HIPAA changes occur more often than many people realize due to the Department for Health and Human Services (HHS) responding to external events, Executive Orders, or adopting standards to reduce the administrative burden of HIPAA compliance. While most recent HIPAA changes have been relatively minor, there are significant proposed HIPAA changes in 2024.
Many articles discussing HIPAA changes suggest the sweeping changes to HIPAA in 2013 are the most recent. However, this is not accurate. Although the HIPAA Final Omnibus Rule in 2013 strengthened existing privacy and security protections, and adopted the HITECH provisions for enforcement and breach notifications, there have been many more changes to HIPAA since.
This article looks at the changes to HIPAA that have occurred since 2013, and looks ahead to proposed HIPAA changes in 2024 that could have significant implications on uses and disclosures of PHI, patient access to PHI, and HHS enforcement actions – both civil and criminal. Potentially, the 2024 HIPAA changes could have a far greater impact than those in 2013.
Defining HIPAA Changes
HIPAA changes can take several forms. Changes may consist of new or amended standards in existing Rules, new interpretations of the original Rules, or “discretionary enforcement” against HIPAA violations. Additionally, some changes may be temporary, permanent, or intended to be permanent, but later withdrawn because they were impractical or unenforceable.
Examples of each type of change have been included in this article along with – where applicable – the external event that prompted them. Where there have been multiple changes to HIPAA of a similar nature, only those that may have an impact on future rulemaking are included so visitors to this page can be better prepared for future HIPAA changes.
Part 162 HIPAA Changes
The most commonly updated section of HIPAA is Part 162 of the Administrative Simplification Regulations. This Part includes standards relating to administrative transactions (i.e., eligibility checks, authorizations, billing, and payment), code sets, unique identifiers, and operating rules, and is regulated by HHS’ Centers for Medicare and Medicaid Services (CMS).
Most Part 162 HIPAA changes introduced by CMS are updates to existing standards or the introduction of new standards to respond to other regulatory actions – for example, the 2020 change relating to Schedule II drug refills. However, a proposed Part 162 HIPAA change expected to be finalized in 2024 could have wider implications.
The proposed change was announced in a Notice of Proposed Rulemaking (NPRM) published in March 2023. The proposed change will see the introduction of three new transaction codes to facilitate electronic healthcare attachments. However, when using the new codes, Covered Entities must verify the attachments using a specified e-signature technology.
While the impact of this change by itself may be minimal (as Covered Entities can still send and receive attachments “manually”), the potential exists for e-signature requirements to be extended to other healthcare activities. These could include patient authorizations and the proposed “attestation” of uses and disclosures discussed later in this article.
Other CMS Changes to Take Note Of
In January 2020, CMS published the “Interoperability and Patient Access” Final Rule. Among other measures, this Final Rule stipulates that Covered Entities must implement a standards-based API to facilitate patient access to “claims and encounter data” – effecting extending HIPAA’s right of access provisions to eligibility checks and authorization requests in addition to PHI.
Due to the volume of concerns relating to implementation timeframes, funding the cost of the software, and training or recruiting staff with the necessary technical expertise, the deadlines for many of the measures were extended (currently to 2026), while other measures were withdrawn or put on ice waiting feedback from subsequent “Requests for Further Information”.
However, one measure that has not been withdrawn is allowing patients to access PHI and other data via an app of their choice. Despite serious concerns about the security of PHI when it is transmitted to a patient’s app, CMS states the only reason for not allowing an app to access PHI is if it presents a risk to the security of other PHI in the Covered Entity’s system.
CMS has stated that the worthiness of a health app as a recipient of PHI or what the app might do with the PHI are not acceptable reasons to deny right of access requests. CMS has added that Covered Entities can offer advice about the security shortcomings of an app, but “such efforts […] must stop and education and awareness”. Denying a request for any reason other than a security risk to other PHI will be considered a violation of HIPAA.
Other Rule Changes to Take Note Of
HIPAA is not the only federal law that imposes health information privacy standards. Many healthcare providers are also required to comply with the Confidentiality of Substance Use Disorder Patients Records (42 CFR Part 2), which was updated in 2017 and created a scenario in which some PHI has fewer permissible uses and disclosures than other PHI.
Although updated in 2020 to “align the regulations with advances in the health care delivery system”, further updates are under consideration that would more closely align Part 2 uses and disclosures with those permitted by the Privacy Rule. These updates include:
- Extending the HIPAA right of access provisions and accounting of disclosures standard to Part 2 records.
- Modifying Part 2 confidentiality notice requirements to align with the HIPAA Notice of Privacy Practices.
- Establishing a process for making Part 2 complaints and not conditioning treatment on the waiving of rights.
- Applying the HIPAA Breach Notification Rule to Part 2 records and delegating enforcement to SAMHSA.
- Updating the HIPAA “safe harbor” deidentification standard (§164.514) to specifically include Part 2 records.
- Imposing the same penalty tiers and financial penalties for Part 2 violations as apply to HIPAA violations.
- Adding a new standard that gives patients the right to restrict uses of Part 2 records for TPO purposes.
- Amending the requirements for Part 2 consent to align with the requirements for a valid HIPAA authorization.
- Extending the uses of Part 2 records with consent and allowing a single consent form to cover multiple uses.
- Clarifying the responsibilities of recipients of Part 2 records so that records are not further used or disclosed without consent.
This final proposed update to 42 CFR Part 2 has the potential to be similar to the attested uses and disclosures proposed in an update to the Privacy Rule relating to reproductive healthcare records. If adopted, attested uses and disclosures could be extended to cover many types of sensitive healthcare data – for example, SUD records, psychotherapy notes, and HIV/AIDS information.
HIPAA Privacy Rule Changes 2024
There have been two minor HIPAA Privacy Rule changes since 2013 – the first, in 2014, added patient access to test reports to the Privacy Rule to align the Rule with the Clinical Laboratory Improvement Amendments. The second, in 2016, allowed certain Covered Entities to disclose PHI to the National Instant Criminal Background Check System.
Since then, there have been several Requests for Information and NPRMs with the objectives of empowering patients, improving coordinated care, and reducing regulatory burdens. The comment period for the most recent NPRM closed in May 2021; and, having had more than two years to examine the comments, HHS is expected to finalize the HIPAA Privacy Rule changes in 2024 with many of the following changes:
- Restricting the right of individuals to transfer ePHI to a third party to ePHI that is maintained in an EHR
- Allowing patients to inspect their PHI in person, take notes, and take photographs of their health records.
- Reducing the timeframe for providing access to PHI or copies of an individual’s PHI from 30 days to 15 days
- The creation of a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Clarification that an individual is permitted to direct a covered entity to provide their ePHI to a personal health application
- Eliminating the requirement for HIPAA-covered entities to obtain written acknowledgment from an individual that they have received the Notice of Privacy Practices.
- A requirement for HIPAA-covered entities to post estimated fee schedules on their websites for PHI access and disclosures consistent with a valid authorization and to provide individualized estimates for fees for providing an individual with a copy of their own PHI.
- Amending the definition of healthcare operations to broaden the scope of care coordination and case management that constitute health care operations.
- Specifying when ePHI must be provided to an individual free of charge.
- Covered entities will be required to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered rather than a copy.
- Covered health care providers and health plans will be required to respond to certain records requests received from other covered health care providers and health plans, when directed by individuals pursuant to the HIPAA right of access.
- Permitting covered entities to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interests of the individual.
- The creation of an exception to the “minimum necessary” standard for individual-level care coordination and case management uses and disclosures, irrespective of whether the activities constitute treatment or health care operations.
- Expanding the Armed Forces permission to use or disclose PHI to all uniformed services.
- Expansion of the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is “seriously and reasonably foreseeable,” rather than the current definition of “serious and imminent.”
The proposed HIPAA Privacy Rule changes 2024 mostly relate to patients’ rights of access and promoting interoperability between providers similar to CMS’ “Interoperability and Patient Access” Final Rule discussed above. There are also some redefinitions, easing of existing standards, and new exceptions – for example, to the minimum necessary standard to support coordinated care.
However, possibly more significant is a further NPRM published in March 2023 in response to the Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization. This NPRM is the first to propose attested uses and disclosures of PHI; and, due to how this might create substantial changes to the HIPAA Privacy Rule, a separate section is dedicated to this proposal below.
How Dobbs May Cause Privacy Rule Changes
Following the decision in Dobbs v. Jackson Women`s Health Organization, a number of states enacted legislation prohibiting abortion. This led to many women crossing state borders to seek terminations in states where the procedure is legal. Some states which had criminalized abortions responded by criminalizing the act of facilitating an abortion – even by providing transport.
This raised concerns that PHI could be disclosed under the “required by law” standard of the Privacy Rule to pursue a criminal conviction – even though the procedure was performed in a state in which it was legal. As a consequence, HHS was concerned the risk of a disclosure may prompt pregnant women to withhold information from their healthcare providers.
HHS proposes to address the concerns by proposing a new category of PHI – “reproductive healthcare” – and stipulating it can only be used or disclosed (other than for TPO purposes) if the recipient of reproductive healthcare data provides a signed attestation that the data will not be used for civil, criminal, or administrative proceedings relating to an out-of-state termination.
Importantly, the new category of PHI not only applies to terminations, but also to any reproductive healthcare records. Therefore, data relating to contraception, fertility treatments, and miscarriages will also be protected by the proposed attestation standard – and, if an individual falsely attests to subsequent uses and disclosures, they will be in violation of §1177 of the Social Security Act, which carries a maximum penalty of up to $250,000 and/or up to ten years in jail.
Other Proposed Changes to HIPAA
One long-overdue change to HIPAA is the sharing of civil monetary penalties with the victims of HIPAA violations. The reason for this proposed HIPAA change being long overdue is that the Secretary for Health and Human Services was instructed to create a penalty-sharing process in the HITECH Act 2009, but has not done so yet due to the challenges of implementing a fair system of distribution.
Several attempts have been made to enact this provision of the HITECH Act, and HHS’ Office for Civil Rights has published Requests for Information and Advanced Notices of Proposed Rulemaking on three occasions. However, although the Government Accountability Office has published a methodology for sharing funds, the issue still exists of how to define and apportion “harm”.
A further change to the HIPAA Privacy Rule which has been gathering dust for a while is the “Presumption of Good Faith of HealthCare Providers” This change would “clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share PHI with an incapacitated patient’s family members unless there is evidence a provider has acted in bad faith.”
The purpose of this proposed change is to prevent scenarios in which healthcare providers are unwilling to share PHI without a patient’s consent or authorization due to the potential of being accused of a HIPAA violation. The “Good Faith” amendment to the Privacy Rule – when finalized – will enable healthcare providers to feel confident about sharing information without regulatory concerns or hospital policies preventing them from acting in the patient’s best interests.
Changes to HIPAA Enforcement
When the HITECH Act introduced a four-tier penalty structure for HIPAA violations in 2009, initially the maximum penalty per violation type per year was capped at $1,500,000. The minimum and maximum penalties stayed at the same level until the passage of the Federal Civil Penalties Inflation Adjustment Act in 2015, which allowed HHS’ Office for Civil Rights to increase the penalties for HIPAA violations in line with inflation. As of December 2023, the civil monetary penalties for HIPAA violations are:
|Level of Culpability
|Minimum Penalty per Violation Type
|Maximum Penalty per Violation Type
|Annual Penalty Limit
|Lack of Knowledge
|Lack of Oversight
|Willful Neglect not Corrected in 30 days
Other changes to HIPAA enforcement have been attributable to “enforcement discretion”. HHS’ Office for Civil Rights is authorized to use its discretion during public health emergencies to relax the enforcement of some HIPAA standards temporarily. This authority has been used for localized events (for example, the Californian wildfires of 2020) and for nationwide public health emergencies such as the COVID-19 pandemic.
Since 2021, HHS’ Office for Civil Rights has also been authorized to use enforcement discretion when investigating data breaches if the breached entity can demonstrate twelve months compliance with a “recognized security framework”. Although compliance will not necessarily absolve a breached entity, HHS’ Office for Civil Rights will take the entity’s good faith efforts into account when calculating the severity of a corrective action plan or civil monetary penalty.
The authority for HHS’ Office for Civil Rights to exercise enforcement discretion is due to a change in the HITECH Act authorized by HR 7898. The Bill aims to incentive HIPAA-Covered Entities and Business Associates to better protect electronic PHI by adopting security best practices based on NIST standards, §405(d) of the Cybersecurity Act, or other recognized frameworks promulgated through regulations under other statutory authorities.
How to Keep Up To Speed with HIPAA Changes
As has been shown above, there have been many changes to HIPAA In the past ten years, and there could be many more HIPAA changes in 2024. To keep up to speed with HIPAA changes – or to find out what is in the pipeline – you can subscribe to HHS’ Weekly Email News Digest, follow HHSGov on social media, or regularly visit the HIPAA Newsroom and CMS Newsroom.