Changes Proposed to Healthcare Privacy Rules

AAFCPAs would like to make healthcare clients aware that the Department of Health & Human Services’ Office for Civil Rights (DHHS OCR) proposed new regulations to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens. The proposals address these burdens while continuing to protect the privacy and security of individuals’ protected health information.

The current HIPAA Rules have not been updated since 2013, when the HIPAA Omnibus Rule was enacted.

The Notice of Proposed Rulemaking (NPRM) issued by DHHS includes, but is not limited to, changes for:

  • Individual Right of Access
  • Reducing Identity Verification Burden for Individuals Exercising the Right of Access
  • Clarifying the Scope of Covered Entities’ Abilities to Disclose PHI to Certain Third Parties for Individual-Level Care Coordination and Case Management that Constitutes Treatment or Health Care Operations
  • Encouraging Disclosures of PHI When Needed to Help Individuals Experiencing Substance Use Disorder
  • Eliminating Notice of Privacy Practices Requirements Related to Obtaining Written Acknowledgment of Receipt, Establishing an Individual Right to Discuss the NPP with a Designated Person, Modifying the NPP Content Requirements, and Adding an Optional Element

These proposed changes include exceptions to the penalties imposed under HIPAA, specifically for the sharing of PHI for telehealth during COVID-19.

In addition, new guidelines on the sharing of Protected Health Information (PHI) data and the violation penalties that were proposed in 2019 are expected to take effect sometime in 2021, according to HIPAA Journal.

AAFCPAs advises clients to review the proposed changes and determine how they may impact their current processes for patient care.

If you have questions, please contact Mr. Anderson at manderson@nullaafcpa.com; Courtney McFarland, CPA, MSA, at 774.512.4051; or your AAFCPAs Partner.

About the Authors

Mr. Anderson - Ethical Security Hacker
Mr. Anderson is a “white hat” ethical security hacker and business continuity advisor with extensive experience in the development & implementation of security-focused audit and control programs. He is highly sought-after for his expertise in: security architecture reviews; penetration/vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and extensive experience with internal controls evaluation, COSO, COBIT, ITIL, ITGCC, GLBA audits, and ISO, SOX 404 compliance requirements, including all phases of planning, evaluation, documentation, testing and remediation.
Courtney McFarland
Courtney is an audit partner in the firm’s Healthcare Practice with over 15 years of assurance experience and a comprehensive understanding of the nuances of the healthcare industry. She delivers a full range of solutions solving the challenges that AAFCPAs’ healthcare clients face, including: audits in accordance with Uniform Guidance/Single Audit and Government Auditing Standards, 340B pharmacy program requirements, best practices for reconciliation & analysis of statistical and programmatic data, tracking and monitoring risk-based contracts, maximizing reimbursements, and guidance on healthcare reform. Courtney is a member of AAFCPAs’ Revenue Recognition Task Force, dedicated to helping the firm and clients understand best practices for an efficient and effective implementation of the robust new framework.