Enacted in 1996, the Health Insurance Portability and Accountability Act aims to ensure that PHI is protected while providing patients with better access to their health data. Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing diagnosis, treatment, and other healthcare services. HIPAA non-compliance can result in heavy civil and criminal penalties. Covered entities and Business Associates like medical transcription service providers need to adopt measures for full compliance with the law to protect PHI and stay up to date with any changes. In 2023, there are new HIPAA regulations that will impact small medical practices.
HIPAA Updates in 2023
In 2023, the responsibility of healthcare organizations to respond to requests is better defined as well as verifying the identity of parties requesting PHI and adequately handling data with third parties. Here are the key HIPAA Privacy Rule changes in 2023 that medical practices need to know about:
- Changes to how patients access their health data: Patients can inspect their PHI in person and take notes or capture images of their PHI. The maximum response time to provide access to PHI has been reduced to 15 days (from 30 days).
- Form and format for individuals’ PHI requests: The PHI access reform clarifies the form and format required for responding to individuals’ requests for their PHI.
- Changes to how practices inform patients of their rights: Patient rights to access data are now more clearly defined. Covered entities are required to let clients know how they can access their health data and also that they can get a complete copy of their health information (instead a summary).
- Sharing of PHI in an EHR: The HIPAA update also creates a pathway for individuals to direct the sharing of their PHI in an EHR among covered healthcare providers and health plans. Covered health care providers and health plans are required to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in the EHR. Covered entities are also required to respond to certain records requests they receive from other covered healthcare providers and health plans when so directed by individuals who are exercising their HIPAA right to access their own PHI.
- Transmission of PHI to electronic copies in an EHR: When an individual directs the PHI to be transmitted to a third party, the law limits PHI to electronic copies. This is intended to reduce the burden of PHI transmission as paper documents.
- Provision of fee schedules: Covered entities are required to post estimated fee schedules on their websites and provide estimates of the fees to individual clients.
- Exception to “Minimum Necessary” Standard: An exception to the “Minimum Necessary” standard has been created to accommodate individual-level care coordination and case management uses and disclosures.
Other updates include: specifying when electronic PHI must be provided to an individual at no charge; modifying the permissible fee structure for responding to requests to direct records to a third party, and requiring covered entities to post estimated fee schedules on their website for health information access and disclosures.
Implications of 2023 HIPAA Updates for Medical Practices
To stay compliant, medical practices need to pay attention to the following:
- Convergence of data privacy and HIPAA security: With the emergence of electronic PHI or ePHI, security has become almost synonymous with privacy. Practices should have robust security solutions to protect PHI in the EHR as well as proper procedures in place for handling patient rights and data with third parties.
- Focus on Staff training: Train security issues relevant to your practice, including the latest changes. Implement ongoing HIPAA compliance training for your entire workforce on security and compliance matters. All employees must be trained on steps to safeguard against threats. They must be able to recognize the signs of a phishing attack and correctly report any incident. Set up a system to track any security incidents and create documentation to deal with such incidents. Additionally, make sure to that your business associates are knowledgeable about security policies and HIPAA compliant.
- Conduct HIPAA risk assessments: HIPAA requires covered entities to conduct an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI”. Make sure to conduct a HIPAA privacy risk assessment which takes account of risks to the confidentiality, integrity, and availability of non-electronic PHI, as well as individuals´ access rights (to their PHI), Business Associate Agreements, and other Organizational Requirements of HIPAA. Conduct periodic evaluations of security preparedness both internally and externally. Today, many facilities are utilizing compliance automation software to manage their risk assessment processes.
- Implement cybersecurity best practices: Global healthcare cyberattacks increased by 74% in 2022, according to an article in HIPAA Journal. The healthcare industry experienced the highest percentage increase in weekly cyberattacks among all industries, with an average of 1,463 attacks per week. A 2021 report from IBM Security and Ponemon Institute found that healthcare data breaches cost on average $9.23 million per incident. Practices need to increase investment in cybersecurity and implement recognized best practices and methodologies.
- Create effective response procedures: Create a plan for emergencies that may compromise ePHI. HIPAA requires covered entities must develop a data backup plan, a disaster recovery plan, and an emergency mode operation plan, among other administrative safeguards. The plan should include a way to continue critical business processes to protect the security of ePHI during an emergency.
With latest HIPAA updates, medical practices also have to be prepared to handle requests for information in a timely manner. Partnering with a HIPAA-complaint medical transcription company can help them meet clients’ record requests within the 15-day period. On their part, medical transcription companies will need to evaluate their security best practices to ensure HIPAA compliance when handling ePHI.