The healthcare industry constantly adapts to new regulations, and the Health Insurance Portability and Accountability Act (HIPAA) is no exception. A range of proposed and anticipated HIPAA changes are set to reshape the compliance field for covered entities and business associates. From updates to the privacy rule to advancements in interoperability, the coming years promise to be a dynamic and transformative period for HIPAA compliance.
One major development is the series of proposed modifications to the HIPAA Privacy Rule. These proposed changes aim to address a variety of areas, including:
The proposed rules would allow for increased disclosures of protected health information (PHI) when needed to assist individuals with substance use disorder or serious mental illness, as well as in emergency circumstances.
The modifications would clarify the permissibility of disclosing PHI for individual-level care coordination and case management, reducing the need for obtaining consent in these scenarios.
The proposals seek to bolster individuals' rights to access their PHI, including through personal health applications and third-party transfers, while shortening the time covered entities have to respond to access requests.
The proposed rules aim to reduce the burden on individuals exercising their access rights by minimizing the verification requirements, ensuring they do not face unreasonable obstacles.
In addition to the Privacy Rule modifications, HHS has also sought to address the disparities between HIPAA and the Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR Part 2). The agency published a Final Rule in February 2024 that aims to better align the requirements of the HIPAA Privacy Rule with those governing the confidentiality of substance use disorder patient records.
Changes introduced by this Final Rule include:
The push for greater healthcare interoperability has also impacted HIPAA compliance. The CMS Interoperability and Patient Access Final Rule has introduced new requirements for covered entities, including the need to:
These changes have implications for both Privacy Rule standards related to patients' rights and Security Rule standards regarding risk analyses.
In the wake of the Supreme Court's decision in Dobbs v. Jackson Women's Health Organization, which overturned Roe v. Wade and removed the federal right to abortion, HHS has acted to strengthen the privacy protections for reproductive health information under the HIPAA Privacy Rule.
The new Final Rule, effective June 25, 2024, introduces the following main provisions:
Recognizing the growing threat of cybersecurity incidents in the healthcare sector, HHS has also turned its attention to the HIPAA Security Rule. In a December 2023 Concept Paper, the agency outlined plans to develop a cybersecurity framework directed at improving cyber resilience and better protecting patient data.
The elements of this framework include:
To support low-resourced healthcare providers, HHS has also requested additional funding to provide financial assistance for the implementation of the new cybersecurity performance goals (CPGs).
While HHS primarily enforces HIPAA compliance, the Federal Trade Commission (FTC) also plays a role in regulating healthcare data through its Health Breach Notification Rule. In April 2023, the FTC published a final rule that updates this regulation to better protect consumers' sensitive health data.
Changes to the FTC's Health Breach Notification Rule include:
Healthcare organizations must stay informed about HIPAA regulations and be prepared for any upcoming changes. Some considerations include:
Closely monitoring the Federal Register, HHS and CMS news sources, and industry publications can help identify new HIPAA-related proposals and final rules as they emerge.
The time it takes for proposed rules to become new HIPAA regulations can vary greatly, depending on the complexity of the changes. Familiarity with typical implementation timelines can help organizations plan and prepare accordingly.
As the HIPAA regulations continue to change, covered entities and business associates must be proactive in ensuring compliance and mitigating the risks of non-compliance. This may involve:
By continually adapting to these changes, healthcare organizations can confidently navigate the coming years while safeguarding the privacy and security of patient data.
In a recent interview, OCR Director Melanie Fontes Rainer revealed that HHS has proposed regulatory revisions related to the HIPAA Security Rule. These updates aim to modernize the 20-year-old regulation and address changes in healthcare, including the increasing reliance on online services and the need for encryption. Director Rainer noted that the Security Rule's technology-neutral and scalable nature has allowed for its continued enforcement, but the proposed changes seek to ensure it reflects the current state of healthcare delivery.
According to Director Rainer, OCR plans to reinitiate the HITECH audit program, which will focus on the Security Rule, specifically targeting security risk analyses and risk management. With limited resources, OCR is trying to drive voluntary compliance, and these audits will serve as an educational tool for HIPAA-regulated entities. Healthcare providers should be prepared for the possibility of a HITECH audit in the coming year, as OCR seeks to ensure that organizations understand and have implemented the Security Rule's requirements.
The Health Insurance Portability and Accountability Act (HIPAA) sets national standards for protecting the privacy and security of certain health information, known as protected health information (PHI).
HIPAA is designed to protect the privacy and security of individuals' health information and to ensure that healthcare providers and insurers can securely exchange electronic health information. Violations of HIPAA can result in significant fines and penalties for covered entities.
HIPAA applies to covered entities, which include healthcare providers, health plans, and healthcare clearinghouses. It also applies to business associates of these covered entities. These are entities that perform certain functions or activities on behalf of the covered entity.
In most cases, covered entities can share PHI without patient consent for treatment, payment, and healthcare operations. However, there are exceptions and limitations, and reviewing the specific requirements outlined in the Privacy Rule is necessary.
There are various tools available to assist with HIPAA compliance, including HIPAA compliance software, secure email solutions, encryption technologies, and training programs. Choose tools that align with your organization's specific needs and requirements.