Most of the recent changes to HIPAA have been relatively minor. However, there have been multiple Requests for Information (RFIs) and Notices of Proposed Rulemaking (NPRMs) published in recent years which imply some significant changes are about to take place.
The HIPAA Administrative Simplification Regulations (45 CFR Parts 160,162, and 164) have not changed a great deal since the publication of the HIPAA Omnibus Final Rule in 2013. However, there have been changes elsewhere that impact the penalties for HIPAA violations and how individuals can exercise their HIPAA access rights.
This article looks at the recent changes to HIPAA and the changes that impact how HIPAA is enforced. It also looks at some of the RFIs and NPRMs issued by HHS’ Office for Civil Rights to identify potential changes to HIPAA in 2023 so Covered Entities and Business Associates can bear the potential changes in mind when reviewing existing policies and procedures.
Changes to the Administrative Simplification Regulations
The majority of the recent changes to HIPAA Administrative Simplification Regulations only affected a minority of Covered Entities and Business Associates. This is because, as far as the changes to the HIPAA Privacy Rule are concerned, these only related to patient access to laboratory test results and disclosures of PHI to the National Instant Criminal Background Check System.
Covered Entities and Business Associates that process claims transactions will have seen more recent changes to HIPAA Administrative Simplification Regulations due to the frequency with which HHS’ Centers for Medicare and Medicaid Services (CMS) update Part 162 standards relating to code sets, unique identifiers, and operating rules.
However, a recent NPRM suggests a significant change may be on the way. This NPRM proposes the introduction of three new transaction codes for electronic healthcare attachments. Covered Entities and Business Associates are not required to use the codes if they submit healthcare attachments by fax or mail; but, if they submit healthcare attachments electronically, not only will the transaction codes have to be used, but the attachments must be digitally signed to verify their authenticity.
This is the first time the Department for Health and Human Services has required e-signatures for any transaction (although the technology is already used to comply with FDA regulations), and the possibility exists that the requirement could be extended to other types of transactions. Thereafter, digital signatures could be required for other healthcare activities such as patient authorizations, Business Associate Agreements, and disclosure attestations (explained in greater detail below).
Recent Changes to HIPAA Enforcement
The recent changes to HIPAA enforcement have related to the penalties for HIPAA violations that can be imposed by HHS’ Office for Civil Rights. The first change in 2015 allowed HHS’ Office for Civil Rights to annually increase the minimum and maximum fines in each penalty tier to account for inflation. Therefore, rather than the maximum penalty per violation type being capped at $1.5 million, it is now $1,919,173. The range of civil monetary penalties as of May 2023 is:
|Penalty Tier||Level of Culpability||Minimum Penalty per Violation Type||Maximum Penalty per Violation Type||Annual Penalty Limit|
|Tier 1||Lack of Knowledge||$127||$31,987||$31,987|
|Tier 2||Lack of Oversight||$1,280||$63,973||$127,974|
|Tier 3||Willful Neglect||$12,794||$63,973||$319,865|
|Tier 4||Willful Neglect not Corrected in 30 days||$63,973||$63,973||$1,919,173|
The recent second change to HIPAA enforcement came as a result of an Executive Order in 2021. The Executive Order amended the HITECH Act and instructed the Secretary for Health and Human Services to employ enforcement discretion when calculating the scope of an audit or corrective action plan – or the amount of a civil monetary penalty – following a HIPAA violation if the violating entity can demonstrate twelve months compliance with a recognized security framework.
Additionally, HHS’ Office for Civil Rights has been able to employ enforcement discretion during emergency situations. The agency has exercised its discretion on numerous occasions to relax enforcement action during localized events (for example the Californian wildfires of 2020) and also during the nationwide COVID-19 public health emergency – albeit only for certain types of violations in areas such as telehealth, disclosures for public health activities, and community-based testing.
Changes to Right of Access Provisions
In January 2020, CMS published an “Interoperability and Patient Access” Final Rule. This Rule aims to overcome the issue of patients receiving treatments in facilities that do not have access to their medical histories by stipulating Covered Entities must implement a standards-based API to exchange information. The requirement to implement a standards-based API also applies to health plans.
The reason for the Rule applying to health plans is that patients will also be able to access the API – not only to access PHI, but also claims data such as eligibility checks and treatment authorizations. The reason for this change to the right of access provision is that CMS believes patients should have the right to choose their health plan as well as their healthcare provider, and having more access to claims data will help patients make better informed decisions.
Concerns have been raised that allowing patients to connect with Covered Entities’ APIs via “an app of their choice” will create risks to the security of PHI and claims data. However, CMS has stated that the security of apps as recipients of sensitive data, or concerns regarding how the app may further use or disclose the data once it has been recorded, should not be of concern to Covered Entities and are not acceptable reasons to deny remote right of access requests.
Covered Entities can only deny right of access requests if there is a genuine security risk to PHI or claims data maintained by the Covered Entity. According to CMS, security risks include a lack of authentication controls, a lack of encryption, and reverse engineering capabilities. CMS has added Covered Entities can provide advice about using “unsafe” apps (i.e., those lacking privacy policies), but denying a right of access request unjustifiably will be considered a violation of the Privacy Rule.
Potential Changes to HIPAA in 2023
As mentioned in the introduction to this article, there have been multiple RFIs and NPRMs published in recent years which imply some significant changes are about to take place. The potential changes to HIPAA in 2023 include (but are not limited to):
Sharing Violation Settlements
This potential change to HIPAA originated in the HITECH Act but has not yet been implemented by HHS’ Office for Civil Rights due to the difficulty of defining “harm” and settling on a fair means of distribution.
Updates to 42 CFR Part 2
Although this chapter of the Welfare Code was updated in 2020, further updates are planned to align the confidentiality of substance use disorder medical records more closely with the HIPAA Privacy Rule.
HIPAA Privacy Rule Updates
Nine potential HIPAA Privacy Rule updates were published in an NPRM in 2020. Most related to the CMS’ Operability and Patient Access Final Rule, but there are also proposals to improve coordinated care and reduce regulatory burdens.
Attested Uses and Disclosures
Possibly the biggest potential change to HIPAA in 2023 is the new category of PHI for reproductive healthcare and the requirement that uses and disclosures other than for TPO purposes will be subject to attestations.
Each of the above potential changes to HIPAA in 2023 could be significant. If HHS’ Office for Civil Rights is required to share violations settlements, more pressure could be put on the agency to fine Covered Entities for violations of HIPAA. The updates to 42 CFR Part 2 and the HIPAA Privacy Rule – if finalized – will result in material changes to policies; while the new attestation requirements could result in criminal charges being brought against individuals who make false attestations.
Stay Informed on Potential Changes to HIPAA
Although most of the recent changes to HIPAA will not have impacted many Covered Entities and Business Associates, changes to the right of access provisions and other potential changes to HIPAA in 2023 could have a significant impact on the ways in which PHI is accessed, used, and disclosed. Covered Entities and Business Associates that stay informed on potential changes to HIPAA will have more time to prepare for eventual changes and will be less likely investigated for HIPAA violations.
The best way to stay informed om potential changes to HIPAA is to subscribe to HHS email updates, follow HHSGov on Twitter, or regularly visit the HIPAA Newsroom and CMS Newsroom. While these sources may include information that is not always relevant to HIPAA compliance, they generally tend to be first with HIPAA updates – or changes to other Rules that impact HIPAA compliance – and provide links to where you can find further information about each subject.