2024 HIPAA Predictions: Enforcement Trends & HIPAA Changes
At the end of 2022, Compliancy Group predicted that, with the COVID-19 crisis at last in the rear-view mirror, HHS would return to “normal” and spend the bulk of its time and resources on traditional enforcement priorities. For HHS’ Office for Civil Rights (OCR), those traditional priorities include enforcement of the HIPAA Privacy Rule right of access and enforcement of the HIPAA Security Rule.
The prediction has come true.
In 2023, OCR continued to enforce compliance with the HIPAA Privacy Rule right of access rule. OCR also continued to enforce compliance with the HIPAA Security Rule. These 13 enforcement efforts, through which OCR raked in $4.2 million in settlement money, included the first ransomware breach settlement agreement and the first phishing breach settlement agreement.
So, what are our 2024 HIPAA predictions?
1. Right of access enforcement will continue to be a top priority
OCR began its “Right of Access Initiative,” a crackdown on providers who fail to respond in a timely manner to patient requests for access to their PHI, in late 2019. To date, OCR has brought 46 “right of access” enforcement actions, which have resulted in monetary settlements or penalties and corrective action plans.
The initiative was announced in the waning days of the Trump administration, and both that administration and the Biden administration have prioritized enforcement. It can be expected that OCR will continue to investigate “right of access” complaints and, where it believes the right of access provision has been violated, will continue to enforce the rule. There have been roughly 12 enforcement actions per year. Healthcare providers of all types and sizes have been, and will likely remain, the subjects of these actions.
2. The HIPAA right of access standard will give patients more rights
In 2024, it is likely that HHS will amend the HIPAA right of access to give patients more rights. Proposed changes include:
- Shortening covered entities’ required response time to no later than 15 calendar days (from the current 30 days) with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension)
- Clarifying the form and format required for responding to individuals’ requests for their PHI
- Requiring covered entities to inform individuals that they retain their right to obtain or direct copies of PHI to a third party when a summary of PHI is offered in lieu of a copy
- Reducing the identity verification burden on individuals exercising their access rights
- Creating a pathway for individuals to direct the sharing of PHI in an EHR among covered health care providers and health plans, by requiring covered health care providers and health plans to submit an individual’s access request to another health care provider and to receive back the requested electronic copies of the individual’s PHI in an EHR
- Requiring covered health care providers and health plans to respond to certain records requests received from other covered health care providers and health plans when directed by individuals pursuant to the right of access
- Limiting the individual right of access to direct the transmission of PHI to a third party to electronic copies of PHI in an EHR
- Specifying when electronic PHI (ePHI) must be provided to the individual at no charge
- Amending the permissible fee structure for responding to requests to direct records to a third party
- Requiring covered entities to post estimated fee schedules on their websites for access and disclosures with an individual’s valid authorization and, upon request, provide individualized estimates of fees for an individual’s request for copies of PHI, and itemized bills for completed requests