The Health Insurance Portability and Accountability Act of 1996 (HIPAA) had four primary objectives, but it is best known for its provisions that protect the privacy of patients’ medical information. The HIPAA Privacy Rule was developed shortly after the law was initially passed, and it has evolved over the years to adapt to changes in technology and in the healthcare system itself.
Healthcare providers, health plans, and healthcare clearinghouses are “covered entities” under HIPAA, and the vendors that handle protected health information on their behalf are their “business associates.” Both must stay up to date with the latest developments, or risk exposing patient information to unauthorized parties and running afoul of regulatory agencies.
What new developments should covered entities be aware of? Here are some key highlights from the first few months of 2021:
- The US Department of Health and Human Services (HHS) Office for Civil Rights released a list of proposed changes to the HIPAA Privacy Rule in January of 2021. These include enhancements to patients’ right of access to their personal health information, as well as some proposed revisions to notices of privacy practices. The most far-reaching aspects of the proposed changes include “improving information sharing for care coordination and case management” and “facilitating greater family and caregiver involvement”. In other words, the proposed changes would allow patient information to be shared more easily under certain conditions. These changes have not yet been adopted. HHS has extended the public comment period for these proposed changes to May 6, 2021.
- In January we also saw the enactment of legislative changes that will affect HIPAA covered entities. The Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) was enacted under the Obama administration with the intention of expanding the use of information technology in the healthcare field and facilitating the transition from paper records to electronic health records (EHRs). On January 5, 2021, an amendment to HITECH was signed into law, requiring HHS to consider a covered entity’s or business associate’s use of “recognized security practices”. If an organization can demonstrate that it had such practices in place for the 12-month period preceding a potential violation, HHS must take that into account when determining fines, the length of audits, and the remedies it seeks. The result, for many HIPAA covered entities, could be an easier defense in the event of an audit or enforcement action, and potentially lower penalties if an organization is found to have violated HIPAA. So-called “recognized security practices” include the standards and guidelines developed by the National Institute of Standards and Technology (NIST), such as the NIST Cybersecurity Framework, and the practices developed under section 405(d) of the Cybersecurity Act of 2015. Note that the amendment offers a mitigating factor, not a safe harbor: an organization still has to document that the practices were actually implemented and in use, not merely adopted on paper.
- We have also seen some legal decisions recently that could foreshadow future decisions regarding HIPAA covered entities and the Privacy Rule. In January, the US Court of Appeals for the Fifth Circuit vacated a $4.3 million penalty against the University of Texas M.D. Anderson Cancer Center for alleged HIPAA violations. The hospital had self-reported the loss or theft of three mobile devices containing unencrypted electronic protected health information (ePHI), but HHS was unable to establish that the incident resulted in any actual disclosure of that information to an unauthorized party. In its decision, the court found that the HHS enforcement action was “arbitrary, capricious, and otherwise unlawful”. This decision represents a sharp contrast with previous HIPAA penalties that were upheld by appellate courts. While this may be a good sign for healthcare providers and other covered entities, it should not be interpreted as a reason for relaxing privacy and security practices: the ruling turned on how HHS applied its rules and calculated the penalty, not on any finding that storing unencrypted ePHI on portable devices is acceptable.
If your organization is a covered entity subject to HIPAA privacy regulations, it’s important that you stay up to date on new developments in the law. It’s also important to work with vendors who have a thorough understanding of HIPAA. This is especially true when it comes to electronic communications such as e-mail and fax.
Under HIPAA, any company that creates, receives, maintains, or transmits protected health information (PHI) while performing work on your behalf is a Business Associate. You must have a written Business Associate Agreement with each one, and you are responsible for making sure that they understand their obligations to protect the privacy and security of PHI.
Your fax platform provides a critically important communication link between your organization, the other organizations you interact with, and the patients you serve. At WestFax, privacy and security are central to everything that we do, including our business practices, policies, procedures and personnel training. With multiple options to integrate fax into your processes and applications, we offer maximum interoperability for organizations that manage patient information on a day-to-day basis.
Sign up today for a free trial of WestFax’s HIPAA Basic plan, or visit our Healthcare Fax page to learn more about our other plans. Contact us today at 800-473-6208 to discuss your needs; we can help you understand how our HIPAA-compliant cloud fax can work for you.