Major updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are expected in the coming months, and many stakeholders are hoping for some significant improvements for reporting data. Simplification of existing processes for notification of breaches and tracking who has access to data could lead to some important advances. Currently, the processes are highly burdensome and can limit the ability to use data that include protected health information (PHI) to study important public health issues.
Research Risks Minimal
“The potential risks from use of data for research in areas like epidemiology and health services research are extremely minimal,” said Stephen Crystal, PhD, director of the Center for Health Services Research at Rutgers University in New Brunswick, New Jersey. “There have been almost no cases that I have ever heard about where an individual was actually harmed in any way from such research. This supports simplification.”
The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) this past March announced a 45-day extension of the public comment period for the Notice of Proposed Rulemaking (NPRM) to modify HIPAA. It has been more than 7 years since HIPAA has undergone a major overhaul despite significant improvements in information technology.
OCR first released the NPRM to the public on the HHS website on December 10, 2020, and it was published in the Federal Register on January 21, 2021. The 45-day extension moved the current deadline for the public to submit comments to May 6, 2021. The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information.
Complexity Is the Biggest Problem
Many physicians hope there will be a reduction in the administrative burdens on HIPAA-covered health care providers and health plans. Richard Bailey, lead IT Consultant for Atlantic.Net, which provides an array of data hosting services, said without a doubt the biggest problem with HIPAA is its complexity. “This is primarily due to how technology has evolved exponentially in the past 2 decades, creating a complex technical layer that must be implemented within the physical, administrative, and technical safeguards of HIPAA,” Bailey said.
HIPAA compliance is confusing, according to Bailey, because there are so many caveats regarding each technical safeguard. Electronic health record (EHR) encryption is an example. “It is not a mandatory requirement for EHR to be encrypted, but you must be able to demonstrate a roadmap of how your health care organization plans to achieve EHR encryption in the future,” Bailey said.
Greater Flexibility Needed
The current changes under discussion call for improving information sharing for care coordination and case management for individuals. “Not a great deal has changed since 2013. We had some minor regulatory enforcement easing at the start of the COVID-19 pandemic for telehealth and PHI disclosure for COVID victims, and there have been some increases in the data breach penalties over the years, but the majority of the core legislation is unchanged,” Bailey said.
Significant changes are expected to be introduced over cybersecurity standards in health care, with new guidelines establishing “expected best practice standards.” Clarification is needed for security and wearable health care devices, Bailey said. “We would like to see clearer definitions of best practices as other industries have done,” he said. “Take the credit card industry for example. There are clear and defined best practices to follow for your physical locations, networking, server administration, etc. This would help reduce the confusion on what is best practice when it comes to HIPAA compliance.”
Debate is underway about expanding health care clearinghouses’ access to PHI. As clearinghouses are business associates, Bailey said, it seems logical to expand their access to PHI. The rise of artificial intelligence (AI) and machine learning allows clearinghouses to create data warehouses with decision-making algorithms to link patient data to clearinghouse health care payment systems.
New technology known as Blockchain has significant promise for improving HIPAA compliance. It is a system of recording information, which reportedly makes it difficult or impossible to change, hack, or cheat the system. Every block on the chain has a specific number of transactions, and every time a new transaction occurs on the Blockchain it is recorded. Subsequently, a record of every transaction is added to every ledger. “Along with cloud, Blockchain can introduce significant protection and security to electronic PHI,” Bailey said. “There is no reason why this cannot be a success.”
HIPAA compliance specialist Susan Lucci, a senior privacy/security consultant with tw-Security based in Tucson, Arizona, would like to see an update of security terminology, with more precise nomenclature around today’s technology. HHS also should provide greater clarification and guidance on accounting of disclosures versus access audits. Many times, a patient may request an accounting of disclosures, but what they really want to know is whether anyone has been accessing their records internally without authorization (snooping). These are two entirely different processes. One has to do with disclosures made outside the organization, while the other is essentially a privacy complaint that needs to be acted upon, investigated, documented and resolved.
Lucci also would like to see significant changes in how investigations of data breaches and the associated corrective action plans along with financial settlement agreements are handled. “The findings should apply fully to business associates as well as the covered entities when compliance documentation is missing,” she said. “Right now, covered entities (CEs) are the ones who must report a breach to the OCR, and they appear to be the ones being investigated more fully than the business associate that had the breach in the first place.”
While right-of-access enforcement has gotten off to a good start, Lucci said it will likely include the requirements under Information Blocking in the future. “I’d also like to see OCR HIPAA compliance auditing resume for both CEs and business associates. If you look at the HIPAA Wall of Shame (breaches involving 500 or more individuals on the HHS website), it’s clear that business associates have caused about a third of breaches. Those breaches impact about two-thirds the number of people impacted based on reporting over the last year. So business associates should be audited and then be accountable just as CEs have been in the past,” Lucci said. The business associate HIPAA audit protocol has never been released to my knowledge.
HIPAA could benefit from some updating, simplification and clarification to help all healthcare organizations do a better job of complying with the regulation.