Verisma Academy recently hosted an informative webinar featuring Timothy Noonan, the Deputy Director for Health Information Privacy, Data, and Cybersecurity at the HHS Office for Civil Rights. The session provided attendees with crucial updates on the proposed rulemaking and guidance from OCR (Office for Civil Rights), shedding light on various aspects such as reproductive health, Part 2 records, and the use of tracking technologies. In this blog post, we’ll delve into the key takeaways from the webinar and explore the implications of these developments in the realm of healthcare information management (HIM).

Strengthening Privacy Protections for Reproductive Health:

One significant aspect discussed during the webinar was the Notice of Proposed Rulemaking (NPRM) regarding reproductive health. The primary objective of this proposal is to enhance privacy protections by restricting the use or disclosure of Protected Health Information (PHI) by regulated entities for investigations related to reproductive health care. To enforce this prohibition, the NPRM suggests that regulated entities obtain a signed attestation ensuring that the requested PHI is not intended for prohibited purposes. This attestation requirement applies to various circumstances, including health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. The comment period for this proposal ends on June 16, 2023.

Understanding the Impact on HIM and Release of Information Processing:

From an HIM perspective, numerous questions arise regarding the content of the attestation and its impact on the release of information processing. To gain more insights and details on this matter, interested individuals can refer to the official Federal Register document available here.

Transitioning from COVID-19 Telehealth Measures:

Timothy Noonan also provided updates on the conclusion of the COVID-19 health emergency with regards to telehealth. Attendees were reminded that personal health information (PHI) stored on mobile devices such as cell phones and tablets is not protected under HIPAA. This serves as a critical reminder for healthcare professionals to ensure appropriate safeguards are in place when handling PHI on personal devices.

Enhanced Coordination for Substance Use Treatment:

The webinar covered proposed modifications to 42 CFR Part 2 records, which deal with substance use and disorders. The objective of these modifications is to enhance coordination among providers involved in the treatment of substance use, thus reducing existing challenges. By potentially increasing patient protections regarding the disclosure of records, these changes aim to prevent discrimination in treatment. More information on the proposed modifications can be found here.

Understanding Online Tracking Technologies and Protecting ePHI:

Another crucial topic discussed in the webinar was the use of online tracking technologies, such as Google Analytics and Meta, on entity websites or apps. Attendees were reminded that using tracking technologies in a manner that leads to impermissible disclosures of electronic Protected Health Information (ePHI) to tracking vendors is strictly prohibited. The webinar provided insights into the nature and usage of tracking technologies, as well as the necessary steps that regulated entities must take to safeguard ePHI. For additional information, visit the OCR’s website here.

Escalating Breach Incidents and the Need for Robust HIPAA Security:

The number of PHI breaches has seen a concerning increase, with hacking breaches accounting for a significant portion. In 2022 alone, there were 712 reported breaches, a sharp rise from 369 in 2018. Hacking incidents accounted for 49% of all breaches in 2022, and from January 1 to April 30, 2023, hacking incidents constituted a staggering 67% of all breaches. Moreover, during the same period, there were 559 breaches affecting 400 or more individuals, with 57% being network server-related and 21% related to email. These alarming figures highlight the urgency for organizations to fortify their security measures and conduct regular HIPAA security assessments to identify and mitigate risks.

Looking Ahead and Staying Informed:

While the finalization of the HIPAA NPRM and its potential impact on turnaround times and other significant changes remains uncertain, organizations should stay updated and watch for the upcoming Spring Unified Agenda release, which may offer more clarity. In the meantime, the industry must stay vigilant about evolving areas such as reproductive health, Part 2 records, and HIPAA security to ensure compliance and protect sensitive health information.

Verisma Academy’s webinar featuring Timothy Noonan shed light on the latest proposed rulemaking and guidance from OCR regarding HIPAA. Attendees gained valuable insights into reproductive health privacy protections, substance use records modifications, the usage of online tracking technologies, and the increasing importance of robust HIPAA security measures. In this dynamic healthcare landscape, it is crucial for organizations to stay informed, adapt to changing regulations, and prioritize the protection of patients’ health information.

Verisma Academy

The recording of this event is available on-demand and CEU-eligible through May 2024.