HIPAA enforcement ebbs and flows, but I anticipate an increase in HIPAA fines in 2021. This pattern has already begun with a significant number of HIPAA actions occurring at the end of 2020 in connection with a patient’s right to access their medical records.
In addition, the Secretary nominee of the Department of Health and Human Services (HHS) has a background that leads us to believe that he will enforce HIPAA rules more strongly than his predecessors. As Attorney General of California, this HHS nominee has a law enforcement background and a history of HIPAA enforcement actions against covered entities. In other words, he has shown a willingness to hold covered entities accountable for their obligations under the law.
Some other big changes that could lead to increased HIPAA fines in 2021 are centered around how HHS exercises enforcement discretion. During the COVID-19 pandemic, the HHS has not enforced HIPAA to the full letter of the law for new telemedicine technologies that have been implemented. They’ve done this intentionally, of course, so that they wouldn’t stand in the way of innovations that could be used to help put an end to the global pandemic. As a result, many organizations have begun using non-compliant video conferencing technologies, text chatting technologies, and scheduling technologies without having the business associate agreement that is typically required.
However, once the pandemic begins to subside — hopefully in 2021 — the HHS is expected to enforce HIPAA rules once again to their fullest extent, which may catch many organizations by surprise if they are still in non-compliance.
The best way for your health organization to “future-proof” itself against changing enforcement standards is by simply stepping up your cybersecurity best practices and standards.
For a roadmap back to full compliance, talk to a Matterform risk analyst today about your telemedicine practices.