New HIPAA regulatory changes will impact how providers manage, access, and disclose protected health information (PHI).
Unpacking 2024 HIPAA changes
HHS Advancing Interoperability Initiative
The CMS Interoperability and Patient Access Final Rule (85 FR 25510) requires covered entities to implement a Patient Access API that allows patients to use an app to access PHI held by or on behalf of a covered entity. These covered entities must use security measures to ensure Privacy Rule and Security Rule compliance.
Furthermore, denying a patient access to their PHI via an app will be considered a HIPAA violation however, “it may be appropriate for an organization to deny or terminate specific applications' connection to its API under certain circumstances in which the application poses an unacceptable risk to the PHI on its systems.”
So, if a patient wants to use a new health app to access their medical records, their provider must offer them a secure app to access PHI unless there is a security risk.
Changes to the HIPAA Privacy Rule
In 2021, the HHS proposed the following modifications to the Privacy Rule, which are expected to come into effect in 2024:
- Permitting disclosures of PHI for substance use disorder, serious mental illness, and emergency circumstances.
- Allowing disclosures for individual-level care coordination and case management.
- Strengthening individual access rights to PHI, including faster response times for access requests.
- Addressing PHI access, including transfers to third parties via a Patient Access API.
- Reducing identity verification burdens so individuals do not face unreasonable obstacles when accessing their PHI.
For example, if a patient with a substance use disorder needs emergency care, the hospital can now disclose their PHI to the relevant emergency medical personnel without needing additional permissions.
New regulations for reproductive health information
Following the Supreme Court's decision in Dobbs v. Jackson Women’s Health Organization, the Office for Civil Rights announced a final rule on April 22, 2024, on the privacy of reproductive health information. The final rule took effect on June 25, 2024, with a compliance date of January 1, 2025, for most requirements.
The rule strengthens protections for reproductive health care information by:
- Prohibiting the use or disclosure of PHI to investigate or impose liability on individuals, healthcare providers, or others involved in lawful reproductive health care.
- Requiring a signed attestation that requests for PHI potentially related to reproductive health care are not for prohibited purposes.
- Requiring updates to Notices of Privacy Practices to support reproductive health care privacy, with a compliance date of February 16, 2026.
- For example, if a patient has an out-of-state abortion, their reproductive health information cannot be used by their home state to prosecute them or their healthcare providers.
Updates to the Health Breach Notification Rule
In April 2024, the FTC updated the Health Breach Notification Rule to better protect sensitive health data, including data generated from health apps. Providers must issue breach notifications within 60 days of discovering a breach, including detailed information about the entities that received the impermissible data. The FTC must also be notified if the breach involves 500 or more individuals.
E-signature requirements
CMS has proposed new transaction codes for healthcare attachment transactions and HIPAA e-signature requirements (87 FR 78438). These changes could impact healthcare transactions, like digitally signing business associate agreements and e-prescribing.
Furthermore, these requirements could enhance patient verification processes for accessing PHI via personal health apps, ensuring patients accessing health information are who they claim to be.
For example, if a patient uses an app to access their health records, the app could need a HIPAA compliant e-signature to verify the patient's identity.
The Security Rule Concept Paper
In December 2023, HHS published a Concept Paper outlining a cybersecurity framework to improve cyber resiliency and better protect patient data. The framework will develop ‘voluntary’ cybersecurity goals and incentivize healthcare providers to adopt best practices to help them reach Cybersecurity Performance Goals (CPGs).
Provider organizations can, for example, update firewalls, encrypt patient data, and implement multi-factor authentication to comply with these new cybersecurity standards. Recognizing the proactive efforts, the OCR can help cover the upgrade costs, ensuring continued HIPAA compliance.
How providers can prepare for HIPAA changes
- Implement or update Patient Access APIs to comply with interoperability requirements.
- Review and align security measures with recognized frameworks to mitigate penalties.
- Update policies to accommodate new Privacy Rule modifications.
- Train staff on the updated reproductive health information regulations.
- Ensure timely and detailed breach notifications as required in the updated Health Breach Notification Rule.
- Use HIPAA e-signature requirements to improve patient verification processes.
FAQs
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
Who must follow HIPAA rules?
HIPAA rules apply to healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle patients’ protected health information (PHI).
How soon must breaches be reported under the new FTC rule?
Breaches must be reported within 60 days of discovery, with simultaneous notification to the FTC for breaches involving 500 or more individuals.
Learn more: HIPAA Compliant Email: The Definitive Guide
Subscribe to Paubox Weekly
Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.