HIPAA changes

In case you have missed it, there have been several headlines about HIPAA changes in the last month.  What is that all about and what should you worry about?  Today we are discussing whether HIPAA changes will be coming this year.  Even better, we will tell you what we plan to do with the information.

HIPAA For MSPs by David Sims Are HIPAA Changes Coming?

It IS about time for change to happen in the HIPAA world.  However, I don’t think the change that many people seek is the change we are going to be talking about today.  In early 2017 we got a lot of comments that HIPAA was going to be gone soon, so there was no need to deal with it.  I thought we had put that one to bed.  With the recent headlines, there is more confusion.  Go figure!

First, let’s review what is stirring up all the hoopla.  On Dec 12, 2018, HHS published a press release with the heading “HHS seeks public input on improving care coordination and reducing the regulatory burdens of the HIPAA Rules”.  Since so many people have a habit of reading only the part of a headline that seems interesting to them, we need to be clear that there is both a beginning AND an end to that sentence.  Not just an end.  They are both very important.

The OCR has issued what is known as a Request for Information.  Here is what the official post in the federal register says:

“The Office for Civil Rights (OCR) is issuing this Request for Information (RFI) to assist OCR in identifying provisions of the Health Insurance Portability and Accountability Act privacy and security regulations that may impede the transformation to value-based health care or that limit or discourage coordinated care among individuals and covered entities (including hospitals, physicians, and other providers, payors, and insurers), without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information. This RFI requests information on whether and how the rules could be revised to promote these goals, while preserving and protecting the privacy and security of such information and individuals’ rights with respect to it.”

They want the public’s help in identifying provisions of HIPAA privacy and security regulations that impede the healthcare industry from transitioning to a value-based health care model.  Also, they want to know if there are things that discourage coordinated care.

The next bit is important.  They want to know those things above, but your input must also meet one other point.  The problems you identify must be ones that exist “without meaningfully contributing to the protection of the privacy or security of individuals’ protected health information”.  It is clearly stated that they want to make changes to improve things “while preserving the privacy and security of PHI”.

Now that we know that it isn’t just “going away”, we can look at it seriously to improve the protections to better work with the way we share information today.

Director Severino’s quote in the press release says:

“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

So, they are asking for general comments looking for ideas to make things better while still protecting patient privacy and security.  They also ask for input in some specific areas that they have been discussing for some time.

In addition to requesting broad input on the HIPAA Rules, the RFI also seeks comments on specific areas of the HIPAA Privacy Rule, including:

  • Encouraging information-sharing for treatment and care coordination
  • Facilitating parental involvement in care
  • Addressing the opioid crisis and serious mental illness
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

That list is the important one.  All of those items have been discussed for months.  Opening them up for public comment is the next step in the process.  It is important to understand that the RFI has very specific questions to answer, not just prognostications about where HIPAA is going.  There are 54 specific questions, some of them with multiple parts.  Here is an example of just one of them:

31) Should the Department require covered entities to account for their business associates’ disclosures for TPO, or should a covered entity be allowed to refer an individual to its business associate(s) to obtain this information? What benefits and burdens would covered entities and individuals experience under either of these options?

BTW, that one is just a single question; others have parts a, b, c, etc. to address after the main question.

There is another area of HIPAA with an official proposed rule change.  It is the part of HIPAA that people often forget about: the transaction and code set standards.  The official federal register page (Administrative Simplification:  Rescinding the Adoption of the Standard Unique Health Plan Identifier and Other Entity Identifier) explains that after careful consideration, and multiple attempts that the industry disliked, they have decided it is best just to rescind this part of the rule.

This proposed rule would rescind the adopted standard unique health plan identifier (HPID) and the implementation specifications and requirements for its use and the other entity identifier (OEID) and implementation specifications for its use. The decision to propose to rescind the adopted standards was made following a careful assessment of industry input, as well as HHS’s intention to explore options for a more effective standard unique health plan identifier in the future.

I can’t imagine they will fight to keep that stuff but who knows.  People hate regulations until it does something to protect them.

What do we think are good ideas for HIPAA changes in privacy?

I love getting rid of the requirement to obtain a signed acknowledgment of the NPP.  It should be posted in the waiting area, lobby, and website.  I want to know that they have one so if we need to point back to something we have it.  When organizations don’t have the NPP in place properly today, it is a sign to me that they aren’t taking it seriously.

I would love to see some additional exceptions for sharing information with family members and caretakers in certain cases.  Drug addiction is a huge one.  Today a drug-addicted adult can instruct providers not to tell their family about the problem.  Lives could have been saved during this opioid epidemic had family members known to have NARCAN (naloxone) in the house at all times.  This disease is awful and deadly, but we are making progress with the right treatment.  Support from your loved ones helps you get through it.  So, yes, we need the ability to use professional judgment that a problem exists and educate everyone about the dangers.  On the flip side of that, though, we do not want to open the floodgates and say that if someone has an opioid prescription we can tell everyone.  There must be a middle ground where multiple people agree there is an issue.  It can be multiple nurses, social workers, doctors, PAs, RNs, NPs, CNAs, etc.  If more than one of them sees the signs, they can discuss the problem and bring it to someone’s attention.

Mental illness is another one like opioid addiction.  Some of the people who have committed these mass shootings were under the care of mental health professionals who could not tell anyone unless specific threats were made.  They know this person is a ticking time bomb, but the law won’t let them prevent it from going off.  When these patients are being suspended (or asked to leave) school because of their behavior, it is time to do something.  We need to figure out ways to handle these cases to protect the public, but not go off the chain in the other direction either.  We count on professional judgment in these cases.  Again, having another opinion, like some sort of instant peer review, would be one way of handling it.

All of these things are ones where the “spirit” of the law would matter.  The changes would be to protect people, not to allow people to abuse the system.  It is unfortunate that we must worry about that today.  Our regulations are in place because so many people abuse the system and each other that we can’t trust them to do the right thing without a law in place.

In relation to the accounting of disclosures changes, it just seems like a dead end to me.  There is so much TPO that goes on in the medical industry that any accounting of those disclosures would be massive.  All of it could be perfectly normal, but there is so much of it that you couldn’t use it without a lot of summarization.  It is one of those “seems like a good idea” things suggested by people who don’t have a clue what would be required to implement it.  I don’t disagree that it would be a good thing, but would it be a helpful thing?  I know of cases where the full accounting would be helpful.  But I know of way more cases where it would be overkill and drag down the systems in place just to be able to generate those in a readable format anytime someone wanted them.  That is why OCR has this statement in the RFI (emphasis my own):

OCR has not taken action to finalize the proposed accounting of disclosures rule since the comment period closed in 2011, and it now believes that the proposed access report requirement would create undue burden for covered entities without providing meaningful information to individuals. Thus, OCR intends to withdraw the NPRM, and requests public input on the questions below to help OCR to implement the HITECH Act requirement and ensure that individuals can obtain a meaningful accounting of disclosures that gives them confidence that their PHI is being disclosed appropriately as part of receiving coordinated care or otherwise, without erecting obstacles or disincentives to the adoption and use of interoperable electronic healthcare records, which is necessary for efficient care coordination, case management, and value-based healthcare.

What about HIPAA changes in security?

We would really like to see it become more specific and start to blend with the NIST Cybersecurity Framework v1.1.  Using the framework makes it a bit easier to direct what should be done, since it is standardized.  While that would be a good option, I don’t see it being something that can be done easily, since the Framework is optional whereas the HIPAA security requirements are the law.

What could be changed (without too much hoopla), though, is adding some specific guidance in areas that people still argue about and get confused by today.  Here are a few of them.

Who is a BA?

  • List out why a copier company that removes drives with PHI on them would be a BA.
  • What about your IT provider who says, “We manage the network but never look at the EHR, so we aren’t a BA, but we can do your SRA”?
  • Voicemail providers who say that a voicemail is not PHI – what about them?
  • How do we handle janitorial services now that we know people have used those jobs to steal PHI out of the trash or with keyloggers on USB sticks?

What must BAs follow?

  • If you are a data center and the only thing you do is make sure the PHI is safe and accessible, do you have to do every little part of HIPAA?
  • Is a 45-minute annual training video really going to protect patient privacy?  Well, that one should be for everyone.

Provide a real-world example case of what they would like to see happen in a ransomware attack.  A case study that says these things happened and we would like to have seen X, Y, and Z take place.  If I hear one more time that ransomware always requires you to report to patients and HHS, I think I might ……

Make a change that says all mobile devices must be encrypted.  But, at the same time, allow a server kept in a large data center to remain unencrypted if you can show the physical and administrative protections are sufficient.

Address medical devices that attach to the network and clearly state that they fall under the Security Rule.  Yes, you IT companies that have no idea what is out there, you should know about them too.

I guess I could go on and on with this list, but we only have so much time.  I will say that, in my opinion, some of the other things that would be helpful to change are the laws that these major offenders are using to hide from civil judgments.  That would probably make them wake up and take action.

  1. Remove privacy and security concerns from the peer review exemptions.  This alone would allow transparency that is truly needed.
  2. Allow class action lawsuits using the harm requirement that “I no longer feel comfortable sharing private information with my providers”.  That lack of trust impacts my ability to receive care and therefore I have experienced harm.

These enforcement changes are more likely to improve actual compliance with the law.  Today, the ones that do take it seriously should be commended.  However, there are plenty of businesses that do not take it seriously, or think that they do but have no idea that they are in a mess.  Just as with the items above, you have to be prepared for people to abuse the system.  It is unfortunate that we know that will happen no matter what we do.

The bottom line here is that HIPAA changes are certainly needed.  We need ones that make it easier to legally share information when people are in danger or need care but can’t get it themselves.  We also need HIPAA changes that make it easier to be sure PHI is actually being secured.  I guess that part has to do with getting people to stop worrying about compliance alone.  You know:  Compliance isn’t security; security isn’t compliance.  You need both.