Catherine Short speaks with Rachel V. Rose, JD, MBA, principal with Rachel V. Rose – Attorney at Law, P.L.L.C., Houston, TX, on the topic of “HIPAA Celebrates 25 Years – A Synopsis of the Law’s Evolution.” It’s hard to believe that it’s been 25 years since HIPAA was signed into law on August 21, 1996! Over the past two and a half decades, there have been a multitude of changes in the healthcare industry and technology. The three items that remain constant are preserving the confidentiality, integrity, and availability of a patient’s protected health information. In this “ode to HIPAA,” participants will be given a glimpse into some of the lesser known or emphasized aspects of HIPAA, as well as key parts of its history, recent enforcement actions, and anticipated developments.
HIPAA, privacy rule, compliance, act, NIST, practices, NIST standards, information, exchange, blocking, health, exception, HHS, standards, procedures, security, ransom, 21st century CURES Act
Catherine Short, Rachel V. Rose
Catherine Short 00:02
Welcome, and lets 1st Talk Compliance. I’m Catherine Short Partnership Marketing Manager at First Healthcare Compliance. Thanks for tuning in. This show is brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We have create confidence among compliance professionals throughout the United States. Please show your support by taking a moment to provide a review on Google, Facebook or iTunes.
Catherine Short 00:32
On today’s episode, we’re speaking with Rachel V. Rose, JD MBA principal with Rachel V. Rose, Attorney at Law P.L.L.C. Houston, Texas on the topic of “HIPAA celebrates 25 years, a Synopsis of the Law’s Evolution.” it’s hard to believe that it’s been 25 years since HIPAA was signed into law on August 21 1996. Over the past two and a half decades, there have been a multitude of changes in the healthcare industry and technology. The three items that remain constant are preserving the confidentiality, integrity and availability of the patient’s protected health information. At First Healthcare Compliance, we strive to serve as a trusted resource to compliance professionals. And every month we celebrate their hard work and dedication with our compliance super ninja recognition. For this episode we’re spotlighting super ninja Julie Garcia, business office manager at Coastal Vascular Center. Julie says Coastal Vascular Center has three office locations and yet the whole group works as a team. They all respond well to the compliance updates and changes. Congratulations Julie, our team is honored to have the privilege of working with you.
Catherine Short 01:49
So hello, Rachel, thank you for joining me today on 1st Talk Compliance. It’s a privilege to have you with us today.
Rachel V. Rose 01:57
Likewise, Catherine, thank you for having me. And I do hope you have a cake with a candle on it on your side for this illustrious celebration of HIPAA.
Catherine Short 02:08
Absolutely. Why wouldn’t I? it’s a very, very special special occasion. Super excited about this! So HIPAA is having its 25th anniversary this year, and in fact this August right now, can you first give us a brief overview of HIPAA and why it was brought forth in the first place.
Rachel V. Rose 02:30
So how did HIPAA come to be HIPAA? As we know, it is known as the Health Insurance Portability and Accountability Act of 1996. It was signed into law on August the 21st of 1996. And it is also known as the Kennedy-Kassebaum act. Now, Kennedy and Kassebaum were two senators at the time. And it’s interesting to see how its utilization when I worked on the Hill when HIPAA passed, it was referred to more as Kennedy Kassebaum than it was HIPAA. And as time has evolved, notably, we see whether it’s publications or even in presentations, either that I give or that I attend or articles that I read. Very rarely does one see it referenced as the Kennedy Kassebaum act. Fundamentally, HIPAA was created to improve the Portability and Accountability of health insurance coverage for employees between jobs and other aspects or objectives of HIPAA were to combat fraud, waste and abuse in health care, insurance and health delivery. It was also meant to create as it did medical savings accounts, which many of you may be familiar with by introducing tax breaks as well as one aspect of COBRA portability is in fact, the pre existing medical conditions up until that point. Basically, there was nothing written and some insurance rates were really jacked up high if a person had a pre existing medical condition. But what HIPAA did and continues to do is to provide coverage for employees with pre existing medical conditions and simplifies the administration of health insurance. Part of the simplifying the administration of health insurance really had to do with the protection of the privacy and As well as the security protections that we saw come about in the Privacy Rule. And then the Security Rule. Subsequently, as we know, there was a push in 2009 with the health information technology for Economic and Clinical Health Act, known as the high tech Act, which in turn led to the introduction of the meaningful use incentive program in order to get providers to adopt electronic health records. So that if we look at the landscape of HIPAA, that’s really why it was passed in 1996. The more prominent areas that are focused on are obviously the protection of protected health information, the portability of health insurance, while an employee, he is between jobs, the advent of not precluding individuals with pre existing conditions, and one of the caveats there was so long as they had continued health insurance coverage. And that’s what HIPAA enabled to happen there. And then finally, we have the medical savings.
Catherine Short 06:23
Can you tell us more about HIPAA is evolution from over the past 25 years and some of the major changes that have happened?
Rachel V. Rose 06:32
Well some of the major changes include the HITECH Act, which I just mentioned, which really led to the push for the adoption of electronic health records. And one item that is interesting to me, because it was actually 20 years ahead of HIPAA in terms of its timing is 42 CFR Part Two, and it’s typically referred to as part two, and it falls under the Substance Abuse and Mental Health Services Administration, was created in 1976, nearly 20 years before HIPAA, but we see the intersection of HIPAA in part two, in really the unfortunate situations which have arisen with the opioid crisis, the for the types of information that could be released, as well as some of the abilities to exchange certain information were not aligned between HIPAA in part two. But stemming back to about 2016, there was more of an emphasis between OCR and sSAMHSA To cordinate that disclosure of information, with the caveat that everyone would agree that drug substance abuse treatment and mental health are particularly sensitive, because of the oftentimes the stigma that’s attached to that, or how it may affect employment down the line. So there really is a I would call a heightened awareness with certain types of medical information. So that’s one area another area was the passage of the 21st Century Cures Act in December of 2016. And then two final rules came about in May of 2021 is known as the CMS final rule. The other one is known as the O n c. Final Rule. And what’s very important about the lnc final rule is the concept of information blocking. And really, if we look to see how all of these initiatives and laws are dovetailing off of each other, it really brings us to the proposed final rules for the Privacy Rule, the proposed changes to the Privacy Rule. Now, HHS published those in the Federal Register late last year. However, the notice and comment period was extended in that closed in the beginning of May of 2021. Notably, the Privacy Rule, proposed changes expressly address HIPAA, the high tech Act and the 21st Century Cures Act because of two main things a, the access to medical records and be the need, especially in light of the myriad of attacks that all sectors have experienced lately. The cybersecurity of that protected health. information.
Catherine Short 10:01
I wanted to ask you about the executive order impact on pending revisions to the Privacy Rule. Can you explain that? And how might this executive order impact it?
Rachel V. Rose 10:15
So as I mentioned, the proposed Privacy Rule really hones in on the HITECH act, HIPAA and the 21st Century Cures Act. On January 5 of 2021. House Resolution 7898 was signed into law. And it’s relatively short. However, what it did was to establish that if healthcare entities are utilizing technical best practices, so to speak, basically, there is an opportunity for an additional Safe Harbor, or a mitigation of a government investigation or penalties that would be assessed. Now, NIST stands for the National Institute for Standards and Technology. And although NIST has been around for nearly 100 years, what’s fascinating is that it started out as dealing with weights and measures now, and actually stemming back into the 30s and 40s, it really evolved to focus on technology. Now, technology’s changed dramatically since the 1940s. But NIST now falls under the United States Department of Commerce. NIST standards are critical, as well as what I call it sister standards, and that is the Federal Information Processing standards. So it’s imperative to appreciate that there is a crosswalk that HHS has had on its website for years between the NIST standards and the HHS Security Rule standards. And then another part of that intersection between NIST and the Privacy Rule 21st Century Cures Act. And the executive order that you mentioned, which was published by the White House on May 12, of 2021. Is that cybersecurity requires more than government action. And really, the White House called on the private sector to adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace. Well, one way to do that is in fact, utilizing the protection and security standards for processing data, which are set forth in those NIST publications.
Catherine Short 13:13
Okay, great. If you’re just tuning in, you’re listening to 1st Talk Compliance brought to you by First Healthcare Compliance as part of our commitment to provide high quality complimentary educational resources. We help create confidence among compliance professionals throughout the United States. My guest today is Rachel V. Rose, JD, MBA, Principal with Rachel V. Rose, Attorney at Law P.L.L.C., Houston, Texas on the topic of “HIPAA celebrates 25 years – a synopsis of the laws evolution.” Please show your support by taking a few minutes to provide a review of First Healthcare Compliance on Google or Facebook. You can also follow us and subscribe on all forms of social media.
Catherine Short 14:00
I have a question now about blocking policies if you could explain a little bit about what blocking policies are and then what are ways that organizations can legally implement information blocking policies.
Rachel V. Rose 14:15
Okay, so information blocking is actually part of the ONC. And basically the ONC Final Rule is a balance of striking cyber security of a practice and business associates for example, with providing patients access to their medical record. So first, it’s important to understand that information blocking is a practice by a health IT developer of certified health ID health information, network Health Information Exchange or health care provider that except as required by law, or specified by the Secretary of Health and Human Services, as a reasonable unnecessary activity is likely to interfere with access, exchange or use of electronic health information. And some of you may be thinking, Wait, what’s electronic health information? For years. Under the Security Rule, we’ve known electronic protected health information. So it’s important that ePHI is defined as electronic protected health information as defined in 45 CFR 160 point 103. And for those of you who are not familiar with that particular provision, that’s the definition section, to the extent that it would be included in a designated record set as defined in 45 CFR 160 4.501. Regardless of whether the group of records or used or maintained by or for the covered entity, as defined again, in that particular definition section. But ePHI shall not include psychotherapy notes, or information compiled in reasonable anticipation of or for use in a civil criminal or administrative action or proceeding. So basically, now that we know what information blocking is, it’s important that there are three main types of practices that constitute information blocking, one in general is practices that restrict authorized access, exchange or use under applicable state or federal law. Second, implementing health IT in non standard ways that are likely to substantially increase complexity or burden of accessing, exchanging or using eh II. And lastly, implementing health it in ways that are likely to a restrict access, exchange or use of ePHI with respect to exporting complete information sets, or in transitioning between health IT systems, or be lead to fraud, waste, and abuse. So now that we know that there are these three main practices, which would constitute information blocking, it’s equally as important to appreciate that there are two main categories of exceptions. And within those two main categories, there are eight total subcategories. So the first is not fulfilling requests to access exchange, or use, ePHI and these specific exceptions to that particular broad category are preventing harm. The Privacy exception, the security exception, the infeasibility exception, health IT performance exception, those are the five there. Our next category is an exception that involves procedures for fulfilling requests to access exchange, or use, ePHI. So specifically, there’s the content and manner exception, the fee exception and the licensing exception. So you want to make sure then, in tying that back into your policies and procedures, that you have the 21st Century Cures Act and information blocking included in your HIPAA privacy laws and procedures, you may also need to revise your Notice of Privacy Practices, as well as your HIPAA authorization forms.
Catherine Short 19:27
Can you tell me what do you think the five best ways to mitigate risk of non compliance with HIPAA might be?
Rachel V. Rose 19:37
Absolutely and Catherine, you know, this is one of my favorite things to talk about. And really, it’s something that I’ve always homed in on, however, after I read a law 360 article, which was published in February of 2020, which identified low hanging fruit that the Office for Civil Rights goes after when enforcing HIPAA, it really made sense to me. And these five ways to mitigate risk, and help with compliance are conducting an annual risk assessment, making sure that you have adequate policies and procedures in place and that they’re revised, at least annually. But during an event such as COVID, all of my clients revise theirs, or we did an appendix that was specific to COVID. Another one is annual employee training at a minimum with cyber security and HIPAA reminder trainings. And those could be in the form of an article or a webinar, just something to keep reinforcing the different items. And then the different changes that we’ve seen so much of recently, another item to look at is making sure you have business associate agreements in place. And then lastly, ensuring that data is encrypted, both at rest and in transit.
Catherine Short 21:12
Okay, great. I believe you mentioned the HR 7898. If you could explain that a little bit, and how should organizations incorporate hr 7898?
Rachel V. Rose 21:25
That’s a great question. And I did mention it during my longer answer to the question of really how all of these laws are intertwining. And I think of it I would have thought of it as a double helix. But now it’s more like a braid with a lot of different strands. And HR7898 was signed into law on January the 5th of 2021. And basically what it does is to create a safe harbor of sorts. And by a safe harbor, I mean, by utilizing NIST standards, in addition to the HIPAA Security Rule standards, this would be known as recognition of security practices. So basically, if you are utilizing recognized security practices, then it can help mitigate the risk not only of an attack, but also in the event of a lawsuit or a government investigation. It can mitigate your exposure both to the length of the investigation as well as potential penalties. So recognized security practices are basically the standards, guidelines, best practices, methodologies, procedures and processes developed under section 2 C 15 of the National Institute of Standards and Technology Act, the approaches promulgated under Section 405d of the Cyber Security Act of 2015 and other programs and processes that address cyber security and that are developed, recognized or promulgated through regulations under other statutory authorities. such practices shall be determined by the covered entity or business associate consistent with the HIPAA Security Rule. So again, that’s really how NIST intertwines with HIPAA and the HITECH act.
Catherine Short 23:58
What are two items that anyone should remember before paying ransom in the event of a ransomware attack? And should it be paid?
Rachel V. Rose 24:08
So first and foremost, don’t pay the ransom right away. Secondly, is to contact the FBI and the FBI on their website has a link for you to report. Obviously, if it involves a healthcare entity, you may reach out to HHS OCR as well. But the reason for not paying the ransom is a it could escalate the situation and be you don’t know who was requesting the ransom. And because of that, you need to go and review the Office of Foreign asset controls. October 2020 bulletin that says if you pay ransom and it is a state actor that a United States citizen or the United States is precluded from doing business with then there are potential criminal penalties. So that’s just something to bear in mind. But again, the first thing to do after you’ve notified your IT department and halted the spread, of course, is not to pay the ransom and contact the FBI and any other relevant government agencies.
Catherine Short 25:30
Okay, great advice. I think that’s about all the time that we do have. Do you have any more advice before we end our show?
Rachel V. Rose 25:40
Well, because it is HIPAA’s 25th anniversary, I think it’s very appropriate for everyone to go and get a cupcake and celebrate Catherine.
Catherine Short 25:52
I, I heartily endorse that suggestion. It’s always a great time for for cake. And today would be a great day for that. So I agree. I agree. Thank you so much for being here today. Rachel, always enjoy you being here. And it’s a real pleasure.
Rachel V. Rose 26:09
Likewise, Catherine, thank you for having me. And I look forward to our next presentation. Me too.
Catherine Short 26:16
Me too. So thank you so much. Thank you. And thanks to our audience for tuning in to first talk compliance. You can learn more about our show on the program’s page on healthcarenowradio.com and lend your voice to the conversation on Twitter @1sthcc or #1sttalkcompliance. You can also email me at firstname.lastname@example.org. I’m Catherine Short of First Healthcare Compliance. Remember, compliance is the key to achieving peace of mind