Recent Updates to HIPAA

The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, is the federal law protecting patients’ personal health information from fraud and theft (4). In recent years, the Department of Health and Human Services (HHS) has released several proposed updates to the HIPAA Privacy Rule and other aspects of HIPAA that could impact the activities of HIPAA-regulated entities. A Final Rule on these proposed changes is expected to be published in the Federal Register in late 2023 (1).

The HHS has foreshadowed the upcoming HIPAA changes through several Notices of Proposed Rulemaking (NPRM) published over the last few years. In January 2023, the Office for Civil Rights (OCR) published a list of proposed changes that would amend aspects of the HIPAA Privacy Rule to facilitate the transformation to value-based care (5). The HIPAA Privacy Rule is one of the HIPAA rules that safeguard the privacy of patients’ protected health information (PHI), including any individually identifiable health information maintained by a HIPAA-regulated entity (4). The proposed changes presented by the OCR seek to allow health information to flow more freely and strengthen patients’ rights to access their health information to improve coordinated care and case management (1).  

For example, one of these recent updates to HIPAA would allow patients to view their PHI in person and would shorten the length of time in which a healthcare entity needs to provide a patient with their PHI from 20 to 15 days (5). Another change involves the creation of an exception to the minimum necessary standard, under which PHI can be shared for the purposes of individual-level care coordination and case management (5). The OCR also proposed to broaden the definition of healthcare operations to explicitly cover care coordination and case management and to create a definition for electronic health records (5).

Another anticipated update to HIPAA concerns the treatment and protection of substance use disorder and mental health information records. Substance use disorder records are currently protected under part 2 of title 42 of the Code of Federal Regulations, better known as “Part 2” (2). Part 2 regulations preserve the security of health care information for substance use disorder (SUD) patients seeking treatment at federally assisted programs (1). However, the requirements for SUDs under Part 2 are different from HIPAA requirements for PHI, creating confusion for HIPAA-regulated entities that handle both PHI and Part 2 patient records (2). Additionally, clinicians may be unable to access a SUD patient’s complete medical history when providing care due to current Part 2 regulations (2).  

Recent updates to HIPAA also aim to address these shortcomings. In November 2022, the OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) announced changes to Part 2 to better align the regulations around SUD with HIPAA. The proposed changes allow patients to give broad consent for their Part 2 records to be shared for treatment, payment, and other healthcare purposes, rather than obtaining a separate consent form each time Part 2 records are shared (2). Furthermore, the new changes create protections that limit the use of SUD records in legal proceedings and ban discrimination against patients with SUD (2). 

In the wake of the Dobbs v. Jackson Women’s Health Organization Supreme Court decision, the OCR has proposed to increase reproductive healthcare privacy in HIPAA. The proposed changes limit the use, in legal proceedings, of PHI about reproductive healthcare that is provided in a state where the care is lawful (4). The patchwork of state laws that have arisen to ban or protect abortion rights across the United States has negatively affected the patient-provider relationship (4). For instance, patients may be reluctant to share their medical history with providers if they fear their PHI will be disclosed for legal proceedings (4). In response to these circumstances, the proposed changes prohibit the disclosure of PHI about reproductive health care by a HIPAA-regulated entity for legal investigation or proceedings in instances where that care is provided legally (3).

References 

  1. Alder, Steve. “New HIPAA Regulations in 2023.” The HIPAA Journal, May 1 2023, www.hipaajournal.com/new-hipaa-regulations
  2. “HHS Proposes New Protections to Increase Care Coordination and Confidentiality for Patients With Substance Use Challenges.” U.S. Department of Health and Human Services, Nov 28 2022, www.hhs.gov/about/news/2022/11/28/hhs-proposes-new-protections-increase-care-coordination-confidentiality-patients-substance-use-challenges.html
  3. “HIPAA Privacy Rule Notice of Proposed Rulemaking to Support Reproductive Health Care Privacy Fact Sheet.” U.S. Department of Health and Human Services, Apr 25 2023, www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/hipaa-reproductive-health-fact-sheet/index.html
  4. “HIPAA Privacy Rule To Support Reproductive Health Care Privacy.” Federal Register, Apr 17 2023, www.federalregister.gov/documents/2023/04/17/2023-07517/hipaa-privacy-rule-to-support-reproductive-health-care-privacy
  5. “Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement.” Federal Register, Jan 21 2021, www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care
  6. “Regulatory Initiatives.” U.S. Department of Health and Human Services, Apr 14 2023, www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html