HIPAA Trends in 2023

CompliancePoint attended the 2023 Health Care Compliance Association (HCCA) Annual Compliance Institute. There were several sessions discussing current and future HIPAA trends in enforcement and changes to HIPAA regulations.

Here are some of the most talked about issues that could have a big impact on the healthcare industry.

Security Risk Assessments

Melanie Fontes Rainer, the Director of The Office for Civil Rights (OCR), hosted two sessions at the event, giving an update on HIPAA compliance and enforcement.

During both sessions, the Director focused extensively on the OCR's expectation that all organizations, both covered entities and healthcare business associates, perform enterprise-wide security risk assessments at least annually.

Fontes Rainer pointed out that if an organization does not perform a security risk assessment and then suffers a Protected Health Information (PHI) breach, it may be subject to civil and criminal penalties enforced by the OCR. The HIPAA Security Rule requires organizations to maintain reasonable and appropriate administrative, physical, and technical safeguards for protecting electronic Protected Health Information (ePHI). A security risk assessment is necessary to meet these requirements, and failure to perform one can result in significant penalties from the OCR. Penalties for non-compliance can include fines of up to $50,000 per violation and criminal charges, depending on the severity of the breach. Organizations should take HIPAA compliance seriously and conduct the required risk assessments to keep their PHI secure; doing so can prevent serious penalties related to a potential breach of PHI.

In addition to fines and criminal charges, an organization can be required by the OCR to undergo corrective action. Corrective action includes developing policies and procedures to mitigate risks associated with PHI, as well as training staff on HIPAA compliance and data security best practices. The goal of corrective action is to prevent future breaches of PHI. The Director made it very clear that the OCR expects organizations to have implemented this security control and that failure to do so will be considered in any OCR investigation.

Online Tracking

Fontes Rainer also spoke about the recently released Department of Health and Human Services (HHS) bulletin on the use of online tracking technologies. The use of tracking technologies such as cookies and beacons can pose serious risks to the privacy and security of individuals’ PHI under HIPAA. These technologies enable entities to track and store a vast amount of detailed data, including PHI, which could potentially be accessed by unauthorized individuals or malicious actors. To protect patient data when using tracking technologies, entities must have appropriate controls in place to ensure the safety and security of PHI. OCR has issued guidance on the use of online tracking technologies and their implications under HIPAA. This guidance outlines what entities should do to protect patient data when using tracking technologies, including:

  • Developing policies and procedures to ensure that only the minimum amount of data necessary is collected and used
  • Establishing safeguards to protect the collected data, such as encryption or tokenization
  • Training employees on how to properly use tracking technologies, so they understand the implications for patient privacy
  • Developing a mechanism to notify individuals if their data is collected and used in ways that are not consistent with Privacy Rule standards

Failure to comply with the guidance can lead to significant civil and potentially criminal penalties, so it’s essential that entities using tracking technologies have proper controls in place. By developing sound policies and procedures, training employees on how to correctly use tracking technologies, and implementing data security measures to protect collected data, entities can ensure that they are in compliance with HIPAA. These steps will help to ensure that the medical information of patients remains secure and private.

Cell Phone and Tablet Usage Guidance

The Director also pointed out that HIPAA rules do not generally protect the security and privacy of PHI when it is accessed or stored on your personal cell phone or tablet. If you use an app that has not been provided to you by a covered entity or one of its business associates, you should assume that the HIPAA rules do not apply. Likewise, if you download or enter data into an app for your personal use, the HIPAA rules do not apply, regardless of where the information comes from. The OCR has provided guidance to consumers on how to protect their privacy when using apps, which includes evaluating your apps and steps you can take to protect your data.

CompliancePoint has a team of experienced healthcare, information security, and privacy professionals that can simplify HIPAA compliance for your organization. Contact us at connect@compliancepoint.com to learn more about how we can help.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.