New HIPAA regulatory changes will impact how providers manage, access, and disclose protected health information (PHI).
The CMS Interoperability and Patient Access Final Rule (85 FR 25510) requires covered entities to implement a Patient Access API that allows patients to use an app to access PHI held by or on behalf of a covered entity. These covered entities must use security measures to ensure Privacy Rule and Security Rule compliance.
Furthermore, denying a patient access to their PHI via an app will be considered a HIPAA violation however, “it may be appropriate for an organization to deny or terminate specific applications' connection to its API under certain circumstances in which the application poses an unacceptable risk to the PHI on its systems.”
So, if a patient wants to use a new health app to access their medical records, their provider must offer them a secure app to access PHI unless there is a security risk.
In 2021, the HHS proposed the following modifications to the Privacy Rule, which are expected to come into effect in 2024:
For example, if a patient with a substance use disorder needs emergency care, the hospital can now disclose their PHI to the relevant emergency medical personnel without needing additional permissions.
Following the Supreme Court's decision in Dobbs v. Jackson Women’s Health Organization, the Office for Civil Rights announced a final rule on April 22, 2024, on the privacy of reproductive health information. The final rule took effect on June 25, 2024, with a compliance date of January 1, 2025, for most requirements.
The rule strengthens protections for reproductive health care information by:
In April 2024, the FTC updated the Health Breach Notification Rule to better protect sensitive health data, including data generated from health apps. Providers must issue breach notifications within 60 days of discovering a breach, including detailed information about the entities that received the impermissible data. The FTC must also be notified if the breach involves 500 or more individuals.
CMS has proposed new transaction codes for healthcare attachment transactions and HIPAA e-signature requirements (87 FR 78438). These changes could impact healthcare transactions, like digitally signing business associate agreements and e-prescribing.
Furthermore, these requirements could enhance patient verification processes for accessing PHI via personal health apps, ensuring patients accessing health information are who they claim to be.
For example, if a patient uses an app to access their health records, the app could need a HIPAA compliant e-signature to verify the patient's identity.
In December 2023, HHS published a Concept Paper outlining a cybersecurity framework to improve cyber resiliency and better protect patient data. The framework will develop ‘voluntary’ cybersecurity goals and incentivize healthcare providers to adopt best practices to help them reach Cybersecurity Performance Goals (CPGs).
Provider organizations can, for example, update firewalls, encrypt patient data, and implement multi-factor authentication to comply with these new cybersecurity standards. Recognizing the proactive efforts, the OCR can help cover the upgrade costs, ensuring continued HIPAA compliance.
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals’ health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
HIPAA rules apply to healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle patients’ protected health information (PHI).
Breaches must be reported within 60 days of discovery, with simultaneous notification to the FTC for breaches involving 500 or more individuals.
Learn more: HIPAA Compliant Email: The Definitive Guide