HIPAA Privacy: Reviewing Calling & Planning Ahead

The Health Insurance Portability and Accountability Act (HIPAA) has been in effect for 25 years, and this year there may be modifications related to patient access to protected health information (PHI).

HIPAA Information is Eye-Opening.

There are currently over 400 covered entities on the Department of Health & Human Services’ Office for Civil Rights (OCR) so-called ‘wall of shame,’ which lists data breaches from the past 24 months that are under investigation by the OCR.

In 2019, HIPAA Journal reported that 712 healthcare data breaches (an average of 59 per month) affected 45.7 million people, the most since 2015. Data breaches accounted for 82% of the breaches in December of last year, and the largest healthcare data breach settlement to date, $5.1 million plus a corrective action plan, resulted from one of them: hackers had installed malware and carried out reconnaissance undetected for 16 months, affecting more than 9.3 million individuals.

In response to complaints from patients who had not been given prompt access to their medical records, the HIPAA Right of Access enforcement initiative was launched in the fall of 2019. The following data relate to individuals’ right to access their health information:

  • As of December 2021, 25 enforcement actions had taken place.
  • There were 12 Right of Access violations in 2021, with penalties ranging from $5,000 to $200,000 imposed on healthcare organizations based on the organization’s size and the severity of the violation.

The Proposed HIPAA Privacy Rule Changes are Described.

The proposed HIPAA Privacy Rule changes are intended to eliminate barriers to care coordination and value-based care, reduce provider burden, and expand patients’ access to their medical records. The OCR issued a Notice of Proposed Rulemaking (NPRM) in December 2020 (Federal Register, January 2021); the NPRM was published on March 22, 2021, and the initial comment deadline (March 22, 2021) was extended to May 6, 2021.

Covered entities must comply with a large number of proposed changes to the HIPAA Privacy Rule.

  • HIPAA requires healthcare providers to post estimated fees for access and PHI disclosures with patients’ authorizations on their websites.
  • Organizations must provide, at the patient’s request, an itemized invoice for the fees associated with giving a patient a copy of their PHI.
  • Health plans and other providers must respond to record requests if patients direct those entities to do so.
  • Fees can be waived in specific emergencies or instances of financial hardship.
  • Patients must be allowed to view their PHI in person and take notes, photos, or videos.
  • Within 15 days of receiving a patient’s request for PHI, the provider must respond (PHI is now required to be provided within 15 days rather than 30).
  • Covered entities must provide a pathway for patients to direct the sharing of their PHI (stored in the electronic health record) among covered entities.

Covered entities may continue to require patients to request PHI in writing, but they must not impede access. For instance, the following would be prohibited:

  • Subjecting patients attempting to access their PHI to unreasonably high identity verification requirements.
  • Imposing other unreasonable measures on patients exercising their right to access their data.

The Notice of Proposed Rulemaking includes new and revised definitions as part of the proposed HIPAA Privacy Rule changes. Electronic health records (EHR) are electronic records of health-related information on a patient, created, collected, managed, and consulted by healthcare professionals and staff.

A personal health application is an electronic app that an individual uses to access health information about that individual in electronic form. It may draw on multiple sources, provided the information is managed, shared, and controlled by or primarily for the individual and not by or primarily for a covered entity or another party such as the application developer. The NPRM also modified the definition of healthcare operations to clarify that PHI may be disclosed for patient-level care coordination and case management without patient permission.

Further Alterations are Required.

With the newly-enacted Notice of Privacy Practices (NPP) regulations, covered entities are no longer required to obtain written acknowledgment from the individual that the NPP was received. Exceptions to the minimum necessary standard were made for uses and disclosures for patient-level care coordination and case management. The “exercise of professional judgment” standard has been replaced with a “good faith belief” standard regarding whether a use or disclosure of personal health information is in the patient’s best interests.

The standards for healthcare providers disclosing patients’ PHI to prevent a serious and reasonably foreseeable threat to health or safety have been relaxed. This is the case when a patient poses a danger to himself or others. The current standard is ‘serious and imminent.’ The proposed alterations would allow patient-level PHI to be disclosed to social service agencies, community-based organizations, home community-based service providers, and third parties that provide health-related services.

There are Proposals to Change HIPAA. What Should you Do?


Covered entities can begin altering their current environment in response to the proposed HIPAA requirements and guidelines. Furthermore, they must revise their existing policies, procedures, and NPPs. As noted, under the proposed alterations, a covered entity would be required to designate a distinct area where patients may examine their PHI in person, which might necessitate additional physical space.

Covered entities should compare the newly revised HIPAA requirements with state laws and audit their Business Associate Agreements (BAAs). Employees should be informed of the new policies and procedures, and once the Privacy Rule changes are finalized, risk assessments should be conducted.

There is a HIPAA Safe Harbor Act.

The HIPAA Safe Harbor Act provides a way for covered entities to disclose protected health information for research purposes. Covered entities and business associates must follow industry-standard security practices under the HIPAA Safe Harbor Act, which was signed into law on January 5, 2021. The act amends the HITECH Act and directs the Department of Health and Human Services (HHS) to incentivize cyber security best practices. The new law directs HHS, when investigating data breaches and taking enforcement actions, to consider whether covered entities and business associates had been using industry-standard security practices over the previous 12 months. HHS must decrease the length and extent of any audits if industry-standard security practices were adopted in response to a violation.

Organizations must conduct an annual security risk analysis and address identified weaknesses per the HIPAA Safe Harbor Act. If an organization follows “common cyber security practices,” fines and penalties are reduced if a data breach occurs.

OCR Guidance on HIPAA, COVID-19 Vaccination, and the Workplace

The CDC has issued guidance on compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HHS Office of Human Resources Management (HRM) guidance on workplace influenza vaccination programs (COVID-19).

Covered entities and business associates may not employ workers who have not received the COVID-19 vaccine, as per OCR guidance issued on September 30, 2021. Covered entities and business associates are bound by the Privacy Rule only in their function as health care providers/payers, not as employers. Providers or health plans may ask patients whether or not they have received the COVID-19 vaccine, and the Privacy Rule does not cover health care records held by covered entities and business associates in their function as employers. The guidance also stipulates that vaccination records must be stored securely and separately from personnel files and must be kept confidential.

See also  Positive Transformation of Patient Care Through Telenursing

Furthermore, the guidance states that a covered entity can disclose personal health information regarding a person’s vaccination status to their employer, in the interest of monitoring COVID-19’s spread in the workplace, only when the following conditions are satisfied:

  • The covered entity provides healthcare services to the employee at the employer’s request or as a member of the employer’s workforce.
  • The information disclosed relates to work-related illness or medical surveillance in the workplace.
  • The employer needs the information to meet its obligations under OSHA, Mine Safety and Health Administration, or state occupational safety and health laws.
  • The employee is given written notice that PHI relating to work-related illnesses and medical surveillance will be provided to the employer.

HIPAA Protective Order and an Extreme Risk Protection Order.

Two things are important: protecting the rights of those with mental illness and keeping people safe from harm. On December 20, 2021, HHS issued guidance on HIPAA and extreme risk protection order (ERPO) disclosures. The guidance states that a covered healthcare provider may sometimes disclose patient PHI without the patient’s permission to support an ERPO against the patient. PHI may be disclosed when the disclosure is required by law, occurs as a result of a court order, administrative tribunal subpoena, discovery request, or other lawful process, or is necessary to prevent or reduce a serious and imminent risk to public health or safety.

Improving Healthcare’s Cyber Security Posture in 2022.

HIPAA-covered entities must improve their cyber security in 2022. Some good practices include:

  • Maintaining offline, encrypted data backups and testing them regularly, which is crucial to preserving data integrity.
  • Running regular vulnerability scans, as Cybereason recommends, particularly on internet-accessible devices.
  • Keeping software and operating systems up to date.
  • Training employees to recognize phishing and other common IT attacks.

Hucu.ai allows users to securely and easily share files, photos, videos, links, and more! Bonus: any shared attachments are saved in the Hucu.ai Secure Cloud, saving you more storage on your device.

Hucu.ai provides a variety of data analytics dashboards, including engagement tracking, for organizations to view in the Hucu.ai Admin Panel. You can view collected data reports by location, team member, and partner location(s). Additionally, we continue to add more reports and charts on a regular basis based on our clients’ needs.
