New HIPAA regulations are published more often than many people realize; and, because the new regulations may impact only a small number of covered entities or business associates, they generally go unnoticed. However, in recent years, there has been a number of Notices of Proposed Rulemaking (NPRMs) published in the Federal Register, and many of these are likely to evolve into new HIPAA regulations in 2024.
It is important for covered entities and business associates to keep up to date with HIPAA changes because a lack of knowledge is not a justifiable excuse for an avoidable HIPAA violation. It should also be noted that, in a December 2023 Security Rule “Concept Paper”, the Department of Health & Human Services (HHS) stated it intends to ask Congress for more resources to investigate alleged violations of HIPAA and an increase in fines for HIPAA violations.
Not All Recent HIPAA Changes have been Minimal
Some recent changes to HIPAA – or associated laws – have applied to all covered entities and business associates but impacted only a small minority. For example, since 2016, HHS has published new HIPAA regulations that increase the minimum and maximum penalties for violations of HIPAA each year to account for inflation.
Another example of a regulatory change that applies to all covered entities and business associates is the 2021 amendment to the HITECH Act. The amendment instructed HHS’ Office for Civil Rights to consider an entity’s compliance with a recognized security framework when determining the scale of a corrective action plan and/or the amount of a civil monetary penalty for a violation of HIPAA.
Other Rule Changes that Affect HIPAA Compliance
Rule changes that affect HIPAA compliance can happen at both state and federal level. For example, when the Texas Medical Privacy Act was amended by HB 300, covered entities that collect, receive, use, or transmit PHI relating to Texas citizens have to consider the increased patients’ rights and fewer permissible disclosures under the Texas law where HB 300 standards preempt HIPAA.
Other non-HIPAA rule changes can affect covered entities nationwide. The best example of this is the changes to 42 CFR Part 2 in 2017 and 2020 (“The Confidentiality of Substance Use Disorder Patients Records”). These changes applied different permissible uses and disclosures to SUD patient records – effectively introducing a two-tier system for the privacy of some Protected Health Information.
There have also been several rule changes to Chapter IV of the Public Health Code – particularly with regards to HHS’ Advancing Interoperability initiative. Some of the changes affect HIPAA covered entities inasmuch as covered entities will be required to implement a Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a covered entity.
The requirements of the “CMS Interoperability and Patient Access” Final Rule (85 FR 25510) not only have implications for complying with Privacy Rule standards relating to patients’ rights, but also for complying with Security Rule standards relating to risk analyses. HHS’ Office for Civil Rights will consider it a violation of HIPAA to deny a patient access to their PHI via an app unless it can be demonstrated that a risk exists to the confidentiality, integrity, and availability of electronic PHI.
New HIPAA Regulations 2024
Some new HIPAA regulations in the pipeline for 2024 more closely align the requirements of the Privacy Rule with the Confidentiality of SUD Patients Records and the Advancing Interoperability initiative. In a Notice of Proposed Rulemaking published in 2021 (OCR-0945-AAOO), HHS’ Office for Civil Rights announced multiple proposed modifications to the Privacy Rule which include:
- Permitting disclosures of PHI when needed to help individuals with substance use disorder, serious mental illness, and in emergency circumstances.
- Permitting disclosures of PHI for individual-level care coordination and case management (to avoid confusion whether consent is required).
- Creating an exception to the Minimum Necessary Standard for disclosures of PHI for individual-level care coordination and case management.
- Strengthening individuals’ access rights to inspect and obtain copies of PHI and reducing the time allowed to respond to access requests to 15 days.
- Addressing the form of PHI access to include individuals’ personal health applications and transfers of PHI to third parties via a Patient Access API.
- Reducing the requirements for verifying the identity of an individual exercising their access rights so the individual does not experience an “unreasonable burden”.
The final two proposals will likely send shivers down the spines of compliance officers concerned about unsecure, unencrypted apps with significantly reduced verification requirements remotely accessing PHI. However, in a subsequent proposed interoperability rule (87 FR 76238), HHS commented that covered entities can only warn patients apps are unsecure – they cannot block access to PHI “absent an unacceptable security risk to the covered entity’s own system”.
While this seems to contradict the objectives of the Security Rule (“to protect individuals’ electronic PHI [and] ensure the confidentiality, integrity, and security of electronic PHI”), HHS has stated the proposed new HIPAA regulations for 2024 do not increase the risk of a HIPAA security breach because, if PHI is breached in transit or at rest once it has left the covered entity’s servers for a permissible use or disclosure, the vendor of the app to whom PHI is transmitted is liable.
Further New HIPAA Regulations 2024
In addition to the proposed modifications to the Privacy Rule and adjustments to the CMS Interoperability and Patient Access Final Rule, CMS has also proposed the addition of three new transaction codes for healthcare attachment transactions. While these new HIPAA regulations will not affect many covered entities or business associates, the Proposed Rule (87 FR 78438) stipulates HIPAA e-signature requirements for when the transaction codes are used.
The significance of stipulating HIPAA e-signature requirements is that electronic signatures are used in a number of healthcare transactions – not only those covered by the transaction and code sets rules in Part 162, but also for activities such as digitally signing Business Associate Agreements, acknowledging receipt of a Notice of Privacy Practices, remotely authorizing uses and disclosures of PHI not permitted by the Privacy Rule, and e-prescribing.
If the HIPAA e-signature requirements are more widely adopted throughout the HIPAA Administrative Simplification Regulations, the new HIPAA regulations could – in theory – be applied to patients connecting to covered entities’ Patient Access APIs via personal health apps. This could potentially resolve the issue of verifying patient ID without unreasonable burden to – at the least – ensure the person connecting to the Patient Access API is who they claim to be.
Future HIPAA Privacy Rule Changes
Due to the time it takes for a Notice of Proposed Rulemaking to become a Final Rule, it is unlikely the most recently proposed HIPAA Privacy Rule changes will come into force until late 2024. The proposed changes (in 88 FR 23506) relate to reproductive healthcare records and how they can currently be used or disclosed in civil, criminal, or administrative proceedings involving out-of-state terminations.
HHS’ Office for Civil Rights believes that the risk of disclosure may discourage patients from sharing important health information with physicians, which could negatively impact the level of care they receive. Because of this risk, the agency is proposing limitations on when reproductive healthcare records can be used or disclosed – and criminal penalties for violations of the new HIPAA Privacy Rule changes.
The proposed definition of reproductive healthcare will not only cover terminations and facilitating or assisting an abortion. If finalized, the new limitations will apply to other pregnancy-related events such as contraception, miscarriages, and fertility treatment. The proposals also prevent the changes being circumvented by prohibiting authorizations for disclosures of reproductive healthcare records.
The December 2023 Security Rule Concept Paper
In December 2023, HHS published a Concept Paper outlining a cybersecurity framework to improve cyber resiliency and better protect patient data. At the heart of the framework is a plan to develop “voluntary” cybersecurity goals and incentivize healthcare providers to adopt best practices to help them reach Cybersecurity Performance Goals.
Healthcare providers hoping for an incentivization program similar to the Meaningful Use program will be disappointed to learn that new HIPAA regulations will be added to the Security Rule, and the incentive for complying will be the avoidance of civil monetary penalties and continued participation in the Medicare program.
As discussed in the introduction to this article, HHS intends to ask Congress for more resources to investigate alleged violations of HIPAA and an increase in fines for HIPAA violations above the annual adjustments for inflation. Also as discussed in the introduction to this article, a lack of knowledge of the new HIPAA regulations is not a justifiable excuse for an avoidable HIPAA violation.
New HIPAA Regulations: FAQs
Where is the best place to find the latest changes to HIPAA law?
The best place to find the latest changes to HIPAA law that relate to Parts 160 and 164 of the Administrative Simplification Regulations is the HIPAA Newsroom on the HHS website. Alternatively, you can sign up for HHS’ Email Updates or navigate through the items in the CMS Newsroom to find changes to Part 162 of the Administrative Simplification Regulations and other proposals that may affect the Privacy and Security Rules.
How long does it take for Proposed Rules to become new HIPAA regulations?
The time it takes for proposed rules to become new HIPAA regulations depends on the number and complexity of the proposals. For example, the three new transaction codes and the e-signature requirements proposed in December 2022 are relatively straightforward and should become new HIPAA regulations in 2024. However, the nine modifications to the HIPAA Privacy Rule proposed in January 2021 are still at the consultation stage after three years.
Are there further 2024 HIPAA changes in the pipeline?
There are further 2024 HIPAA changes in the pipeline. In April 2022, HHS’ Office for Civil Rights published a Request for Information (RFI) with regards to implementing two requirements of the HITECH Act – the first being what constitutes a recognized security framework for the purposes of complying with the 2021 “Safe Harbor” amendment, and the second relating to a provision of the HITECH Act concerning “settlement sharing” when a civil monetary penalty is imposed.
How soon after publication do new HIPAA rules take effect?
The period of time it can take for new HIPAA rules to take effect varies according to the complexity of the rules. For example, some new HIPAA Rules have an effective date ninety days after publication; however, CMS has given Covered Entities that are required to implement Patient Access APIs three years to acquire the software, ensure it complies with the Security Rule, develop policies on the software’s use, and train staff.
How likely is a HIPAA Omnibus Final Rule in 2024 similar to the Omnibus Final Rule in 2013?
The likelihood of a HIPAA Final Rule in 2024 similar to the Omnibus Final Rule in 2013 is quite high due to the volume of new HIPAA regulations being considered and the similarities between certain proposals – for example, the attestation of reproductive health information and SUD records. It is also the case that, in 2013, the Omnibus Final Rule comprised four Final Rules – issued together in a single package to reduce the burden of complying with four separate Final Rules.
When were the last HIPAA Privacy Rule changes?
The last HIPAA Privacy Rule changes occurred in 2016 when HHS’ Office for Civil Rights added a subsection to §164.512 (Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required). The new subsection allows designated Covered Entities to disclose PHI without a patient’s consent or authorization for the purpose of reporting to the National Instant Criminal Background Check System.