The best place to find changes to HIPAA law depends on which part of HIPAA law you are interested in because HIPAA was not only responsible for the creation of the Administrative Simplification Regulations, but also for amendments to a number of existing Acts.
The term HIPAA law is often interpreted as solely referring to the Administrative Simplification Regulations – Parts 160,162, and 164 of the Code of Federal Regulations Chapter 45 – which (among other Rules) include the General Rules (Part 160), the Transaction Rules (Part 162), and the Privacy, Security, and Breach Notification Rules (Part 164).
However, in addition to being responsible for the creation of the Administrative Simplification Regulations, HIPAA amended several other existing Acts including the Public Health Service Act, the Employee Retirement Income Security Act, the Consolidated Omnibus Reconciliation Act, the False Claims Act, and the Tax Reform Act.
Because HIPAA relates to much more than the privacy and security of individually identifiable health information, HIPAA is regulated by several U.S. government departments. Therefore, changes to HIPAA law can be published by the Department of the Treasury, the Department of Labor, and the Department for Health and Human Services.
Where to Find Changes to HIPAA Law
All three U.S. government departments host newsrooms on their websites that can be searched to look for changes to HIPAA law (i.e., https://www.dol.gov/newsroom), but they are not particularly user-friendly inasmuch as the search results often include every news item relating to HIPAA whether it concerns a change to the law or not.
Additionally, because HIPAA amended existing Acts regulated by the Department of the Treasury and Department of Labor, it is more likely that any news items relating to changes in Treasury or Labor laws will reference the existing law (i.e., the Employee Retirement Income Security Act) rather than HIPAA or the changes made by HIPAA.
This leaves the Department for Health and Human Services – within which there are three agencies primarily responsible for making changes to HIPAA law or making changes to other laws that may affect HIPAA compliance. The three agencies are:
- The Office for Civil Rights (OCR)
- The Centers for Medicare and Medicaid Services (CMS)
- The Substance Abuse and Mental Health Services Administration (SAMHSA)
Each of these agencies also have their own newsrooms; but, because of the range of services they provide, finding changes to HIPAA law in each newsroom can still be longwinded (notwithstanding that there haven’t been that many recent changes to HIPAA). Therefore, it is necessary to be more granular when trying to find changes to HIPAA law.
The Options for Granular Searches
The options for granular searches depend on which Part(s) of the HIPAA Administrative Simplification Regulations you are interested in. For example, to find changes to the Privacy, Security, and Breach Notification Rules, it is best to look under the History sections of each page (Privacy Rule History, Security Rule History, Breach Notification Rule History).
Changes to Part 162 of the Administrative Simplification Regulations and proposals to increase interoperability between Covered Entities can be found by searching for “HIPAA” in the CMS Newsroom, while it is best to visit the Press Announcements section of the SAMHSA website and search for “HIPAA” to find changes to Part 2 regulations that may affect HIPAA compliance.
Alternatively, if you are unfamiliar with the language used in Requests for Information, Notices of Proposed Rulemaking, Interim Rules, and Final Rules (or just want a synopsis of these publications), this site hosts a frequently-updated HIPAA Changes page which provides an overview of the latest changes to HIPAA law and changes that are in the pipeline.