New HIPAA Regulations in 2023

Maintaining patient confidentiality and data security is essential in the ever-changing healthcare system. For more than two decades, HIPAA has been the gold standard for protecting patients’ private health information. As we enter the year 2023, several new regulations come into effect to improve patient safety and smooth healthcare delivery. In this blog, we will examine the recent changes to HIPAA’s rules and discuss their significance and implications for the healthcare sector.

New HIPAA Regulations in 2023


Many people don’t realize how often new HIPAA rules are issued. Existing rules are also regularly revised and updated. Therefore, to prevent violations due to ignorance, it can be vital for Business Associates and Covered Entities to keep up to date with regulatory changes. Many requirements under the HIPAA Administrative Simplification Regulations have been introduced, changed, or canceled since the release of the “HIPAA Omnibus Final Rule 2013”. Recent modifications, such as those involving transaction codes, affect only minor Business Associates and Covered Entities and hence go unreported.

Many Business Associates and Covered Entities may be affected by changes to HIPAA or related legislation. For instance, the HHS updated the rules in 2016 to include annual inflation adjustments to the maximum and minimum fines for HIPAA violations.

The HITECH Act modification in 2021 is another example of a regulation change that will have an impact on Covered Entities. When establishing the scope of a corrective action plan and/or the amount of a civil monetary penalty for a breach of HIPAA, the Office for Civil Rights at HHS is now required by the amendment to take a Covered Entity’s compliance with a recognized security framework into account.

Updated HIPAA Rules Coming in 2023

The standards of the Privacy Rule will be more closely aligned with the Confidentiality of SUD Patient Records and the Advancing Interoperability program under new rules scheduled to go into effect in 2023. The HHS Office for Civil Rights published a “Notice of Proposed Rulemaking” in 2021 (OCR-0945-AAOO), detailing several proposed changes to the Privacy Rule. These changes include:

  • Allowing disclosures of PHI when necessary to help people with emergency situations, severe mental problems, and substance use disorders.
  • Allowing disclosures of PHI for case management and care coordination at the personal level, to eliminate ambiguity about whether permission is necessary.
  • Exempting disclosures of PHI for case management and care coordination at the personal level from the Minimum Necessary Standard.
  • Strengthening people’s access rights to examine and get copies of PHI, and decreasing the period for responding to requests for PHI access from 30 to 15 days.
  • Taking into account various entry points for protected health information (PHI), such as a Patient Access API and a person’s health apps.
  • Limiting the amount of effort needed to confirm an individual’s identity when they use their access rights, to avoid placing an “unreasonable burden” on that person.

Further New HIPAA Rules 2023

CMS has proposed adding three new transaction codes for healthcare attachment transactions, in addition to suggested revisions to the Privacy Rule and adjustments to the “CMS Interoperability and Patient Access Final Rule”. The “Proposed Rule (87 FR 78438)” lays out all the HIPAA e-signature requirements for when the transaction codes are utilized, even though these new restrictions will not impact many Covered Entities or Business Associates.

The importance of stipulating HIPAA e-signature requirements stems from the widespread use of electronic signatures in healthcare transactions, including those already regulated by the transaction and code sets rules in Part 162, as well as e-prescribing, e-acknowledging receipt of a Notice of Privacy Practices, and digitally signing Business Associate Agreements.

Patients connecting to Covered Entities’ Patient Access APIs through personal health applications may be subject to the new HIPAA standards if the HIPAA e-signature requirements are more extensively implemented across the HIPAA Administrative Simplification standards. This might address the problem of validating patient identity without imposing an undue burden, by at least making sure the person connecting to the Patient Access API is who they say they are.


The healthcare industry is changing, and so are the HIPAA rules that will go into effect in 2023. These laws seek to improve patient privacy, promote data security, and build a culture of compliance within the healthcare business. To guarantee continuing compliance and the safety of patient information, healthcare organizations must keep up to date with these new requirements, evaluate their current policies and processes, and make any required improvements. In an increasingly digitized and linked world, the healthcare business may survive by adapting to these developments and protecting patient privacy.

F.A.Q.s Regarding the New HIPAA Rules

Some of the frequently asked questions regarding HIPAA rules are mentioned below.

What is the greatest resource for staying up to date on HIPAA regulations?

The HIPAA Newsroom on the HHS website is the finest resource for keeping up to date with the newest developments in legislation, particularly as they relate to Parts 160 and 164 of the Administrative Simplification Regulations. Changes to Part 162 of the Administrative Simplification Regulations and other proposals that may impact the Privacy and Security Rules may also be found by subscribing to HHS’ Email Updates or browsing the articles in the CMS Newsroom.

When will the HIPAA Proposed Rules become finalized?

The quantity and complexity of proposed rules determine how long it will take for new laws to be finalized. The three new transaction codes suggested in December 2022 and the e-signature requirements should be adopted as new HIPAA standards in 2023 because of their simplicity. The HIPAA Privacy Rule had nine suggested changes in January 2021, but after almost two years, they are still in the consultation phase.

Is there any further reworking of HIPAA scheduled for 2023?

More amendments are planned for 2023. In April 2022, the Department of Health and Human Services Office for Civil Rights issued a Request for Information (RFI) regarding the implementation of two requirements of the HITECH Act: (1) what constitutes a recognized security framework to comply with the 2021 “Safe Harbour” amendment; and (2) a provision of the HITECH Act relating to “settlement sharing” when a civil monetary penalty is imposed.

How long do new HIPAA standards take to take effect once they are published?

New HIPAA regulations may take different amounts of time to go into effect depending on their level of complexity. CMS has given Covered Entities that are required to implement Patient Access APIs three years to purchase the software, ensure it complies with the Security Rule, develop policies on the software’s use, and train staff, whereas some new HIPAA Rules have an effective date ninety days after publication.

How long has it been since the HIPAA Privacy Rules were updated?

An amendment to 164.512 (“Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required”) was made by the HHS’ Office of Civil Rights in 2016. Under the new sub-rule, authorized Covered Entities may release “protected health information to the National Instant Criminal Background Check System” without the patient’s permission or authorization.

