Breaking Compliance News Blog

Is HIPAA Changing?

Posted by Margaret Scavotto, JD, CHC on 4/26/18 6:44 AM

 Last week, I heard Marissa Gordon-Nguyen, Senior Advisor for HIPAA Policy for the Office of Civil Rights (OCR), and Iliana Peters, formerly of the OCR and now with Polsinelli, speak about HIPAA enforcement. Here’s a summary of the tips they shared, as well as a few ways HIPAA might be changing.

Not encrypting? That’s “less and less persuasive”

Many providers struggle to decide whether to invest in encrypting electronic PHI. After all, encryption is addressable, but not required, under the HIPAA security rule. Iliana Peters advised that covered entities’ and business associates’ reasons for not encrypting “are becoming less and less persuasive” to the OCR. This is partly because encryption methods are increasingly available and affordable. And, encryption brings important security benefits to an increasingly high-risk environment.

New guidance!

The OCR is currently developing new guidance for covered entities and business associates, addressing:

  1. Social Media
  2. Texting
  3. Encryption

While there is not a timeline for releasing this guidance, MPA will let you know when it’s available.

New changes?

Ms. Gordon-Nguyen discussed three potential HIPAA changes that we might see soon:

  1. Presumption of good faith. The OCR is in the process of proposing a rule that would modify the Privacy Rule “to clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members, unless there is evidence that a provider acted in bad faith.” In the current environment, no such presumption exists.
  2. Removal of the NPP acknowledgment. OCR proposes to update the Privacy Rule to remove the “requirement that health care providers obtain from individuals a written acknowledgment of receipt of the provider’s notice of privacy practices, and if not obtained, to document its good faith efforts and the reason the acknowledgment was not obtained.”
  3. Compensation for harmed individuals. The OCR also discussed a Request for Information, seeking public input on a rule that would distribute a portion of HIPAA settlements and penalties to the harmed individuals. This has also been referred to as the “whistleblower” provision, because patients could recover from the provider if they are damaged under HIPAA.

None of these potential changes is in effect yet – but keep an eye out for rules and comment periods if you would like to provide input.

The top 10

Wondering how the OCR would view your HIPAA compliance program? Ms. Peters shared a “top ten” list of recurring HIPAA compliance issues:

  1. Pattern of Disclosure of Sensitive Paper PHI
  2. Business Associate Agreements
  3. Risk Analysis
  4. Failure to Manage Identified Risk, e.g. Encrypt
  5. Lack of Transmission Security
  6. Lack of Appropriate Auditing
  7. No Patching of Software
  8. Insider Threat
  9. Improper Disposal
  10. Insufficient Data Backup and Contingency Planning

Share these top ten HIPAA issues with your Compliance Committee and use them to evaluate where your HIPAA compliance effort stands.

Topics: HIPAA