The Department of Health and Human Services (HHS) has proactively updated those who fall under HIPAA coverage (also known as “covered entities”). Here’s what the HHS has to say about the increase in telehealth options:
“A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.” (Source: HHS)
Make sure to follow these updates from those who monitor and enforce HIPAA compliance in order to ensure the safest environment. Communications are likely to provide guidance on the most prominent issues caused by the pandemic, such as increased appointments, data threats, and mitigation techniques.
The Most Recent HIPAA Updates
A number of changes and updates to HIPAA are being considered and may become either guidance or parts of the law within the coming months, such as:
Updated Penalties for HIPAA Violations. Potential fines and penalties were updated earlier in 2019. (The official documentation was scheduled to be published on April 30th.) Details outlined in the document included a tiered structure for violations with corresponding “caps” now starting from $25,000 for Tier 1.
Better Enforcement and Accountability of Violations. 2019 was a big year for enforcement. According to HIPAA Journal, the average financial penalty was more than $1.2 million. The Health & Human Services Office for Civil Rights (HHS OCR) tightened enforcement efforts in 2018 and did not slow down this past year. However, due to the current world situation, enforcement may take a backseat for most of 2020.
Potential Permanent Audit Program. The HHS has long spoken of a permanent audit program. When the organization launched “Phase 2” of the HIPAA audit program, it mentioned a permanent audit structure in the future. At the time of this writing, however, the audit program has not been changed to a permanent structure.
HIPAA Technical Safeguards: A Basic Review
While no healthcare organization can eliminate the possibility of facing a data breach, implementing HIPAA technical safeguards can go a long way toward mitigating cyber risk.
Under the HIPAA Security Rule, healthcare organizations are required to keep electronic protected health information (ePHI) safe from external and internal threats via technical, administrative, and physical safeguards.
Healthcare data breaches occur nearly every day, and threat actors are constantly shifting their tactics and targets to adapt. In response to the ever-changing cyber threat landscape, it is crucial that healthcare organizations implement technical safeguards that are current, comprehensive, and compliant. Contact Xantrion; we can help.