The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).
Prior to the departure of President Trump’s administration in January 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released proposed changes to the HIPAA Privacy Rule. The proposed regulations include several notable modifications to HIPAA requirements, including changes that:
- enhance individuals’ access to their own health information in various respects, including a requirement for covered entities to provide information faster;
- prohibit unreasonable verification procedures as to an individual’s identity before disclosing protected health information to the individual;
- eliminate the need for a health care provider to obtain acknowledgement of receipt of the notice of privacy practices from an individual;
- require revisions to the notice of privacy practices (which could impose a burdensome notification obligation on health plans) and impose new notification requirements regarding fees that may be charged in providing protected health information;
- modestly relax the standards that apply to permitted disclosures in certain emergency situations or where disclosure is determined in good faith to be in the best interests of a patient or plan participant; and
- allow for disclosures without individual authorization for certain care coordination and public health activities—for example, by expressly allowing for the disclosure of protected health information to social service and other support agencies for individual care coordination without individual authorization.
While the proposed regulations are subject to President Biden’s Regulatory Freeze Pending Review, many of the proposed changes were previously raised by President Obama’s administration and are likely to proceed toward finalization.
On January 5, 2021, Congress amended HITECH to require that HHS consider a covered entity or business associate’s use of “recognized security practices” when conducting an audit, assessing penalties, or seeking corrective action for violations. Recognized security practices include (but are not limited to) practices that are in line with certain standards promulgated by the National Institute of Standards and Technology (NIST) or approaches under the Cybersecurity Act of 2015. Covered entities and business associates may assess their security safeguards in view of such recognized standards when conducting their periodic security risk assessments.
On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated a penalty of $4,438,000 imposed by HHS upon University of Texas MD Anderson Cancer Center for three HIPAA security breaches on the basis that the agency’s action constituted an arbitrary and capricious enforcement of its regulations. The decision is a sharp reversal of penalties previously upheld on appeal before an administrative law judge. How the decision affects future HHS enforcement actions remains to be seen.