Major updates to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule are expected in the coming months, and many stakeholders are hoping for some significant improvements in data reporting. Simplification of existing processes for notification of breaches and tracking who has access to data could lead to some important advances. Currently, the processes are highly burdensome and can limit the ability to use data that include protected health information (PHI) to study important public health issues.

Research Risks Minimal

“The potential risks from use of data for research in areas like epidemiology and health services research are extremely minimal,” said Stephen Crystal, PhD, director of the Center for Health Services Research at Rutgers University in New Brunswick, New Jersey. “There have been almost no cases that I have ever heard about where an individual was actually harmed in any way from such research. This supports simplification.”

The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) this past March announced a 45-day extension of the public comment period for the Notice of Proposed Rulemaking (NPRM) to modify HIPAA. It has been more than 7 years since HIPAA underwent a major overhaul, despite significant improvements in information technology.

OCR first released the NPRM to the public on the HHS website on December 10, 2020, and it was published in the Federal Register on January 21, 2021. The 45-day extension moved the current deadline for the public to submit comments to May 6, 2021. The proposed changes to the HIPAA Privacy Rule include strengthening individuals’ rights to access their own health information.

Complexity Is the Biggest Problem

Many physicians hope there will be a reduction in the administrative burdens on HIPAA-covered health care providers and health plans. Richard Bailey, lead IT Consultant for Atlantic.Net, which provides an array of data hosting services, said without a doubt the biggest problem with HIPAA is its complexity. “This is primarily due to how technology has evolved exponentially in the past 2 decades, creating a complex technical layer that must be implemented within the physical, administrative, and technical safeguards of HIPAA,” Bailey said.

HIPAA compliance is confusing, according to Bailey, because there are so many caveats regarding each technical safeguard. Electronic health record (EHR) encryption is an example. “It is not a mandatory requirement for EHR to be encrypted, but you must be able to demonstrate a roadmap of how your health care organization plans to achieve EHR encryption in the future,” Bailey said.

Greater Flexibility Needed

The current changes under discussion call for improving information sharing for care coordination and case management for individuals. “Not a great deal has changed since 2013. We had some minor regulatory enforcement easing at the start of the COVID-19 pandemic for telehealth and PHI disclosure for COVID victims, and there have been some increases in the data breach penalties over the years, but the majority of the core legislation is unchanged,” Bailey said.

Significant changes are expected to be introduced over cybersecurity standards in health care, with new guidelines establishing “expected best practice standards.” Clarification is needed for security and wearable health care devices, Bailey said. “We would like to see clearer definitions of best practices as other industries have done,” he said. “Take the credit card industry for example. There are clear and defined best practices to follow for your physical locations, networking, server administration, etc. This would help reduce the confusion on what is best practice when it comes to HIPAA compliance.”

Debate is underway about expanding health care clearinghouses’ access to PHI. As clearinghouses are business associates, Bailey said, it seems logical to expand their access to PHI. The rise of artificial intelligence (AI) and machine learning allows clearinghouses to create data warehouses with decision-making algorithms to link patient data to clearinghouse health care payment systems.

This article originally appeared on Renal and Urology News