By Rita Bowen, VP, Privacy, Compliance and HIM Policy for MRO
Twitter: @MROCorp
The month of March holds important projections for the healthcare industry—especially for those involved in privacy, security and patient access to health information. It is when the annual National HIPAA Summit is held every year in Washington, D.C., and this year was no exception.
The 28th National HIPAA Summit was held March 4 – 6 at the Grand Hyatt Washington. Thousands of healthcare professionals gathered to discuss current challenges, future goals and expert predictions for our industry. This year’s event focused on the changing landscape of healthcare privacy, security, HIPAA and Protected Health Information (PHI). Here are my five top takeaways from the National HIPAA Summit 2019.
1. Beacons of Change: GDPR and CCPA
Passage of both the European General Data Protection Rule (GDPR) and the California Consumer Protection Act (CCPA) is paving the way for stricter standards and expansion of HIPAA. GDPR and CCPA serve as the new measuring sticks for 2019 privacy conversations in healthcare. With this shift come increased compliance risks for providers and business associates (BAs), alongside greater privacy right of action for individuals. For example, presenters at the HIPAA Summit suggested that all stakeholders should be governed by revised guidelines including those currently carved out of the HIPAA rule.
2. Uptick in Audits
Speakers also suggested there will be an increase in third-party audits to assure a culture of compliance within organizations and BAs. Audits currently conducted reveal four ongoing concerns in healthcare privacy and security:
- Lack of BA agreements
- Incomplete or inaccurate risk analysis
- Impermissible disclosure of PHI
- Recurring compliance issue—gaps from risk register not closed
Significant attention remains focused on network servers compromised by hackers and malware. However, smaller breach incidents where patterns are identified but no mitigation efforts occurred will also be investigated.
3. New Approach to BA Assessments
With regard to BA assessments, generic risk assessments completed by BAs at the request of covered entities (CEs) have become obsolete. A new approach suggests that BAs provide information specific to three aspects of risk:
- Describe delivery of the BA’s services
- Identify the BA’s risk components
- Detail how the BA works to close privacy and security gaps
In addition, HIPAA Summit attendees reiterated that best-practice criteria for vetting BAs include compliance with HITRUST and SOC 2 certification.
4. Push for Greater Patient Access to Health Information
From HIMSS to the HIPAA Summit in 2019, the healthcare industry is squarely focused on the patient. Patient engagement, patient satisfaction and patient access to health information are top goals for most healthcare provider organizations in the year ahead. Similar to a call for better patient access, heard during a December 2018 congressional briefing, summit presenters pushed for specific improvements for the healthcare consumer:
- Harmonize information across all states for easier patient access
- Give the patient (or directed requester) information from the designated record set (DRS)
- Ensure right of access to the requester (patient and/or their representative)—a primary audit focus with penalties associated with any type of information blocking or hindrance to obtaining health information
Unless providers have contacted the patient and the patient states otherwise, requests for information should be processed by the CE in accordance with existing guidance. Proper alignment of processes to policy helps mitigate breach risk when processing patient-directed requests (PDRs) for information. For example, a specific individual must be named to receive information.
Greater patient access to information is an important step to improve patient satisfaction and create positive patient experiences. In fact, it is one of three key results highlighted in a recent blog post about MRO’s partnership with Saint Luke’s Health System.
5. Interoperability Promotes Data Sharing, Streamlines the Business of Healthcare
My final takeaway from the HIPAA Summit 2019 was renewed emphasis on interoperability in an effort to streamline the business of healthcare—especially data sharing between providers and payers. Both the OCR and ONC have announced initiatives around interoperability. Two areas in particular were discussed.
Electronic claims. An electronic claims attachments rule was passed in 2012, but has not been widely adopted or enforced. Enforcement of electronic remittance advice (ERA) will reduce paperwork between providers and clearinghouses, with the potential to save $8 billion annually. Facilities will be reviewed for compliance via the “optimization program” versus process audits.
Health plans. Getting data back to health plans is vital to success under value-based reimbursement. Our patients are health plan members. We all have the same purpose—to improve the health of those we serve. Direct exchange of information between CE, provider and plan support this goal while streamlining processes across all stakeholders. The ability for patients to also contribute electronic health data for better patient care coordination is the industry’s audacious goal.
HIPAA was first signed into law in 1996. Today, 22 years and 28 HIPAA summits later, I still learn and advance in concert with healthcare industry changes. Keeping abreast of predictions, such as those listed above, ensures every healthcare professional gains the knowledge they need to deliver high-quality care while protecting privacy, security and patient access to health information.
MRO is committed to keeping our clients and the HIM industry up to date on the latest happenings. To receive updates from MRO when we release new blog posts, complete the form below. You can also learn more in our upcoming PHI disclosure management webinar series, which kicks off April 10, 2019 with a session focused on payer requests for medical records, including audits and reviews.
This article was originally published on the MRO Blog and is republished here with permission.