Latest HIPAA Rulings and Guidance for 2022

90 Minutes
Jim Sheldon-Dean


The rules having to do with patient access of records need to be reflected in every health care-related organization’s policies and procedures. The guidance provides clear and detailed information on how to provide access, what can be charged for in fees, and what the individual’s rights are when it comes to access of information. The rallying cry for easy patient access and transfer of information increases daily and is no longer escapable. The proposed changes to the HIPAA Privacy Rule would put into regulation the access guidance, and provide new avenues for patients to request copies of their records be sent to their current providers.

At the same time, a recent Federal court decision has changed some of the aspects of the individual access rules pertaining to transmitting records to third parties at the request of the individual. Additionally, HHS has issued guidance when HIPAA Business Associates are involved, regarding the responsibility for the timing, and form and format of replies to requests for access, and the responsibilities for compliance with the fee requirements.

Social distancing to help prevent the spread of the novel coronavirus is effective, but patient care has typically required a face-to-face encounter, which can cause the spread of the virus as infected individuals travel to and from appointments. It is essential to be able to provide telemedicine services in order to reach the most individuals without risking more harm. HHS has announced the relaxation of enforcement pertaining to the use of teleconferencing technologies to provide remote medical services, allowing the use of such services to expand quickly, but limits on "public-facing" conferencing technologies remain. Providers need to adopt the necessary technologies without fear of HIPAA violation enforcement actions during the COVID-19 Emergency and must understand the limits of what is permitted in order to best serve patients and their families.

HHS has also issued guidance to remind healthcare providers of the allowances for communications with family and friends, with disaster relief organizations, and to prevent a serious and imminent threat to the health or safety of individuals or the public, as well as relax enforcement where necessary to provide data from HIPAA Business Associates to public health authorities, and to allow community COVID-19 testing sites to operate as necessary.

This session will discuss the issues surrounding the use of various communication technologies under HIPAA controls, and the recent guidance and declarations from HHS about HIPAA and the response to COVID-19, including a discussion of Business Associate responsibilities for compliance under new guidance from HHS. The session will prepare organizations for the impacts of likely rule changes in areas such as Accounting of Disclosures, the Notice of Privacy Practices, cell phone communications, and new technologies. New rules expected for Accounting of Disclosures will be explored and their expected futures and impacts will be discussed, and impacts of changes to 42 CFR Part 2 and controls on information relating to substance use disorders will be explained.


  • Overview of HIPAA Regulatory Expectations
    • New Regulatory Directions
    • Rule Modifications and Guidance on the COVID-19 Pandemic
    • Overdue Regulatory Action
    • Court Ruling Limiting Regulations
  • Issues in Individual Access of Records under HIPAA
    • New Emphasis on Enforcement of Individual Access Rules
    • New Court Ruling Limiting Third-Party Access Requests
    • New Limitation of Business Associate Liability for Compliance
  • HIPAA Accounting of Disclosures Changes
    • Current Accounting of Disclosures Requirements
    • Required Changes and Difficulties Implementing Them
    • Likely Regulation to be Proposed
  • Potential Rules Changes
    • Acknowledgement of Receipt of Notice of Privacy Practices
    • TCPA and Cell Phone Communications
    • Getting Back to Normal After the Pandemic Emergency
  • HIPAA Controls and New Technologies
    • Difficulty in Managing Privacy
    • Calls for HIPAA Expansions

Why Should You Attend:
This session will look at the current state of HIPAA and identify recent guidance and court decisions affecting HIPAA, as well as expected changes in the rules in the coming year, and the focus and results of various HIPAA enforcement actions.

Over many years, the heads of the US DHHS have indicated that patient access of information is a key priority in order to improve the health of the nation. Patient rights under HIPAA have been expanded to include several rights of access, and detailed guidance has been issued on access of records. And more than two dozen of the most recent HIPAA enforcement actions were against entities that did not provide patient access to records properly. HHS is now using HIPAA Individual Access Rights to effectively implement new rules on prohibitions to Data Blocking, and the proposed changes to the HIPAA Privacy Rule will codify the current guidance on compliance.

The COVID-19 Emergency has created new demands on communications, and has made clear the need to provide services remotely to the extent possible. Providers need to communicate more, between themselves and with their patients, and the time to implementation of new services to meet these needs is almost zero, leaving no room for the usual processes of approval and adoption that health care is used to. In order to facilitate the delivery of services and necessary communications during the emergency, the US Department of Health and Human Services has issued guidance relaxing some HIPAA requirements pertaining to teleconferencing tools and reiterating HIPAA allowances for communication with family and friends of patients.

Areas Covered in the Session:
  • Understand the guidance and apply the HIPAA rules on providing information under the regulations for individual requests for PHI
  • Know the extent of the limitations on the fees charged to individuals for access of their records, and the new changes according to a Federal Court ruling
  • Understand how individual requests to direct their information to a third party are treated differently, and differences when paper vs. electronic records are requested
  • Know what parties are responsible for compliance with the timeliness, form, and format requirements for individual requests, and what parties are responsible for the fee requirements for individual requests of PHI
  • See how entities that have not managed individual access properly have been sanctioned by the US Department of Health and Human Services
  • Understand how the new rules on data sharing work with the HIPAA individual access rules, and how the rules may be updated under the proposed changes
  • Learn about communication needs during the Emergency
  • Find out about the types of Telemedicine and Teleconferencing technology, and HIPAA requirements
  • Learn about the Relaxation of Enforcement of some HIPAA rules to facilitate communication
  • Find out about the rules for permitted communications with Family and Friends of patients
  • See how HIPAA allows communications that are necessary in First Response circumstances, disclosures to Disaster Recovery agencies, and disclosures to Prevent a Serious and Imminent Threat

Who Will Benefit:
  • CEO
  • HIPAA Privacy Officers
  • HIPAA Security Officers
  • Information Security Officers
  • Risk Managers
  • Compliance Officers
  • Privacy Officers
  • Health Information Managers
  • Information Technology Managers
  • Information Systems Managers
  • Medical Office Managers
  • Chief Financial Officers
  • Systems Managers
  • Chief Information Officer
  • Healthcare Counsel/lawyer
  • Operations Directors

Speaker Profile
Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities.

Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C.

Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master's degree from the Massachusetts Institute of Technology.
