HIPAA Updates and HIPAA Changes in 2023

By | January 9, 2023

The Health Insurance Portability and Accountability Act was signed into law in 1996 and while there have been some significant HIPAA updates over the last two decades, the last set of major HIPAA updates occurred in 2013 with the introduction of the HIPAA Omnibus Final Rule. Updates to HIPAA are long overdue but steps were finally made to update HIPAA in December 2020, when the HHS issued a notice of Proposed Rulemaking that detailed several proposed changes to the HIPAA Privacy Rule, and a Final Rule is now due which will likely see those HIPAA changes implemented in 2023. There has also been a proposed update to align the 42 CFR Part 2 – Confidentiality Of Substance Use Disorder Patient Records (Part 2) regulations more closely with HIPAA, with those Part 2 and HIPAA changes expected to be signed into law in 2023.

Major HIPAA Updates in the Past 20 Years

Since HIPAA was signed into law there have been a few major HIPAA updates. The HIPAA Privacy and Security Rules were introduced which limited uses and disclosures of protected health information, gave patients new rights over their healthcare data, and introduced a set of minimum security standards. Those HIPAA updates were followed by the incorporation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which saw the introduction of the Breach Notification Rule in 2009 and the Omnibus Final Rule in 2013. Such major HIPAA updates placed a significant burden on HIPAA-covered entities and considerable time and effort were required to introduce new policies and procedures to ensure continued HIPAA compliance.

It is now 10 years since the last major HIPAA update took effect. Over the past 10 years, various issues have arisen with HIPAA due to changes in working practices and the advancement of technology. Rather than tackle these issues with rule changes, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has favored issuing HIPAA guidance to clear up misunderstandings over the requirements of HIPAA, but we are now at a point when changes to HIPAA Rules are needed and are about to be made.

HIPAA Changes in 2023

Over the past few years, there have been increasing calls for HIPAA changes to decrease the administrative burden on HIPAA-covered entities, but the HIPAA 2023 rules and regulations are currently still the same as they were in 2013. OCR responded to feedback from healthcare industry stakeholders by issuing a request for information (RFI) in December 2018 on potential changes to the HIPAA Rules. OCR sought comments from HIPAA-covered entities about possible changes to HIPAA Rules in 2019 and beyond, which are mostly concerned with the easing of certain administrative requirements and the removal of certain provisions of the HIPAA Privacy Rule that have been limiting or discouraging the coordination of care. The comment period closed on February 12, 2019.

OCR asked 54 different questions in its RFI. Some of the main aspects that were under consideration were:

  • Patients’ right to access and obtain copies of their protected health information and the time frame for responding to those requests (Currently 30 days)
  • Removing the requirement to obtain written confirmation of receipt of an organization’s notice of privacy practices
  • Promotion of parent and caregiver roles in care
  • Easing of restrictions on disclosures of PHI without authorization
  • Possible exceptions to the minimum necessary standard for disclosures of PHI
  • Changes to HITECH Act requirements for the accounting of disclosures of PHI for treatment, payment, and healthcare operations
  • Encouragement of information sharing for treatment and care coordination
  • Changing the Privacy Rule to make sharing PHI with other providers mandatory rather than permissible.
  • Expansion of healthcare clearinghouses’ access to PHI
  • Addressing the opioid crisis and serious mental illness

In 2019, then OCR Director, Roger Severino, said, “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information.”

The aim of the HHS is to implement changes that will make compliance less of a burden without negatively affecting patient privacy or decreasing the security of individuals’ protected health information (PHI). There are no planned changes to the HIPAA Security Rule, but several HIPAA Privacy Rule changes have been proposed.

It has been suggested that in many of the areas covered by the RFI, the best solution may not be HIPAA rule changes. Guidance was issued in 2022 and it is likely that further HIPAA guidelines will be issued in 2023 to tackle some of the issues currently experienced with HIPAA compliance by clearing up misconceptions and correcting false interpretations of the HIPAA requirements. However, changes to HIPAA in 2023 are now likely to be implemented, although it may take until 2024 for those changes to become enforceable.

Proposed HIPAA Privacy Rule Changes in 2023

OCR issued a Notice of Proposed Rulemaking on December 10, 2020, that detailed the HIPAA changes to the Privacy Rule that are due to be implemented, based on the responses to its December 2018 RFI. The proposed changes are limited and several HIPAA Privacy Rule changes that healthcare industry stakeholders have been campaigning for have not been included. Most of the proposed HIPAA changes are relatively minor tweaks to strengthen patient access to their PHI, facilitate data sharing, and ease the administrative burden on HIPAA-covered entities.

In 2021, OCR sought feedback on the proposed HIPAA changes for 60 days from the date of publication in the Federal Register, with the comment period extended for a further 45 days to give healthcare industry stakeholders more time to review the proposed changes and provide their feedback. OCR has read the comments and the publication of the Final Rule is now imminent.

The proposed updates to the HIPAA Privacy Rule are as follows:

  • Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
  • Changing the maximum time to provide access to PHI from 30 days to 15 days.
  • Restricting the right of individuals to transfer ePHI to a third party to only ePHI that is maintained in an EHR.
  • Confirming that an individual is permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
  • Stating when individuals should be provided with ePHI without charge.
  • Requiring covered entities to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
  • The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
  • A definition has been added for electronic health records.
  • Wording change to expand the ability of a covered entity to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” (currently it is when harm is “serious and imminent.”)
  • A pathway has been created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • Covered entities will not be required to obtain written acknowledgment from an individual that they have received a Notice of Privacy Practices.
  • HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
  • HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
  • The definition of healthcare operations has been broadened to cover care coordination and case management.
  • Covered health care providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans when individuals direct those entities to do so when they exercise the HIPAA right of access.
  • Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
  • The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.

The Proposed HIPAA Changes Will Create Challenges for Healthcare Providers

The pending HIPAA updates are intended to ease the administration burden on HIPAA-covered entities, although in the short term, the burden will be increased. Updates will need to be made to policies and procedures and changes will be required for notices of privacy practices, although there will not, at least, be the requirement to obtain written acknowledgment that the updated NPPs have been received.

What is certain is HIPAA officers and other compliance staff will have a busy few months when the Final Rule is published. The HHS will provide sufficient notice before the 2023 HIPAA changes take effect and become enforceable, but there will likely be a lot of work to be done. It will be important to create a plan for making all of the required changes to ensure they are fully implemented ahead of the compliance deadline.

When the final rule is issued, there will be a requirement to change policies and procedures and that will require retraining of employees. HIPAA requires training to be provided to the workforce during or soon after onboarding, and after any material change in policies and procedures. HIPAA training may not need to be provided to the entire workforce, but a significant number of employees will need to be trained, and that is likely to place a considerable burden on covered entities and has the potential to cause workflow disruptions.

Improved access to medical records could pose problems for healthcare providers, who will need to ensure they have sufficient staffing and efficient procedures for providing copies of records, as the time frame for providing those records will be shortened from 30 days to 15 days. The extension will also be shortened to 15 days, giving healthcare organizations a maximum of 30 days to provide the requested records.

The definition of EHRs has also been updated to include billing records, and these will need to be provided to patients who request a copy of their PHI. That has the potential to make it more time-consuming to provide copies, as billing records are often kept in different systems than healthcare records. It may be necessary to access two different systems in order to provide patients with a copy of their records.

It will be easy for bottlenecks to occur and important not to get into a situation where the 15 days extension is regularly required. There could well be a need to prioritize requests to make sure patients who urgently need a copy of their records get them in a timely manner. Bear in mind that OCR is laser-focused on healthcare providers that fail to provide patients with timely access to their medical records.

Another of the changes related to patient access is the requirement to allow patients to take notes and photographs of their PHI. There will need to be designated places where patients can inspect their PHI privately and, if required, take photographs of their PHI. Healthcare providers will need to implement safeguards to ensure patients are not taking photographs of PHI that they are not authorized to copy.

The proposed HIPAA changes prohibit covered entities from imposing unreasonable measures on individuals exercising their right of access, including unreasonable identity verification requirements. That has the potential to cause problems for healthcare providers.

A definition has also been added for a personal health application. Patients must be allowed to have their records sent to a personal health application of their choosing, but there may be privacy risks associated with doing so. Patients will need to be made aware of those risks. That will add an additional burden on healthcare providers, who may not necessarily have the required information to determine whether there is a privacy and security risk.

Proposed Part 2 and HIPAA Changes in 2023

In November 2022, OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) which sees both Part 2 and HIPAA changes to better align these regulations.

Part 2 protects patient privacy and records related to treatment for substance use disorder (SUD) with HIPAA applying to protected health information. SUD records are treated differently as they are highly sensitive, and require greater protection and restrictions than other health information covered by the HIPAA Privacy Rule. While these additional protections are important, they can hamper care coordination due to the barriers that they put in the way of information sharing.

The proposed changes are intended to ease the complexity of compliance with HIPAA and Part 2, break down barriers to information sharing, and improve care coordination, without removing protections for patients. The update expands patient rights regarding the uses and disclosures of their SUD records.

The key changes that were proposed are:

  • Single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations.
  • Permitted to redisclose SUD records in accordance with the HIPAA Privacy Rule
  • Patients will be able to obtain an accounting of disclosures of their SUD records and request restrictions on certain disclosures
  • Expansion of prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings
  • Part 2 programs must establish a complaints process about Part 2 violations and must not require patients to waive the right to file a complaint as a condition of providing treatment, enrollment, payment, or eligibility for services.
  • The breach notification requirements to the HHS and affected patients will apply to Part 2 records, which will be covered by the HIPAA Breach Notification Rule.
  • The HIPAA Privacy Rule Notice of Privacy Practices requirements have been updated to address the uses and disclosures of Part 2 records and individual rights with respect to those records.
  • The HHS will be able to impose civil money penalties for violations of Part 2, in line with HIPAA and the HITECH Act

The NPRM was issued in November and there is a 60-day comment period, so it is highly likely that the final rule will be issued in 2023. Covered entities will then be given time to implement the changes before they become enforceable.

HITECH Act Updated in 2021 Regarding Recognized Security Practices

Many healthcare industry stakeholders had been campaigning for the addition of a safe harbor for HIPAA-covered entities and business associates that have adopted a common security framework and have implemented industry-standard security best practices, yet still experienced a data breach. It is not possible to prevent all cyberattacks and data breaches, and it is unfair to punish HIPAA-regulated entities for impermissible disclosures of ePHI when they have made all reasonable efforts to secure their systems. A bill was proposed in 2020 that called for the HHS to consider the recognized security practices that have been adopted by HIPAA-regulated entities, that have been in place for the 12 months prior to a data breach occurring when deciding on financial penalties and other sanctions. The bill, HR 7898, was signed into law by President Trump on January 5, 2021.

The purpose of the bill is to encourage healthcare organizations to invest in security and adopt a recognized security framework by providing an incentive. The HITECH Act update has not created a safe harbor for HIPAA-regulated entities that have adopted a security framework and have implemented industry-standard security best practices, but OCR will consider the efforts made with respect to security when making determinations in its investigations of complaints and data breaches. HIPAA-regulated entities that are able to demonstrate they have adopted recognized security practices will benefit from a decrease in the length and extent of audits and investigations of data breaches and OCR will consider recognized security practices as a mitigating factor and will reduce any financial penalties that would otherwise have been applied. In 2022, in response to another request for information, OCR published a video that explains what recognized security practices are and the evidence that can be submitted to prove they have been in place. OCR said that when investigations are launched, OCR will write to the HIPAA-regulated entity and provide an opportunity for evidence of recognized security practices to be submitted.

HIPAA Fines and Settlements Due to be Shared with Victims of HIPAA Violations

In addition to requesting information on recognized security practices, OCR sought comments on how to implement a requirement of the HITECH Act regarding financial penalties and settlements for HIPAA violations. Section 13410(c)(1) of the HITECH Act requires OCR to share a portion of the funds it receives from its HIPAA enforcement activities with the victims of HIPAA violations. This is important, as there is no private cause of action in HIPAA, which means individuals cannot sue HIPAA-regulated entities for HIPAA violations that have resulted in harm being caused.

The problem for OCR, which is why this requirement has not been implemented to date, is the difficulty in implementing a fair method of determining what victims should receive. In its April 6, 2022 RFI, OCR requested comments to help OCR with establishing a methodology under which an individual who is harmed by an offense punishable under HIPAA may receive a percentage of any civil money penalty or monetary settlement collected with respect to the offense. The Government Accountability Office (GAO) has shared a methodology for sharing funds, but OCR is seeking comment on any alternative methodologies. The main problem, however, is identifying the types of harms that should be considered in the distribution of CMPs and monetary settlements to harmed individuals, as “harm” is not defined by statute.

No timescale has been provided on when a Notice of Proposed Rulemaking will be issued in this regard, or when funds will start to be shared with victims of HIPAA violations. These HIPAA changes could occur in 2023, but it may be 2024 before this HITECH Act requirement is implemented.

HIPAA Changes Due to the 2019 Novel Coronavirus (SARS-CoV-2) and COVID-19

In response to the 2019 Novel Coronavirus pandemic, the HHS announced major changes to the enforcement of HIPAA compliance in 2020, which will remain in place for the duration of the nationwide COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over. These “unprecedented HIPAA flexibilities” were announced in March and April by means of Notices of Enforcement Discretion and are intended to ease the burden on healthcare organizations and business associates that are having to overcome major challenges testing and treating COVID-19 patients. The changes to HIPAA enforcement have been introduced to ensure that HIPAA compliance does not get in the way of the provision of high-quality patient care.

Notification of Enforcement Discretion for Telehealth Remote Communications

The first Notice of Enforcement Discretion was announced by OCR on March 17, 2020. The coronavirus pandemic has seen social distancing measures introduced, and with hospitals dealing with huge numbers of cases, Americans are being encouraged to remain indoors. In order to continue to provide quality care to patients while reducing the risk of patients transmitting or contracting COVID-19, telehealth services have been expanded. The CMS has also expanded telehealth to include all Medicare and Medicaid beneficiaries.

To help ensure that patients receive the care they need, OCR has announced that it will not impose sanctions and penalties on healthcare providers in association with the good faith provision of telehealth services for the purpose of diagnosis and treatment, regardless of whether the telehealth services are directly related to COVID-19. OCR will not impose penalties on healthcare providers in relation to the use of everyday communication technologies for providing those services, even if the platforms used would are not completely compliant with HIPAA. For instance, it is permissible to use Skype (rather than Skype for Business), FaceTime, Google Hangouts Video, and Zoom. It is not permitted to use public-facing platforms to provide these services, such as Facebook Live and TikTok.

“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR Director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities

The second Notice of Enforcement Discretion was announced by OCR on April 2, 2020, and concerns uses and disclosures of PHI by business associates of HIPAA-covered entities for reasons related to public health and health oversight activities. HIPAA does not permit business associates to disclose PHI for public health and health oversight activities unless it is stated that they can do so in their business associate agreement (BAA) with a HIPAA-covered entity.

Under the Notice of Enforcement Discretion, OCR will not impose sanctions and penalties on business associates or their covered entities for these uses and disclosures to the likes of Federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers. Should such a use or disclosure occur, the business associate must notify the covered entity within 10 days of the use or disclosure.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

Notification of Enforcement Discretion for Community-Based Testing Sites

The third Notice of Enforcement Discretion was announced by OCR on April 9, 2020 – backdated to March 13, 2020 – and concerns the good faith participation in the operation of COVID-19 testing centers. OCR will be exercising enforcement discretion and will not impose sanctions and penalties on healthcare providers, including pharmacies, and business associates that participate in the operation of COVID-19 testing sites such as mobile testing centers, walk-up facilities, and drive-through testing centers that only provide COVID-19 specimen collection or testing services to the public.

“We are taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely,” said Roger Severino.  “President Trump has ordered the federal government to use every tool available to help save lives during this crisis, and this announcement is another concrete example of putting the President’s directive into action.”

Notice of Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments

OCR announced a further Notice of Enforcement Discretion on January 19, 2021, that concerns the scheduling of appointments for COVID-19 vaccinations. OCR said financial penalties and sanctions would not be imposed on HIPAA-covered entities or their business associates for violations of the HIPAA Rules in relation to the good faith use of online or web-based scheduling applications (WBSAs) for scheduling appointments for COVID-19 vaccinations.

WBSAs that would not be fully compliant with the HIPAA Rules under normal circumstances can be used for scheduling COVID-19 vaccination appointments without penalty, although it is not permitted to use a WBSA that does not incorporate reasonable security safeguards to ensure the privacy and security of ePHI and the Notice of Enforcement Discretion does not apply if the solution provider has prohibited the use of the WBSA for scheduling healthcare appointments.

OCR explained that the Notice of Enforcement Discretion does not apply to the use of a WBSA for anything other than scheduling COVID-19 vaccination appointments, such as arranging appointments for other medical services or for screening individuals for COVID-19 prior to arranging an in-person healthcare visit.

OCR encourages HIPAA-covered entities and their business associates to implement reasonable safeguards to ensure the privacy and security of healthcare data, such as adhering to the minimum necessary standard when inputting data, using encryption if available, and ensuring all privacy settings in the WBSA are activated.

OCR will be exercising enforcement discretion retroactive to December 11, 2020.

HIPAA Penalties Could Officially Change in 2023

A HIPAA change occurred in 2019 concerning the penalties for HIPAA violations. OCR issued a Notice of Enforcement Discretion in 2019 which stated that OCR has adopted a new penalty structure for non-compliance with HIPAA Rules after a reevaluation of the requirements of the HITECH Act.

The HITECH Act called for penalties for HIPAA violations to be increased and, in 2013, the HHS implemented a new HIPAA penalty structure with minimum and maximum penalties set for the four penalty tiers, based on the level of culpability. In each category, a maximum penalty of $1.5 million, per violation category, per year was set. The HHS reviewed the language of the HITECH Act in 2019 and interpreted the requirements of the HITECH Act differently. “Upon further review of the statute by the HHS Office of the General Counsel, HHS has determined that the better reading of the HITECH Act is to apply annual limits.”

Rather than a maximum penalty of $1.5 million per year in all four categories, the maximum fine was reduced in the first three tiers. The new penalty structure is detailed in the infographic below. Note the figures below are the amounts in 2013 and are subject to inflation increases. The current minimum and maximum penalties, adjusted for inflation, can be found here.

HIPAA Updates and HIPAA Changes in 2023

Currently, OCR is using the new penalty structure, as detailed in the Notice of Enforcement Discretion published in the Federal Register. While that remains in effect indefinitely, the new penalty structure is not legally binding and can be changed at any time. It is possible that this change to HIPAA will be made official in 2023, although first, a Notice of Proposed Rulemaking will need to be issued. OCR may instead decide to just continue to use its new interpretation under its Notice of Enforcement Discretion and this change may not be made official for years to come.

Given the expected HIPAA updates in 2023 outlined in OCR’s NPRMs, further HIPAA changes in 2023 are not expected. OCR is however expected to continue to issue guidance to explain how HIPAA applies in certain situations to clear up confusion about the requirements of HIPAA, as was the case in 2022 in response to the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization and the overturning of Roe v Wade, which removed the federal right to an abortion. OCR confirmed, through guidance how the HIPAA Privacy Rule applies to disclosures of reproductive health information.

The post HIPAA Updates and HIPAA Changes in 2023 appeared first on HIPAA Journal.