A Fast Start: 2021 Begins With Major HIPAA Developments

Ballard Spahr LLP

The new year began with an unusual amount of activity related to the Health Insurance Portability and Accountability Act (HIPAA). Health care providers, health plans, health care clearinghouses, and business associates subject to HIPAA will need to consider three significant developments—one regulatory, one legislative, and one judicial—relating to the Privacy and Security Rules under HIPAA and the related Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).

Regulatory

Prior to the departure of President Trump’s administration in January 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released proposed changes to the HIPAA Privacy Rule. The proposed regulations include several notable modifications to HIPAA requirements, including changes that:

  • enhance individuals’ access to their own health information in various respects, including a requirement for covered entities to provide information faster;
  • prohibit unreasonable verification procedures as to an individual’s identity before disclosing protected health information to the individual;
  • eliminate the need for a health care provider to obtain acknowledgement of receipt of the notice of privacy practices from an individual;
  • require revisions to the notice of privacy practices (which could impose a burdensome notification obligation on health plans) and impose new notification requirements regarding fees that may be charged in providing protected health information;
  • gently relax the standards that apply to permitted disclosures in certain emergency situations or where disclosure is determined in good faith to be in the best interests of a patient or plan participant; and
  • allow for disclosures without individual authorization for certain care coordination and public health activities—for example, by expressly allowing for the disclosure of protected health information to social service and other support agencies for individual care coordination without individual authorization.

While the proposed regulations are subject to President Biden’s Regulatory Freeze Pending Review, many of the proposed changes were previously raised by President Obama’s administration and are likely to proceed toward finalization.

Legislative

On January 5, 2021, Congress amended HITECH to require that HHS consider a covered entity or business associate’s use of “recognized security practices” when conducting an audit, assessing penalties, or seeking corrective action for violations. Recognized security practices include (but are not limited to) practices that are in line with certain standards promulgated by the National Institute of Standards and Technology (NIST) or approaches under the Cybersecurity Act of 2015. Covered entities and business associates may assess their security safeguards in view of such recognized standards when conducting their periodic security risk assessments.

Judicial

On January 14, 2021, the United States Court of Appeals for the Fifth Circuit vacated a penalty of $4,438,000 imposed by HHS upon University of Texas MD Anderson Cancer Center for three HIPAA security breaches on the basis that the agency’s action constituted an arbitrary and capricious enforcement of its regulations. The decision is a sharp reversal of penalties previously upheld on appeal before an administrative law judge. How the decision affects future HHS enforcement actions remains to be seen.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ballard Spahr LLP
