New HIPAA Regulations 2023
New HIPAA regulations are published more often than many people realize. Additionally, existing regulations are frequently amended or rescinded. Therefore, it can be important for Covered Entities and Business Associates to keep up to date with regulatory HIPAA changes in order to avoid violating HIPAA due to a lack of knowledge.
Since the publication of the HIPAA Omnibus Final Rule 2013, there are many examples of standards within the HIPAA Administrative Simplification Regulations being added, amended, or rescinded. Most recent HIPAA changes go unnoticed due to affecting areas of HIPAA compliance that impact a minority of Covered Entities or Business Associates – for example, changes to transaction codes.
However, some changes to HIPAA – or associated laws – can affect many Covered Entities and Business Associates. For example, in 2016, the Department of Health and Human Services (HHS) published new HIPAA regulations that increase the minimum and maximum penalties for violations of HIPAA each year to account for inflation.
Another example of a regulatory change affecting Covered Entities is the 2021 amendment to the HITECH Act. The amendment instructed HHS’ Office for Civil Rights to consider a Covered Entity’s compliance with a recognized security framework when determining the scale of a corrective action plan and/or the amount of a civil monetary penalty for a violation of HIPAA.
Other Rule Changes that Affect HIPAA Compliance
Rule changes that affect HIPAA compliance can happen at both state and federal level. For example, when the Texas Medical Privacy Act was amended by HB 300, Covered Entities that collect, receive, use, or transmit PHI relating to Texas citizens have to consider the increased patients’ rights and fewer permissible disclosures under the Texas law when HB 300 standards preempt HIPAA.
Other non-HIPAA rule changes can affect Covered Entities nationwide. The best example of this is the changes to 42 CFR Part 2 in 2017 and 2020 (“The Confidentiality of Substance Use Disorder Patients Records”). These changes applied different permissible uses and disclosures to SUD patient records – effectively introducing a two-tier system for the privacy of some Protected Health Information.
There have also been several rule changes to Chapter IV of the Public Health Code – particularly with regards to HHS’ Advancing Interoperability initiative. Some of the changes affect HIPAA Covered Entities inasmuch as Covered Entities will be required to implement a Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a Covered Entity.
The requirements of the “CMS Interoperability and Patient Access” Final Rule (85 FR 25510) not only have implications for complying with Privacy Rule standards relating to patients’ rights, but also for complying with Security Rule standards relating to risk analyses. HHS’ Office for Civil Rights will consider it a violation of HIPAA to deny a patient access to their PHI via an app unless it can be demonstrated that a risk exists to the confidentiality, integrity, and availability of electronic PHI.
New HIPAA Regulations 2023
Some new HIPAA regulations in the pipeline for 2023 more closely align the requirements of the Privacy Rule with the Confidentiality of SUD Patients Records and the Advancing Interoperability initiative. In a Notice of Proposed Rulemaking published in 2021 (OCR-0945-AAOO), HHS’ Office for Civil Rights announced multiple proposed modifications to the Privacy Rule which include:
- Permitting disclosures of PHI when needed to help individuals with substance use disorder, serious mental illness, and in emergency circumstances.
- Permitting disclosures of PHI for individual-level care coordination and case management (to avoid confusion whether consent is required).
- Creating an exception to the Minimum Necessary Standard for disclosures of PHI for individual-level care coordination and case management.
- Strengthening individuals’ access rights to inspect and obtain copies of PHI and reducing the time allowed to respond to access requests to 15 days.
- Addressing the form of PHI access to include individuals’ personal health applications and transfers of PHI to third parties via a Patient Access API.
- Reducing the requirements for verifying the identity of an individual exercising their access rights so the individual does not experience an “unreasonable burden”.
The final two proposals will likely send shivers down the spines of compliance officers concerned about unsecure, unencrypted apps with significantly reduced verification requirements remotely accessing PHI. However, in a subsequent proposed interoperability rule (87 FR 76238), HHS commented that Covered Entities can only warn patients that apps are unsecure – they cannot block access to PHI “absent an unacceptable security risk to the Covered Entity’s own system”.
While this seems to contradict the objectives of the Security Rule (“to protect individuals’ electronic PHI [and] ensure the confidentiality, integrity, and security of electronic PHI”), HHS has stated the proposed new HIPAA regulations for 2023 do not increase the risk of a HIPAA security breach because, if PHI is breached in transit or at rest once it has left the Covered Entity’s servers for a permissible use or disclosure, the vendor of the app to whom PHI is transmitted is liable.
Further New HIPAA Regulations 2023
In addition to the proposed modifications to the Privacy Rule and adjustments to the CMS Interoperability and Patient Access Final Rule, CMS has also proposed the addition of three new transaction codes for healthcare attachment transactions. While these new HIPAA regulations will not affect many Covered Entities or Business Associates, the Proposed Rule (87 FR 78438) also stipulates HIPAA e-signature requirements for when the transaction codes are used.
The significance of stipulating HIPAA e-signature requirements is that electronic signatures are used in a number of healthcare transactions – not only those covered by the transaction and code sets rules in Part 162, but also for activities such as digitally signing Business Associate Agreements, acknowledging receipt of a Notice of Privacy Practices, remotely authorizing uses and disclosures of PHI not permitted by the Privacy Rule, and e-prescribing.
If the HIPAA e-signature requirements are more widely adopted throughout the HIPAA Administrative Simplification Regulations, the new HIPAA regulations could – in theory – be applied to patients connecting to Covered Entities’ Patient Access APIs via personal health apps. This could potentially resolve the issue of verifying patient ID without unreasonable burden to – at the least – ensure the person connecting to the Patient Access API is who they claim to be.
Future HIPAA Privacy Rule Changes
Due to the time it takes for a Notice of Proposed Rulemaking to become a Final Rule, it is unlikely the most recently proposed HIPAA Privacy Rule changes will come into force in 2023. The proposed changes (in 88 FR 23506) relate to reproductive healthcare records and how they can currently be used or disclosed in civil, criminal, or administrative proceedings involving out-of-state terminations.
HHS’ Office for Civil Rights believes that the risk of disclosure may discourage patients from sharing important health information with physicians, which could negatively impact the level of care they receive. Therefore, the agency is proposing limitations on when reproductive healthcare records can be used or disclosed – and criminal penalties for violations of the new HIPAA Privacy Rule changes.
Importantly, the proposed definition of reproductive healthcare will not only cover terminations and facilitating or assisting an abortion. If finalized, the new limitations will apply to other pregnancy-related events such as contraception, miscarriages, and fertility treatment. The proposals also prevent the changes being circumvented by prohibiting authorizations for disclosures of reproductive healthcare records.
New HIPAA Regulations: FAQs
Where is the best place to find the latest changes to HIPAA law?
The best place to find the latest changes to HIPAA law that relate to Parts 160 and 164 of the Administrative Simplification Regulations is the HIPAA Newsroom on the HHS website. Alternatively, you can sign up for HHS’ Email Updates or navigate through the items in the CMS Newsroom to find changes to Part 162 of the Administrative Simplification Regulations and other proposals that may affect the Privacy and Security Rules.
How long does it take for Proposed Rules to become new HIPAA regulations?
The time it takes for proposed rules to become new HIPAA regulations depends on the number and complexity of the proposals. For example, the three new transaction codes and the e-signature requirements proposed in December 2022 are relatively straightforward and should become new HIPAA regulations in 2023. However, the nine modifications to the HIPAA Privacy Rule proposed in January 2021 are still at the consultation stage after more than two years.
Are there further 2023 HIPAA changes in the pipeline?
There are further 2023 HIPAA changes in the pipeline. In April 2022, HHS’ Office for Civil Rights published a Request for Information (RFI) with regards to implementing two requirements of the HITECH Act – the first being what constitutes a recognized security framework for the purposes of complying with the 2021 “Safe Harbor” amendment, and the second relating to a provision of the HITECH Act concerning “settlement sharing” when a civil monetary penalty is imposed.
How soon after publication do new HIPAA rules take effect?
The period of time it can take for new HIPAA rules to take effect varies according to the complexity of the rules. For example, some new HIPAA Rules have an effective date ninety days after publication; however, CMS has given Covered Entities that are required to implement Patient Access APIs three years to acquire the software, ensure it complies with the Security Rule, develop policies on the software’s use, and train staff.
How likely is a HIPAA Final Rule in 2023 similar to the Omnibus Final Rule in 2013?
The likelihood of a HIPAA Final Rule in 2023 similar to the Omnibus Final Rule in 2013 decreases the longer the year goes on. The nine modifications to the HIPAA Privacy Rule proposed in January 2021 were originally expected to be implemented during 2022; but, since the proposed modifications were published, HHS’ Office for Civil Rights has also issued a Request for Information regarding the HITECH Act amendments and a further Notice of Proposed Rulemaking to better align 42 CFR Part 2 with the HIPAA Privacy Rule.
When were the last HIPAA Privacy Rule changes?
The last HIPAA Privacy Rule changes occurred in 2016 when HHS’ Office for Civil Rights added a subsection to §164.512 (Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required). The new subsection allows designated Covered Entities to disclose PHI without a patient’s consent or authorization for the purpose of reporting to the National Instant Criminal Background Check System.