HIPAA Penalty Changes

January 11th, 2021 - Wyn Staheli, Director of Research

One of the ongoing problems facing healthcare organizations today is HIPAA breaches. Cyber attacks are occurring with increasing regularity and placing an even greater burden on already overwhelmed healthcare providers. Regardless of how many steps you take to try to prevent breaches, they happen. Unfortunately, the HITECH provisions don’t seem to consider that healthcare organizations that have been breached are often victims themselves. Those who have followed the rules should not be penalized the same as those who have not. A new law aims to correct that situation.

On January 5, 2021, H.R. 7898 was signed into law by President Trump. This new law modifies the HITECH Act such that when an organization experiences a breach, fines and/or penalties may be reduced if the organization has had “recognized security practices,” as defined within the law, in place for at least a year. The length of an audit may also be reduced. It should be noted that if the covered entity was NOT in compliance with these practices, HHS can NOT increase audit lengths, fines, and penalties.

The law defines “recognized security practices” as (emphasis added):

“... standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities. Such practices shall be determined by the covered entity or business associate, consistent with the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title)”

John Riggi, the American Hospital Association’s senior advisor for cybersecurity and risk, stated that “The law provides the right balance of incentivizing voluntary, enhanced cybersecurity protocols in exchange for regulatory relief and recognition that breached organizations are victims, not the perpetrators.”

This new law is to be effective “as if included in the enactment of the 21st Century Cures Act (Public Law 114-255).” It should be noted that implementation of the 21st Century Cures Act was delayed again in relation to the COVID-19 Public Health Emergency. There are different implementation dates within the Cures Act for different provisions of the law. At the time of publication, it appears that the effective date for H.R. 7898 provisions will be April 5, 2021, when the information blocking and communication requirements take effect.

Since we are at the start of a new year, now is a great time to begin coming into compliance with HIPAA Security rules by starting with a Security Risk Assessment. You can download a free Security Risk Assessment Tool from HealthIT.gov to get started, but keep in mind that this is only one component of HIPAA Security requirements. See the References section below and innoviHealth’s Complete & Easy HIPAA Compliance publication for more information.

