
HIPAA needs to keep up with information technology

Major updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are expected in the coming months, and many stakeholders are hoping for significant improvements in data reporting. Simplifying the existing processes for reporting breaches and for tracking who has access to data could lead to important advances. Currently, those processes are cumbersome and can limit the ability to use data containing Protected Health Information (PHI) to investigate important public health questions.

Research risks minimal

“The potential risks of using data for research in areas such as epidemiology and health research are extremely small,” said Stephen Crystal, PhD, director of the Center for Health Services Research at Rutgers University in New Brunswick, New Jersey. “There have been almost no cases in which I have ever heard that such research has actually harmed a person in any way. That supports the simplification.”

The Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) announced last March a 45-day extension of the public comment period for the Notice of Proposed Rulemaking (NPRM) to modify HIPAA. It has been more than seven years since HIPAA was last significantly updated, despite major advances in information technology over that period.


OCR first published the NPRM on December 10, 2020 on the HHS website and then in the Federal Register on January 21, 2021. The 45-day extension moved the deadline for public comment to May 6, 2021. The proposed changes to the HIPAA Privacy Rule include strengthening the right of individuals to access their own health information.

Complexity is the biggest problem

Many physicians hope that the administrative burden on HIPAA-covered care providers and health insurers will decrease. Richard Bailey, senior IT consultant at Atlantic.Net, which offers a range of data hosting services, said that the biggest problem with HIPAA is, without a doubt, its complexity. “This is primarily due to how technology has advanced exponentially over the past two decades, creating a complex technical layer that must be implemented within HIPAA’s physical, administrative, and technical safeguards,” said Bailey.

HIPAA compliance is confusing, according to Bailey, because there are so many caveats attached to any technical safeguard. One example is encryption of the electronic health record (EHR), which the HIPAA Security Rule lists as an “addressable” rather than a “required” implementation specification. “It is not a requirement that the EHR be encrypted, but you must be able to show a roadmap for how your healthcare organization plans to achieve EHR encryption in the future,” said Bailey.

More flexibility needed

The changes under discussion aim to improve the exchange of information for care coordination and case management of individuals. “Not much has changed since 2013. At the start of the COVID-19 pandemic, we had some minor enforcement relaxations for telemedicine and PHI disclosure for COVID victims, and over the years there have been some increases in data breach penalties, but most of the core legislation is unchanged,” said Bailey.

Healthcare cybersecurity standards are expected to change significantly, with new guidelines setting “expected best practice standards.” Clarification is needed on security and on wearable health devices, Bailey said. “We want clearer definitions of best practices like other industries have,” he said. “Take the credit card industry, for example. There are clear and defined best practices that you must follow for your physical locations, networks, server administration, and so on. This would help reduce confusion about HIPAA compliance best practices.”

The debate on expanding healthcare clearinghouses’ access to PHI is ongoing. Since clearinghouses are business associates, it makes sense to expand their access to PHI, Bailey said. The rise of artificial intelligence (AI) and machine learning enables clearinghouses to build data warehouses with decision algorithms that link patient data to clearinghouse payment systems.

Blockchain

A newer technology, blockchain, is being promoted as a way to improve HIPAA compliance. It is a system of recording information designed to make it difficult to modify, hack, or defraud the record without detection. Each block in the chain holds a set of transactions, every new transaction is recorded in the next block, and each block commits to the one before it, so that altering an earlier record changes every block that follows. A copy of each transaction is then added to every participant’s ledger. “Together with the cloud, blockchain can significantly secure and protect the electronic PHI,” said Bailey. “There is no reason why this cannot be a success.”
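The tamper-evidence property described above can be shown in a few dozen lines. The following is an added example written for this page, not code from the article, from Atlantic.Net or from any blockchain product: a hash-chained, append-only log of PHI access events, which is the core data structure a blockchain builds on (replication and consensus between participants are left out). All identifiers and events are constructed sample data, not real PHI. It demonstrates both the strength of the chain (a record edited in place is detected) and its limit (an insider who can rewrite every later hash produces a chain that still verifies, and is caught only by comparing the head hash against a copy published or held elsewhere).

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not from the article. A hash-chained audit log of PHI
# access events: each entry commits to the previous entry's hash, so any
# change to an earlier entry invalidates every entry after it.

GENESIS_HASH = "0" * 64  # prev_hash of the first entry

# Constructed sample access events with fake identifiers (not real PHI).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "dr_lee", "patient": "P-1001", "action": "view", "ts": "2021-04-01T09:00:00Z"},
    {"user": "clerk_kim", "patient": "P-1001", "action": "view", "ts": "2021-04-01T09:05:00Z"},
    {"user": "dr_lee", "patient": "P-1001", "action": "update", "ts": "2021-04-01T09:10:00Z"},
]


@dataclass
class Entry:
    index: int
    prev_hash: str
    event: Dict[str, str]
    hash: str


def entry_digest(index: int, prev_hash: str, event: Dict[str, str]) -> str:
    # Canonical JSON (sorted keys, fixed separators) so the same event always
    # serializes, and therefore hashes, identically.
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def head(self) -> str:
        # Hash of the latest entry; this is the value to publish or copy elsewhere.
        return self.entries[-1].hash if self.entries else GENESIS_HASH

    def append(self, event: Dict[str, str]) -> Entry:
        index = len(self.entries)
        prev_hash = self.head()
        entry = Entry(index, prev_hash, dict(event), entry_digest(index, prev_hash, event))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if every link checks out, else the index of the first bad entry."""
        prev_hash = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if (e.index != i or e.prev_hash != prev_hash
                    or e.hash != entry_digest(i, prev_hash, e.event)):
                return i
            prev_hash = e.hash
        return None


def edit_in_place(chain: AuditChain, index: int, new_event: Dict[str, str]) -> None:
    # An insider edits a stored record but cannot (or does not) fix the hashes.
    chain.entries[index].event = dict(new_event)


def edit_and_rehash(chain: AuditChain, index: int, new_event: Dict[str, str]) -> None:
    # An insider with full write access rewrites the record AND every later hash.
    chain.entries[index].event = dict(new_event)
    prev_hash = chain.entries[index].prev_hash
    for e in chain.entries[index:]:
        e.prev_hash = prev_hash
        e.hash = entry_digest(e.index, prev_hash, e.event)
        prev_hash = e.hash


def build_sample_chain() -> AuditChain:
    chain = AuditChain()
    for ev in SAMPLE_EVENTS:
        chain.append(ev)
    return chain


def demo() -> Dict[str, object]:
    chain = build_sample_chain()
    published_head = chain.head()  # imagine this copied to a second system
    result: Dict[str, object] = {"intact": chain.verify() is None}

    # Scenario 1: record edited in place -> the chain itself reveals it.
    edit_in_place(chain, 1, {"user": "clerk_kim", "patient": "P-2002", "action": "view", "ts": "2021-04-01T09:05:00Z"})
    result["naive_edit_detected_at"] = chain.verify()

    # Scenario 2: record edited and all later hashes recomputed -> the chain
    # verifies; only the externally held head hash exposes the rewrite.
    chain = build_sample_chain()
    edit_and_rehash(chain, 1, {"user": "clerk_kim", "patient": "P-2002", "action": "view", "ts": "2021-04-01T09:05:00Z"})
    result["rehashed_chain_verifies"] = chain.verify() is None
    result["rehashed_head_matches_published"] = chain.head() == published_head
    return result


if __name__ == "__main__":
    print(demo())
```

The second scenario is the caveat a practitioner should keep in mind when blockchain is proposed for audit logs: the hash chain alone is tamper-evident, not tamper-proof. What turns it into a defense against an insider is that the head hash (or the whole ledger) is replicated to parties the insider does not control, which is what a distributed blockchain adds and what a single organization’s database does not.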

HIPAA compliance specialist Susan Lucci, senior privacy/security consultant at tw-Security, based in Tucson, Arizona, would like to see the security terminology updated with nomenclature that matches today’s technology. HHS should also provide more clarification and guidance on accounting of disclosures versus access reviews. Often a patient requests an accounting of disclosures when what they really want to know is whether someone inside the organization accessed their records without authorization (snooping). These are two completely different processes. One concerns disclosures made outside the organization, while the other is essentially a privacy complaint that needs to be addressed, investigated, documented, and resolved.

Lucci also wishes to see significant changes in the way data breach investigations and the related corrective action plans and financial settlement agreements are handled. “The findings should apply fully to both business associates and covered entities when compliance documentation is absent,” she said. “Currently, covered entities (CEs) are the ones that need to report a breach to the OCR, and they appear to be the ones that are more fully investigated than the business associate that had the breach in the first place.”

While right-of-access enforcement has gotten off to a good start, Lucci said it will likely come to include information blocking requirements in the future. “I would also like to see a resumption of the OCR HIPAA compliance audits for both CEs and business associates. If you look at the HIPAA Wall of Shame (breaches affecting 500 or more individuals, listed on the HHS website), it is clear that business associates caused about a third of the breaches. Those breaches account for roughly two-thirds of the individuals affected, based on reporting over the past year. Therefore, business associates should be audited and then held accountable, just as CEs have been in the past,” Lucci said. The HIPAA business associate audit report has never been published, to the best of my knowledge.

HIPAA could benefit from some updates, simplifications, and clarifications to help all health organizations better comply with the regulation.

This article originally appeared on Kidney and Urology News.
