New HIPAA Regulations in 2021

Although the changes to HIPAA regulations in 2021 were minor, new laws were introduced that relate to the HIPAA Privacy and Security Rules with regard to cybersecurity, patient access to medical information, and HIPAA enforcement.

2021 HIPAA Safe Harbor Law

President Trump signed the HIPAA Safe Harbor Bill (HR 7898) into law on January 5, 2021, amending the HITECH Act. The goal of the HIPAA Safe Harbor Bill was to encourage healthcare institutions to follow standard cybersecurity practices to strengthen their protection against cyberattacks.

The HIPAA Safe Harbor Bill directs the HHS to consider the cybersecurity guidelines that a HIPAA-covered entity has implemented in the one year prior to any data breach when deciding on HIPAA enforcement actions and calculating financial fines associated with security breaches. The bill additionally calls for the HHS to reduce the duration and magnitude of any audits relating to those breaches when industry security guidelines were in place.

Companies that have followed standard cybersecurity guidelines, completed a HIPAA Security Risk Analysis, reduced identified risks to a low and appropriate level, and implemented technical safeguards to protect the integrity, availability, and confidentiality of electronic protected health information (ePHI) will be given more tolerance by OCR; however, financial fines for companies that do not comply with cybersecurity guidelines can’t be lifted.

Besides facing smaller penalties and sanctions, HIPAA-covered entities that follow cybersecurity guidelines and comply with the requirements of the HIPAA Security Rule will be better protected against security and data breaches.

21st Century Cures Act

The 21st Century Cures Act (Cures Act) of 2016 was created to encourage development in healthcare research, and one way this was realized was to make it simpler for patients to get their healthcare information and share that data with research organizations. The Cures Act required the HHS to create a new Rule to improve the flow of healthcare information among providers, patients, and developers of health IT, for example electronic health record (EHR) providers.

The HHS’ Office of the National Coordinator for Health Information Technology (ONC) released its Interoperability and Information Blocking Final Rule in March 2020, and medical care companies, developers of Certified Health IT, and health data networks or exchanges had until April 5, 2021, to comply with the information blocking provisions of the Final Rule. The Centers for Medicare and Medicaid Services (CMS) likewise introduced an interoperability regulation in March 2020 that applies to Medicaid- and Medicare-participating interim acute care hospitals, long-term care hospitals, psychiatric hospitals, rehab hospitals, pediatric hospitals, critical access hospitals (CAHs), and cancer hospitals. The CMS regulation took effect on July 1, 2021.

Under the CMS Final Rule, CMS-controlled payers such as MA companies, Medicaid Fee-for-Service (FFS) programs, CHIP managed care entities, Medicaid managed care plans, QHP issuers, and CHIP FFS programs must implement and maintain a secure, standards-based Application Programming Interface (API) that enables patients to access their claims and get data through a third-party application of their choosing, make provider directory data available to the public through a standards-based API, and deliver electronic patient event alerts of a patient’s admission, transfer, or discharge to a different healthcare center or a different community provider or doctor.

The final interoperability and information blocking rules don’t change HIPAA or the HITECH Act, though they are connected. The final rules support patient access to ePHI and are meant to make that access easier. It is likely that HIPAA policies and processes may violate the ONC Final Rule when they include practices considered to constitute information blocking. Any entity that engages in information blocking can face financial fines, which are capped at $1 million (adjusted annually for inflation).