HIPAA NEWS | May 23


Implications of The New Administration on Healthcare and HIPAA

The Trump administration could make some major changes to America's healthcare system.

Accountable Staff

You might be aware of the fact that the landscape of healthcare in America is changing.

As a covered entity or business associate of a healthcare organization, you might be wondering how, exactly, these changes will affect your company.

The good news is - with regard to HIPAA privacy and security laws - no major changes are officially in the works as of right now.

However, as the new administration is still in the process of making changes to government personnel across the board, official policies and procedures may quickly change without much warning.

The best course of action for your company to take is to stay up to date with news briefs and press releases coming from the US Department of Health and Human Services (specifically the Office for Civil Rights).

Additionally, until you receive official directives stating otherwise, err on the side of cautiousness when it comes to your patients’ privacy and security. Doing so will ensure that your organization remains in compliance with HIPAA protocol and the OCR’s expectations.

Now, let’s take a look at how patient privacy and security laws may change (for better or worse) in the near future.

A Major (Possible) Change to the Privacy Rule

One of the main tenets of HIPAA’s Privacy Rule is the Minimum Necessary Rule.

This rule states that, whenever someone from a covered entity or associated company shares a patient’s protected health information (PHI) with another individual in a professional capacity, only information that is pertinent to the current situation should be shared.

For example, when sharing patient information with your billing department, there’s no need to include information regarding their diagnosis (as billing is only concerned with contacting the patient in reference to insurance coverage, copays, etc.).

However, under newly-appointed HHS Secretary Tom Price, this policy might soon change - at least in one area.

Price is known to be a huge proponent of transparency with regard to medical insurance claims through a person’s place of employment. Essentially, Price has pushed for changes to the Privacy Rule that allow employers to access a broader range of their employees’ PHI in the interest of allowing them to better anticipate and document health insurance costs.

Although it’s arguably reasonable for an employer to be privy to information regarding the cost of certain procedures and how such claims affect the company’s overall insurance policy, Price’s proposal also allows employers access to “applicable procedure and diagnosis codes.” In other words, employers would be allowed to keep track of every aspect of their employees’ prognosis and treatment.

Though on the surface this change focuses on financial awareness, it can have much further reaching consequences.

Simply put: such transparency opens up the door for employers to target workers for termination for reasons beyond their control. For example, in the unfortunate event that an employee is diagnosed with a serious illness, if their employer is only interested in the company’s bottom line - and not in their employees’ health - they might try to find seemingly-unrelated grounds on which to fire said employee.

(Although this situation is arguably a worst-case scenario, it’s precisely the reason the Minimum Necessary Rule exists in the first place.)

Although Price, as the new HHS Secretary, ultimately has the final say over the decision, the OCR will likely push back against such a drastic change to HIPAA’s Privacy Rule. Considering the office’s long-standing support of patient privacy, it’s hard to imagine it would allow for such transparency knowing the negative implications doing so could lead to throughout the country.

As of now, though, nothing is certain. As mentioned earlier, healthcare organizations and their associates should remain prudent when sharing PHI - even if Price’s proposal begins to gain ground. Until amended by an official government entity, the Minimum Necessary Rule remains in place as is - and must be followed to the letter.

Ramping Up Security

Though cybercrime is rampant throughout all industries involving sensitive data, patient information is one of the most common targets of cybercriminals across the country.

Because of this, the OCR has begun focusing heavily on cybersecurity and safeguards regarding electronically-stored PHI.

Incidentally, the new administration continues to acknowledge the importance of keeping confidential and sensitive data secure in today’s digital age - as well as the implications of not doing so.

While the healthcare industry isn’t a specific focus of the increase in cybersecurity measures and protocol, the industry will inherently benefit from the upcoming improvements to be made across the board.

The OCR has already committed itself to doing its part to stay ahead of cybercriminals targeting PHI. Throughout 2017, the office will be performing on-site audits of covered entities and business associates, with a major focus being on whether or not an organization’s cybersecurity measures are up to standard.

As technology is ever-evolving, healthcare-related organizations need to ensure that cybersecurity is a top concern. Not only must these organizations ensure electronically-stored PHI is secure, but they also must have documented policies and procedures in place when integrating a new piece of technology into practice.

Even if specific legislation is not put into place regarding changes to cybersecurity and e-PHI, it’s in your best interest to stay ahead of cybercriminals by implementing proper safeguards and ensuring you’ve covered all angles of electronic security. In turn, when or if such legislation does officially come into law, your organization will already be prepared for the coming changes to protocol.

Conclusion

Regardless of the policy changes that may or may not be implemented in the near future, healthcare-related organizations should always adapt a patient-first attitude when it comes to privacy and security.

Legislation may change with the new administration, but your organization should continue to be dedicated to providing your patients with a safe haven in which they feel comfortable sharing the most intimate details of their life.

As we move forward, you can count on Accountable to keep you up to date with official changes to HIPAA laws and legislation. And, for more information on HIPAA accountability, check out our free guides, as well.