What’s New In 2019: Changes to HIPAA Laws, Rules & Regulations

You know you’ve worked hard to make sure your office’s privacy compliance meets and exceeds what the law requires.

We’re sure you want to maintain that level of service to your patients, so we’re here to help you keep up with any new 2019 changes to HIPAA laws.

Evolving internet data storage options invite new attacks on the data they hold. The health care industry meets these challenges by operating under HIPAA's stringent privacy and security requirements.

Protected Health Information (PHI) is among the most sensitive data in the world.

With the advent of personal health record (PHR) apps, more health information passes through the cloud than ever before. Patients can now access their health records wherever and whenever they want.

Understanding Cloud Computing

It’s important to understand a bit about cloud computing so that you understand how your provider stores your data.

It’s unlikely that all of that data is stored on a computer in your office. Your practice transfers it over the internet to a managed service provider (MSP), which encrypts and stores it.

You and that MSP are both responsible for protecting data at rest (PHI stored on drives, whether at your facility or at the provider) and data in motion (PHI travelling over the internet to your servers or to your patients’ health care apps).

Your cloud provider must meet a specific set of compliance obligations to host PHI: under HIPAA it is a business associate and must sign a business associate agreement (BAA) with you. Providers that host PHI typically guarantee data availability, host the data in the U.S., and maintain backup and disaster-recovery plans to protect it in case of a catastrophic event.

As a business associate, the provider is directly responsible for its own risk analysis and safeguards, and it must notify you of any breach of the PHI it holds.

New Payment Models

Separately, medical coders must follow new coding changes that take effect every year. This year’s changes are driven by quality metrics, with value-based care in mind.

Some of the code changes include:

  • Evaluation/Management level changes
  • New technology codes
  • Specific history codes for cancer patients
  • Skin biopsy codes

OCR Request for Information

HIPAA rules haven’t changed substantively since the 2013 Omnibus Rule. That may change due to a request for information (RFI) issued in December 2018 by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) to collect feedback on whether the HIPAA rules need revision.

OCR’s intent is to gather input on how HIPAA regulations would work in a value-based health care system. The current rules were written for the present fee-for-service (fee-based) structure.

Let’s compare these models to be clear about what each means to healthcare providers.

What is Value-Based Healthcare?

Value-based healthcare embraces the idea that the outcome of a patient’s treatment dictates the quality of care they received. It promotes a comprehensive treatment plan that holds health care providers accountable for costs and quality.

The health care industry was spending more on patient treatment without measurably improving patients’ health. The value-based model aims to reduce spending and reward positive health outcomes.

Quality Over Quantity

The value-based, coordinated care framework is a modern way to reform healthcare. It is a data-driven approach designed to improve efficiency and quality and reduce costs.

The system measures treatment outcomes for individuals or local populations and uses that data to calculate reimbursement. That removes the incentive for doctors or facilities to maximize billing by increasing the quantity of services.

What About Fee-Based Healthcare?

The current delivery system pays by the number of services rendered: the more visits, tests, and procedures a patient receives, the more the provider bills the insurance company or Medicare.

This model rewards providers for adding tests and procedures to a patient’s treatment plan. It drives up costs and offers no reward for a good patient outcome.

Value-Based Care and HIPAA Regulations

OCR’s request for input is a first step away from the current system and toward a coordinated-care delivery model.

However, that model poses its own HIPAA privacy challenges, since a patient’s records would be shared among a group of providers by default. The rules covering electronic records themselves are expected to remain unchanged.

OCR has also been working toward a requirement that patients can find out exactly where their medical information has been shared and with whom (an accounting of disclosures). That requirement has not taken effect yet, in part because present electronic health record systems can’t generate these reports.

If the U.S. adopts a value-based system, EHR vendors and providers will need to update their systems to track this information. Any patient treated by a group of providers needs to know how their PHI is distributed across the group.

When Do These Changes Happen?

All HIPAA rule changes follow this process:

OCR issues a request for information and sets a deadline for responses. In the present case, the deadline was February 12, 2019. After the deadline, the Department of Health and Human Services reviews the feedback and then publishes a notice of proposed rulemaking.

Once the proposed rules are published, the department opens a public comment period and considers that feedback before issuing a final rule. The final rule sets a compliance date, giving providers time to comply before penalties apply. This careful period of study can take years.

New changes to HIPAA laws are unlikely to happen within months.

Knowing what could change, however, gives you an advantage when planning your next audit or cloud service upgrade. If the industry moves toward a value-based model, record sharing will have to be easier, and the access controls and audit trails around that sharing will matter more.

Brace for Changes to HIPAA Laws

There aren’t many new changes to how PHI is kept and stored. Since you now know that significant changes may come in the next few years, why not arrange an audit to be sure that those changes are all you will have to accommodate?

There could be small things you have overlooked. You may not fully understand how your cloud provider stores and encrypts your data.

Partnering with a team of specialists with a thorough knowledge of HIPAA can assure you that your patients’ information is secured correctly.

HIPAA Security Reminders

HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

The standard at 45 CFR § 164.308(a)(5)(i) of the HIPAA Security Rule states: “Implement a security awareness and training program for all members of its workforce (including management).”

The reminder series is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
