The most recent HIPAA changes relate to how much HHS’ Office for Civil Rights can impose as a civil monetary penalty for HIPAA violations, and what measures the agency has to take into account when calculating a civil monetary penalty or other sanction. There are many proposed HIPAA changes in the pipeline that could have a significant impact on HIPAA compliance in 2024.
HIPAA Privacy Rule Changes Since 2013
HIPAA Privacy Rule changes are infrequent and – since 2013 – have been in response to a change in law or an Executive Order that impacts a Privacy Rule standard. For example, in 2014, a change to the Clinical Laboratory Improvement Amendments of 1988 made it possible for HHS’ Office for Civil Rights to remove an exception to patients’ rights of access in §164.524 (Access of Individuals to PHI).
Two years later, HHS’ Office for Civil Rights added a subsection to §164.512 (Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required) in response to an Executive Order. The change to the HIPAA Privacy Rule permits covered entities to disclose the identities of certain individuals to the National Instant Criminal Background Check System (NICS).
Other HIPAA Privacy Rule changes for 2023 were proposed by HHS’ Office for Civil Rights in 2021. These are discussed in greater detail below (“Will There Be an Omnibus HIPAA Final Rule 2024?”). As with previous HIPAA Privacy Rule changes, some of the proposals are in response to changes in law or Executive Orders. However, others are being introduced to align with HHS’ Advancing Interoperability initiative – which is also discussed in greater detail below.
Other HIPAA Rule Changes up to 2023
The Office for Civil Rights (OCR) is not the only agency within the Department of Health and Human Services (HHS) with the authority to make new HIPAA rules or publish HIPAA rule changes. The Centers for Medicare and Medicaid Services (CMS) also has the authority to publish new HIPAA regulations and is currently the driving force behind HHS’ Advancing Interoperability initiative.
CMS has exercised its authority to publish HIPAA changes on several occasions since 2013. In 2014, the agency changed the compliance date for previously published ICD-10 transaction standards; and, in 2019, a more recent HIPAA change rescinded a previous Rule requiring the adoption of a standard unique health plan identifier following four years of “enforcement discretion”.
However, the most significant CMS HIPAA changes occurred in 2020 when the agency published the “Interoperability and Patient Access” Final Rule (85 FR 25510). Among other provisions, this Rule requires covered entities to implement and maintain a standards-based Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a covered entity.
While this Rule does not amend any HIPAA standards other than those in Part 162, it has implications for complying with the patients’ rights standards of the Privacy Rule and the risk assessment standards of the Security Rule. This is because covered entities will not be able to refuse access requests unless there is a provable risk to the confidentiality, integrity, and availability of electronic PHI maintained by the covered entity while a third-party app is connected to the Patient Access API.
Other Rules and Changes that Impact HIPAA Compliance
HIPAA is not the only federal law that imposes standards for the privacy of health information. In 2017, the Confidentiality of Alcohol and Drug Abuse Patients Records (42 CFR Part 2) was updated for the first time in 22 years – creating a two-tier scenario in which some individually identifiable health information had fewer permissible uses and disclosures than other health information.
Now referred to as the Confidentiality of Substance Use Disorder Patients Records, this Part of the Public Welfare Code was again updated in 2020 to “align the regulations with advances in the health care delivery system”, and further updates are under consideration that would more closely align Part 2 regulations with those of the HIPAA Privacy Rule to do away with the two tiers of protection.
In addition to other regulations in the Public Welfare Code, other federal laws, and Executive Orders, state rules – and changes to them – can also impact HIPAA compliance. The best example of this is the Texas Medical Privacy Act as amended by HB 300 which classifies all entities that assemble, analyze, use, evaluate, store, or transmit the PHI of a Texas citizen as a covered entity.
Conversely, other state laws can exempt HIPAA covered entities from complying with state privacy and/or breach notification regulations. This can result in a scenario in which an Organized Health Care Arrangement or other healthcare group can operate on two sides of a state border and be subject to different privacy, security, and breach notification regulations and procedures.
Changes to the Enforcement of HIPAA
In 2009, Section 13410(d) of the HITECH Act amended §1176 of the Social Security Act to introduce a four-tier civil monetary penalty structure for violations of HIPAA according to the culpability of the violating party. The same section also removed the previous affirmative defense to the imposition of penalties (available when a covered entity did not know, and with the exercise of reasonable diligence would not have known, of the violation), and made business associates directly liable for HIPAA violations.
Originally, the maximum penalty per violation type per year was set at $1,500,000. However, following the passage of the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, the minimum and maximum penalties in each penalty tier have been increased annually to account for inflation. As of December 2023, the civil monetary penalties for violations of HIPAA are:
| Level of Culpability | Minimum Penalty per Violation Type | Maximum Penalty per Violation Type | Annual Penalty Limit |
|---|---|---|---|
| Lack of Knowledge | | | |
| Lack of Oversight | | | |
| Willful Neglect not Corrected in 30 days | | | |
In 2021, an amendment to the HITECH Act allowed OCR to use its discretion when imposing a civil monetary penalty or corrective action plan on an organization that can demonstrate 12 months’ compliance with a recognized security framework. Compliance with a security framework does not absolve an organization of its liability, but it can significantly reduce the financial consequences.
OCR was also allowed to use enforcement discretion with regard to certain activities during the COVID-19 pandemic. The temporary relaxation of enforcement during the public health emergency enabled healthcare providers to better provide remote telehealth services, disclose PHI for public health purposes, and participate in community-based testing and vaccination administration.
Expected Changes to HIPAA in 2024
New HIPAA regulations usually follow a set process. Initially, HHS publishes a Request for Information seeking feedback on a proposed change to one or more HIPAA regulations or a new HIPAA standard. After considering the feedback, the Department publishes a Notice of Proposed Rulemaking (NPRM) which allows a period for further comments before a Final Rule is published.
There have been several NPRMs published in recent years, some of which are complicated and may take some time for the comments to be considered. Others are simpler and/or less contentious, and these will be quicker to progress from NPRM to Final Rule. Two in particular are more straightforward than most, and we expect these to make changes to HIPAA in 2024.
The first NPRM (CMS-0053-P) proposes three new standards for healthcare attachments and a requirement that e-signatures be used to verify attachments when these standards are used. Although modest in its changes to HIPAA, the e-signature standard could be extended to other transactions and HIPAA-covered procedures, as discussed in this article.
The second NPRM (CMS-0057-P) relates to CMS’ “Interoperability and Patient Access” Final Rule published in 2020 (see “Other HIPAA Rule Changes” above). While the NPRM rescinds certain measures and delays the effective date for others, it also introduces new measures to streamline prior authorization processes and standards to facilitate payer-to-payer data exchanges.
Will There Be an Omnibus HIPAA Final Rule 2024?
Compared to the relative simplicity of the two CMS NPRMs, the Proposed Modifications to the HIPAA Privacy Rule published by OCR in January 2021 (OCR-0945-AAOO) cover many possible new HIPAA regulations in 2024, with the focus on aligning the Privacy Rule more closely with HHS’ Advancing Interoperability initiative. The summary of the major provisions includes:
- Modifying patients’ rights so they can access copies of PHI within 15 days, take photos of PHI, and send copies to a third party provider or app.
- Amending the definition of health care operations to permit disclosures of PHI for individual-level care coordination and case management.
- Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures.
- Replacing language referring to “professional judgement” with “good faith belief” (that disclosures are in the best interests of individuals).
- Changing the wording of disclosures to avert a threat to health and safety to “serious and reasonably foreseeable” from the stricter “serious and imminent”.
- Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a treatment provider’s Notice of Privacy Practices.
Due to the complexity of the NPRM and attempts to align patients’ rights with HHS’ Advancing Interoperability initiative, it is likely that some of the major provisions will be adopted, while others will be delayed for further consideration. With further changes to the HIPAA Privacy Rule in the pipeline to accommodate the Part 2 and interoperability proposals, it seems unlikely there will be an Omnibus HIPAA Final Rule 2024 like there was in 2013.
Future HIPAA Updates to be Aware Of
In April 2023, HHS’ Office for Civil Rights published a Notice of Proposed Rule Making in the Federal Register (88 FR 23506) relating to reproductive healthcare and reproductive healthcare records. In the Notice, the agency reported concerns that reproductive health care records could be used to pursue criminal charges against individuals facilitating out-of-state pregnancy terminations, and the threat of a disclosure might prompt patients to withhold information from healthcare providers.
The agency has responded to these concerns by proposing a new definition of reproductive healthcare and putting forward new limitations on the use and disclosure of reproductive healthcare records. Due to the sensitive nature of reproductive health in the current political climate, the proposed Rule will likely be finalized in 2024. The new definition will not only apply to terminations, but to any pregnancy-related event – including contraception, fertility treatment, and miscarriages – regardless of whether the covered entity operates in an anti- or pro-abortion state.
It is also important to be aware that uses and disclosures of reproductive healthcare records will be subject to an attestation that the records will not be used for civil, criminal, or administrative proceedings related to an out-of-state termination. If the records are subsequently disclosed in a proceeding of this nature, the attestor will be considered to be in violation of §1177 of the Social Security Act – a criminal offense for which the maximum penalty is $250,000 and/or up to ten years in jail.
How to Keep Up to Date with HIPAA Changes in 2024
The most effective way to keep up to date with HIPAA changes in 2024 is to sign up for HHS’ Email Updates. The best of the update services to subscribe to is the “Weekly News Digest”, because its issues are easy to scan for any recent HIPAA changes that affect your organization. You can also comment on open rules (i.e., Requests for Information and NPRMs) via the HHS Laws and Regulations Home Page.
If your interest extends beyond proposed HIPAA changes to OCR enforcement actions, guidance, and other press releases, the HHS website hosts a dedicated HIPAA Newsroom web page; while the best place to identify proposals that may lead to future new HIPAA regulations – particularly those relating to Part 162 and interoperability – is the CMS Newsroom.
HIPAA Changes 2023-2024: FAQs
What did the Omnibus Final Rule changes to HIPAA in 2013 do?
The Omnibus Final Rule changes to HIPAA in 2013 implemented most of the changes stipulated by the HITECH Act 2009. These included increasing the limitations on uses and disclosures of PHI, making Business Associates directly liable for HIPAA violations, and expanding patients’ rights. The Omnibus Final Rule also finalized the changes to HIPAA enforcement that, up to that point, had been governed by an Interim Rule.
When was HIPAA last updated?
HIPAA was last updated in 2020 with the publication of CMS’ “Interoperability and Patient Access” Final Rule. However, this Final Rule is under review and many of its provisions may be rescinded or delayed. Prior to 2020, the previous update was the Privacy Rule change to accommodate disclosures of PHI required for the National Instant Criminal Background Check System in 2016.
What were the changes to HIPAA in 2017?
There were no changes to HIPAA in 2017. However, there were changes to the Public Welfare Code (42 CFR Part 2) that impacted HIPAA Covered Entities who create, receive, use, store, or transmit patient records that include information about substance use disorders. This information is currently subject to stricter limits on uses and disclosures than other PHI. However, this may change in 2024.
Where is the best place to find the latest changes to HIPAA law?
The best place to find the latest changes to HIPAA law – or at least changes to the Administrative Simplification Regulations that resulted from the passage of HIPAA – is the HHS’ Office for Civil Rights website. As mentioned in the above article, the opportunity exists to sign up for a “Weekly News Digest” that will deliver the latest changes to HIPAA law to your email inbox.
How will HHS announce HIPAA law changes in 2024?
HHS will announce HIPAA law changes in 2024 via one or more Final Rules published in the Federal Register. Final Rules tend to be long-winded, but they do provide the background to why a standard is being added, amended, or rescinded, and reference the standard in the Code of Federal Regulations so it can be viewed in the context of other standards in the same section.
Where can you find the latest version of HIPAA?
You can find the latest version of HIPAA via the online eCFR system (https://www.ecfr.gov/). The HIPAA Administrative Simplification Rules are in three Parts – 45 CFR 160, 162, and 164. If you only want to find the latest version of the HIPAA Privacy Rule, you can navigate directly to 45 CFR Part 164 Subpart E. (The Security Rule is in Subpart C and the Breach Notification Rule is in Subpart D).