HIPAA Changes 2024

There are proposed HIPAA changes in the pipeline that could have a significant impact on HIPAA compliance in 2024. The most recent HIPAA changes relate to disclosures of reproductive health information, how much the HHS’ Office for Civil Rights (OCR) can impose as a civil monetary penalty for HIPAA violations, and the measures that must be considered when calculating a civil monetary penalty or other sanction.

HIPAA Privacy Rule Changes: 2013-2024

HIPAA Privacy Rule changes are infrequent and, since 2013, have been in response to a change in law or an Executive Order that impacts a Privacy Rule standard. For example, in 2014, a change to the Clinical Laboratory Improvement Amendments of 1988 made it possible for OCR to remove an exception to patients’ rights of access in §164.524 (Access of Individuals to PHI).

Two years later, OCR added a subsection to §164.512 (Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required) in response to an Executive Order. The change to the HIPAA Privacy Rule permits covered entities to disclose the identities of certain individuals to the National Instant Criminal Background Check System (NICS).

Other HIPAA Privacy Rule changes for 2023 were proposed by OCR in 2021. These are discussed in greater detail below (“Will There Be an Omnibus HIPAA Final Rule 2024?”). As with previous HIPAA Privacy Rule changes, some of the proposals are in response to changes in law or Executive Orders. However, others are being introduced to align with HHS’ Advancing Interoperability initiative – which is also discussed in greater detail below.

Other HIPAA Rule Changes up to 2023

OCR is not the only agency within the Department of Health and Human Services (HHS) with the authority to make new HIPAA rules or publish HIPAA rule changes. The Centers for Medicare and Medicaid Services (CMS) also has the authority to publish new HIPAA regulations and is currently the driving force behind HHS’ Advancing Interoperability initiative.

CMS has exercised its authority to publish HIPAA changes on several occasions since 2013. In 2014, the agency changed the compliance date for previously published ICD-10 transaction standards; and in 2019, a more recent HIPAA change rescinded a previous Rule requiring the adoption of a standard unique health plan identifier following four years of “enforcement discretion”.

However, the most significant CMS HIPAA changes occurred in 2020 when the agency published the “Interoperability and Patient Access” Final Rule (85 FR 25510). Among other provisions, this Rule requires covered entities to implement and maintain a standards-based Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a covered entity.

While this Rule does not amend any HIPAA standards other than those in Part 162, it has implications for complying with the patients’ rights standards of the Privacy Rule and the risk assessment standards of the Security Rule. This is because covered entities will not be able to refuse access requests if there is no provable risk to the confidentiality, integrity, and availability of electronic PHI maintained by the covered entity while a third-party app is connected to the Patient Access API.

HIPAA Privacy Rule Changes in 2024

In April 2023, OCR published a Notice of Proposed Rule Making in the Federal Register (88 FR 23506) relating to reproductive healthcare and reproductive healthcare records. In the Notice, the agency reported concerns that reproductive healthcare records could be used to pursue criminal charges against individuals seeking, obtaining, or facilitating out-of-state pregnancy terminations and that the threat of the disclosure of that information might prompt patients to withhold information from healthcare providers.

The agency has responded to these concerns by proposing a new definition of “reproductive healthcare” and putting forward new limitations on the use and disclosure of reproductive healthcare records. Due to the sensitive nature of reproductive healthcare in the current political climate, the proposed rule was quickly finalized. OCR announced the final rule in April 2024, the effective date is June 25, 2024, and the compliance date for all but the Notice of Privacy Practices requirement is January 1, 2025. To ease the burden on entities covered by the Part 2 regulations, the compliance date for changing Notices of Privacy Practices is February 16, 2024.

The new definition of reproductive healthcare is broad, so it applies not only to terminations, but also to any pregnancy-related event, including contraception, fertility treatment, and miscarriages regardless of whether the covered entity operates in a permissive or restrictive state.

The main changes implemented by the final rule prohibit the disclosure of protected health information by HIPAA-regulated entities for the purpose of conducting a criminal, civil, or administrative investigation into, or imposing criminal, civil, or administrative liability on, any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care when that health care is lawful under the circumstances in which it is provided. The final rule also prohibits the identification of any person for the purpose of conducting such an investigation or imposing such liability.

When a HIPAA-regulated entity receives a request for protected health information related to reproductive health care, it must obtain a signed attestation from the requester that the records will not be used or disclosed for a prohibited purpose. This attestation requirement applies to health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. If the records are subsequently used or disclosed for a prohibited purpose, the attestor will be considered to be in violation of §1177 of the Social Security Act – a criminal offense for which the maximum penalty is $250,000 and/or up to ten years in jail.

Other Rules and Changes that Impact HIPAA Compliance

HIPAA is not the only federal law that imposes standards for the privacy of health information. In 2017, the Confidentiality of Alcohol and Drug Abuse Patients Records (42 CFR Part 2) was updated for the first time in 22 years – creating a two-tier scenario in which some individually identifiable health information had fewer permissible uses and disclosures than other health information.

Now referred to as the Confidentiality of Substance Use Disorder Patients Records, this Part of the Public Welfare Code was again updated in 2020 to “align the regulations with advances in the health care delivery system”, and further updates were finalized on February 16, 2024, that align Part 2 regulations with those of the HIPAA Privacy Rule more closely and clarify existing Part 2 permissions and restrictions to make it easier for covered entities to use and disclose Part 2 records. The update aims to reduce the burden on patients and providers and improve the coordination of care and access to care and treatment while protecting the confidentiality of treatment records.

The key changes implemented by the final rule are to allow a single Part 2-compliant consent for all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations. HIPAA-regulated entities that receive records under this consent may redisclose the records for purposes permitted by HIPAA, except for legal proceedings against the patient. Any disclosure of Part 2 records made with a patient’s consent must include a copy of the consent or a clear explanation of the scope of the consent. A patient’s consent for the use and disclosure of Part 2 records for civil, criminal, administrative, or legislative proceedings cannot be combined with consent for any other use or disclosure.

Other changes implemented by the final rule include the creation of a new definition for SUD counseling notes, the use or disclosure of which requires separate patient consent, which aligns the Part 2 regulations with the HIPAA provision concerning psychotherapy notes. If Part 2 records are disclosed to a HIPAA-regulated entity, the records do not need to be segregated from other PHI. Disclosures of Part 2 records to public health authorities can be made without patient consent if the records are de-identified using one of the methods stipulated by HIPAA. Other changes that align the Part 2 regulations more closely with HIPAA include notification requirements that mirror those of the Breach Notification Rule, changes to notice requirements to align the regulations with HIPAA’s Notice of Privacy Practices requirements, changing the criminal penalties to match the civil and criminal penalties that can be imposed for HIPAA violations, and giving patients new rights, similar to those under HIPAA. Complaints about alleged Part 2 violations can be filed directly with the HHS Secretary, and patients can obtain an accounting of disclosures, request restrictions on disclosures, and opt out of receiving fundraising communications.

In addition to other regulations in the Public Welfare Code, other federal laws, and Executive Orders, state rules – and changes to them – can also impact HIPAA compliance. The best example of this is the Texas Medical Privacy Act as amended by HB 300 which classifies all entities that assemble, analyze, use, evaluate, store, or transmit the PHI of a Texas citizen as a covered entity.

Conversely, other state laws can exempt HIPAA-covered entities from complying with state privacy and/or breach notification regulations. This can result in a scenario in which an Organized Health Care Arrangement or other healthcare group can operate on two sides of a state border and be subject to different privacy, security, and breach notification regulations and procedures.

Other Law Changes Related to Health Information Privacy and Security

The Federal Trade Commission (FTC) has been actively enforcing compliance with the FTC Act, which prohibits deceptive and unfair business practices, and has taken action against multiple healthcare companies for failing to notify consumers that the information collected via website tracking technologies is disclosed to third parties for advertising purposes. The FTC has also started enforcing its Health Breach Notification Rule, and in 2024, issued a final rule updating the Health Breach Notification Rule. The final rule broadens definitions to ensure the rule applies to health apps and similar technologies not covered by HIPAA, and that it covers data security breaches and unauthorized disclosures. The final rule also expands the use of electronic notices to consumers, clarifies what information must be included in notices, and changes the time frame for issuing notices. The rule will take effect 60 days from the date of publication in the Federal Register.

Changes to the Enforcement of HIPAA

In 2009, Section 13410(d) of the HITECH Act amended §1176 of the Social Security Act to introduce a four-tier civil monetary penalty structure for violations of HIPAA according to the culpability of the violating party. The same section also removed the previous affirmative defense to the imposition of penalties if a covered entity did not know and with the exercise of reasonable diligence would not have known of the violation, and made business associates directly liable for HIPAA violations.

Originally, the maximum penalty per violation type per year was set at $1,500,000. However, following the passage of the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, the minimum and maximum penalties in each penalty tier have been increased annually to account for inflation. As of December 2023, the civil monetary penalties for violations of HIPAA are:

| Penalty Tier | Level of Culpability | Minimum Penalty per Violation Type | Maximum Penalty per Violation Type | Annual Penalty Limit |
|---|---|---|---|---|
| Tier 1 | Lack of Knowledge | $137 | $34,464 | $34,464 |
| Tier 2 | Lack of Oversight | $1,379 | $68,928 | $137,886 |
| Tier 3 | Willful Neglect | $13,785 | $68,928 | $344,638 |
| Tier 4 | Willful Neglect not Corrected in 30 days | $68,928 | $68,928 | $1,919,173 |

In 2021, an amendment to the HITECH Act allowed OCR to use its discretion when imposing a civil monetary penalty or corrective action plan on an organization that can demonstrate 12 months of compliance with a recognized security framework. Compliance with a security framework does not absolve an organization of its liability, but it can significantly reduce the financial consequences. OCR has published a video that explains what constitutes “recognized security practices”.

OCR was also allowed to use enforcement discretion with regard to certain activities during the COVID-19 pandemic. The temporary relaxation of enforcement during the public health emergency enabled healthcare providers to better provide remote telehealth services, disclose PHI for public health purposes, and participate in community-based testing and vaccination administration.

Expected Changes to HIPAA in 2024

New HIPAA regulations follow a set process. Initially, OCR publishes a Request for Information seeking feedback on a proposed change to one or more HIPAA regulations or a new HIPAA standard. After considering the feedback, OCR publishes a Notice of Proposed Rulemaking (NPRM) which includes a period for further comments before a Final Rule is published.

There have been several NPRMs published in recent years – some of which are complicated and may take some time for the comments to be considered. Others are simpler and/or less contentious, and these will be quicker to progress from the NPRM to a final rule. Two in particular are more straightforward than most and these, we expect, will make changes to HIPAA in 2024.

The first NPRM (CMS-0053-P) proposes three new standards to facilitate healthcare attachment standards and the requirement that e-signatures are used to verify attachments when these standards are used. Although the changes to HIPAA are modest, the e-signature standard could be extended to other transactions and HIPAA-covered procedures as discussed in this article.

The second NPRM (CMS-0057-P) relates to CMS’ “Interoperability and Patient Access” Final Rule published in 2020 (see “Other HIPAA Rule Changes” above). While the NPRM rescinds certain measures and delays the effective date for others, it also introduces new measures to streamline prior authorization processes and standards to facilitate payer-to-payer data exchanges.

Will There Be an Omnibus HIPAA Final Rule 2024?

Compared to the relative simplicity of the two CMS NPRMs, the Proposed Modifications to the HIPAA Privacy Rule published by OCR in January 2021 (OCR-0945-AAOO) cover many possible new HIPAA regulations in 2024 – with the focus on aligning the Privacy Rule more closely with HHS’ Advancing Interoperability initiative. The summary of the major provisions includes:

  • Modifying patients’ rights so they can access copies of PHI within 15 days, take photos of PHI, and send copies to a third-party provider or app.
  • Amending the definition of health care operations to permit disclosures of PHI for individual-level care coordination and case management.
  • Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures.
  • Replacing language referring to “professional judgment” with “good faith belief” (that disclosures are in the best interests of individuals).
  • Changing the wording of disclosures to avert a threat to health and safety to “serious and reasonably foreseeable” from the stricter “serious and imminent”.
  • Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a treatment provider’s Notice of Privacy Practices.

Due to the complexity of the NPRM and attempts to align patients’ rights with HHS’ Advancing Interoperability initiative, it is likely that some of the major provisions will be adopted, while others will be delayed for further consideration. With further changes to the HIPAA Privacy Rule in the pipeline to accommodate the Part 2 and interoperability proposals, it seems unlikely there will be an Omnibus HIPAA Final Rule 2024 like there was in 2013.

Future HIPAA Updates to be Aware Of

In December 2023, the HHS published its cybersecurity strategy which outlines the steps the HHS will be taking to improve healthcare cybersecurity. Those measures included the development of voluntary Cybersecurity Performance Goals (CPGs), which were published by OCR in January. The CPGs include high-impact measures that HIPAA-regulated entities can implement to improve cybersecurity, and they are split into two sets – “essential” and “enhanced.” It is hoped that all HIPAA-regulated entities will ensure that they at least implement all of the essential CPGs, and to make that as easy as possible, the HHS has requested Congress make funds available to provide financial assistance to low-resourced hospitals to help them cover the upfront costs of implementing the CPGs. The Biden Administration has included the funds in its proposed budget.

In the cybersecurity strategy, the HHS indicated it will be proposing an update to the HIPAA Security Rule in 2024 and it aims to issue a Notice of Proposed Rulemaking in Spring 2024. Some of the essential CPGs may be included in the proposed update, but if not, they certainly will be in future updates. OCR has indicated that while the CPGs will initially be voluntary, they are likely to become mandatory in the future.

How to Keep Up to Date with HIPAA Changes in 2024

The most effective way to keep up to date with HIPAA changes in 2024 is to sign up for HHS’ Email Updates. The best of the update services to subscribe to is the “Weekly News Digest” because these are easier to scan to see if there are any recent HIPAA changes that affect your organization. You can also comment on open rules (i.e., Requests for Information and NPRMs) via the HHS Laws and Regulations Home Page.

If your interest extends beyond proposed HIPAA changes to OCR enforcement actions, guidance, and other press releases, the HHS website hosts a dedicated HIPAA Newsroom web page; while the best place to identify proposals that may lead to future new HIPAA regulations – particularly those relating to Part 162 and interoperability – is the CMS Newsroom.

HIPAA Changes 2023-2024: FAQs:

What did the Omnibus Final Rule changes to HIPAA in 2013 do?

The Omnibus Final Rule changes to HIPAA in 2013 implemented most of the changes stipulated by the HITECH Act 2009. These included increasing the limitations on uses and disclosures of PHI, making Business Associates directly liable for HIPAA violations, and expanding patients’ rights. The Omnibus Final Rule also finalized the changes to HIPAA enforcement that, up to that point, had been governed by an Interim Rule.

When was HIPAA last updated?

HIPAA was last updated in 2020 with the publication of CMS’ “Interoperability and Patient Access” Final Rule. However, this Final Rule is under review and many of its provisions may be rescinded or delayed. Prior to 2020, the previous update was the Privacy Rule change to accommodate disclosures of PHI required for the National Instant Criminal Background Check System in 2016.

What were the changes to HIPAA in 2017?

There were no changes to HIPAA in 2017. However, there were changes to the Public Welfare Code (42 CFR Part 2) that impacted HIPAA Covered Entities who create, receive, use, store, or transmit patient records that include information about substance abuse disorders. This information is currently subject to stricter uses and disclosures than PHI. However, this may change in 2024.

Where is the best place to find the latest changes to HIPAA law?

The best place to find the latest changes to HIPAA law – or at least changes to the Administrative Simplification Regulations that resulted from the passage of HIPAA – is the HHS’ Office for Civil Rights website. As mentioned in the above article, the opportunity exists to sign up for a “Weekly News Digest” that will deliver the latest changes to HIPAA law to your email inbox.

How will HHS announce HIPAA law changes in 2024?

HHS will announce HIPAA law changes in 2024 via one or more Final Rules published in the Federal Register. Final Rules tend to be long-winded, but they do provide the background to why a standard is being added, amended, or rescinded, and reference the standard in the Code of Federal Regulations so it can be viewed in the context of other standards in the same section.

Where can you find the latest version of HIPAA?

You can find the latest version of HIPAA via the online eCFR system (https://www.ecfr.gov/). The HIPAA Administrative Simplification Rules are in three Parts – 45 CFR 160, 162, and 164. If you only want to find the latest version of the HIPAA Privacy Rule, you can navigate directly to 45 CFR Part 164 Subpart E. (The Security Rule is in Subpart C and the Breach Notification Rule is in Subpart D).

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/