HIPAA changes – and changes to other Rules that impact HIPAA compliance – happen more frequently than many people appreciate; but, because they have a limited impact on covered entities and business associates, they are often overlooked. This article looks at some of the recent changes to HIPAA and HIPAA compliance, and looks ahead to potentially more substantial HIPAA changes in 2024.
Since the publication of the HIPAA Omnibus Final Rule in 2013, there have only been two minor changes to Part 164 of the HIPAA Administration Simplification Regulations – the Part of the Administrative Simplification Regulations that include the HIPAA Privacy, Security, and Breach Notification Requirements.
The first, in 2014, added test reports to the data individuals can access via patients’ rights of access provisions; while the second, in 2016, permitted designated covered entities to disclose PHI to the National Instant Criminal Background Check System subject to certain conditions (i.e., diagnostic and clinical conditions cannot be disclosed).
Other than these two changes to the HIPAA Privacy Rule, every other change to the Administrative Simplification Regulations has been in Part 162 – the Part relating to administrative transactions, code sets, and operating rules (etc.). These changes affect covered entities that process claims in-house and business associates that process claims on behalf of covered entities.
Rule Changes that May Affect HIPAA Compliance (1)
Beyond the HIPAA changes that directly affect covered entities, there have been several Rule changes that can affect HIPAA compliance. One notable one is the “CMS Interoperability and Patient Access” Final Rule. Among other provisions, this Rule – published in 2020 – requires covered entities to adopt a standards-based API to accelerate the flow of healthcare data.
The reason this Rule may affect HIPAA compliance is that CMS wants to give patients more choice over their health plans and healthcare providers, and requires covered entities to allow patients to connect with the API via an app of their choice – even if concerns exist about the security of the app and the privacy of PHI transmitted to the app.
CMS has noted that concerns may exist, and has advised covered entities to educate patients on secure choices. However, if a patient insists on connecting to a covered entity`s API via an unsecure app, the failure to provide access to PHI will be considered a HIPAA violation unless the covered entity can prove a risk exists to other PHI stored in its system.
Rule Changes that May Affect HIPAA Compliance (2)
A second Rule change that may affect HIPAA compliance is the SAMHSA 42 CFR Part 2 Revised Rule. Also published in 2020, the Revised Rule modified several sections of the existing Part 2 regulations to facilitate the coordination of care activities by non-Part 2 providers, eliminate confusion about case management disclosures, and ensure appropriate communications in emergencies.
The revisions to the regulations created a two-tier system of protections for the privacy of PHI in which covered entities that are not Part 2 providers have to seek patient consent for some disclosures of PHI but not others. There are also challenges with regards to accounting of disclosure requests and ensuring Part 2 records disclosed compliantly are not further disclosed by the recipient.
Further changes to 42 CFR Part 2 have been proposed to address these challenges. The changes would more closely align 42 CFR Part 2 with the HIPAA Privacy Rule plus create a process through which patients could complain about Part 2 violations. However, the Part 2 regulations – and new penalties similar to those applicable to HIPAA violations – would be enforced by SAMHSA.
Changes to the Penalties for HIPAA Violations
Two Rule changes also affected how financial penalties for HIPAA violations are calculated. The first Rule change – in 2015 – enabled HHS’ Office for Civil Rights to increase the minimum and maximum penalties in each violation tier – and the annual penalty limit – according to the rate of inflation. The minimum and maximum penalties in each tier as of December 2023 are:
Subsequently, an amendment to the HITECH Act in 2021 instructed HHS’ Office for Civil Rights to apply enforcement discretion when calculating the amount of a penalty if the violating entity can demonstrate twelve months previous compliance with a recognized security framework. This amendment can also affect the length of an audit or the scope of a Corrective Action Plan.
Additionally, HHS’ Office for Civil Rights has the authority to apply enforcement discretion during emergency events. The agency regularly exercises this authority during localized natural disasters and applied it nationwide during the COVID-19 public health emergency to activities such as telehealth, community testing, and disclosures relating to public health activities.
Proposed HIPAA Changes 2023
Due to the volume of Requests for Information (RFIs) and Notices of Proposed Rulemaking (NPRMs) published over the past few years, it would be a surprise if there were no new HIPAA changes in 2024. It is also likely the HIPAA changes will be combined into one Omnibus Final Rule 2024 similar to the sweeping changes to HIPAA introduced by the Omnibus Final Rule 2013.
Some proposed HIPAA changes for 2024 may have minimal effect initially, but may be extended out to other healthcare activities at a later date. An example of this is the new transaction codes proposed for healthcare attachment transactions. This proposed Rule stipulates a standard for digital signatures that may ultimately be applied to other HIPAA-covered activities.
More likely to have a direct impact on HIPAA covered entities are the nine changes to the HIPAA Privacy Rule proposed in 2020. Most of the HIPAA changes in this NPRM are intended to accommodate CMS’ Interoperability and Patient Access Final Rule from 2020 (discussed above), but some proposals are aimed at improving coordinated care and reducing regulatory burdens.
With regards to the potential for a HIPAA Omnibus Final Rule 2024, this became more likely with the publication of an NPRM in response to the Supreme Court’s decision in Dobbs. This NPRM proposes a new category of PHI for reproductive healthcare that will require attestation before it can be used or disclosed for purposes other than treatment, payment, and healthcare operations.
In theory, the attestation proposal could be extended to other uses and disclosures of PHI – for example, SUD records. If so, it would be simpler for the Department of Health and Human Services to publish one Omnibus Final Rule 2024 rather than individual Final Rules to account for changes to the HIPAA Privacy Rule and Part 2 Regulations, and updates to the CMS Interoperability Final Rule.
Where to Find News about Changes to HIPAA
There are multiple sources that publish news about changes to HIPAA. Possibly the best is the HHS’ HIPAA Newsroom; but if you require further information about changes to Part 162 regulations or CMS’ Interoperability proposals, it is better to visit the CMS Newsroom. Alternatively, if you require news about changes to Part 2 regulations that may affect HIPAA compliance, head to the Press Announcements section of the SAMHSA website and search for “HIPAA”.