New HIPAA Regulations 2024

New HIPAA Regulations 2023-2024. HIPAAGuide.net

New HIPAA regulations are published more often than many people realize; and, because the new regulations may impact only a small number of covered entities or business associates, they generally go unnoticed. However, in recent years, there has been a number of Notices of Proposed Rulemaking (NPRMs) published in the Federal Register, and many of these are likely to evolve into new HIPAA regulations in 2024.

It is important for covered entities and business associates to keep up to date with HIPAA changes because a lack of knowledge is not an excuse for an avoidable HIPAA violation. It should also be noted that, in a December 2023 Security Rule “Concept Paper”, the Department of Health & Human Services (HHS) stated it intends to ask Congress for more resources to investigate alleged violations of HIPAA and for an increase in fines for HIPAA violations.

Not All Recent HIPAA Changes have been Minimal

Some recent changes to HIPAA – or associated laws – have applied to all covered entities and business associates. For example, since 2016, HHS has published new HIPAA regulations that increase the minimum and maximum penalties for violations of HIPAA each year to account for inflation.

Another example of a regulatory change that applies to all covered entities and business associates is the 2021 amendment to the HITECH Act. The amendment instructed HHS’ Office for Civil Rights to consider an entity’s compliance with a recognized security framework when determining the scale of a corrective action plan and/or the amount of a civil monetary penalty for a violation of HIPAA.

Other Rule Changes that Affect HIPAA Compliance

Rule changes that affect HIPAA compliance can happen at both the state and federal level. For example, when the Texas Medical Privacy Act was amended by HB 300, covered entities that collect, receive, use, or transmit PHI relating to Texas citizens have to consider the increased patients’ rights and fewer permissible disclosures under the Texas law when HB 300 preempts HIPAA.

Other non-HIPAA rule changes can affect covered entities nationwide. The best example of this is the changes to 42 CFR Part 2 in 2017 and 2020 (“The Confidentiality of Substance Use Disorder Patients Records”). These changes applied different permissible uses and disclosures to SUD patient records – effectively introducing a two-tier system for the privacy of some Protected Health Information.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

In February 2024, HHS attempted to mitigate the two-tier system by publishing a Final Rule more closely aligning the requirements of the Privacy Rule with the Confidentiality of SUD Patients Records. The new Final Rule includes measures allowing re-disclosures of Part 2 records by HIPAA-covered entities provided the disclosures are permitted by the HIPAA Privacy Rule, aligning SUD Patient Notices with HIPAA Notices of Privacy Practices, and requiring breach notifications consistent with the requirements of the HIPAA Breach Notification Rule.

HIPAA Changes Attributable to Advancing Interoperability Initiative

There have also been several rule changes to Chapter IV of the Public Health Code – particularly with regards to HHS’ Advancing Interoperability initiative. Some of the changes affect HIPAA-covered entities inasmuch as covered entities will be required to implement a Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a covered entity.

The requirements of the “CMS Interoperability and Patient Access” Final Rule (85 FR 25510) not only has implications for complying with Privacy Rule standards relating to patients’  rights but also for complying with Security Rule standards relating to risk analyses. HHS’ Office for Civil Rights will consider it a violation of HIPAA to deny a patient access to their PHI via an app unless it can be demonstrated that a risk exists to the confidentiality, integrity, and availability of electronic PHI.

New HIPAA Regulations 2024

In addition to the non-HIPAA Rule changes, HHS’ Office for Civil Rights is still considering multiple proposed modifications to the Privacy Rule first announced in 2021 (OCR-0945-AAOO). The proposed modifications to the Privacy Rule include:

  • Permitting disclosures of PHI when needed to help individuals with substance use disorder, serious mental illness, and in emergency circumstances.
  • Permitting disclosures of PHI for individual-level care coordination and case management (to avoid confusion whether consent is required).
  • Creating an exception to the Minimum Necessary Standard for disclosures of PHI for individual-level care coordination and case management.
  • Strengthening individuals’ access rights to inspect and obtain copies of PHI and reducing the time allowed to respond to access requests to 15 days.
  • Addressing the form of PHI access to include individuals’ personal health applications and transfers of PHI to third parties via a Patient Access API.
  • Reducing the requirements for verifying the identity of an individual exercising their access rights so the individual does not experience an “unreasonable burden”.

The final two proposals will likely send shivers down the spines of compliance officers concerned about unsecured, unencrypted apps with significantly reduced verification requirements remotely accessing PHI. However, in a subsequent proposed interoperability rule (87 FR 76238), HHS commented that covered entities can only warn patients apps are unsecured – they cannot block access to PHI “absent an unacceptable security risk to the covered entity’s own system”.

While this seems to contradict the objectives of the Security Rule (“to protect individuals’ electronic PHI [and] ensure the confidentiality, integrity, and security of electronic PHI”), HHS has stated the proposed new HIPAA regulations for 2024 do not increase the risk of a HIPAA security breach because, if PHI is breached in transit or at rest once it has left the covered entity’s servers for a permissible use or disclosure, the vendor of the app to whom PHI is transmitted is liable.

Further New HIPAA Regulations 2024

In addition to the proposed modifications to the Privacy Rule and adjustments to the CMS Interoperability and Patient Access Final Rule, CMS has also proposed the addition of three new transaction codes for healthcare attachment transactions. While these new HIPAA regulations will not affect many covered entities or business associates, the Proposed Rule (87 FR 78438) stipulates HIPAA e-signature requirements for when the transaction codes are used.

The significance of stipulating HIPAA e-signature requirements is that electronic signatures are used in a number of healthcare transactions – not only those covered by the transaction and code sets rules in Part 162, but also for activities such as digitally signing Business Associate Agreements, acknowledging receipt of a Notice of Privacy Practices, remotely authorizing uses and disclosures of PHI not permitted by the Privacy Rule, and e-prescribing.

If the HIPAA e-signature requirements are more widely adopted throughout the HIPAA Administrative Simplification Regulations, the new HIPAA regulations could – in theory – be applied to patients connecting to covered entities’ Patient Access APIs via personal health apps. This could potentially resolve the issue of verifying patient ID without unreasonable burden to – at the least – ensure the person connecting to the Patient Access API is who they claim to be.

HIPAA Privacy Rule Changes Concerning Uses and Disclosures of Reproductive Health Information

Due to the time it takes for a Notice of Proposed Rulemaking to become a Final Rule, it was looking unlikely that the most recently proposed HIPAA Privacy Rule changes would come into force until late 2024, however, the Office for Civil Rights announced a final rule on April 22, 2024. The proposed changes (in 88 FR 23506) relate to reproductive healthcare information and how they can be used or disclosed in civil, criminal, or administrative proceedings involving out-of-state terminations.

Following the decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization that overturned Roe v. Wade and removed the federal right to an abortion, many states introduced laws that prohibit or restrict access to abortion care. As a result, women in those states who seek abortions are required to travel out of state to a more permissive state to receive the care they need where it can be legally provided. There are fears that authorities in states with abortion bans or restrictions may seek to prosecute the women who obtain that care and the healthcare professionals who facilitate or legally provide abortion care. The HHS believes that the risk of disclosure of reproductive health information may discourage patients from sharing important health information with physicians, which could negatively impact the level of care they receive. Because of this risk, the agency has updated the HIPAA Privacy Rule to strengthen reproductive health information privacy.

The reproductive health care final rule creates a new definition for “reproductive health care” which is defined as “health care [as currently defined under HIPAA] that affects the health of an individual in all matters relating to the reproductive system and to its functions and processes.” When an individual is seeking, obtaining, providing, or facilitating reproductive health care, and that health care is lawful in the state it is provided, a covered entity or business associate must restrict the uses and disclosures of that information. Due to the broad definition of reproductive health care, the new limitations apply to other pregnancy-related events such as contraception, miscarriages, and fertility treatment.

The Final Rule:

  • Prohibits the use or disclosure of PHI when it is sought to investigate or impose liability on individuals, health care providers, or others who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which such health care is provided, or to identify persons for such activities.
  • Requires a regulated health care provider, health plan, clearinghouse, or their business associates, to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for these prohibited purposes.
  • Requires regulated health care providers, health plans, and clearinghouses to modify their Notice of Privacy Practices to support reproductive health care privacy.

The Final Rule takes effect on June 25, 2024, and the compliance date is January 1, 2025, for all requirements of the Final Rule apart from updates to notices of privacy practices, the compliance date for which is February 16, 2026.

The December 2023 Security Rule Concept Paper

In December 2023, HHS published a Concept Paper outlining a cybersecurity framework to improve cyber resiliency and better protect patient data. At the heart of the framework is a plan to develop “voluntary” cybersecurity goals and incentivize healthcare providers to adopt best practices to help them reach Cybersecurity Performance Goals (CPGs).

Healthcare providers hoping for an incentivization program similar to the Meaningful Use program will be disappointed to learn that new HIPAA regulations will be added to the Security Rule, and the incentive for complying will be the avoidance of civil monetary penalties and continued participation in the Medicare program. However, to ease the burden on low-resourced healthcare providers, OCR has requested funds to provide financial assistance to help those healthcare providers implement the CPGs.

The HHS has also indicated a HIPAA Security Rule update will be proposed in 2024 (expected Spring 2024). The update will be subject to the usual notice requirements, so it is likely to be at least 2025 before the revisions to the HIPAA Security Rule will take effect, and HIPAA-regulated entities will be given a grace period to ensure compliance.

As discussed in the introduction to this article, HHS intends to ask Congress for more resources to investigate alleged violations of HIPAA and an increase in fines for HIPAA violations above the annual adjustments for inflation. Also as discussed in the introduction to this article, a lack of knowledge of the new HIPAA regulations is not a justifiable excuse for an avoidable HIPAA violation.

FTC Publishes Final Rule Updating the Health Breach Notification Rule

While the HHS’ Office for Civil Rights, Centers for Medicare and Medicaid Services (CMS), and state Attorneys General are the enforcers of compliance with HIPAA, the Federal Trade Commission (FTC) has rules that apply to healthcare data and the organizations that collect, store, and process that information. The FTC enforces the FTC Act, which prohibits deceptive and unfair business practices, and the Health Breach Notification Rule. The FTC’s Health Breach Notification Rule applies to non-HIPAA-regulated entities and requires notifications to be issued when healthcare data is breached. The FTC has been actively enforcing the FTC Act and the Health Breach Notification Rule and has taken action against several organizations that collect, process, and share health data.

In April, the FTC published a final rule that updates the Health Breach Notification Rule to better protect consumers’ sensitive health data and make sure that the decade-old rule keeps pace with changes in the health marketplace. The definition for “Personal Health Record (PHR) identifiable health information” has been modified and new definitions have been added for “covered health care provider” and “health care services or supplies” to ensure that the rule applies to health apps and similar technologies not covered by HIPAA. The change means the rule applies to data generated from interacting with apps, as well as standard health information such as diagnoses and medications. The final rule has a classification of emergent health data, which includes purchase records related to healthcare and location data that can be used to make inferences about a person’s medical history.

The rule has new requirements for the information that must be provided to consumers in breach notifications, such as the entities that have impermissibly received the health data, it permits notifications to be made via email and other electronic methods, and the timescale for issuing notifications has been changed. Notifications must be issued without undue delay and within 60 days of the discovery of a breach, and the FTC must be notified at the same time if the breach involves the information of 500 or more individuals. The final rule will take effect 60 days from the date of publication in the Federal Register.

New HIPAA Regulations: FAQs

Where is the best place to find the latest changes to HIPAA law?

The best place to find the latest changes to HIPAA law that relate to Parts 160 and 164 of the Administrative Simplification Regulations is the HIPAA Newsroom on the HHS website. Alternatively, you can sign up for HHS’ Email Updates or navigate through the items in the CMS Newsroom to find changes to Part 162 of the Administrative Simplification Regulations and other proposals that may affect the Privacy and Security Rules.

How long does it take for Proposed Rules to become new HIPAA regulations?

The time it takes for proposed rules to become new HIPAA regulations depends on the number and complexity of the proposals. For example, the three new transaction codes and the e-signature requirements proposed in December 2022 are relatively straightforward and should become new HIPAA regulations in 2024. However, the nine modifications to the HIPAA Privacy Rule proposed in January 2021 are still at the consultation stage after three years.

Are there further 2024 HIPAA changes in the pipeline?

There are further 2024 HIPAA Changes in the pipeline. In April 2022, HHS’ Office for Civil Rights published a Request For Information (RFI) with regards to implementing two requirements of the HITECH Act – the first being what constitutes a recognized security framework for the purposes of complying with the 2021 “Safe Harbor” amendment, and the second relating to a provision of the HITECH Act relating to “settlement sharing” with a civil monetary penalty is imposed.

How soon after publication do new HIPAA rules take effect?

The period of time it can take for new HIPAA rules to take effect varies according to the complexity of the rules. For example, some new HIPAA Rules have an effective date ninety days after publication; however, CMS has given Covered Entities that are required to implement Patient Access APIs three years to acquire the software, ensure it complies with the Security Rule, develop policies on the software’s use, and train staff.

How likely is a HIPAA Omnibus Final Rule in 2024 similar to the Omnibus Final Rule in 2013?

The likelihood of a HIPAA Final Rule in 2024 similar to the Omnibus Final Rule in 2013 is quite high due to the volume of new HIPAA regulations being considered and the similarities between certain proposals – for example, the attestation of reproductive health information and SUD records. It is also the case that, in 2013, the Omnibus Final Rule was comprised of four Final Rules – issued together in a single package to reduce the burden of complying with four separate Final Rules.

When were the last HIPAA Privacy Rule changes?

The last HIPAA Privacy Rule changes occurred in 2016 when HHS’ Office for Civil Rights added a subsection to §164.512 (Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required). The new subsection allows designated Covered Entities to disclose PHI without a patient’s consent or authorization for the purpose of reporting to the National Instant Criminal Background Check System.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/