2021 HIPAA in Review

HIPPA Review for 2021

Break out your pen and paper because if you haven’t already started your list of new year’s resolutions, the past 12 months have given us plenty of ‘New Year, new me’ examples to take note of. From ratified legislation and appointed government officials to trending cyberthreat tactics (and binge-worthy Netflix series), there have been plenty of ways that 2021 has said, “out with the old, and in with the new”. But while the world around us continues to evolve, the importance of protecting your patients is something that has not and will never falter. So as we wrap up yet another eventful year – let’s take a look at what’s changed, what’s stayed the same and what we can expect to see from HIPAA as we take on 2022.

Proposed HIPAA Privacy Rule Modifications

2021’s transformations began even before the new year countdown started with the announcement of proposed HIPAA Privacy Rule modifications made back in December 2020. The government’s proposed modifications help bring the HIPAA Privacy Rule up to current technology standards and address things like removing the barriers to value-based health care, reducing “unnecessary regulatory burdens” and improving the privacy of protected health information (PHI). These highlights only brush the surface of what the 357-page document aims to amend but until the ruling is officially finalized, it’s important for your practice to ensure your HIPAA compliance program is up to date and easy to manageas we should anticipate the new requirements coming into effect in the new year.

HIPAA Safe Harbor Law

2021 checked off another one of its resolution list items back in early January by officially signing the HIPAA Safe Harbor Bill into law. The amendment of the HITECH Act takes into account whether healthcare organizations have “recognized cybersecurity practices” in place and allows for some leniency in fines and other enforcement actions in the case of a data breach. While there’s a bit of fine print to follow, the biggest thing for your practice to know is that as long as you have a Security Risk Analysis (SRA), technical safeguards, and other HIPAA Security Rule basics down – you can not only reduce the penalties associated with a data breach but lessen your chances of falling victim in the first place.

21st Century Cures Act

Following the Safe Harbor Law’s lead, the 21st Century Cures Act came into effect just a few months later in April of 2021. The new legislation directed by the Office of the National Coordinator for Healthcare Technology (ONC) is centered around the ongoing balancing act that healthcare providers and app developers face in giving patients easy access to their ePHI while still maintaining data privacy and security. With patients at the focus, the Cures Act requirements enable things like transparency into the cost and outcomes of patient care, easier access to health data through apps that meet modern patient needs and the prevention of information blocking. Now, this law also requires a bit of further reading to see just how it impacts your practice but having a complete HIPAA program lays the foundation for meeting these additional requirements and ultimately protecting patient data.

Proposed Budget & New Appointed OCR Director

If all the new legislation wasn’t enough of a tell-tale sign that 2021 was the year of protecting patient rights along with healthcare and technology – the proposed 2022 HHS budget that increases its funding for those areas specifically sure is. In early June, the Biden Administration released their proposed budget calling for additional spending to better safeguard the healthcare industry from evolving cyber threats and support government efforts in compliance enforcement. This additional spending comes in the form of over $200 million for several different cybersecurity measures and $67 million in funding for the HHS and their HIPAA enforcement efforts. Much of this proposed budget includes an increase in hiring for these specific government agencies with the hope to add 39 staff members to the Office for Civil Rights (OCR) specifically. But the initiatives don’t just stop at the dollar signs – this past September the HHS officially appointed Lisa J. Pino as the new Director of the OCR, marking another step in the right direction of continuing their mission.

HIPAA Waivers Extended

In the midst of all the change, there have been some things that have stayed the same – one of them being the extension of the HIPAA Waivers and Enforcement Discretions. At the onset of COVID-19, the government issued a National Public Health Emergency. With it came several waivers and flexibilities that work in mitigating the risks to the health of the general public while assisting healthcare providers with the necessary accommodations to continue caring for their patients. So after several extensions to the waiver’s expiration date, we are starting off our second new year with the Public Health Emergency status with the hopes that the current end date of January 16, 2022 sticks. But even with the current flexibilities still in place, it’s important to adhere to HIPAA requirements for telehealth and PHI disclosure to avoid any violations once the enforcement discretion is lifted.

Patient Right of Access Enforcement

Now a seasoned veteran to the regulatory priority list, Patient Right of Access violations has had yet another impactful year in HIPAA enforcement. 2021’s Right of Access settlements has brought the total violation number to 25 and dollars collected to $1,505,650 since the government announced their initiative back in 2019. And just a few weeks ago, the OCR announced 5 Right of Access settlements in one day alone. So as the government’s focus on timely medical record access continues to reign, your practice should be adding HIPAA right of access standards to the top of your 2022 to-do list too.

Data Breaches

Last but certainly not least comes another trend that has shown little to no signs of stopping – data breaches. Between ransomware threats, phishing schemes, accidental disclosures and business associate incidents, 2021 has put up record numbers. And just in the past year alone, a total of 550 covered entities had experienced a data breach putting the PHI of over 40 million individuals at risk. So while maintaining strong cybersecurity within your organization is easier said than done, knowing how to identify a cyber threat and having the necessary technical safeguards to mitigate your risks are essential to protecting your practice and your patients from a data breach in 2022.

Now we know we just gave you a lot to unpack but each and every one of 2021’s resolutions play an important role in dictating your organization’s new year solutions. No matter what, healthcare, technology and patient needs are always evolving, and ensuring your practice’s success means having the necessary programs in place to do just that.

For More Information: 2021 hipaa in review 6971163