Changes to HIPAA, good or bad?

The Office for Civil Rights (OCR) is proposing changes to the HIPAA Privacy Rule. The Privacy Rule is the part of HIPAA that addresses patient rights and the requirements for protecting patient data. The proposed changes are intended to ease the flow of data for use in the coordination of care and in emergencies, such as COVID-19, and also to reduce some of the administrative burdens physicians and organizations encounter when complying with HIPAA. What should we think?

Let’s face it. It’s ridiculous that we still live with our patient information isolated in data silos, largely inaccessible to other providers. The result is that doctors are expected to diagnose and treat patients when they rarely have a complete picture. The proposed changes are an effort to alleviate this shortcoming in our care. But is there a downside?

For the record, we wholeheartedly support the goal of a single health record that follows us throughout the care continuum. To the extent that these proposed changes will aid in facilitating that, we applaud them. However, there are potential pitfalls that need to be considered.

For starters, relaxing the rules regarding the safeguarding of our health information in the case of “emergencies” is potentially problematic. We believe what constitutes an emergency under this scenario would have to be narrowly and very specifically defined. If loosely defined, we risk the exposure of our health information for reasons many may not consider emergency circumstances. Defined too loosely, this could render the protection efforts moot.

Second, we support making HIPAA as easy as possible to comply with. We recognize, however, that there are limits that must be taken into consideration. For example, we can make it extremely easy to access your bank account, but the easier we make it for you, the easier we make it for others. Walls and security measures are in place for a reason and shouldn’t necessarily be compromised for convenience. The authors of these changes must be cognizant of the balancing act involved in protecting data while making it accessible across platforms and organizations.

Finally, it’s an unfortunate reality that cyberattacks have spiked dramatically in 2020 and are showing no sign of abating. Worse is their effectiveness: we’re witnessing an increase in sophisticated attacks that are frighteningly successful. While financial losses can be recovered from, our health information is forever, and once it’s in the wild, it’s out there for good. We need to keep the emphasis on compliance and enforcement to ensure all vested parties are doing everything reasonably possible to protect our sensitive information. While we want to see HIPAA compliance made as simple as possible, we don’t want to water it down to an extent that it hinders the protection of that information.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires each covered entity to implement a security awareness and training program for all members of its workforce (including management). Have your team sign up for our weekly HIPAA Security Reminders to help stay compliant.