As we’re all painfully aware, public health issues dominated 2020 and with the country’s attention focused on COVID-19 testing, status, transmission and care, HIPAA went mainstream. Health information became critical not only for health care providers, but for all manner of businesses, employers, property owners, and the national media. HIPAA – or more often than not “HIPPA” – was frequently touted in the news and on social media as the reason why COVID-related information could or could not be shared. As we head into 2021 with the pandemic raging on, the vaccination program underway, and a new administration taking over, here is a look at what we expect for “HIPPA” in 2021.
Telemedicine Enforcement Discretion Is Likely to Continue Well Into 2021
The Department of Health and Human Services (HHS) Office for Civil Rights’ announcement last March that it would be exercising its enforcement discretion and would not impose penalties against providers and their business associates who provide telehealth services using applications like FaceTime and Zoom that do not fully comply with HIPAA played an important role (along with much-needed changes to coverage and reimbursement policies) in fueling the explosion of telehealth services during the last 9 months. Although patients began heading back to their doctors’ offices in the summer and fall, the recent sharp rise in COVID-19 cases means that ensuring the availability of telehealth services is as important as ever. While the Office for Civil Rights (OCR) is not likely to discontinue this enforcement discretion policy anytime soon, when providing telehealth services, covered entities and their business associates should use their best efforts to comply with HIPAA. Patients who receive their health care via telehealth expect their providers to protect the privacy and security of their health information just the same as if the services were provided in person.
Patients Will Seek Out Their Health Data, While Providers Seek Clarity About Compliance
OCR kept quite busy this year moving forward with its “Right of Access” initiative, announced in 2019, which has resulted in thirteen settlements to date. 2021 will bring even broader patient access rights, as the ONC’s new interoperability and information blocking rule will apply to covered “actors” on April 5, 2021. Among its many mandates, the rule requires health care providers to give patients access to their electronic protected health information (ePHI) comprising a variety of data elements, including clinical notes. For purposes of the rule, clinical notes consist of consultation notes, discharge summary notes, history and physical, imaging narratives, laboratory report narratives, pathology report narratives, procedure notes, and progress notes. If the comments submitted in response to the proposed rule give any indication, actors subject to the final rule have more than a few lingering questions and concerns about how they’ll comply with both HIPAA and the information blocking requirements. While we expect to see greater patient access to health information in 2021, we also anticipate that health care providers will be investing a not insignificant amount of resources in preparing to comply with the new rule and revisiting their HIPAA compliance programs.
OCR Will Keep A Keen Eye On Business Associates
This year, much like 2019, saw a number of large-scale data breaches attributable to business associates. Last December, we pondered whether business associates would start bearing more of the burden associated with these breaches – and 2020 brought us an answer. In September, OCR announced a $2.3 million settlement (and a corrective action plan) with CHSPSC LLC (CHSPSC), which provided various business associate services to hospitals and physician clinics in Tennessee. CHSPSC’s troubles began in April 2014, when a cyberhacking group infiltrated its systems and gained access to the ePHI of over 6.1 million individuals who were patients of CHSPSC’s covered entity clients. The hackers continued accessing CHSPSC’s systems until mid-August 2014. Through its investigation of CHSPSC, OCR found “longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls,” ultimately resulting in the Resolution Agreement.
Covered entities also learned this year that OCR’s increased attention to business associate compliance can turn OCR’s focus toward a covered entity’s own practices. In March, OCR entered into a Resolution Agreement with a covered entity after an OCR investigation revealed that it had failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Under the terms of the agreement, the covered entity agreed to pay $100,000 and comply with a corrective action plan. Notably, OCR initiated its compliance review of the covered entity after the entity filed a breach report with OCR claiming that its business associate was impermissibly using patients’ ePHI. In complying with its business associate reporting obligations, the covered entity inadvertently turned the spotlight on its own HIPAA compliance posture (and didn’t hold up well in the limelight).
We expect to see more of this business associate-related enforcement activity into 2021. Given the activity we’ve seen this year, we also anticipate that both covered entities and business associates will pay closer attention to their respective compliance with the Security Rule going forward.
Cybersecurity Will Matter More Than Ever
It seems like not a week goes by without the emergence of some new cyberthreat. In 2020, we saw both public and private entities impacted by a variety of new threats, including Taidoor malware utilized by the Chinese government to conduct malicious cyber activity, a targeted TrickBot and BazarLoader malware attack aimed specifically at U.S. hospitals and health care providers, and, quite recently, the exploitation of SolarWinds software by hackers. Entities within the health care industry remain attractive targets for cyber criminals, and we expect these kinds of cyberattacks will continue unabated in 2021 with threat actors improving their abilities to operate undetected.
Against this backdrop, OCR released its HIPAA Audits Industry Report earlier this month. The report provides some general insight into covered entities’ and their business associates’ compliance with the HIPAA rules. Notably, it states that “[c]onsistent with the findings of OCR’s compliance reviews and complaint investigations, these audits confirmed that small percentages of covered entities (14%) and business associates (17%)…are substantially fulfilling their regulatory responsibilities to safeguard ePHI they hold through risk analysis activities.” In light of ongoing malicious cyber activity the health care industry faces and the high stakes involved (not to mention OCR/ONC’s September release of version 3.2 of HHS’ Security Risk Assessment tool), we anticipate that this will be a renewed area of focus for OCR in 2021.
Health Information Exchanges Continue to Play an Important Role during Public Health Emergencies
Despite the growth of electronic health records, it is still commonplace for a patient’s records to be spread across a dozen different providers, from the local pharmacy to the primary care doctor to one or more specialists, with no easy access by those providers to the records. Health Information Exchanges or HIEs are designed to allow different providers to access and securely share a patient’s medical information electronically, providing necessary care coordination and improving the speed, quality, and safety of patient care. During the pandemic, HIEs have played an important role in aggregating public health data and providing key alerts to public health officials. On December 18, 2020, OCR issued guidance reinforcing its support of the use of HIEs to report data to public health authorities. The guidance provides that even when a covered entity does not authorize an HIE to disclose health information to public health authorities, and even where there is no direct request from a public health authority, an HIE may share this data. Over the next year, we expect OCR to continue its support of HIEs, not only during public health emergencies but in the critical role they play in care coordination generally.
HIPAA Amendments May (or May Not) Shake Things up for Regulated Entities
Speaking of care coordination, as we discussed in detail here, HHS has released a proposed rule modifying the HIPAA Privacy Rule. This proposed rule follows HHS’ 2018 Request for Information on Modifying HIPAA Rules to Improve Coordinated Care, which sought to identify regulatory impediments to value-based care presented by HIPAA.
With this proposed rule, HHS aims to “reduce burden on providers and support new ways for them to innovate and coordinate care on behalf of patients, while ensuring that [HHS] uphold[s] HIPAA’s promise of privacy and security,” according to HHS Deputy Secretary Eric Hargan. However, it’s unclear: 1) that the amendments contemplated under the proposed rule would dramatically change things for regulated entities; and 2) what the incoming Biden Administration will do with the proposal. According to our ML Strategies colleagues, the outcome of the Georgia special elections on January 5th could have an impact on the proposal. Specifically, if Democrats win both seats and gain control of the Senate, along with the House and the Administration, it would open up the possibility for successful challenges of last-minute regulatory actions under the Congressional Review Act. It’s uncertain that HHS’ HIPAA proposal is a regulation that Democrats would target, but such a challenge remains a possibility for controversial last-minute actions by the previous administration.