HIPAA Changes 2020: HHS Privacy and Security
Since 2013, there hasn’t been any significant changes to HIPAA, however there have been proposed changes. The Department of Health and Human Services (HHS) recently announced that they are revisiting previously proposed changes to security and privacy regulations in 2020. HIPAA changes 2020 is discussed below.
HIPAA Changes 2020: Civil Monetary Penalties
When a healthcare organization violates HIPAA privacy or security requirements, they are often required to pay civil monetary penalties (CMPs) to the HHS’ Office for Civil Rights (OCR). Under the current regulations, CMPs are not paid to individuals affected by a HIPAA violation. Individuals do not receive monetary compensation because HIPAA does not allow individuals affected by HIPAA violations to file lawsuits to recover damages. Some states allow patients to file lawsuits, but they cannot file at the federal level.
One proposed HIPAA change in 2020, is to allow individuals harmed by a HIPAA violation to seek monetary relief. Individuals affected by HIPAA violations (particularly those that have had their Social Security numbers or financial information exposed), spend significant time and money recovering from the incident. The only compensation victims receive at present is free credit monitoring and identity theft protection.
Although this is helpful in some cases, there are several instances in which HIPAA violations take months, or even years, to detect. In these cases, these services do little to help patients that have already had their identity or credit compromised.
HIPAA Changes 2020: Accounting of Disclosures
In 2009, the Office for Civil Rights proposed legislation to include electronic protected health information (ePHI) under the accounting of disclosures requirement. Under the accounting of disclosures requirement, patients have the right to request a list of entities that have had access to their protected health information (PHI).
However, this requirement does not extend to ePHI, only to access of paper records. Since ePHI is more widely used today, than when HIPAA was enacted in 1996, this change is long overdue. When the change was first proposed in 2009, it was met with backlash from providers and other HIPAA entities as it would significantly increase the number of entities listed in the accounting of disclosures. HHS has announced that they will add the amendment to the accounting of disclosures requirement to their agenda for 2020.