BLOG

by Lucas Baiocchi 

The HIPAA landscape is no stranger to change. A regulatory cornerstone for safeguarding health data, the Health Insurance Portability and Accountability Act (HIPAA), continuously evolves to meet the complex demands of the modern healthcare ecosystem. With updates looming on the horizon, healthcare organizations must ready themselves to adapt to these statutory amendments. What will these revisions entail, and crucially, how can healthcare entities prepare? 

A Recap on HIPAA's Legacy of Adaptation 

Since its inception, HIPAA has been a dynamic framework, regularly fortified with new provisions and guidelines. Major milestones include the promulgation of the Privacy Rule and Security Rule, the incorporation of the HITECH Act, and the Breach Notification and Omnibus Final Rules implementation. 

Notably, the last decade has borne witness to more subtle shifts, such as greater patient access to their health records. These past updates, combined with broader legislative changes, have set the stage for a HIPAA that is both formidable in data protection and aligned with patient empowerment. 

Looking Ahead: What the Future Holds  

The upcoming HIPAA overhaul is not merely routine housekeeping; it's a recalibration that's poised to enhance patient rights, bolster data security, and streamline privacy practices. It includes potential modifications to the Privacy Rule, Security Rule, and even the Administrative Simplification Regulations, underscoring a comprehensive update strategy. 

The proposed updates to the HIPAA Privacy Rule enhance patient rights, streamline processes, and improve overall healthcare data management.  

Here are some key points: 

• Patient Access to PHI: 
• Patients will be allowed to review their Protected Health Information (PHI) in person and even take notes or photographs of it. 
• The maximum time for providing access to PHI will be reduced from 30 days to 15 days. 
• ePHI Transfer: 
• Individuals will have the right to transfer electronic PHI (ePHI) to a personal health application upon request. 
• However, this transfer will be limited to ePHI stored in an Electronic Health Record (EHR). 
• Fee Transparency: 
• Covered entities will be required to inform individuals about their right to obtain or direct copies of their PHI to a third party. 
• This applies even when a summary of the PHI is provided instead of a full copy. 
• Additionally, covered entities must publish estimated fee schedules for PHI access and disclosures on their websites. 
• Personalized fee estimates for providing copies of PHI will also be offered. 
• Healthcare Operations and Coordination: 
• The definition of healthcare operations will be expanded to include care coordination and case management. 
• Covered healthcare providers and health plans must respond to specific records requests from other entities when individuals direct them to do so under the HIPAA right of access. 
• Disclosure of PHI: 
• Covered entities will have broader discretion to disclose PHI to prevent a foreseeable threat to health or safety. 
• The wording will change from "serious and imminent" harm to "seriously and reasonably foreseeable" harm. 
• Armed Forces and Uniformed Services: 
• The authorization to use or disclose PHI will be expanded to include all uniformed services, not just the Armed Forces. 
• Good Faith Use of PHI: 
• Covered entities will be allowed to use and disclose PHI in good faith belief that it serves the individual's best interest. 
• Minimum Necessary Standard Exception: 
• A minimum necessary standard exception will be implemented for individual-level care coordination. 

These proposed changes aim to strike a balance between patient rights, administrative efficiency, and healthcare quality. Keep an eye out for further updates as these modifications progress.  

Changes in early- and late-stage adoption will uniformly touch aspects ranging from PHI handling standards to cybersecurity practices. These pieces of legislation, when absorbed and adapted effectively, can serve as transformative tools to fortify both health data resilience and the patient-provider nexus. 

Crafting Your Compliance Blueprint 

As the dust settles from these regulatory ripples, it’s incumbent upon healthcare leaders to architect strategies that fuse compliance with organizational agility. Here are actionable markers to carve your HIPAA readiness plan: 

Conduct a Current State Assessment 

Begin by evaluating existing policies, procedures, and technologies against the backdrop of the slated regulatory updates. Determine gaps between current practices and the proposed changes, making sure to synthesize this assessment with the organization's broader compliance framework, which might include mandates like the FISMA Act and the General Data Protection Regulation (GDPR). 

Foster an Agile Compliance Culture 

View these amendments not as checkboxes to be ticked but as catalysts to drive cultural changes within your organization. Encourage ongoing learning and adaptation, leveraging educational initiatives, such as workshops and simulation exercises, to imbue your team with the knowledge and motivation to enact these changes seamlessly. 

Seamlessly Integrate IT Strategies with HIPAA Requirements 

Your technology infrastructure must be an extension of your revised HIPAA policies. This integration necessitates proactive IT roadmap alignment with upcoming HIPAA technology mandates. A multi-phased approach involves assessing existing security measures, updating protocols, and implementing new solutions that harmonize with the evolving regulatory framework. 

Community Engagement for Ultimate Preparedness 

With the enhanced role of community-based platforms and partnerships under the new regulations, collaboration becomes more than beneficial—it's a requisite. Engage with peers, industry coalitions, and regulatory workshops to glean insights and calibrate your strategies in line with a collective understanding of the upcoming changes. 

Regular Audits and Posture Reassessment 

HIPAA regulation alignment should not be a static pursuit. Regular, cyclical audits and assessments will assist in maintaining a current and compliant posture. These iterative reflections on your processes and controls will not only ensure adherence but can also surface performance optimization opportunities within your organization's compliance journey. 

Conclusion: Fortifying the Pillars of Patient Health and Data Protection 

The interplay between healthcare and privacy is an intricate, ever-evolving dance. With the forthcoming revisions to HIPAA, the harmonization of patient well-being and data security is at the center of the legislative agenda. For healthcare organizations, the roadmap to compliance is a multifaceted one, weaving together technological fortification, cultural permeation, collaborative strategies, and adaptability as its cornerstones. 

Appropriate workforce training, robust IT infrastructures, and strategic partnerships will not only bolster your organization's resilience in the face of regulatory updates but will also reinforce trust and superiority in patient health service delivery. 

It is the call for healthcare leaders to act now, to navigate these HIPAA modifications with agility, aligning ethical data practices with operational excellence. As we essay this era of change, let us not just commemorate HIPAA's updates, but let's use them as a launchpad to elevate the safeguarding of health data for all.  

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them. 

Resources 

https://www.hipaajournal.com/new-hipaa-regulations/ 

---

About the Author 

Lucas Baiocchi, HCISPP, CCSFP| Manager, IT Risk Management  

Lucas is a seasoned information security, governance, and risk management leader at Meditology Services. While working as a Manager for Meditology, he has found a specialization in building and implementing risk management functions for entities from start-up to national enterprise. Working with Meditology for the past 6 years, he has found himself deeply involved in NIST CSF, NIST 800-53, HITRUST, HIPAA, Promoting Interoperability, and CEHRT attestation while currently holding a HealthCare Information Security and Privacy Practitioner (HCISPP) and Certified CSF Practitioner (CCSFP) certification. With a lifelong passion for artificial intelligence, cryptographic technologies, and advanced malware threats, he finds meaning in ensuring his clients have the most comprehensive yet feasible information security controls against the ever-changing threat landscape and regulatory environment. 

https://www.linkedin.com/in/lucas-baiocchi-hcispp-ccsfp-148270107