HIPAA Privacy and Security: At a Crossroads in 2022?
HHS Health Data Privacy and Security Regulations Could Be in for Big Changes
The healthcare industry and consumers are heading into the New Year with indications of significant changes to the regulation and enforcement of health information privacy and security by the Department of Health and Human Services.
Pending Privacy Rule Modifications
The HHS Office for Civil Rights, the agency with primary responsibility for regulation of the HIPAA standards, is slated to address a controversial proposal developed under the Trump administration that would make extensive changes to the Privacy Rule, a congressional mandate to expand its mission into the confidentiality of substance use disorder treatment records, and the department’s shifting approach to information security requirements for the healthcare industry.
In early 2021, HHS formally proposed rule-making that would mark significant modifications to the HIPAA Privacy Rule standards. The publication of the proposed rule changes in the Federal Register just days before the new Biden administration took office led to an extended public comment period lasting through May 2021. Over 1,400 individuals and organizations submitted comments to HHS about the proposed Privacy Rule changes.
The Biden administration’s recently released Fall Unified Regulatory Agenda tells us to expect that HHS will issue final rule-making sometime toward the end of 2022. Expect OCR to loosen but not remove restrictions on the disclosure of PHI by healthcare providers and payers for care coordination and case management.
Healthcare providers will be permitted to share information about their patients with social service agencies and organizations that coordinate or manage food and shelter for the unhoused and those needing life-sustaining community-based services. Patients will see their rights of access to PHI expanded and waiting times reduced, and fees for obtaining many types of health information will be removed.
SUD Data Disclosure Changes
Meanwhile, the federal Coronavirus Aid, Relief, and Economic Security Act - or CARES Act - amended the federal law that governs the confidentiality of substance use disorder, or SUD, treatment records. The regulations at 42 CFR Part 2 were issued under the authority of this statute.
The Substance Abuse and Mental Health Services Administration - or SAMHSA - is required to issue new regulations to implement the CARES Act changes. Among the modifications mandated by Congress is that the 42 CFR Part 2 rules for the confidentiality of SUD patient information align more closely with the use and disclosure of "protected health information" under the HIPAA Privacy Rule.
According to the Biden administration, these new standards are being developed jointly by SAMHSA and OCR. They are expected to release proposed rule-making in the first half of 2022.
Among the changes we expect to see in a proposed 42 CFR Part 2 regulation are that consent will still be required for disclosure of SUD treatment records by a Part 2 Program providing SUD treatment.
There will be a loosening of the current strict requirements limiting the sharing of SUD data, so that on a general consent, disclosures and re-disclosures may be made consistent with the HIPAA privacy standards for treatment, payment and healthcare operations. The HITECH breach notification rules will be extended to SUD treatment programs and their vendors who handle data protected by 42 CFR Part 2.
The new rule will propose adopting the HIPAA fines and penalties for violations of the confidentiality standards for SUD data. OCR will see a significant expansion to its mission with the delegation of enforcement authority for 42 CFR Part 2 in the place of the current enforcement mechanism.
Is HIPAA Enforcement at a Standstill?
The likely expansion of OCR’s mission into protecting the confidentiality of SUD data comes as actions to enforce the HITECH Breach Notification and HIPAA Security Rule appear to be at a standstill.
According to the data compiled by OCR, in 2021 HIPAA-covered entities and their business associates reported more than 660 breaches involving unauthorized disclosure of unsecured PHI, compromising the health information of over 40 million people.
A significant number of the breaches reported to OCR appear to show violations of the HIPAA standards due to late reporting and failure to adequately secure information systems or train workforce members on safeguarding PHI. In 2021, OCR announced settlements in two enforcement actions involving compliance with the HIPAA Security Rule standards.
Back to the Drawing Board
OCR has been mum on its approach to enforcement of the HIPAA breach and security rules. One explanation could be the impact being felt by the 5th Circuit Court of Appeals decision overturning an enforcement action against the University of Texas MD Anderson Cancer Center.
In that case, in which a covered entity appealed a determination by OCR that resulted in a $4.3 million civil monetary penalty, the court took issue with the processes and analysis employed, and the decision has made it much more difficult for the agency to enforce the HIPAA and HITECH standards.
There are some who believe HHS OCR will need to go back to the drawing board to modify its regulations on when and how it pursues some types of formal enforcement actions.
Defining 'Recognized Security Practices'
Further complicating the enforcement of the HIPAA standards is legislation passed by Congress in late 2020 requiring HHS to evaluate efforts to put into place recognized security practices to comply with the HIPAA Security Rule when considering penalties for potential violations.
The sponsors of the legislation sought to provide incentives for covered entities and business associates to adopt "recognized cybersecurity practices" and information security risk management programs to reduce vulnerabilities caused by security threats. The goal is to reward the adoption of an established, formalized and recognized cybersecurity framework to give entities a defense against regulatory enforcement of the HIPAA privacy and security standards in the wake of subsequent security incidents or data breaches.
OCR will need to implement these provisions through rule-making. Among other things the agency needs to define is what is meant by "recognized security practices," the documentation required to show that a covered entity or business associate has taken adequate measures, as well as the effect of these measures as mitigation in an OCR audit, compliance review or enforcement action.
The Biden administration has provided no information in its regulatory agenda on when or how the congressional mandate to mitigate enforcement actions for the adoption of recognized security practices will be implemented.
Healthcare information privacy and security pros watching for changes to how HHS regulates patient confidentiality standards and the enforcement of the HIPAA standards need to buckle in. 2022 could prove to be a bumpy ride.