be adapted to meet evolving healthcare needs.
In 2021, the HIPAA Safe Harbor Law was introduced to enhance cybersecurity, patient access to healthcare data, and HIPAA enforcement. It amended the Health Information Technology for Economic and Clinical Health (HITECH) Act to provide flexibility in enforcing penalties and conducting audits for HIPAA violations. As a result, the Department of Health and Human Services (HHS) could refrain from enforcing penalties, mitigate penalties, or reduce administrative burdens in specific circumstances.
These adjustments indicate a potential trend towards more flexible regulations that prioritise patient access to healthcare data, enhance cybersecurity and allow for broader telehealth services in the US healthcare landscape.
What are the proposed changes to HIPAA’s Privacy Rule?
To address concerns over the patchwork of state legislation and the possible uses or disclosures of protected health information (PHI), the OCR has proposed several changes to the HIPAA Privacy Rule. This is to protect patients' reproductive healthcare information and ensure that healthcare providers can deliver appropriate care.
It follows the Supreme Court's decision to overturn Roe v. Wade last year, where several laws in states restricting or prohibiting terminations have been re-enacted, resulting in women travelling across state lines for procedures.
The proposed changes include:
A definition of "reproductive healthcare" to HIPAA, which encompasses abortions, contraception, fertility, and miscarriage healthcare.
New limitations on the uses and disclosures of PHI related to reproductive healthcare that cannot be overridden by obtaining consent or authorisation. If there is a need to use or disclose PHI, there needs to be a guarantee it will not be further used or disclosed in out-of-state judicial or administrative proceedings.
Clarification on providing or facilitating reproductive healthcare that isn’t considered abuse, neglect, or domestic violence.
A new section to existing Notices of Privacy Practices to reassure patients that their PHI related to reproductive healthcare will not be used or disclosed inappropriately.
Shorter timeframes for providing medical records, expanded definitions of electronic health records, and the ability for patients to inspect their PHI in person.
These changes are likely to have a significant impact on safeguarding patients' reproductive health information, and from a business perspective, they may inspire significant investments in data management infrastructure and staff training to ensure compliance.
The evolution of HIPAA enforcement
In 2018, the OCR set a record for HIPAA enforcement with $28 million in fines and settlements, surpassing the previous record set in 2016. This trend continued in 2019 and 2020, with OCR imposing significant financial penalties for violations of the HIPAA Right of Access, inadequate risk management practices, and impermissible PHI disclosures.
Looking ahead, the OCR wants to address a wider range of HIPAA violations, prioritising privacy violations related to reproductive healthcare. As a result, it has restructured its divisions to better use its resources and increased the timeliness of investigations, particularly for hacking incidents.
The digitisation of healthcare and the inevitable emergence of wearables and personalised trackers has also spurred HIPAA enforcement to catch up.
The company Premom recently received a $100,000 HIPAA fine for their fertility app sharing sensitive PHI with third parties without notifying users. Similarly, the Federal Trade Commission took enforcement action under the Health Breach Notification Rule against the provider GoodRx. This was for failing to notify consumers and others of its unauthorised disclosures of consumers’ personal health information to advertisers.
The increased focus on addressing a wider range of HIPAA violations indicate a more stringent approach to data protection. The evolution of HIPAA highlights some of the pressing privacy considerations in the healthcare sector, and reinforces the need to ensure legislation keeps up pace with technology. While change may be slow, regulators are going in the right direction by re-emphasising a commitment to patient privacy and advocating for necessary updates.