HIPAA Compliance: Highlights from 2020 and Focus Areas for 2021

2020 was an active year for HIPAA regulatory activity by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In this article, we take a look at some of the HIPAA highlights from 2020 and offer thoughts about potential compliance focus areas for 2021.

HHS OCR Enforcement – Right of Access Initiative

2020 Highlights

Amid a challenging year, OCR announced a record 19 HIPAA resolution agreements in 2020, the most ever announced in a single year. Notably, roughly two-thirds of those enforcement actions were brought pursuant to OCR’s HIPAA Right of Access Initiative (the “Initiative”). The remaining enforcement actions dealt with familiar privacy and security issues such as breaches of protected health information (PHI) and failure to comply with the HIPAA Security Rule requirements.

The purpose of the Initiative is to “vigorously enforce” the HIPAA regulations which provide patients the right to access and obtain copies of their PHI promptly and subject to certain fee limits. As of mid-January, OCR has reached a total of 14 settlements pursuant to the Initiative since it was launched in September 2019. Settlements under the Initiative have ranged from $3,500 to $200,000. While these settlements are relatively small dollar amounts in comparison to many other HIPAA settlements (often six or seven figures), they underscore OCR’s commitment to the Initiative and to ensuring patients’ right of access. One element of the Initiative settlements of particular note is that they have been reached with entities of all sizes, from large health systems to solo practitioners. In a press release related to a recent Initiative settlement, outgoing OCR Director Roger Severino emphasized that “providers of all sizes need to respect the right of patients to have timely access to their medical records.” For our prior discussion of selected Initiative settlements, see here, here, and here.

2021 Compliance Takeaway

In light of the numerous settlements resulting from the Right of Access Initiative and the range of providers affected, covered entities of all sizes should ensure they have processes in place to provide timely responses to patient requests for health records.

Ciox and Changes to HIPAA Fee Limits

2020 Highlights

In a development that was overshadowed by the COVID-19 pandemic, the U.S. District Court for the District of Columbia in February 2020 vacated controversial portions of the HHS regulations and guidance regarding access and copy fees for third-party requests for PHI. Specifically, the Court vacated HHS’s 2013 rule compelling delivery of medical records to third parties regardless of the records’ format (instead dialing it back to align with the statutory scope of the HITECH Act, which is limited to electronic health records), and also vacated the 2016 guidance which applied strict HIPAA fee limits to records delivered to third parties pursuant to a patient-directed request. Our previous discussion of the decision can be found here.

2021 Compliance Takeaway

Although not formally linked, it seems likely that the increased activity under the Initiative was influenced by the Ciox decision. Further, the 2020 Proposed Rule (discussed below) clearly incorporates elements responsive to Ciox. As an immediate matter, covered entities and their business associates should ensure they understand the ways that HIPAA regulates charging fees for copies of PHI, if they have not done so already. As a prospective consideration, they should monitor for continued enforcement and development under the Proposed Rule.

COVID-19 Temporary Enforcement Discretion

2020 Highlights

Last year, in light of the challenges caused by the COVID-19 pandemic, OCR issued various notices of sub-regulatory guidance stating that it would exercise “enforcement discretion,” i.e., temporarily waive sanctions and penalties, for failure to comply with certain HIPAA requirements.

To date, OCR has issued four notifications of enforcement discretion, with the most recent announced on January 19, 2021. It states that OCR will exercise HIPAA enforcement discretion toward covered entities and their business associates for the good faith use of non-public facing online or web-based applications to schedule COVID-19 vaccination appointments. The notice points out that a non-public facing web-based scheduling application does not include appointment scheduling technology that connects directly to electronic health record systems used by covered entities. In 2020, OCR issued three other notifications of enforcement discretion; they apply to the use of telehealth (read our discussion here), business associates’ use of PHI for public health or health oversight activities (read our discussion here), and the operation of community-based COVID testing sites (read more here).

All four notifications of enforcement discretion will remain in effect “until the Secretary of HHS determines that the public health emergency [PHE] no longer exists, or upon the expiration date of the public health emergency…whichever occurs first.”

2021 Compliance Takeaway

Covered entities and business associates conducting activities covered by these notices should keep a close eye on the PHE, and be prepared to transition back to normal operations swiftly and efficiently, as it is not clear whether there will be a grace period following the PHE before return to normal operations is expected.

Proposed Rule

2020 Highlights

In December 2020, OCR announced a Notice of Proposed Rulemaking (“Proposed Rule”) which would make modifications to the HIPAA Privacy Rule. As we previously discussed, the Proposed Rule would make a number of changes to the HIPAA Privacy Rule, many of which would require operational changes by covered entities including, but not limited to, shortening the time to respond to patient requests to access records and changing the content of the Notice of Privacy Practices.

2021 Compliance Takeaway

The Proposed Rule was published in the Federal Register on January 21, 2021. Providers interested in submitting comments on the Proposed Rule must do so on or before March 22, 2021. As the rulemaking process progresses, covered entities and business associates will need to consider how it will impact their operations.

New Administration

2020 Highlights

As with any change in administration, it is possible that there may be changes to HHS’s regulatory focus or enforcement approach. It remains to be seen how the new Biden administration will impact HIPAA enforcement and the Proposed Rule in the coming year, but it may be worth noting that President Biden’s nominee for Secretary of Health and Human Services, Xavier Becerra, oversaw the implementation of the California Consumer Privacy Act (CCPA) in 2020 as Attorney General of California. The CCPA is a comprehensive data privacy law that provides California residents certain rights and protections regarding their personal information, and Becerra’s involvement demonstrated his support for strong data privacy protections for consumers.

2021 Compliance Takeaway

While the direct impact of the new administration and a Becerra confirmation on OCR’s HIPAA enforcement is not yet clear, it might signal that we can expect to see a continued focus on strong enforcement.

Conclusion

2020 saw significant HIPAA regulatory activity. Much of this activity was responsive to the COVID-19 pandemic, but significant portions were unrelated to the PHE—e.g., the Ciox decision, the ramp-up of the Initiative, and the Proposed Rule. As 2021 progresses, there will be much to monitor for covered entities and business associates. For more information or for assistance in assessing how the 2020 highlights specifically may affect your organization in 2021, please contact Madison M. Pool or Erin E. Doyle.