Given the rise in telehealth, cyber threats, and other factors affecting health information privacy and security, there has never been a better time to revisit the Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforcement process and reinforce the importance of HIPAA training for healthcare workers. Every workforce member must be trained before encountering protected health information (PHI) and again whenever regulations, policies, procedures, practices, or technology are updated or added. Periodic (commonly annual) training on HIPAA privacy, security, and breach notification requirements should also be in place.
What Are Some Recent HIPAA Announcements?
Healthcare organizations are required to update their own policies, procedures, and forms in accordance with new HIPAA rules, so staying up-to-date on changes is key. Recent announcements include:
- The final rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy strengthens the HIPAA Privacy Rule by prohibiting the use or disclosure of protected health information related to lawful reproductive health care in certain circumstances. It was published in the Federal Register on April 26, 2024, took effect on June 25, 2024, and has a compliance date of December 23, 2024, except for the Notice of Privacy Practices (NPP) changes, which must be implemented by February 16, 2026. The rule also requires NPPs to be revised to address the Confidentiality of Substance Use Disorder Patient Records under the new 42 CFR Part 2 final rule.
- The final rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR Part 2 ("Part 2") was issued on February 8, 2024, and took effect on April 16, 2024, with a compliance date of February 16, 2026. It is not a HIPAA final rule as such, but it modifies Part 2 to align certain provisions with HIPAA and the HITECH Act, increasing care coordination among providers treating the same patients while strengthening confidentiality protections to improve patient health outcomes.
What Is the Typical HIPAA Enforcement Process?
- The Office for Civil Rights (OCR) receives a HIPAA complaint
- OCR investigates the complaint and may initiate a compliance review covering the entity's entire HIPAA program, not just the subject of the complaint
- OCR may impose civil monetary penalties for violations and can refer the matter to the Department of Justice (DOJ) for a determination of whether criminal penalties are appropriate
- Covered entities and business associates that settle with OCR typically sign a resolution agreement and agree to a corrective action plan (CAP), whose implementation OCR then monitors
What Are the Top 5 Issues in Investigated Cases?
The compliance issues most often reported in complaints are:
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information
- Use or disclosure of more than the minimum necessary protected health information
When Do Healthcare Workers Need to be HIPAA Trained?
HIPAA training is required:
- Within a reasonable time after hiring a new employee and before they have access to PHI
- When the Department of Health and Human Services (HHS) implements new guidance or requirements
- When there is a change in workplace policies, procedures, or technology
- Periodically, often interpreted at a minimum as annually
What Can Happen If a Covered Entity or Business Associate Doesn't Comply with HIPAA?
The Office for Civil Rights (OCR) recently stated that it plans to resume the HIPAA audit program it ran in 2016 and 2017. This time, because of the growth in ransomware and malware over the past few years, the audits will also examine cybersecurity practices and the use of online tracking technologies. Given these threats, it is important to make sure your organization is training employees and implementing countermeasures; the HIPAA Security Rule requires covered entities and business associates to protect electronic PHI against reasonably anticipated threats, which today includes hacking and ransomware. OCR intends to begin auditing HIPAA-regulated entities later this year, and the audits will also evaluate compliance with the changes to the HIPAA Security Rule that the agency is planning for this year.
If an organization is found to be in violation, civil monetary penalties are tiered by level of culpability. Under the inflation-adjusted amounts in effect as of 2024, they range from $137 to $68,928 per violation, with an annual cap of $2,067,813 for all violations of an identical provision (the frequently cited $1.5 million figure is the pre-adjustment cap). As of May 31, 2024, OCR has settled or imposed civil monetary penalties totaling over $143M.
With Steri-Safe® HIPAA Compliance Solutions you gain access to up-to-date HIPAA training covering topics such as the HIPAA Privacy Rule, the Security Rule, the HITECH Act, best practices for safeguarding PHI, and cybersecurity. Visit Stericycle.com/HIPAA to learn more.