
Ensuring Healthcare Industry Compliance with HIPAA in 2021

Healthcare compliance is set to change significantly with changes to HIPAA around patient access to health information and data sharing.


Sponsored by SAI360

As the healthcare industry has evolved to become increasingly digital, the Department of Health & Human Services (HHS) and its subagencies have moved to bring the Health Insurance Portability and Accountability Act (HIPAA) into the modern age to support advancements in care coordination and improve patient access to their health information.

Beginning in 2021 and moving into the next few years, covered entities (both providers and payers) and business associates must enable both secure access and disclosures (i.e., sharing) of protected health information (PHI) to avoid financial penalties for noncompliance from HHS, namely the Office for Civil Rights.

To achieve and maintain HIPAA compliance today and into the future, providers, payers, and their business partners must remain aware of all the provisions necessary for them to comply with a host of mandates. In particular, for covered entities, a strategic technology partner can help identify potential weak points and protect the organization from avoidable risk and public relations fallout resulting from HIPAA noncompliance.

First and foremost, HHS is set to finalize modifications to the HIPAA Privacy Rule aimed at removing barriers to care coordination and individual engagement.

“These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens,” the agency states in the notice of proposed rulemaking (NPRM) issued earlier this year.

Chief among the proposed requirements are shortening the time allowed to respond to individual requests for PHI (from 30 to 15 days) and making this information available electronically as ePHI. Doing so also requires easing identity verification for individuals wishing to access their own data and enabling individuals to direct the sharing of PHI among different organizations. Considering the healthcare industry’s reliance on outsourcing, these changes represent a major wake-up call to covered entities and their business associates.

What’s more, providers, payers, and business partners must recognize a new exception to the “minimum necessary” standard to make disclosures essential for care coordination and case management more efficient but no less secure. Likewise, disclosures must also be made “to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.”

Additionally, covered entities will need to act in good faith when determining whether the use or disclosure of PHI is in the individual’s best interest, especially in the interest of avoiding serious harm to the safety and well-being of the individual. Requesting an individual’s written acknowledgment of a provider’s notice of privacy practices (NPP) is no longer required.

Lastly, the Office of Inspector General (OIG) has the authority under the 21st Century Cures Act to investigate any claim of information blocking by a health IT developer, healthcare provider, or health information exchange (HIE) or network (HIN), as noted in the HIPAA Privacy Rule NPRM.

Also specific to HIPAA in 2021 and beyond is a new law enacted to incentivize security, known as the HIPAA Safe Harbor Bill. Signed into law on January 5, the bill directs HHS to take into account a covered entity’s or business associate’s use of industry-standard security practices over the previous 12 months when investigating and undertaking HIPAA enforcement actions or for other regulatory purposes.

HHS and its subagencies have a strong track record of enforcing HIPAA rules and issuing substantial penalties for noncompliance. In 2020, OCR issued 19 fines, one of the most significant concerning a business associate’s failure to conduct a security risk analysis. Following a health data breach of the PHI of more than 6 million individuals, Community Health Systems agreed to a $2.3 million settlement with the federal government for “longstanding, systemic noncompliance with the HIPAA Security Rule.”

The HIPAA-related requirements exist against a backdrop of numerous other mandates on providers, payers, and business partners. Considering that HIPAA ensures individuals have access to their PHI, these covered entities and business associates must:

  • enable patient access to PHI using the FHIR application programming interface (API)
  • make provider directory information publicly available via APIs
  • participate in payer-to-payer exchange of patient clinical data
  • exchange specific enrollee data for dual eligibles
  • publicly attest that they are not participating in information blocking
  • publish digital contact information
  • share admission, discharge, and transfer event notifications

Meanwhile, the industry must still contend with the potential ending of the telemedicine enforcement discretion (which federal officials have continued to extend to support the country’s response to COVID-19) and ensure that their business partners are compliant with policies around potential fraud, waste, and abuse (FWA) — as detailed in a previous post.

Altogether, HIPAA compliance in 2021 is a tall order for covered entities and business associates. The former must hold their business partners accountable and work hard to mitigate potential risks by leveraging technology partners and solutions to identify potential weak points. The latter must fall in line with federal rules and regulations or else face litigation and penalties.

To ensure successful compliance, covered entities and business associates must be aligned to enable information to move securely from point A to point B to assist patients in their healthcare journeys.