The HIPAA Privacy Rule is not something that covered entities or business associates can afford to ignore, even as technology continues to evolve and patients have increased access to their own records.
AHIMA raised a key issue in a recent blog post, though: does HIPAA need to be improved to reflect the reality of the current healthcare environment?
AHIMA IG Advisors Senior Director Kathy Downing, MA, RHIA, explained in an email to HealthITSecurity.com that the 21st Century Cures Act discusses critical changes for privacy, security, interoperability, and even specifically addresses technology advancements.
“Section 3001 ensures interoperability of health information technology,” Downing stated. “This means that for health information technology to be considered interoperable, such technology must satisfy certain criteria.”
This includes the secure transfer criterion: the technology must allow the secure transfer of all electronically accessible health information to and from any and all health information technology for authorized use under applicable State or Federal law.
Additionally, the technology must provide complete access to health information, meaning it allows complete access, exchange, and use of all electronically accessible health information for authorized use under applicable State or Federal law without special effort by the requestor of such health information, Downing noted.
Finally, the legislation requires no information blocking: the technology must not be configured, set up, or implemented to block information, as defined in section 3010A(d).
Downing also stressed the importance of the HIPAA risk assessment, especially as technology continues to evolve. The increase in ransomware attacks, denial-of-service attacks, and other cybersecurity attacks against healthcare organizations further shows why entities need current and comprehensive risk assessments.
“Incomplete and inaccurate risk assessment is no longer an acceptable practice for any organization, regardless of size or scope,” she maintained. “Information governance practices, which expand HIPAA Privacy and Security rules beyond just protection of PHI, encourage the organization to understand their information assets by performing and documenting an inventory and then ensuring that all information systems are addressed in the Risk Assessment process, not just systems that collect electronic protected health information.”
She added that the healthcare data breaches currently being reported in the news show that covered entities are being infiltrated through various avenues, including phishing emails. It is not just about PHI access.
“In addition to the Risk Assessment, the organizations must manage and mitigate identified risks. Just doing the assessment is not the end of the process,” Downing said. “Regardless of whether the Security Rule standard is required or addressable, organizations must take reasonable steps to safeguard information and this includes encryption of data in transit, at risk and on mobile devices.”
Covered entities and business associates must also take note of applicable state privacy laws, Downing noted.
“Under HIPAA, if state law is more stringent or provides more patient rights, the organization must follow state law,” she explained. “Initially, this caused some confusion as the patchwork of state laws (new and old) were sorted out.”
“But 14 years after the HIPAA Privacy effective date, most organizations have a good understanding of how to comply with HIPAA and/or state law,” Downing continued.
OCR also continues to provide guidance to assist with state law interpretation, she stated, referring to guidance released in February 2016. That OCR guidance reiterated key points for individuals’ right of access when it comes to their own health information.
OCR wanted to address common issues, such as the fees individuals may be charged and if they want to send their information to a third party.
“HIPAA’s right of access is critical to enabling individuals to take ownership of their health and well-being – but this core right is rendered meaningless when individuals cannot afford to pay the fees,” previous OCR Director Jocelyn Samuels wrote in a blog post at the time. “These new FAQs clarify that individuals can be charged only a reasonable, cost-based fee for the labor and supplies associated with making the copy, whether on paper or in electronic form.”
AHIMA also has tools for healthcare organizations to utilize, ensuring that both providers and patients stay educated on patient rights to their own health information, Downing stated.
For example, AHIMA updated a slideshow in March 2017 for consumers on how to access their health information, set up a patient portal, and navigate the complexities of HIPAA.
HIPAA regulations allow for patients to view and obtain a copy of their health records, receive records in paper or electronic copies, and have records sent to another entity for treatment, billing, or operations purposes.
Overall, covered entities and business associates must both ensure that even as they implement new technologies – such as patient portals – HIPAA compliance continues to remain a top priority.