The Latest HIPAA Updates for 2019
More than 30 years after the federal Health Insurance Portability and Accountability Act (HIPAA) redefined a healthcare provider’s role in protecting patient privacy and access, the regulations continue to change. Are you keeping up on a regular basis?
If not, we have summarized the major HIPAA changes for 2019. Check out these HIPAA updates and developments, including some changes that experts are predicting in the near future.
Recent Changes In HIPAA Enforcement:
Modification of penalties for HIPAA violations
One significant new change to HIPAA this year is the modification of fines for HIPAA violations. The U.S. Department of Health and Human Services (HHS) released a Notification of Enforcement Discretion Regarding HIPAA Civil Money Penalties in late April 2019 to announce that it was changing the annual limits on the fines.
Violations are judged based on a four-tier penalty structure that takes negligence at the time of violation into account. The tiers increase in severity and culpability from “No Knowledge of Violation” in Tier 1 to “Willful Neglect That Goes Uncorrected” in Tier 4. In the past, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) had set out a $1.5 million annual limit on violations that occurred within any of the tiers, regardless of the organization’s level of culpability.
The new modifications, however, significantly reduce the maximum fines for three of the four tiers. The annual limit for violations that fall into Tier 1 is now capped at $25,000. Fines for Tier 2 now have an annual cap of $100,000, and Tier 3 is capped at $250,000. Tier 4 fines remain the same.
“For clinicians, this could reduce some of the concern about potentially disproportionate penalties for arguably unintentional violations,” said Matthew Fisher, partner in the Massachusetts-based law firm Mirick, O’Connell, DeMallie & Lougee, LLP.
Final conscience rule released
The HHS’s Office for Civil Rights (OCR) recently issued its final Conscience Rule, which is actually a replacement of a 2011 rule. It’s designed to protect individuals, healthcare providers and healthcare organizations from discrimination on the basis of their exercise of religious belief or moral conviction in HHS-funded programs.
The rule ensures that, among other things, healthcare professionals will not feel compelled to leave the practice of medicine because they decline to participate in actions that violate their conscience. It also protects the right of diverse faith-based healthcare institutions to retain their religious beliefs and identity as part of their mission of serving others. This final rule implements approximately 25 federal conscience protection provisions and provides significant tools and mechanisms appropriate for enforcing the conscience protections passed by Congress.
Expected HIPAA Changes, In 2019 And Beyond:
Tighter enforcement of violations
The HHS Office for Civil Rights (OCR) has indicated that it will be ramping up enforcement of patient access rights, especially for those violations that are considered “willful neglect” and don’t get corrected.
“The indication is that what they will focus on is those bad actors,” said Joe Dickinson, a partner with the North Carolina-based law firm Smith Anderson. “They’re going to be focusing on egregious cases of noncompliance.”
Another record-setting year for HIPAA fines?
This past year hit a record for OCR when it came to collecting fines for HIPAA violations. In fact, OCR collected a total of $28,683,400 in fines in 2018, including a single settlement for $16 million from Anthem after the company was found responsible for the largest health data breach in U.S. history. The total fines collected represented a 22 percent increase over 2017’s total of $20,393,200.
Could 2019 be another record-setting year? “I think that’s an open question,” said Fisher.
It may be too early to tell, especially since last year’s largest settlement wasn’t announced until October. The most recent settlement, announced on May 6, was a $3 million settlement for a Tennessee diagnostic medical imaging services company that violated the HIPAA Security and Breach Notification Rules.
Changes to HIPAA privacy rule
In December 2018, OCR issued a Request for Information (RFI) to generate comments from the public on possible modifications to HIPAA, especially the privacy rule, as part of the Regulatory Sprint to Coordinated Care initiative. The comment window closed in February, but there has been no word yet on proposed changes.
“I probably wouldn’t really expect to see anything until the end of this year, if not 2020,” said Fisher.
Permanent audit program
The HIPAA Privacy, Security, and Breach Notification Audit Program has been operating in Phase 2 for some time now, Dickinson noted, but a permanent audit program is coming. The HHS Office of the Inspector General (OIG) has been calling for a permanent audit program for several years now. When enacted, a permanent audit program is expected to take a deeper and broader look at what organizations are doing to identify and resolve noncompliance issues.
The effect of the California Consumer Privacy Act
As a federal law, HIPAA takes precedence over state law…unless a state passes a patient privacy law that requires even greater protection of patients’ rights. In June of 2018, California Governor Jerry Brown signed the California Consumer Privacy Act into law, with the goal of enhancing privacy rights and protections for California residents.
When the law takes effect in 2020, it may pose challenges for some organizations when doing risk assessments. And if other states follow suit, organizations in those states could face similar challenges.
“There may be compliance gaps because states have taken an approach that’s more protective,” said Dickinson.
Changes to help fight opioid epidemic
Last year, OCR published guidance to help healthcare providers working with patients who may have opioid addictions better understand what HIPAA allows in terms of sharing patients’ health information with family members and caregivers. It also released a public education campaign designed to improve people’s access to evidence-based treatment by clarifying their civil protections.
But HHS has fielded complaints about HIPAA interfering with people getting the help they need. So, according to Dickinson, we can probably expect “changes that would be, at the very least, some additional guidance.”