
New HIPAA Privacy Rules: Everything You Need to Know Going into 2021

In 2021, it will be 25 years since the Health Insurance Portability and Accountability Act (HIPAA) was enacted. The legislation protects the sensitive personal and medical information handled across the healthcare industry.

In the 25 years since the legislation was first introduced, a lot has changed. Threats have evolved dramatically and, as a result, HIPAA has had to adapt.

What are the changes that affect the HIPAA laws as we move into 2021?

In this article, we’ll take a look at the new HIPAA privacy rule.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule was issued by the US Department of Health and Human Services (HHS).

The Privacy Rule sets national standards that restrict how individually identifiable health information may be used and disclosed by covered entities (health plans, health care clearinghouses and most health care providers) and their business associates. This type of information is referred to as protected health information (PHI).

The Right of Access Initiative

In 2019, the Office for Civil Rights (OCR) at the Department of Health and Human Services announced the Right of Access Initiative. This enforcement priority sets out to protect the rights of patients who want copies of their medical records promptly and without being overcharged.

The initiative responds to long-standing criticism that, in practice, it is too slow, too complex and too expensive for individuals to obtain their own medical records.

In practice, the Right of Access Initiative means that OCR is actively enforcing the right of access and has begun settling with organizations that fail to provide records within the required timeframe or that charge more than the rule allows.

To avoid penalties, review your policies and procedures for handling access requests. Under the Privacy Rule (45 CFR 164.524) a covered entity must generally act on a request within 30 days (with one 30-day extension if the individual is told why), may charge only a reasonable, cost-based fee, and must provide the records in the form and format requested if they are readily producible. Ensure your pricing and delivery standards meet these requirements.

New Patient Identifier for Medicare Patients

A unique national patient identifier is an identification number intended to identify each patient consistently across healthcare providers and systems. (It should not be confused with the National Provider Identifier, also abbreviated NPI, which HIPAA already requires for providers.) A patient identifier was envisaged in the original HIPAA legislation back in 1996, but Congress has blocked federal funding for it every year since 1999, so it has never come to pass.

In June 2019, the House of Representatives voted to lift that funding ban. The reason? To overcome difficulties in patient matching so that medical errors and misidentification can be reduced. The ban can only be removed if the Senate agrees, so organizations should watch the annual appropriations process rather than plan around an identifier that does not yet exist.

The move to lift the ban was supported by the American Health Information Management Association (AHIMA).

While there was plenty of support for this legislation it was not without criticism. Senator Rand Paul argued that a national patient identifier would actually threaten the privacy of patients.

Separately, the Privacy Rule's de-identification standard already lists 18 identifiers, covering everything from names and email addresses to social security numbers and biometric identifiers, that must be removed before health information is no longer considered PHI.

Non-Compliance Penalties Rise

One of the major changes that has come into play in 2020 is a rise in the civil monetary penalties that can be levied in the event of non-compliance. These increases are annual inflation adjustments required by the Federal Civil Penalties Inflation Adjustment Act.

The amount that can be charged per violation has risen for each of the four culpability tiers, and the annual cap for each violation category has risen with it.

The maximum penalty per violation for the four tiers is:

  • Tier 1 (did not know): $58,490
  • Tier 2 (reasonable cause): $58,490
  • Tier 3 (willful neglect, corrected): $58,490
  • Tier 4 (willful neglect, not corrected): $1,754,698

The statutory annual cap for each tier is set at $1,754,698. Note, however, that under a Notice of Enforcement Discretion issued in April 2019, OCR applies lower annual caps to Tiers 1 through 3 ($25,000, $100,000 and $250,000 respectively) pending formal rulemaking. With penalties this high for non-compliance, it is vital that organizations review their procedures and policies immediately. Inflation adjustments are published every year, so the figures above should be rechecked against the latest HHS notice.

Healthcare organizations need to ensure they are meeting the standards set out by HIPAA.

No Non-Compliance Penalties for Telehealth During COVID-19

Back at the start of the COVID-19 pandemic, the Office for Civil Rights at the Department of Health and Human Services issued a Notification of Enforcement Discretion. The notice stated that OCR will not impose penalties for non-compliance with HIPAA rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.

The notice was announced in March 2020 and published in the Federal Register in April 2020. It gives healthcare organizations the discretion to use any non-public facing remote communication product that is available.

These apps can provide telehealth to their patients during the pandemic.

The Office for Civil Rights acknowledged that some of these audio and video communication products might not fully comply with HIPAA, but stated that it will not impose penalties on providers using them in good faith for telehealth.

By exercising this enforcement discretion, OCR allows providers to diagnose and treat any health condition remotely during the pandemic, not only conditions related to COVID-19.

The range of apps and software available will make it easier for patients to access their healthcare providers during their time of need. Providers are now able to use video chat apps such as Facebook Messenger, Google Hangouts, Skype, Zoom, or Apple Facetime.

Public-facing video apps such as Facebook Live, TikTok, YouTube, and Twitch should not form any part of a telehealth consultation.

Under normal circumstances, healthcare providers may only route PHI through software from vendors that have entered into HIPAA business associate agreements (BAAs). During the public health emergency, however, OCR will not penalize healthcare providers for the lack of a BAA with a video communication vendor.

Providers are still expected to tell patients that these third-party apps may introduce privacy risks, and to enable all available encryption and privacy modes when using them. Where possible, vendors that will sign a BAA remain the better choice, and the enforcement discretion lasts only for the duration of the declared public health emergency.

Community-Based Testing of COVID-19

In April 2020, the Office for Civil Rights announced a further Notification of Enforcement Discretion, retroactive to March 2020, stating that it will not impose penalties or sanctions on covered entities or business associates for HIPAA violations in connection with their good faith participation in the operation of drive-through, walk-up and mobile COVID-19 community-based testing sites.

This means that healthcare organizations can react to the changing COVID-19 situation without worrying about incurring penalties. OCR nonetheless encourages reasonable safeguards at testing sites, such as physical barriers or canopies, keeping people separated, limiting the PHI collected to what is needed, and storing any records securely.

HIPAA in 2021

There is a great deal of uncertainty about exactly how the current global healthcare crisis will play out. As such, the HIPAA Privacy Rule and OCR's enforcement discretion will no doubt need to adapt further as 2021 progresses.

It is essential that all organizations that handle medical records keep up-to-date with HIPAA laws and comply with them to the letter.

To ensure your organization is fully compliant with the HIPAA privacy rule, get in touch today and we’ll happily ensure your needs are met. 

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

The series supports the standard at 45 CFR 164.308(a)(5)(i) of the HIPAA Security Rule, which requires covered entities and business associates to "implement a security awareness and training program for all members of its workforce (including management)."

The reminder series is part of our Best Practices Recommendations for HIPAA Security Suite users, but it is available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
