Billing Beat

Important Highlights from the NIST/OCR HIPAA Security Conference Last Week

November 7, 2019

In his keynote for the conference, OCR Director Roger Severino raised several important issues regarding the ongoing work of HHS with regard to HIPAA:

  • HHS is considering whether “future billing information” should be considered protected health information (PHI) under HIPAA, for purposes of access, such that health care providers would have to provide the information pursuant to the right of access to avoid surprise billing.
  • HHS is prioritizing the upcoming HIPAA Notice of Proposed Rulemaking (NPRM) as part of the “Regulatory Sprint to Coordinated Care,” particularly with regard to potentially requiring health care providers to share PHI for treatment, expanding the “definition” of “threat to health and safety” to address individuals in crisis due to opioids, and removing the burden of the acknowledgement of Notice of Privacy Practices.
  • With regard to OCR’s recent Health App FAQs, Director Severino said that health care providers “don’t have to open doors to malware or viruses, don’t need a BAA to send PHI pursuant to a request from the patient,” and are “not liable as a covered entity for what happens to the PHI once the PHI goes to that app, unless the app is working on behalf of the covered entity.” He also mentioned that in some cases, with regard to use of these apps by patients, “buyer beware for patients.”

With regard to the recent Executive Order regarding non-binding, sub-regulatory guidance, Director Severino stated, in response to a question, that the HIPAA access guidance provides the $6.50 “safe harbor,” which is one of several options and not a requirement; as such, the access guidance, like all of OCR’s sub-regulatory guidance, does not impose any new requirements on entities and is not in need of revision.

Source: https://www.jdsupra.com/legalnews/important-highlights-from-the-nist-ocr-57967/
