New HIPAA Regulations 2023

New HIPAA regulations are published more often than many people realize. Additionally, existing regulations are frequently amended or rescinded. Therefore, it can be important for Covered Entities and Business Associates to keep up to date with regulatory HIPAA changes in order to avoid violating HIPAA due to a lack of knowledge.

Since the publication of the HIPAA Omnibus Final Rule 2013, there are many examples of standards within the HIPAA Administrative Simplification Regulations being added, amended, or rescinded. Most recent HIPAA changes go unnoticed due to affecting areas of HIPAA compliance that impact a minority of Covered Entities or Business Associates – for example, changes to transaction codes.

However, some changes to HIPAA – or associated laws – can affect many Covered Entities and Business Associates. For example, in 2016, the Department of Health and Human Services (HHS) published new HIPAA regulations that increase the minimum and maximum penalties for violations of HIPAA each year to account for inflation.

Another example of a regulatory change affecting Covered Entities is the 2021 amendment to the HITECH Act. The amendment instructed HHS’ Office for Civil Rights to consider a Covered Entity’s compliance with a recognized security framework when determining the scale of a corrective action plan and/or the amount of a civil monetary penalty for a violation of HIPAA.

Other Rule Changes that Affect HIPAA Compliance

Rule changes that affect HIPAA compliance can happen at both state and federal level. For example, when the Texas Medical Privacy Act was amended by HB 300, Covered Entities that collect, receive, use, or transmit PHI relating to Texas citizens have to consider the increased patients’  right and fewer permissible disclosures under the Texas law when HB 300 standards preempt HIPAA.

Other non-HIPAA rule changes can affect Covered Entities nationwide. The best example of this is the changes to 42 CFR Part 2 in 2017 and 2020 (“The Confidentiality of Substance Use Disorder Patients Records”). These changes applied different permissible uses and disclosures to SUD patient records – effectively introducing a two-tier system for the privacy of some Protected Health Information.

There have also been several rule changes to Chapter IV of the Public Health Code – particularly with regards to HHS’ Advancing Interoperability initiative. Some of the changes affect HIPAA Covered Entities inasmuch as Covered Entities will be required to implement a Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a Covered Entity.

The requirements of “CMS Interoperability and Patient Access” Final Rule (85 FR 25510) not only has implications for complying with Privacy Rule standards relating to patients’  rights, but also for complying with Security Rule standards relating to risk analyses. HHS’ Office for Civil Rights will consider it a violation of HIPAA to deny a patient access to their PHI via an app unless it can be demonstrated that a risk exists to the confidentiality, integrity, and availability of electronic PHI.

New HIPAA Regulations 2023

Some new HIPAA regulations in the pipeline for 2023 more closely align the requirements of the Privacy Rule with the Confidentiality of SUD Patients Records and the Advancing Interoperability initiative. In a Notice of Proposed Rulemaking published in 2021 (OCR-0945-AAOO), HHS’ Office for Civil Rights announced multiple proposed modifications to the Privacy Rule which include:

• Permitting disclosures of PHI when needed to help individuals with substance use disorder, serious mental illness, and in emergency circumstances.
• Permitting disclosures of PHI for individual-level care coordination and case management (to avoid confusion whether consent  is required).
• Creating an exception to the Minimum Necessary Standard for disclosures of PHI for individual-level care coordination and case management.
• Strengthening individuals’ access rights to inspect and obtain copies of PHI and reducing the time allowed to response to access requests to 15 days.
• Addressing the form of PHI access to include individuals’ personal health applications and transfers of PHI to third parties via a Patient Access API.
• Reducing the requirements for verifying the identity of an individual exercising their access rights so the individual does not experience an “unreasonable burden”.

The final two proposals will likely send shivers down the spines of compliance officers concerned about unsecure, unencrypted apps with significantly reduced verification requirements remotely accessing PHI. However, in a subsequent proposed interoperability rule (87 FR 76238), HHS commented that Covered Entities can only warn patients apps are unsecure – they cannot block access to PHI “absent an unacceptable security risk to the Covered Entity’s own system”.

While this seems to contradict the objectives of the Security Rule (“to protect individuals’ electronic PHI [and] ensure the confidentiality, integrity, and security of electronic PHI”), HHS has stated the proposed new HIPAA regulations for 2023 do not increase the risk of a HIPAA security breach because, if PHI is breached in transit or at rest once it has left the Covered Entity’s servers for a permissible use or disclosure, the vendor of the app to whom PHI is transmitted is liable.

Further New HIPAA Regulations 2023

In addition to the proposed modifications to the Privacy Rule and adjustments to the CMS Interoperability and Patient Access Final Rule, CMS has also proposed the addition of three new transaction codes for healthcare attachment transactions. While these new HIPAA regulations will not affect many Covered Entities or Business Associates, the Proposed Rule (87 FR 78438) all stipulates HIPAA e-signature requirements for when the transaction codes are used.

The significance of stipulating HIPAA e-signature requirements is that electronic signatures are used in a number of healthcare transactions – not only those covered by the transaction and code sets rules in Part 162, but also for activities such as digitally signing Business Associate Agreements, acknowledging receipt of a Notice of Privacy Practices, remotely authorizing uses and disclosures of PHI not permitted by the Privacy Rule, and e-prescribing.

If the HIPAA e-signature requirements are more widely adopted throughout the HIPAA Administrative Simplification Regulations, the new HIPAA regulations could – in theory – be applied to patients connecting to Covered Entities’ Patient Access APIs via personal health apps. This could potentially resolve the issue of verifying patient ID without unreasonable burden to – at the least – ensure the person connecting to the Patient Access API is who they claim to be.

Future HIPAA Privacy Rule Changes

Due to the time it takes for a Notice of Proposed Rulemaking to become a Final Rule, it is unlikely the most recently proposed HIPAA Privacy Rule changes will come into force in 2023. The proposed changes (in 88 FR 23506) relate to reproductive healthcare records and how they can currently be used or disclosed in civil, criminal, or administrative proceedings involving out-of-state terminations.

HHS’ Office for Civil Rights believes that the risk of disclosure may discourage patients from sharing important health information with physicians, which could negatively impact the level of care they receive. Therefore, the agency is proposing limitations on when reproductive healthcare records can be used or disclosed – and criminal penalties for violations of the new HIPAA Privacy Rule changes.

Importantly, the proposed definition of reproductive healthcare will not only cover terminations and facilitating or assisting an abortion. If finalized, the new limitations will apply to other pregnancy- related events such as contraception, miscarriages, and fertility treatment. The proposals also prevent the changes being circumnavigated by prohibiting authorizations for disclosures of reproductive healthcare records.

New HIPAA Regulations: FAQs