In an "Expert's View" blog post for GovInfoSecurity, attorney David Holtzman laid out three HIPAA issues to watch in 2019.
Mr. Holtzman says healthcare organizations should keep an eye on the following topics this year regarding HIPAA:
1. The California Consumer Privacy Act: Although the law doesn't take effect until January 2020, healthcare organizations and their business partners are already preparing to meet its heightened privacy standards. The law expands privacy protections for businesses that collect Californians' personal information in both the physical and digital world. The law gives consumers new rights to their data, and Mr. Holtzman said it will pose a compliance challenge for companies not covered by the law.
"The California law was poorly drafted and hastily passed, with large parts containing undefined or contradictory terms. We will have to carefully monitor how the California legislature and attorney general resolve the law's conflicts and ambiguities," he wrote.
2. Individual state actions on healthcare privacy laws: In 2018, states brought data breach enforcement actions under both HIPAA and state laws, but a recent Pennsylvania Supreme Court ruling could allow even greater protection for data breach victims, according to Mr. Holtzman.
"We'll be watching to see if state legislatures and attorneys general continue the trend toward taking action to protect health information that would not be protected by HIPAA and enforce these requirements for data held by any entity, anywhere. We'll also be on the lookout for lawsuits seeking to apply the Pennsylvania Supreme Court's legal reasoning on the duty to safeguard [personally identifiable information]," he wrote.
3. Possible HIPAA changes: HHS' Office for Civil Rights issued a request for information in December about existing HIPAA provisions that may limit or discourage information sharing. OCR's goal is to update HIPAA in a way that allows information sharing to better coordinate care and support patients' ability to access protected health information.
"My sense is that HHS is responding to a significant push from the healthcare and tech industries to lighten up on one of the few areas in which consumers have a federally protected right to privacy and control over their personal information," Mr. Holtzman wrote. "We'll see if this leads to concrete proposals that could modify the definitions of the types of PHI that can be disclosed without patient authorization to organizations that are not covered by the HIPAA rules."