Legislation Changes and New HIPAA Rules in 2018


The policy of two regulations out for every new rule introduced means there are likely to be few, if any, new HIPAA rules in 2018. Nevertheless, that does not mean it will be all quiet on the HIPAA front. HHS' Office for Civil Rights (OCR) director Roger Severino has signaled that some HIPAA modifications are under consideration.

OCR is planning to remove some of the obsolete and labor-intensive parts of HIPAA that provide little benefit to patients, although before any HIPAA modifications are made, OCR will seek feedback from healthcare industry stakeholders.

As with earlier updates, OCR will issue notices of proposed rulemaking and will seek comments on the proposed modifications. Those comments will be carefully considered before any HIPAA modifications are made.

The complete list of planned modifications to the HIPAA Privacy Rule has not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA conference in Virginia.

Severino said there were three possible modifications to HIPAA rules in 2018. The first pertains to OCR's enforcement of HIPAA Rules.

Since the introduction of the Enforcement Rule, OCR has had the authority to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. Since the incorporation of the HITECH Act into HIPAA in 2009, OCR has been allowed to retain a portion of the settlements and civil monetary penalties (CMPs) it collects through its enforcement activities. Those funds are used, in part, to cover the cost of future enforcement activities and to provide compensation to victims. Thus far, OCR has not done the latter.

OCR is considering requesting information on how a portion of the settlements and civil monetary penalties it collects can be directed to the victims of healthcare data breaches and HIPAA violations.

One administrative area that OCR is considering changing is the requirement for covered entities to retain signed forms from patients confirming they have received a copy of the covered entity's notice of privacy practices. In several cases, the forms are initialed by patients who only want to see a doctor. The forms are not actually read.

One possible change is to remove the requirement to obtain and store signed forms and instead inform patients of privacy practices through a notice displayed in a conspicuous place within the covered entity's facilities.

Severino also said OCR is considering changing HIPAA rules in 2018 relating to good faith disclosures of PHI. OCR is considering officially clarifying that disclosing PHI in certain circumstances is allowed without first obtaining approval from patients, for example, the sharing of PHI with family members and close friends when a patient is incapacitated or in cases of opioid drug abuse.

Although HIPAA does allow healthcare providers to disclose PHI when a patient is at risk of imminent harm, additional rulemaking is needed to cover good faith disclosures.

While these HIPAA modifications are being considered, it might take until 2019 before they are implemented.