What the Proposed 2021 HIPAA Rules Mean for Health Data Management


As HIPAA turns 25, HHS has proposed, but not yet finalized, updates to the privacy and security rules that support patients’ rights and give providers relevant guidance. As digital health leader John Nosta explains: “The paradigm of digitalism is forged out of necessity. Technological adoption is emerging as an imperative that will transform medicine…” To that end, what are some considerations for health data and for those who manage it?

HIPAA 25th Anniversary

As the Health Insurance Portability and Accountability Act (HIPAA) celebrates its 25th birthday in 2021, a series of proposed but not yet finalized updates is under review at the U.S. Department of Health and Human Services (HHS). The well-known national standards were created in 1996 to protect the privacy and security of individuals’ health information, long before the digital health explosion. There were significant updates in 2013, and it is time once again to refresh.

Earlier HIPAA updates focused on basic privacy and security measures. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 then encouraged healthcare providers to adopt electronic health records and introduced the Breach Notification Rule. While HHS has issued guidance on interpreting and applying HIPAA and HITECH over the past 10 years or so, the proposed rules now under review focus on reducing the administrative burden on HIPAA covered entities, largely building on and expanding the 2013 updates.

The goal as stated by the HHS is to: “Address the regulations that impede care coordination and are part of a much broader regulatory reform effort.”

Updated Cybersecurity Safe Harbor Law Leads the Way for Updated HIPAA Rules

In January 2021, the HIPAA Safe Harbor bill, HR 7898, was signed into law. It directs HHS to take into account whether a covered entity or business associate had “recognized security practices” (such as the NIST Cybersecurity Framework or the HHS 405(d) Health Industry Cybersecurity Practices) in place for the 12 months prior to a data breach when it decides on fines, the length and extent of audits, and other remedies. As healthcare continues to be one of the most heavily attacked industries, the law offers meaningful mitigation of financial penalties and sanctions to organizations that can document those practices. The caveat for practitioners: it is a mitigating factor that HHS must consider, not an exemption, and the practices must be demonstrably implemented throughout the 12-month window, not merely adopted on paper.

A Brief Look at the HIPAA Privacy Updates in Review

The right of individuals to access their PHI was written into the Privacy Rule in 2000. The current proposed changes to the Privacy Rule are expected to be modest and focused on further aiding patient access to PHI, supporting data sharing, and alleviating some administrative burdens. The numerous HIPAA Privacy Rule updates under review include:

  • Patients can inspect their PHI in person and take notes or photographs of their records.
  • The time allowed to provide access to PHI shifts from 30 days to 15 days.
  • Covered health care providers and health plans may be required to respond to record requests from other covered providers when individuals direct those entities to do so by exercising their HIPAA right of access.

The 21st Century Cures Act isn’t part of the proposed HIPAA revisions, but it influenced them: the Cures Act focuses on the exchange of health information and prohibits information blocking. Its implementing rules therefore go hand in hand with the proposed HIPAA updates. For example, the ONC Cures Act Final Rule requires certified health IT developers to make secure, standards-based (HL7 FHIR) APIs available so patients can electronically access their health information and share it with a mobile application of their choosing, which directly supports the overall goals of the HIPAA revisions.

Relaxed Guidelines and Discretion About Penalties During COVID May Continue

There are also a variety of proposed updates prompted by the COVID-19 response. A few examples: the enforcement discretion extended to providers who delivered telehealth over non-public-facing consumer video platforms (such as FaceTime and Google Hangouts video), to those who participated in good faith in organizing community-based COVID-19 testing sites, and to those who shared PHI with the CDC, CMS, and state and local health departments for public health and health oversight activities in order to fight COVID-19 and save lives.

Updates to HIPAA Fines in Review

There may be adjustments to the penalties for HIPAA violations, which were changed in 2019 to provide more clarity around the annual limits for fines. The four-tiered approach, with its guidance on annual maximums, is:

  • Tier 1 – The entity did not know of the violation and, exercising reasonable diligence, would not have known: $100 – $50,000 per violation, with a maximum of $25,000 per year.
  • Tier 2 – Reasonable cause, not willful neglect (the entity knew or should have known of the violation): $1,000 – $50,000 per violation, with a maximum of $100,000 per year.
  • Tier 3 – Willful neglect of the HIPAA Rules, with the violation corrected within 30 days of discovery: $10,000 – $50,000 per violation, with a maximum of $250,000 per year.
  • Tier 4 – Willful neglect of the HIPAA Rules, with no effort made to correct the violation within 30 days of discovery: a minimum of $50,000 per violation, with a maximum of $1.5 million per year.

What Action Should Providers Take to Prepare for the Updated HIPAA Rules?

There’s never been a better time to take stock of the health data within your organization. As health data volumes continue to skyrocket, and the expectations for what must happen with that data continue to expand, it’s critical to have a lean and nimble operation that can run the healthcare marathon. It’s equally important not to be dragged down and left vulnerable by continuing to rely on outdated servers that are lugging around legacy health and business records.

Simply put, running legacy applications that leave your organization exposed to system failures and security breaches is not a best practice. Systems past end of support no longer receive security patches, so every known vulnerability in them stays open, and they are exactly the assets an attacker looks for first.

As a leading innovator of proven data management solutions, the Harmony Healthcare IT team of data experts has extracted, migrated, and retained billions of patient, employee, and business records from over 500 different clinical, financial, and administrative EHR and ERP software brands. That includes the major EHR brands you would expect, such as Allscripts, Cerner, CPSI/Evident, eClinicalWorks, Epic, GE, Greenway, Healthland, McKesson, MEDHOST, MEDITECH, NextGen and Practice Partner, as well as many smaller or custom-designed applications.

No matter which EHR platform you are using, our award-winning team is ready to talk about instituting a HIPAA-compliant, long-term record storage solution like HealthData Archiver® that can cut costs, fortify defenses, and streamline workflows for increased efficiency.

The momentum around the updated HIPAA guidelines, the upcoming enforcement of the Cures Act rules, and public expectations require more than a data management strategy. It’s time for action to ensure the protection of our nation’s PHI.

We’re ready to help.


Apr 29 2021
