2021 marks the 25th year of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This legislation that has done so much to protect the privacy of individuals seeking healthcare has never been so important as we increasingly rely on telemedicine and other forms of online care.
Here’s what you need to know about HIPAA as you take your healthcare practice into 2021.
Waived non-compliance penalties for telehealth continue
In March 2020, the U.S. Office for Civil Rights (OCR) division of the Department of Health and Human Services (HHS) issued a notice stating that it would not apply penalties for “non-compliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” This provision will continue into 2021 to make sure people are getting the care they need.
However, this notice doesn’t absolve practitioners of their responsibility to protect their clients’ data. From a professional, ethical standpoint, it’s still important to do what’s necessary to maintain privacy. Fortunately, putting safeguards in place for telehealth is as easy as signing up for a HIPAA-compliant service, many of which are affordable and easy to use.
Several Hushmail partners can help. As a Hushmail customer, you also benefit from discounts when you sign up for these services, which can be found on our Partner Offers page.
Non-compliance penalties went up last year
Although telehealth non-compliance penalties are being waived, other penalties for violations went up last year and will affect practices in 2021. HHS is required to adjust these penalties for inflation each year to maintain their effectiveness and deterrent effect. The maximum penalty for each violation of a particular HIPAA requirement increased to $59,522 (previously $58,490), with a calendar-year cap of $1,785,651 (previously $1,754,698).
Healthcare practices are missing the mark
In 2016 and 2017, the OCR conducted audits of 166 covered entities, including 150 healthcare providers, with respect to their compliance with selected provisions of the HIPAA Rules.
The results of the audits were published in December 2020 in the 2016–2017 HIPAA audits industry report.
Here are some of the findings:
- Only 2 percent of covered entities fully met the requirements of the Notice of Privacy Practices standard.
- 89 percent failed to show they were correctly implementing the individual right of access.
- Only a small percentage of covered entities (14 percent) met the requirements for safeguarding protected health information (PHI) through risk analysis.
- 94 percent of covered entities and 88 percent of business associates failed to implement the HIPAA Security Rule requirements for risk management that would reduce risks to a reasonable level.
In multiple cases, a misunderstanding of the law was cited as the reason for non-compliance. There is much to be learned from the audit that can help you ensure your own practice is in compliance. In future blog posts, we’ll give you basic tips to ensure that 1) you’re correctly supporting the individual right of access to PHI, and 2) you’re properly safeguarding your clients' PHI with risk analysis and risk management.
In this post, we’ll give you a few tips to ensure your Notice of Privacy Practices is in order.
Bring your Notice of Privacy Practices up to speed
The audits revealed that most covered entities had Notices of Privacy Practices (NPPs) that didn’t meet all of the requirements, including the requirement to be written in plain language. According to the report, “almost all NPPs were missing required content, often related to individual rights.”
The report listed the following as common omissions from the NPP requirements stated in 45 CFR § 164.520.
- § 164.520(b)(ii)(B) “A description of each of the other purposes for which the covered entity is permitted or required by this subpart to use or disclose protected health information without the individual’s written authorization.”
- § 164.520(b)(ii)(D) “… the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.”
- § 164.520(b)(iv) “Individual rights. The notice must contain a statement of the individual's rights with respect to protected health information and a brief description of how the individual may exercise these rights (emphasis added), as follows:... (C) The right to inspect and copy protected health information as provided by § 164.524.”
- § 164.520(b)(ii)(E) “A description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)-(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by § 164.508(b)(5).”
The best step you can take to ensure that your NPP is up to speed is to review the model NPPs provided by the OCR and then create your NPP to match. The OCR provides several different versions of the models, all using plain language and approachable designs, so you can choose the design you feel will best serve your practice.
Support your HIPAA compliance with encrypted email and web forms
In a future blog post, we’ll discuss how you can support your HIPAA compliance by properly safeguarding your clients' PHI with risk analysis and risk management. One safeguard you can put in place is an encrypted email and web forms service that will allow you to communicate securely with your clients. Hushmail for Healthcare gives you this peace of mind along with a Business Associate Agreement (BAA), assuring you and your clients that your messages are confidential and HIPAA compliant.