Legislation Changes and New HIPAA Regulations in 2018

The plan of 2 out for each new rule introduced means there are supposed to be few, if any, new HIPAA regulations in 2018. However, that doesn’t mean it will be all calm on the HIPAA front. HHS’ OCR director, Roger Severino has signaled there are some HIPAA modifications under consideration.

OCR is scheduling on removing a few of the obsolete and labor-intensive features of HIPAA that provide petite assistance to patients, even though before HIPAA alterations are made, OCR will request comments from healthcare sector stakeholders.

Like with previous upgrades, OCR will present notifications of planned rulemaking and will seek feedback on the proposed modifications. Those remarks will be carefully considered prior to any HIPAA changes are made.

The full list of planned changes to the HIPAA Secrecy Rule hasn’t been disclosed, even though Severino did provide some vision into what can be projected in 2018 at a recent HIPAA summit in Virginia.

Severino clarified there were three potential changes to HIPAA rules in 2018, the first relates to the implementation of HIPAA Rules by OCR.

Ever since the introduction of the Enforcement Law, OCR has had the power to fiscally penalize HIPAA protected entities that are found to have violated HIPAA Laws or not put sufficient efforts into compliance. Since the integration of HITECH Law into HIPAA in 2009, OCR has been permitted to keep a proportion of the resolutions and CMPs it collects through its implementation actions. Those amounts are used, partly, to cover the expense of future enforcement activities and to provide reimbursement to victims. So far, OCR hasn’t done the latter.

OCR is considering inviting information on how a proportion of the agreements and civil monetary fines it collects can be paid to the victims of healthcare data breaches and HIPAA violations.

One part of the establishment that OCR is pondering altering is the need for protected entities to keep initialed forms from patients verifying they have obtained a copy of the protected entity’s notification of secrecy practices. In several instances, the forms are initialed by patients who simply desire to see a physician. The forms aren’t actually read.

One potential modification is to remove the need to obtain and store initialed forms and instead to inform patients of secrecy practices via a notification in a prominent position within the covered unit’s facilities.

Severino also stated OCR is thinking about altering HIPAA rules in 2018 pertaining to good faith leaks of PHI. OCR is pondering formally explaining that disclosing PHI in specific circumstances is allowed without first getting approval from patients – The distribution of PHI with family members as well as close friends when a patient is disabled or in cases of opioid drug misuse for instance.

Although HIPAA does permit healthcare suppliers to disclose PHI when a patient is in impending harm, further rulemaking is necessary to cover good faith leakages.

While these HIPAA modifications are being considered, it might take until 2019 before they are implemented.