HIPAA Act Turns 25
The HIPAA Act was enacted on August 21, 1996 in an effort to improve the privacy and security of patient protected health information. Over the past 25 years, the HIPAA Act has undergone changes, expanding who it regulates and improving patient access to their medical information.
What Changes Have Been Made Over the Years
There have been several changes made to the HIPAA Act over the years to improve patient privacy and security. This includes the enactment of the Omnibus Rule, Interoperability and Information Blocking Rule, and HR 7898; as well as prioritizing HIPAA right of access enforcement.
The HITECH Act of 2009 was created to encourage the implementation of electronic health records (EHR), and to support the technology required to do so. With the enactment of HITECH, the HIPAA Act privacy and security requirements had to be modified to account for the increased adoption of EHRs. The Office for Civil Rights (OCR) enacted the HIPAA Omnibus Rule to adopt HITECH requirements including breach penalties and notification reporting, business associate HIPAA compliance, and business associate agreements.
The Omnibus Rule also provided additional guidance for the use and disclosure of PHI, including:
- Communications for marketing or fundraising;
- Exchanging PHI for payment;
- Disclosures of PHI to persons involved in a patient’s care or payment for care;
- Disclosures of student immunization records; and
- New rights to restrict certain disclosures of PHI to health plans and to request access to electronic PHI (ePHI).
Interoperability and Information Blocking Rule
The Interoperability and Information Blocking Rule of 2020 was enacted to improve the exchange of electronic health information (EHI), with the intention of increasing patient access to information, lowering costs, and improving outcomes.
To comply with the Interoperability and Information Blocking Rule, it is important to:
- Identify and educate stakeholders on information sharing practices;
- Review EHI practices and make adjustments if necessary;
- Review EHI system functionality to ensure that they are configured properly to facilitate information sharing;
- Respond appropriately to requests for information sharing; and
- Pay attention to newly released guidance.
Focus on Cybersecurity
In January 2021, a bill (HR 7898) was passed that requires the Department of Health and Human Services (HHS) to incentivize an organization to implement cybersecurity best practices. Under HR 7898 HHS must take into consideration whether or not an organization has implemented a recognized cybersecurity framework when deciding whether to issue a fine or undertake an audit.
HIPAA Right of Access Enforcement
Over the past few years, the OCR has ramped up enforcement efforts surrounding HIPAA Right of Access compliance. In 2019, the OCR announced a “Right of Access” enforcement initiative in which they prioritized these types of HIPAA audits. Before the enforcement initiative was announced, a study found that 51% of healthcare providers were either partially compliant or requests had to be escalated to supervisors multiple times before records were received; and 71% of providers would not have been compliant with the HIPAA right of access had the request not been escalated to supervisors.
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!