HIPAA may be changing. Your HR team needs to know about the rules, privacy, and what tools and training employees need to ensure compliance.
The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) is seeking to facilitate information-sharing and improve care coordination—while still protecting privacy. Toward that end, the agency has issued a Request for Information (RFI) seeking input from the public about how the Health Insurance Portability and Accountability Act (HIPAA) rules could be modified to enhance value-based healthcare.
“We are looking for candid feedback about how the existing HIPAA regulations are working in the real world and how we can improve them,” said OCR Director Roger Severino. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information,” he added.
HHS Deputy Director Eric Hargan suggested that improving HIPAA’s utility could help health care organizations better address problems such as the opioid crisis. He said, “We’ve heard stories about how the privacy rules can get in the way of patients and families getting the help they need. We’ve also heard how the rules may impede other forms of care coordination that can drive value.”
Nursing homes and other health care organizations face many challenges when it comes to HIPAA compliance. Among them:
· Patients often are too ill or cognitively impaired to consent or provide information.
· The privacy notice isn’t shared with all of the stakeholders.
· It isn’t always clear who the patient’s legal decision-maker is or who has power of attorney. Multiple people may inquire about the patient’s status, and staff members are unsure with whom they can and can’t share information and what details they can impart.
· Staff and practitioners use a variety of devices to communicate about patients and share personal health information (PHI).
In the meantime, there are a few steps you can take to ensure HIPAA compliance among all employees:
· Build awareness with regular training, reminders at meetings, posters in staff rooms, etc. Make sure everyone understands the risks that security violations can cause and their role in protecting privacy. Remind employees to use strong passwords and change them at regular intervals. Conduct “walk arounds” to identify and correct any risky behaviors (such as computer screens left unattended with open files).
· Have a formal security/privacy policy. Make sure all staff members are trained consistently.
· Consider replicating your data to the cloud where it is offline and inaccessible, as opposed to keeping physical copies.
· Make sure that consultants, practitioners, vendors, and visitors alike understand the importance of privacy and their role in protecting PHI.
HHS developed the HIPAA rules to protect individuals’ health information privacy and security interests, while permitting information sharing needed for important purposes. However, in recent years, OCR has heard calls to revisit aspects of the rules that may prevent appropriate and necessary information sharing and impede care coordination. Public comments on the RFI are due by February 11, 2019. The RFI may be downloaded from the Federal Register.