As we head into summer, the Health Insurance Portability and Accountability Act (HIPAA) will have its first major revisions in ten years. HIPAA is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. HIPAA has three major components: the Privacy Rule, the Security Rule and the Breach Notification Rule. Each of these will be updated as part of these major revisions. 

Many of the changes are aimed at increasing patient access to their own electronic health records containing electronic protected health information, or ePHI. Under the newly revised HIPAA:

There are some new flexibilities for when and how providers may share ePHI with other healthcare providers. Providers will be permitted to make certain uses and disclosures of ePHI based on their good-faith belief that it is in the best interest of the patient, such as sharing information with other providers or those within a treatment network. They will also be allowed to share information for better care coordination and case management between and among providers. 

Despite these new flexibilities, providers need to be cautious, as the new rules may soon allow impacted patients to collect part of the fines associated with a HIPAA breach. In the past, patients could report a HIPAA breach to the Department of Health and Human Services' Office for Civil Rights (OCR), but they were not compensated for their efforts and there was no private right of action. That appears to be changing and will likely be clarified in late 2023 or 2024.

In addition, there will be a tiered structure for HIPAA penalties: 

These fines can add up quickly and, with the potential new incentives for reporters, breach reporting is likely to increase. Providers need to make sure that their privacy and security practices are up to date and adequate, that they are prepared to respond to an incident, and that their workforce is educated on cybersecurity and the associated risks.

Finally, the new changes are aimed at better aligning HIPAA with 42 CFR Part 2 ("Part 2"), the separate federal rule that creates additional protections specifically for mental health and substance use disorder treatment records. The changes are intended to allow a single patient consent to cover all future uses and disclosures of records that contain mental health and substance use disorder information for treatment, payment and health care operations, and to allow patients to obtain an accounting of those disclosures. These changes are especially important because HHS will be able to impose civil money penalties for violations of Part 2 under the same tiered system outlined above. 

Once the new rules are published this spring, there should be a "grace period" before enforcement begins. Please note that this article does not cover all of the forthcoming changes. Providers and patients should be aware of these changes and educate themselves on this new privacy landscape.  

Heather Macre is an attorney with Fennemore, where she is the Healthcare Practice Group leader. Macre’s healthcare practice encompasses healthcare agreements, non-compete covenants and disciplinary proceedings, CMS compliance, HIPAA and Stark and False Claims Act compliance, among other matters. 
