By Jennifer Larson, contributor, May 15, 2019
More than 30 years after the federal Health Insurance Portability and
Accountability Act (HIPAA) redefined a healthcare provider’s role in protecting
patient privacy and access, the regulations continue to change. Are you keeping
up on a regular basis?
If not, we have summarized the major HIPAA changes for 2019. Check out
these HIPAA updates and developments, including some changes that experts are
predicting in the near future.
Recent changes in
Modification of penalties for
One significant new change to HIPAA this year is the modification of
fines for HIPAA violations. The U.S. Department of Health and Human Services (HHS)
released a Notification
of Enforcement Discretion Regarding HIPAA Civil Money Penalties in
late April 2019 to announce that it was changing the annual limits on the
Violations are judged based on a four-tier penalty structure that takes
negligence at the time of violation into account. The tiers increase in
severity and culpability from “No Knowledge of Violation” in Tier 1 to “Willful
Neglect That Goes Uncorrected” in Tier 4. In the past, the Health Information
Technology for Economic and Clinical Health Act (HITECH Act) had set out a $1.5
million annual limit on violations that occurred within any of the tiers,
regardless of the organization’s level of culpability.
The new modifications, however, significantly reduce the maximum
fines for three of the four tiers. The annual limit for violations
that fall into Tier 1 is now capped at $25,000. Fines for Tier 2 now have an
annual cap of $100,000, and Tier 3 is capped at $250,000. Tier 4 fines remain
“For clinicians, this could reduce some of the concern about
potentially disproportionate penalties for arguably unintentional violations,”
said Matthew Fisher, partner in the
Massachusetts-based law firm Mirick, O’Connell, DeMallie & Lougee, LLP.
Final conscience rule released
The HHS’s Office for Civil Rights (OCR) recently issued its final
Conscience Rule, which is actually a replacement of a 2011 rule.
It’s designed to protect individuals, healthcare providers and healthcare organizations
from discrimination on the basis of their exercise of religious belief or moral
conviction in HHS-funded programs.
The rule ensures that, among other things, healthcare professionals
will not feel compelled to leave the practice of medicine because they decline
to participate in actions that violate their conscience. It also protects the
right of diverse faith-based healthcare institutions to retain their religious
beliefs and identity as part of their mission of serving others. This final
rule implements approximately 25 federal conscience protection provisions, and
provides significant tools and mechanisms appropriate for enforcing the
conscience protections passed by Congress.
changes, in 2019 and beyond:
Tighter enforcement of
The HHS Office for Civil Rights (OCR) has indicated that it will be
ramping up enforcement of patient access rights, especially for those violations
that are considered “willful neglect” and don’t get corrected.
“The indication is that what they will focus on is those bad actors,”
said Joe Dickinson, a partner with the North
Carolina-based law firm Smith Anderson. “They’re going to be focusing on
egregious cases of noncompliance.”
Another record-setting year for
This past year hit a record for OCR when it came to collecting fines
for HIPAA violations. In fact, OCR collected a total of $28,683,400 in fines in
2018, including a single settlement for $16 million from Anthem after the
company was found responsible for the largest health
data breach in U.S. history. The total fines collected
represented a 22 percent increase over 2017’s total of $20,393,200.
Could 2019 be another record-setting year? “I think that’s an open
question,” said Fisher.
It may be too early to tell, especially since last year’s largest
settlement wasn’t announced until October. The most recent settlement,
announced on May 6, was a $3 million settlement for a Tennessee diagnostic
medical imaging services company that violated the HIPAA Security and Breach
Changes to HIPAA privacy rule
In December 2018, OCR issued a Request for Information (RFI) to
generate comments from the public on possible modifications to HIPAA,
especially the privacy rule, as part of the Regulatory Sprint to Coordinated
Care initiative. The comment window closed in February, but no word yet on
“I probably wouldn’t really expect to see anything until the end of
this year, if not 2020,” said Fisher.
Permanent audit program
The HIPAA Privacy, Security, and Breach Notification Audit Program has
been operating in Phase 2 for some time now, Dickinson noted, but a permanent
audit program is coming. The HHS Office of the Inspector General (OIG) has been
calling for a permanent audit program for several years now. When enacted, a
permanent audit program is expected to take a deeper and broader look at what
organizations are doing to identify and resolve noncompliance issues.
The effect of the California
Consumer Privacy Act
As a federal law, HIPAA takes precedence over state law…unless a state passes
a patient privacy law that requires even greater protection of patients’
rights. In June of 2018, California Governor Jerry Brown signed the California
Consumer Privacy Act into law, with the goal of enhancing privacy rights and
protections for California residents.
When the law takes effect in 2020, it may pose challenges for some organizations
when doing risk assessments. And if other states follow suit, they could face similar
“There may be compliance gaps because states have taken an approach
that’s more protective,” said Dickinson.
Changes to help fight opioid
Last year, OCR published guidance to help healthcare providers working with
patients who may have opioid addictions better understand what HIPAA allows
in terms of sharing patients’ health information with family members and
caregivers, as well as a public education campaign designed to improve
people’s access to evidence-based treatment by clarifying their civil
protections.
But HHS has fielded complaints about HIPAA interfering with people
getting the help they need. So, according to Dickinson, we can probably expect
“changes that would be, at the very least, some additional guidance.”