Healthcare information management professionals striving to stay on top of the latest Health Insurance Portability and Accountability Act (HIPAA) regulations, take note! HIPAA last underwent a large-scale update in 2020, and 2024 will bring several changes to how patient privacy is managed and cybersecurity is strengthened, as well as many other updates.
While there is no set release date for the updates, the Department of Health and Human Services (HHS) will announce them this year through one or more “Final Rules” that will be published in the Federal Register. After publication, HHS posts a news release on its website, which will be picked up by trade publications and compliance websites to be shared with the entire industry.
On December 10, 2020, HHS’ Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM), which proposed a number of changes to the HIPAA Privacy Rule. These changes are now coming due in 2024. While HIPAA regulations and changes have occurred throughout the years, the expected 2024 updates will have a bigger impact than most. 2013 saw the last significant update with the HIPAA Omnibus Final Rule. In the years following, there were amendments made to the regulations.
These records have come under scrutiny and are expected to receive an update concerning how patients are treated and protected. The Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2) regulations which work to protect the privacy of SUD patients who seek treatment at federally assisted programs cover SUD records; other healthcare data falls under the purview of HIPAA.
Healthcare stakeholder groups have asked to move these Part 2 regulations in line with HIPAA to create equal protections for all healthcare data and enable healthcare professionals to see a patient’s entire medical picture at once. Not having this information could mean patients receive opioid prescriptions while they are in recovery. These changes are being thoughtfully considered, since there are also reasons why they should not be merged with other healthcare records. The Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights (OCR) within the HHS are working together to ensure Part 2 regulations dovetail better with HIPAA.
Larger changes are also coming to the Security Rule with a Healthcare Sector Cybersecurity “concept paper.” It details the process HHS is implementing to boost cyber resiliency and safeguard patient safety:
This would require all hospitals to meet sector-specific Cybersecurity Performance Goals (CPGs).
Decision makers also sought to improve the HIPAA process itself. OCR reached out to HIPAA-covered organizations in December 2018 for HIPAA Rules feedback to ascertain if any requirements were “overly burdensome or obstructed the provision of healthcare.” It also sought to identify places where HIPAA updates could ameliorate care coordination and data sharing. Out of that feedback, proposals emerged for easing restrictions on disclosures of PHI that require authorizations from patients, as well as several HIPAA changes to strengthen patient rights to access their own PHI.
Stay tuned as the HHS rolls out these changes and others this year. You can stay up-to-date with the latest HIPAA regulations here. The Administrative Simplification Regulations are in three Parts – 45 CFR 160, 162, and 164. Part 164 includes the Security Rule (Subpart C), the Breach Notification Rule (Subpart D), and the Privacy Rule (Subpart E), and we encourage you to review other parts of the title to find any other standards that might apply.
It’s critical to stay compliant with HIPAA and other regulations, and document management software like DigiDoc can help you stay on top of changing rules. With DigiDoc, your version control, encrypted transmissions and storage, and backup measures ensure you stay compliant with all healthcare forms, especially as they are updated to align with current HIPAA regulations. Reach out today for a demo, and see how we can keep you up-to-date on HIPAA.