
The healthcare industry is a fast-moving and rapidly changing environment, with cybersecurity and patient privacy as central topics and top priorities. Recently, the Federal Government enacted new HIPAA attestation requirements that can impact healthcare providers, insurers, law firms, and business associates. This article will explain the purpose of these new regulations, who they affect, and the key steps organizations must take to remain compliant. 

What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 to improve the efficiency and effectiveness of the healthcare system. It is particularly focused on establishing rules to protect the privacy and security of individuals’ health information.

What Are the New Federal HIPAA Attestation Requirements?

In December 2024, new federal requirements were adopted under which an attestation statement must be attached to health information requests that may include reproductive records. Any entity that requests sensitive patient health information must include this statement, signed and dated by the requestor. This rule was promulgated in 45 CFR 160 & 164.

Who is Affected by the New Requirements?

Healthcare Providers, Law Firms, Insurers & Business Associates

Hospitals, clinics, individual healthcare providers, law firms, insurers, and business associates must follow the new attestation rules, which require additional documentation (i.e., a statement or additional attestation authorization form) on top of current HIPAA authorization form requirements.

The Impact of Non-Compliance: What Happens if You Don’t Comply?

Custodians who house patient healthcare information can simply reject your request for information. This can cause delays in legal cases, insurance claims, and other interests, which could lead to legal consequences. Furthermore, requestors’ reputations may be damaged as organizations work to manage the new requirements. Improper request submission can disrupt custodians’ workflows. 

Steps to Ensure Compliance with the New Attestation Requirements

Review New Requirements

It is essential to review the new legislation requirements and establish a plan for any business updates or enhancements to currently established best practices and workflows. Identify gaps in current policies and plan to correct those inconsistencies to maintain compliance. Finally, regular security assessments should be conducted to ensure compliance with HIPAA.

Update Documentation

Once proper workflows and security assessments have been completed, integrate new documentation into workflows.

Training and Education

Be sure to highlight the importance of the new updates with staff and provide workforce training to ensure all employees understand the latest HIPAA requirements.

Create a Plan for Attestation Submission

You have several options for implementing the new requirements.  You can approach this process yourself or outsource to a reputable vendor who has the people, processes, systems, and resources to address this new process.  In either case, organizations must streamline the process to avoid any unnecessary delays or potential legal issues.

The Outsourced Solution

LCS is working diligently to position itself ahead of this new requirement and hedge against facility rejections. We have found that most providers will not release records upon request unless the requestor (i.e., requesting attorney) or party signs an Attestation Statement. LCS cannot sign on behalf of the requesting party or represent the person requesting the patient information. There are several options for signing the attestations and avoiding delays in the record retrieval process.

Option 1

LCS offers an e-signature option for the HIPAA Attestation form to streamline this process. By signing this form, firms grant LCS permission to apply the necessary job information (Name on Record, Facility Name, Date) to the form for all your current and future requests. You can access the e-signature form by clicking the link below:

HIPAA Attestation Letter – E-Sign Here

Once signed, we will complete the required details (Name on Record, Facility Name, Date) before submitting the requests to the respective facilities. The signed Attestation Statement will be used for:

  • Existing requests that face rejections due to this requirement, and
  • Future requests submitted by you.

Clients can discontinue using the signed form at any time.

Option 2

For those who opt not to use the general e-signature form, please note:

  • LCS will require a signed Attestation Statement for each request.
  • You can provide a signed form when placing your order, or LCS will create one and email it to you for signature after placing the order.
  • The completed and signed form must be returned to LCS before we can process your requests with the facilities.

For more information about the federal guidelines, please refer to the following links:

Model Attestation Form

Federal Register Announcement

Conclusion

We encourage organizations to stay informed on upcoming healthcare privacy and security trends.  It is important to remain proactive in adapting to future HIPAA regulation changes.  By keeping abreast of new federal requirements and how they impact healthcare organizations, law firms, insurers, and business associates, one can save considerable time, financial cost, and administrative headaches, maintain compliance, and avoid any potential legal issues.  LCS recommends organizations begin reviewing the new updates and implement the necessary steps as soon as possible.   Maintaining patient privacy and security is not just about compliance; it is about protecting patient privacy, maintaining patient trust and healthcare integrity, and avoiding disruptions in business continuity.