Over the last few years, a revolution in personal communications has occurred, and the widespread adoption of mobile devices by staff and patients alike has presented new challenges in healthcare and compliance. Texting is often the preferred way of communicating with patients, and practitioners are finding that texting and using mobile devices is far more flexible, convenient, and effective than paging and telephoning. 

Breaches of Protected Health Information are becoming more and more common, and can be a result of a variety of circumstances, from words  spoken too loudly in a public setting, to a lost thumb drive full of medical records, to files being held for ransom by hackers. Even Ransomware attacks by hackers may be reportable, if you lose control of your data and don’t know exactly what happened. If the evaluation of necessity to report is not done correctly, you may not make the right decisions about reporting and be subject to penalties for non-compliance upon an investigation of a breach by HHS. 

Managing health information can become an even more complex endeavor when it may involve substance use disorder treatment information. HIPAA allows a number of disclosures without consent that SAMHSA prohibits without consent. We will explain how HIPAA and 42 CFR Part 2 are similar and how they’re different, and discuss the latest guidance from HHS and SAMHSA about harmonization of HIPAA and 42 CFR Part 2, as well as recent changes to Part 2 and new legislation affecting the sharing of information for treatment when substance use disorder information is involved.The HITECH Act in 2009 enacted requirements to update the rules for Accounting of Disclosures under HIPAA, and HHS did propose a new rule, but it was unworkable and was withdrawn. A new rule is expected to be proposed in late 2018, and it may include changes to the Security Rule to support the new Accounting of Disclosures rule.The rules adopted in 2013 include the right of an individual to ask that their health plan not be notified if they pay out of pocket for services. This right has gone largely unused, but if ACA protections are removed for pre-existing and chronic conditions, this may become a widely used right that must be prepared for. Also on the horizon are changes to requirements for collecting a signature for the provision of the Notice of Privacy Practices and their not insignificant impacts, increasing use of externally provided Web-based services and management of access, especially in terminations, and the expectations for future audit and enforcement activity at HHS.

This session provides the HIPAA specialist a look at the key issues to watch for in HIPAA compliance, both as current issues and as ones that will be coming onto compliance officers’ radar over the coming months. Issues being wrestled with today include the use of mobile devices, texting for professional purposes, dealing with breaches, ransomware, and coordination with Substance Use Disorder information rules under SAMHSA and 42 CFR Part 2. Issues coming into focus now are long-overdue changes to the rules on Accounting of Disclosures, new stresses on rights to limit disclosures to health plans, potential changes to the management of Notices of Privacy Practices, managing termination of access to systems provided via the Web, and the future of HIPAA enforcement and audits. It is essential to understand the issues most likely to be faced in HIPAA compliance so you can respond to the current ones now, before you encounter a violation, and be prepared for the next ones on the horizon.