
Upcoming 2024 HIPAA updates and changes


The healthcare industry constantly adapts to new regulations, and the Health Insurance Portability and Accountability Act (HIPAA) is no exception. A range of proposed and anticipated HIPAA changes is set to reshape the compliance landscape for covered entities and business associates. From updates to the Privacy Rule to advances in interoperability, the coming years promise to be a dynamic and transformative period for HIPAA compliance.

 

Proposed modifications to the HIPAA privacy rule

One major development is the series of proposed modifications to the HIPAA Privacy Rule. These proposed changes address a variety of areas, including:

 

Permitting disclosures for substance use disorder and mental health care

The proposed rules would allow for increased disclosures of protected health information (PHI) when needed to assist individuals with substance use disorder or serious mental illness, as well as in emergency circumstances.

 

Facilitating care coordination and case management

The modifications would clarify the permissibility of disclosing PHI for individual-level care coordination and case management, reducing the need for obtaining consent in these scenarios.

 

Strengthening access rights and reducing response times

The proposals seek to bolster individuals' rights to access their PHI, including through personal health applications and third-party transfers, while shortening the time covered entities have to respond to access requests.

 

Streamlining identity verification

The proposed rules aim to reduce the burden on individuals exercising their access rights by minimizing identity verification requirements, so that individuals do not face unreasonable obstacles.


 

Aligning HIPAA with the confidentiality of substance use disorder patient records

In addition to the Privacy Rule modifications, HHS has also sought to address the disparities between HIPAA and the Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR Part 2). The agency published a Final Rule in February 2024 that aims to better align the requirements of the HIPAA Privacy Rule with those governing the confidentiality of substance use disorder patient records.

Changes introduced by this Final Rule include:

  • Allowing re-disclosures of Part 2 records by HIPAA-covered entities, provided the disclosures are permitted under the HIPAA Privacy Rule
  • Aligning the content of Substance Use Disorder Patient Notices with HIPAA Notices of Privacy Practices
  • Requiring breach notifications consistent with the HIPAA Breach Notification Rule


 

Advancing interoperability and patient access

The push for greater healthcare interoperability has also impacted HIPAA compliance. The CMS Interoperability and Patient Access Final Rule has introduced new requirements for covered entities, including the need to:

  • Implement a Patient Access API that allows patients to use an app of their choosing to access their PHI
  • Ensure that denying a patient access to their PHI via an app is only permissible if a genuine risk to the confidentiality, integrity, and availability of electronic PHI can be demonstrated

These changes have implications for both Privacy Rule standards related to patients' rights and Security Rule standards regarding risk analyses.

 

Reproductive health information and HIPAA privacy protections

In the wake of the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization, which overturned Roe v. Wade and removed the federal right to abortion, HHS has acted to strengthen the privacy protections for reproductive health information under the HIPAA Privacy Rule.

The new Final Rule, effective June 25, 2024, introduces the following main provisions:

  • A prohibition on the use or disclosure of PHI related to reproductive health care that is sought to investigate or impose liability on individuals, healthcare providers, or others who seek, obtain, provide, or facilitate such care
  • A requirement for regulated healthcare providers, plans, and clearinghouses to obtain a signed attestation that certain requests for PHI potentially related to reproductive health care are not for the prohibited purposes
  • Modifications to Notices of Privacy Practices to support the enhanced privacy protections for reproductive health information


 

Cybersecurity and the HIPAA Security Rule

Recognizing the growing threat of cybersecurity incidents in the healthcare sector, HHS has also turned its attention to the HIPAA Security Rule. In a December 2023 Concept Paper, the agency outlined plans to develop a cybersecurity framework directed at improving cyber resilience and better protecting patient data.

The elements of this framework include:

  • The introduction of "voluntary" Cybersecurity Performance Goals (CPGs) that healthcare providers will be incentivized to adopt
  • Proposed updates to the HIPAA Security Rule, which are expected to be published in Spring 2024 and take effect in 2025, after a grace period for compliance

To support low-resourced healthcare providers, HHS has also requested additional funding to provide financial assistance for the implementation of the new CPGs.

 

Expanding the reach of the FTC's Breach Notification Rule

While HHS primarily enforces HIPAA compliance, the Federal Trade Commission (FTC) also has a part in regulating healthcare data through its Health Breach Notification Rule. In April 2023, the FTC published a final rule that updates this regulation to better protect consumers' sensitive health data.

Changes to the FTC's Health Breach Notification Rule include:

  • Expanded definitions to ensure the rule applies to health apps and similar technologies not covered by HIPAA
  • The introduction of a new "emergent health data" classification, which includes purchase records and location data related to healthcare
  • Revised notification requirements, including shorter timelines for issuing breach notifications and mandatory reporting to the FTC for breaches involving 500 or more individuals

 

Monitoring the HIPAA regulatory pipeline

Healthcare organizations must stay informed about HIPAA regulations and be prepared for any upcoming changes. Some considerations include:

 

Tracking proposed rules and final rules

Closely monitoring the Federal Register, HHS and CMS news sources, and industry publications can help identify new HIPAA-related proposals and final rules as they emerge.

 

Understanding implementation timelines

The time it takes for a proposed rule to become a binding HIPAA regulation varies greatly, depending on the complexity of the changes. Familiarity with typical implementation timelines helps organizations plan and prepare accordingly.

 

Ensuring compliance and mitigating risks

As the HIPAA regulations continue to change, covered entities and business associates must be proactive in ensuring compliance and mitigating the risks of non-compliance. This may involve:

  • Regularly reviewing and updating policies and procedures to align with new HIPAA requirements
  • Providing training to all staff members on the latest HIPAA changes and their implications
  • Conducting thorough risk assessments and implementing security measures to protect electronic PHI
  • Staying informed about enforcement actions and industry trends to identify potential areas of vulnerability

By continually adapting to these changes, healthcare organizations can confidently handle the coming years while safeguarding the privacy and security of patient data.

 

In the news

In a recent interview, OCR Director Melanie Fontes Rainer revealed that HHS has proposed regulatory revisions to the HIPAA Security Rule. These updates aim to modernize the 20-year-old regulation and address changes in healthcare, including the increasing reliance on online services and the need for encryption. Director Rainer indicated that the Security Rule's technology-neutral and scalable nature has allowed for its continued enforcement, but the proposed changes seek to ensure it reflects the current state of healthcare delivery.

According to Director Rainer, OCR plans to restart the HITECH audit program, which will focus on the Security Rule, specifically security risk analyses and risk management. With limited resources, OCR is trying to drive voluntary compliance, and these audits will serve as an educational tool for HIPAA-regulated entities. Healthcare providers should be prepared for the possibility of a HITECH audit in the coming year, as OCR seeks to confirm that organizations both understand and have implemented the Security Rule's requirements.

 

FAQs

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).

HIPAA is designed to protect the privacy and security of individuals' health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.

 

Who does HIPAA apply to?

HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities, meaning entities that perform certain functions or activities involving PHI on behalf of a covered entity.

 

Do I need patient consent to share protected health information (PHI) with other entities?

In most cases, covered entities can share PHI without patient consent for treatment, payment, and healthcare operations. However, there are exceptions and limitations, and reviewing the specific requirements outlined in the Privacy Rule is necessary.

 

What tools can I use to ensure HIPAA compliance?

There are various tools available to assist with HIPAA compliance, including HIPAA compliance software, secure email solutions, encryption technologies, and training programs. Choose tools that align with your organization's specific needs and requirements.

 
