In healthcare, some things are predictable while others are not. We spoke with top regulatory attorneys, analyzed OCR fines over the last year, and diligently reviewed the HHS site to make predictions about what’s to come for healthcare compliance in 2024. There are a handful of emerging compliance trends for 2024 that are evident.
2024 HIPAA Predictions
- Right of access enforcement will continue to be a top priority
- The HIPAA right of access standard will give patients more rights
- HIPAA Privacy Rule protections will be strengthened
- 42 CFR Part 2 will be amended to facilitate care coordination
- Rules for the proper use and disclosure of PHI will be changed
- OCR will enforce use of tracking technologies without patient consent
- HHS will release a cybersecurity framework
2024 HIPAA Predictions: Enforcement Trends & HIPAA Changes
At the end of 2022, Compliancy Group predicted that, with the COVID-19 crisis at last in the rear-view mirror, HHS would return to “normal” – would spend the bulk of its time and resources on traditional enforcement priorities. Traditional enforcement priorities for HHS’ Office of Civil Rights, would include enforcement of the HIPAA Privacy Rule right of access and enforcement of the HIPAA Security Rule.
The prediction has come true.
In 2023, OCR continued to enforce compliance with the HIPAA Privacy Rule right of access rule. OCR also continued to enforce compliance with the HIPAA Security Rule. These 13 enforcement efforts, through which OCR raked in $4.2 million in settlement money, included the first ransomware breach settlement agreement and the first phishing breach settlement agreement.
So, what are our 2024 HIPAA predictions?
1. Right of access enforcement will continue to be a top priority
OCR began its “Right of Access Initiative” – its crackdown on providers who do not timely respond to patient requests for access to their PHI – in late 2019. To date, OCR has brought 46 “right of access” enforcement actions, which have resulted in monetary settlements or penalties, and corrective action plans.
The initiative was announced in the waning days of the Trump administration, and both that administration and the Biden administration have prioritized enforcement. It can be expected that OCR will continue to investigate “right of access” complaints, and, if it believes there has been a violation of the right of access provision, it will continue to enforce the right of access rule. There have been roughly 12 enforcement actions per year. Healthcare providers of all types and sizes have been, and will likely remain to be, the subject of these actions.
2. The HIPAA right of access standard will give patients more rights
In 2024, it is likely that HHS will amend the HIPAA right of access to give patients more rights. Proposed changes include:
- Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension)
- Clarifying the form and format required for responding to individuals’ requests for their PHI
- Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy
- Reducing the identity verification burden on individuals exercising their access rights
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR
- Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access
- Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR
- Specifying when electronic PHI (ePHI) must be provided to the individual at no charge
- Amending the permissible fee structure for responding to requests to direct records to a third party
- Requiring covered entities to post estimated fee schedules on their websites for access and disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests
3. HIPAA Privacy Rule protections will be strengthened
On April 12, 2023, OCR issued a Notice of Proposed Rulemaking (NPRM) to strengthen the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protections by prohibiting the use or disclosure of protected health information (PHI) to identify, investigate, prosecute, or sue patients, providers and others involved in the provision of legal reproductive health care, including abortion.
It is possible that HHS will issue a final rule in 2024. If a final rule is issued, reproductive healthcare providers will have to, by updating their policies and procedures and training staff on the new requirements, ensure that their use or disclosure of PHI does not violate the new law’s provisions.
4. 42 CFR Part 2 will be amended to facilitate care coordination
In late 2022, HHS issued a proposed rule that would bring 42 CFR Part 2 (the law governing use and disclosure of certain substance use and disorder records) into closer alignment with HIPAA to permit greater coordination of care between Part 2 providers and primary care physicians and other specialists. Issuance of a final rule in 2024 is a distinct possibility.
5. Rules for the proper use and disclosure of PHI will be changed
There have been several other proposed changes that have been up in the air for quite some time, but 2024 may see these HIPAA changes go into effect.
Some proposed HIPAA changes in 2024 include:
- Amending the definition of health care operations to clarify the scope of permitted uses and disclosures for individual-level care coordination and case management that constitute health care operations.
- Creating an exception to the ‘‘minimum necessary’’ standard for individual-level care coordination and case management uses and disclosures. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered health care provider for care coordination and case management activities.
- Clarifying the scope of covered entities’ abilities to disclose PHI to social services agencies, community-based organizations, home and community-based service (HCBS) providers, and other similar third parties that provide health-related services, to facilitate coordination of care and case management for individuals.
- Replacing the privacy standard that permits covered entities to make certain uses and disclosures of PHI based on their ‘‘professional judgment’’ with a standard permitting such uses or disclosures based on a covered entity’s good faith belief that the use or disclosure is in the individual’s best interests.
- Expanding the ability of covered entities to disclose PHI to avert a threat to health or safety when a harm is ‘‘serious and reasonably foreseeable,’’ instead of the current stricter standard which requires a ‘‘serious and imminent’’ threat to health or safety.
- Eliminating the requirement to obtain an individual’s written acknowledgment of receipt of a direct treatment provider’s Notice of Privacy Practices (NPP).
- Modifying the content requirements of the NPP to clarify for individuals their rights with respect to their PHI and how to exercise those rights.
6. OCR will enforce use of tracking technologies without patient consent
We have already seen New York take action to enforce the December 2022 guidance on tracking technologies. Under this guidance, covered entities may not use tracking technologies (like the Meta/Facebook pixel feature) in a way that would result in a prohibited disclosure of PHI to third-party analytics and social media companies. According to the guidance, patient authorization is required for these disclosures.
HHS has not withdrawn this guidance, even in the face of a lawsuit filed by the American Hospital Association alleging that HHS does not have the authority to impose the guidance. It is fair to expect that OCR will bring enforcement actions against providers who use tracking technologies to share PHI with third-party analytics and social media companies without patient consent.
7. HHS will release a cybersecurity framework
In December 2023, HHS published a Concept Paper titled “Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services.” The concept paper outlines a proposed HHS cybersecurity framework to improve cyber resiliency and to improve protection of patient data. The framework calls for incentivizing healthcare providers to help them reach cybersecurity performance goals. The framework also calls for new cybersecurity regulations to be added to the HIPAA Security Rule. The incentive for compliance? HIPAA-covered entities, through their compliance, will avoid civil monetary penalties. More palatably, HHS envisions the creation of an incentives program (as in, $$$$$) to encourage all hospitals to invest in advanced cybersecurity practices.
Keeping Up with 2024 HIPAA Changes
With so many potential HIPAA changes on the horizon for 2024, ensuring compliance with the regulations can be difficult. Compliancy Group’s comprehensive healthcare compliance software keeps users up to date on regulatory changes, automatically assigning new policies and training as applicable. Make tracking and managing your compliance easy with our software!
