HIPAA Changes 2023

When discussing recent HIPAA changes, many sources limit the discussion to Part 164 of the HIPAA Administrative Simplification Regulations – the Part of the HIPAA Regulations which contains the Privacy, Security, and Breach Notification Rules. Some sources also refer to the Omnibus Final Rule changes to HIPAA in 2013 as the most recent update to HIPAA.

However, not only have there been more recent HIPAA changes to Part 164 since the Omnibus Final Rule, but there have also been changes elsewhere in the Administrative Simplification Regulations that lay the foundations for new HIPAA regulations in 2023. This article explains what the recent HIPAA changes are and what any new HIPAA regulations may consist of.

HIPAA Privacy Rule Changes 2023 Since 2013

HIPAA Privacy Rule changes are infrequent and – since 2013 – have been in response to a change in law or an Executive Order that impacts a Privacy Rule standard. For example, in 2014, a change to the Clinical Laboratory Improvement Amendments of 1988 made it possible for HHS’ Office for Civil Rights to remove an exception to patients’ rights of access in §164.524 (Access of Individuals to PHI).

Two years later, HHS’ Office for Civil Rights added a subsection to §164.512 (Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required) in response to an Executive Order. The change to the HIPAA Privacy Rule permits Covered Entities to disclose the identities of certain individuals to the National Instant Criminal Background Check System (NICS).

Other HIPAA Privacy Rule changes for 2023 were proposed by HHS’ Office for Civil Rights in 2021. These are discussed in greater detail below (“Will There Be an Omnibus HIPAA Final Rule 2023?”). As with previous HIPAA Privacy Rule changes, some of the proposals are in response to changes in law or Executive Orders. However, others are being introduced to align with HHS’ Advancing Interoperability initiative – which is also discussed in greater detail below.

Other HIPAA Rule Changes up to 2023

The Office for Civil Rights (OCR) is not the only agency within the Department of Health and Human Services (HHS) with the authority to make new HIPAA rules or publish HIPAA rule changes. The Centers for Medicare and Medicaid Services (CMS) also has the authority to publish new HIPAA regulations and is currently the driving force behind HHS’ Advancing Interoperability initiative.

CMS has exercised its authority to publish HIPAA changes on several occasions since 2013. In 2014, the agency changed the compliance date for previously published ICD-10 transaction standards; and, in 2019, a more recent HIPAA change rescinded a previous Rule requiring the adoption of a standard unique health plan identifier following four years of “enforcement discretion”.

However, the most significant CMS HIPAA changes occurred in 2020 when the agency published the “Interoperability and Patient Access” Final Rule (85 FR 25510). Among other provisions, this Rule requires Covered Entities to implement and maintain a standards-based Patient Access API that allows patients to use an app of their choosing to access PHI held by or on behalf of a Covered Entity.

While this Rule does not amend any HIPAA standards other than those in Part 162, it has implications for complying with the patients’ rights standards of the Privacy Rule and the risk assessment standards of the Security Rule. This is because Covered Entities will not be able to refuse access requests if there is no provable risk to the confidentiality, integrity, and availability of electronic PHI maintained by the Covered Entity while a third party app is connected to the Patient Access API.

Other Rules and Changes that Impact HIPAA Compliance

HIPAA is not the only federal law that imposes standards for the privacy of health information. In 2017, the Confidentiality of Alcohol and Drug Abuse Patients Records (42 CFR Part 2) was updated for the first time in 22 years – creating a two-tier scenario in which some individually identifiable health information had fewer permissible uses and disclosures than other health information.

Now referred to as the Confidentiality of Substance Use Disorder Patients Records, this Part of the Public Welfare Code was again updated in 2020 to “align the regulations with advances in the health care delivery system”, and further updates are under consideration that would more closely align Part 2 regulations with those of the HIPAA Privacy Rule to do away with the two tiers of protection.

In addition to other regulations in the Public Welfare Code, other federal laws, and Executive Orders, state rules – and changes to them – can also impact HIPAA compliance. The best example of this is the Texas Medical Privacy Act as amended by HB 300 which classifies all entities that assemble, analyze, use, evaluate, store, or transmit the PHI of a Texas citizen as a Covered Entity.

Conversely, other state laws can exempt HIPAA Covered Entities from complying with state privacy and/or breach notification regulations. This can result in a scenario in which an Organized Health Care Arrangement or other healthcare group can operate on two sides of a state border and be subject to different privacy, security, and breach notification regulations and procedures.

Changes to the Enforcement of HIPAA

In 2009, Section 13410(d) of the HITECH Act amended §1176 of the Social Security Act to introduce a four-tier civil monetary penalty structure for violations of HIPAA according to the culpability of the violating party. The same section also removed the previous affirmative defense to the imposition of penalties if the Covered Entity did not know and with the exercise of reasonable diligence would not have known of the violation, and made Business Associates directly liable for HIPAA violations.

Initially, the maximum penalty per violation type per year was set at $1,500,000. However, following the passage of the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, the minimum and maximum penalties in each penalty tier have been increased annually to account for inflation. As of May 2023, the civil monetary penalties for violations of HIPAA are:

Penalty Tier	Level of Culpability	Minimum Penalty per Violation Type	Maximum Penalty per Violation Type	Annual Penalty Limit
Tier 1	Lack of Knowledge	$127	$31,987	$31,987
Tier 2	Lack of Oversight	$1,280	$63,973	$127,974
Tier 3	Willful Neglect	$12,794	$63,973	$319,865
Tier 4	Willful Neglect not Corrected in 30 days	$63,973	$63,973	$1,919,173

In 2021. an amendment to the HITECH Act allows OCR to use its discretion when imposing a civil monetary penalty or corrective action plan on an organization that can demonstrate 12 months compliance with a recognized security framework. Compliance with a security framework does not absolve an organization of its liability, but it can significantly reduce the financial consequences.

OCR was also allowed to use enforcement discretion with regards to certain activities during the COVID-19 pandemic. The temporary relaxation of enforcement during the public health emergency enabled healthcare providers to better provide remote telehealth services, disclose PHI for public health purposes, and participate in community-based testing and vaccination administration.

Expected Changes to HIPAA in 2023

New HIPAA regulations usually follow a set process. Initially, HHS publishes a Request for Information seeking feedback on a proposed change to one or more HIPAA regulations or a new HIPAA standard. After considering the feedback, the Department publishes a Notice of Proposed Rulemaking (NPRM) which allows a period for further comments before a Final Rule is published.

There have been several NPRMs published in recent years – some of which are complicated and may take some time for the comments to be considered. Others are simpler and/or less contentious, and these will be quicker to progress from NPRM to Final Rule. Two in particular are more straightforward than most and these, we expect, will make changes to HIPAA in 2023.

The first NPRM (CMS-0053-P) proposes three new standards to facilitate healthcare attachment standards and the requirement that e-signatures are used to verify attachments when these standards are used. Although modest in the changes to HIPAA, the e-signature standard could be extended to other transactions and HIPAA-covered procedures as discussed in this article.

The second NPRM (CMS-0057-P) relates to CMS’ “Interoperability and Patient Access” Final Rule published in 2020 (see “Other HIPAA Rule Changes” above). While the NRPM rescinds certain measures and delays the effective date for others, it also introduces new measures to streamline prior authorization processes and standards to facilitate payer-to-payer data exchanges.

Will There Be an Omnibus HIPAA Final Rule 2023?

Compared to the relative simplicity of the two CMS NPRMs, the Proposed Modifications to the HIPAA Privacy Rule published by OCR in January 2021 (OCR-0945-AAOO) cover many possible new HIPAA regulations in 2023 – with the focus on aligning the Privacy Rule more closely with HHS’ Advancing Interoperability initiative. The summary of the major provisions includes:

• Modifying patients’ rights so they can access copies of PHI within 15 days, take photos of PHI, and send copies to a third party provider or app.
• Amending the definition of health care operations to permit disclosures of PHI for individual-level care coordination and case management.
• Creating an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures.
• Replacing language referring to “professional judgement” with “good faith belief” (that disclosures are in the best interests of individuals).
• Changing the wording of disclosures to avert a threat to health and safety to “serious and reasonably foreseeable” from the stricter “serious and imminent”.
• Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a treatment provider’s Notice of Privacy Practices.

Due to the complexity of the NPRM and attempts to align patients’ rights with HHS’ Advancing Interoperability initiative, it is likely that some of the major provisions will be adopted, while others will be delayed for further consideration. Additionally, with further changes to the HIPAA Privacy Rule in the pipeline to accommodate the Part 2 and interoperability proposals, it seems unlikely there will be an Omnibus HIPAA Final Rule 2023 like there was in 2013.

Future HIPAA Updates to be Aware Of

In April 2023, HHS’ Office for Civil Rights published a Notice of Proposed Rule Making in the Federal Register (88 FR 23506) relating to reproductive healthcare and reproductive healthcare records. In the Notice, the agency reported concerns that reproductive health care records could be used to pursue criminal charges against individuals facilitating out-of-state pregnancy terminations, and the threat of a disclosure might prompt patients to withhold information from healthcare providers.

The agency has responded to these concerns by proposing a new definition of reproductive healthcare and putting forward new limitations on the use and disclosure of reproductive healthcare records. Importantly, although unlikely to be finalized this year, the new definition will not only apply to terminations, but to any pregnancy-related event – including contraception, fertility treatment, and miscarriages – regardless of whether the Covered Entity operates in an anti- or pro-abortion state.

It is also important to be aware that uses and disclosures of reproductive healthcare records will be subject to an attestation that the records will not be used for civil, criminal, or administrative proceedings related to an out-of-state termination. If the records are subsequently disclosed in a hearing of this nature, the attestor will be considered to be in violation of §1177 of the Social Security Act – a criminal offence for which the maximum penalty is $250,000 and/or up to ten years in jail.

How to Keep Up to Date with HIPAA Changes in 2023

The most effective way to keep up to date with HIPAA changes in 2023 is to sign up for HHS’ Email Updates. The best of the update services to subscribe to is the “Weekly News Digest” because these are easier to scan to see if there are any recent HIPAA changes that affect your organization. You can also comment on open rules (i.e., Requests for Information and NPRMs) via the HHS Laws and Regulations Home Page.

If your interest extends beyond proposed HIPAA changes to OCR enforcement actions, guidance, and other press releases, the HHS website hosts a dedicated HIPAA Newsroom web page; while the best place to identify proposals that may lead to future new HIPAA regulations – particularly those relating to Part 162 and interoperability – is the CMS Newsroom.

HIPAA Changes 2023: FAQs: