The Health Insurance Portability and Accountability Act (HIPAA) has been the subject of several major developments already in 2021. Healthcare providers, health plans, healthcare clearinghouses, and business associates subject to HIPAA must consider these developments to comply with HIPAA’s technical requirements through 2021 and beyond. For those entities subject to the HIPAA Privacy Rule and Security Rule, our team of HIPAA lawyers has penned an Alert describing these developments in detail. This post will summarize several highlights.
In the regulatory arena, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released proposed changes to the HIPAA Privacy Rule in late January 2021. The proposed regulations include several modifications to HIPAA requirements, including changes that enhance individuals’ access to their own health information and require revisions to privacy notices. Although the rules were announced under the prior Administration, and are subject to President Biden’s Regulatory Freeze Pending Review, many of these rules were previously raised by President Obama’s Administration and are likely to be adopted.
A key legislative development to note is an amendment to Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) that requires HHS to consider a covered entity or business associate’s use of “recognized security practices” when conducting an audit, assessing penalties, or seeking corrective action for violations. Recognized security practices may include practices consistent with standards promulgated by the National Institute of Standards and Technology (NIST) or approaches under the Cybersecurity Act of 2015.
The courts have also recently weighed in on HIPAA privacy and security. The Fifth Circuit recently vacated a nearly $5 million penalty imposed by HHS against a university cancer center for three alleged HIPAA security breaches. The court determined that the agency’s action constituted an arbitrary and capricious enforcement of its regulations. The decision is a sharp reversal of HIPAA penalties previously upheld on appeal, but is not a basis for relaxing vigilance on privacy and security.
These wide-ranging developments demonstrate that entities subject to HIPAA need to monitor current developments and prepare to adapt quickly.