The last major update to HIPAA came back in 2013, but all signs point to another update coming this year, in addition to, the minor changes and guidance previously established in February. Following is what to expect in 2022 from a data security, availability, and sharing perspective.
OCR Cyber Security Guidance for 2022
While not rising to the level of regulation, the OCR has provided guidance on what they see as critical best practices to perform to protect electronic health records. These best practices are largely in response to the threat of ransomware. As part of reviewing risk management policies and procedures, some best practices to include:
- Maintain offline encrypted backups and regularly test backups
- Conduct regular vulnerability scans on internet facing devices
- Regularly patch operating systems and software
- Train users on phishing and other common IT attacks
Breach Notification Rule of HIPAA
Requirements for data breach notification involving less than 500 individuals were modified in 2021.
*Change from previous Breach Notification Rule
Possible Modifications to HIPAA Rules
Healthcare organizations are the driver for updating HIPAA rules due to their desire to decrease the administrative burden of the current rules as well as remove provisions that limit or discourage the coordination of care. Changes to the rules are due sometime this year. Some of the elements under consideration are:
- Changing the time frame for responding to patient requests to obtain copies of health information
- Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
- Easing the restrictions on disclosures of PHI without authorization
- Changes to HITECH Act requirements for the tracking disclosures of PHI for treatment, payment, and healthcare operations
- Encouragement of information sharing for treatment and care coordination
- Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible
- Expansion of healthcare clearinghouses access to PHI
HIPAA Violation Penalties May Change
While penalties don’t necessarily relate to data security, availability and sharing, the reality is a data breach is typically going to be significantly costlier than paper-based or process-based violations. It takes knowing the penalty of “losing” to justify the investments needed. Doing everything to avoid a data breach still can’t guarantee avoiding it. Unfortunately, it’s a contest between us and the bad guys, with a data breach being a lost battle.
