Changes Proposed to Healthcare Privacy Rules

Posted on March 11, 2021January 5, 2022

AAFCPAs would like to make healthcare clients aware that the Department of Health & Human Services’ Office for Civil Rights (DHHS OCR) proposed new regulations to modify the Standards for the Privacy of Individually Identifiable Health Information (Privacy Rule) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). These modifications address standards that may impede the transition to value-based health care by limiting or discouraging care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers) or posing other unnecessary burdens. The proposals address these burdens while continuing to protect the privacy and security of individuals’ protected health information.

The current HIPAA Rules have not been updated since 2013, when the HIPAA Omnibus Rule was enacted.

The Notice of Proposed Rulemaking (NPRM) issued by DHHS includes, but is not limited to, changes for:

Individual Right of Access
Reducing Identity Verification Burden for Individuals Exercising the Right of Access
Clarifying the Scope of Covered Entities’ Abilities to Disclose PHI to Certain Third Parties for Individual-Level Care Coordination and Case Management that Constitutes Treatment or Health Care Operations
Encouraging Disclosures of PHI When Needed to Help Individuals Experiencing Substance Use Disorder
Eliminating Notice of Privacy Practices Requirements Related to Obtaining Written Acknowledgment of Receipt, Establishing an Individual Right to Discuss the NPP with a Designated Person, Modifying the NPP Content Requirements, and Adding an Optional Element

These proposed changes include exceptions related to the penalties that are given for HIPAA, specifically the sharing of PHI for telehealth during COVID-19.

In addition, new guidelines on the sharing of Protected Health Information (PHI) data and the violation penalties that were proposed in 2019 are expected to take effect sometime in 2021 according to HIPAA Journal.

AAFCPAs advises clients to review the proposed changes and determine how these may impact your current processes for patient care.

If you have questions, please contact Mr. Anderson at manderson@nullaafcpa.com; Courtney McFarland, CPA, MSA, at 774.512.4051, cmcfarland@nullaafcpa.com; or your AAFCPAs Partner.

About the Authors

Mr. Anderson, MCSE, CCNP, CISSP, CEH

Mr. Anderson is a “white hat” ethical security hacker and business continuity advisor with extensive experience in the development & implementation of security-focused audit and control programs. He is highly sought-after for his expertise in Cyber Security & Technology Assessments, including: security architecture reviews; penetration/vulnerability testing; business resiliency, disaster recovery and other remediation strategies; hardware system selection and configuration; cloud application security reviews; and wireless security assessments. Mr. Anderson has a deep understanding of industry standards and …

Courtney McFarland, CPA, MSA, 340B ACE

Courtney is an audit & consulting partner in the firm’s Healthcare Practice with extensive experience advising the nation's healthcare safety net community, including Federally Qualified Heath Centers (FQHCs), clinics, and behavioral health providers. She delivers a full range of solutions solving the challenges that AAFCPAs’ healthcare clients face, including: audits in accordance with Uniform Guidance/Single Audit and Government Auditing Standards, 340B pharmacy program requirements, best practices for reconciliation & analysis of statistical and programmatic data, …

Related Insights

Navigating New York Medicaid Reimbursement: A Strategic Approach for FQHCs

Like many Federally Qualified Health Centers (FQHCs) across the country, New York’s centers are grappling with increasingly constrained budgets and rising staffing costs, making Medicaid reimbursements more critical than ever to sustaining their services. New York’s Medicaid system offers a key opportunity, providing FQHCs with the ability to apply for supplemental payments that cover costs […]

New UDS+ Reporting Requirements Announced for Health Centers

Health centers have long been required to submit a Uniform Data System (UDS) report to the Health Resources and Services Administration (HRSA) by February 15 each year. However, AAFCPAs would like to ensure FQHC clients are aware HRSA introduced a new requirement, the UDS+ filing due by April 30, 2025, for calendar year 2024 data. […]

IRS Launches Second Employee Retention Credit Voluntary Disclosure Program

AAFCPAs would like to make clients aware that the Internal Revenue Service introduced its second Employee Retention Credit (ERC) Voluntary Disclosure Program, which runs until November 22, 2024. This initiative allows businesses to correct improper ERC payments at a 15 percent discount and avoid future audits, penalties, and interest. Under this program, businesses will need […]