HIPAA Privacy Rule – Proposed Changes and Updates in 2021


Digitalization of healthcare has improved the efficiency of healthcare delivery, benefiting patients and physicians. Electronic health records (EHRs) supported by medical transcription services provide accurate, up-to-date and complete information about patients at the point of care, improving quality of care and practice efficiency. Telemedicine, mobile health, wearable medical devices, and other digital health solutions are driving a revolution in healthcare.

However, increased adoption of IT systems in healthcare has also increased cybersecurity risk. Healthcare data breaches affecting 500 or more records rose from 371 in 2018 to 618 in 2020, according to a recent For the Record article. In 2020, the Office for Civil Rights (OCR) settled 20 cases with resolution agreements or corrective action plans, and its settlements over the last three years total more than $55 million.

In addition to increasing existing security risks, the COVID-19 pandemic has given rise to new challenges. In April 2020, the World Health Organization announced that there had been a fivefold increase in cyberattacks targeting healthcare. Compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations has become more important than ever for all covered entities and for their business associates with access to Protected Health Information (PHI).

On January 21, 2021, the Department of Health and Human Services (HHS) published proposed modifications to the HIPAA Privacy Rule. However, industry organizations are calling for a review of these proposals and for alignment of HIPAA with other health data regulations.

HHS Proposes Changes to HIPAA Privacy Rule

The proposed changes, as summarized on www.healthcareinfosecurity.com, are as follows:

  • Strengthen individuals’ rights to access their own health information, including electronic information;
  • Improve information sharing for care coordination and case management;
  • Facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises;
  • Enhance flexibilities for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies;
  • Reduce administrative burdens on HIPAA-covered healthcare providers and health plans while continuing to protect individuals’ health information privacy.

Concerns about Personal Health Applications and HIPAA Compliance

However, many organizations have expressed concern about the proposed changes and have called for aligning any HIPAA Privacy Rule changes with other regulations that deal with privacy, patient access to records and the secure exchange of electronic health information (www.govinfosecurity.com).

Tech-savvy consumers now use personal health applications (PHAs) on their own devices to access their electronic medical records, view lab results, schedule appointments, manage chronic conditions, track disease outbreak information and locate clinical trials. However, PHAs fall outside the scope of HIPAA, so PHI that a patient sends to such an app loses HIPAA protection once it leaves the covered entity.

The College of Healthcare Information Management Executives (CHIME) notes that in the proposed HIPAA changes, a "personal health application" is defined as a direct-to-consumer application used for the individual's own purposes that would fall outside the scope of HIPAA's protection. "PHAs are not subject to HIPAA privacy and security obligations and, thus, can share patient protected health information," CHIME says. CHIME also draws attention to the fact that there are no business associate agreements in place with PHA vendors to help ensure the privacy and security of patient information.

The American Hospital Association (AHA) has also expressed similar concerns about PHAs. “Personal health applications should be limited to applications that do not permit third-party access to the information, include appropriate privacy protections and adequate security and are developed to correctly present health information that is received from electronic health records,” says the AHA.

HIMSS and other industry groups have urged HHS OCR to bring any HIPAA Privacy Rule changes in line with other regulations, including the provisions that recently went into effect and allow patients to access their health information via smartphones and application programming interfaces (APIs). HIMSS has called upon the agency to support the development of robust, up-to-date privacy and security frameworks and regulations to encourage widespread adoption of, and build trust in, new technologies that support the free flow of information between patients and providers.

HHS OCR will review all comments before deciding whether to go ahead with changes and issue a final rule or revised proposed rule.

HIPAA Compliance 2021

All organizations subject to the Health Insurance Portability and Accountability Act (HIPAA) should periodically review their compliance to ensure that they meet HIPAA requirements for the privacy and security of PHI. Failure to do so can lead to severe penalties, including fines, corrective action plans and audits imposed by the Office for Civil Rights (OCR), in addition to the costs of lost business, reputational damage, and lawsuits.

For every covered entity, HIPAA compliance means implementing administrative, physical and technical safeguards for the PHI it handles. This includes facilitating the secure transfer of healthcare records so that patients keep continuity of coverage and care, taking steps to prevent healthcare fraud, and using standardized electronic billing and healthcare data formats. New technology that has not been properly vetted before deployment can introduce security risks of its own.

Here is a basic checklist to track your HIPAA compliance in 2021:

  • Make sure you have implemented privacy and security policies and procedures to safeguard PHI.
  • Conduct a HIPAA compliance audit, including the security risk analysis the Security Rule requires; assess the results and document the gaps.
  • Document plans to correct deficiencies, take action, and update strategies as necessary.
  • Have a designated HIPAA Compliance, Privacy and/or Security Officer responsible for implementing HIPAA policies.
  • Train staff on HIPAA compliance and make sure everyone is aware of potential threats as well as the penalties for HIPAA violations.
  • Have systems and controls in place to prevent, detect and respond to data breaches.

It's also important to ensure that third parties (business associates, partners, and subcontractors) also meet HIPAA requirements, and that a business associate agreement is in place with each of them before PHI is shared. Organizations outsourcing medical transcription, for instance, need to evaluate whether the vendor meets HIPAA requirements. A HIPAA-compliant medical transcription service provider will have the necessary technical, physical and administrative safeguards in place to ensure that client data is handled with the utmost confidentiality.