Many factors over the past year have affected how your organization meets its healthcare compliance obligations. Here are four healthcare compliance issues you must have on your radar.

Four Healthcare Compliance Issues to Watch — COVID Public Health Emergency Ends

Barring a catastrophic spike in the infection rate from COVID-19 (or the appearance of another pandemic-triggering superbug), the U.S. Public Health Emergency will end on May 11, 2023. As a result, many special exemptions and rule modifications established during the emergency will expire unless otherwise enacted by legislation or regulations.

One of the most significant changes for healthcare providers will affect telehealth. HHS (the Department of Health and Human Services) waived penalties against providers using technologies for telehealth services that didn’t meet the standards of the HIPAA Privacy Rule and the HIPAA Security Rule during the public health emergency. Beginning May 12, 2023, telehealth services by providers must use “HIPAA-compliant” technologies and communication products.

Two other significant changes include:

  • Prescriptions for controlled substances via telemedicine will no longer be allowed after May 11.
  • All states temporarily waived some aspects of state licensure requirements so that providers with equivalent licenses in other states could practice remotely via telehealth. Those policies may end in states where waivers were tied to the end of the federal public health emergency.

Four Healthcare Compliance Issues to Watch — Breaches Caused by Cybercriminals

Data breaches of patient PHI (protected health information) remain a significant problem for everyone in the healthcare industry. The FBI just released its 2022 Internet Crime Report, which showed that the healthcare sector was again the most victimized essential segment of our infrastructure.

The FBI reported at least 210 healthcare-related ransomware complaints in 2022. According to the agency’s Internet Crime Complaint Center, the most common infection vectors for ransomware incidents are phishing emails, Remote Desktop Protocol (RDP) exploitation, and the exploitation of software vulnerabilities.

Four Healthcare Compliance Issues to Watch — Right of Access Initiative

HHS-OCR (Health and Human Services, Office for Civil Rights) launched a HIPAA Right of Access Initiative in 2019 to emphasize and enforce patients’ rights to prompt access to their medical records without excessive fees from the provider. 

As HIPAA rules and regulations exist today:

  • A covered entity generally has 30 days to provide the patient or the patient’s representative with access to medical records information when requested.
  • The provider can request a 30-day extension in certain instances.
  • The provider can charge a reasonable fee for copying the records requested.

Proposed modifications to the HIPAA Privacy Rule would shorten the response time to be “as soon as practical,” but in no case exceeding 15 calendar days from receipt of the request, with an optional extension.

Another potential change would require providers to establish written policies for prioritizing urgent or other high-priority access requests to limit the need for a 15-day extension. Other possible modifications include changes related to fees associated with access.

Four Healthcare Compliance Issues to Watch — HIPAA Privacy Rule and the Dobbs Decision

Last year’s decision by the Supreme Court in the Dobbs case created confusion around the HIPAA Privacy Rule and what a healthcare professional can and cannot do moving forward. The issues centered on disclosing PHI without patient authorization for non-healthcare-related purposes, such as disclosures to law enforcement.

At the direction of the Biden administration, HHS issued guidance to clarify the agency’s position on the HIPAA Privacy Rule and permissible disclosures of PHI. 


  • In the absence of an individual’s signed authorization, covered entities and business associates may only use and disclose PHI as expressly permitted or required by the Privacy Rule.
  • Without a court-enforceable mandate, the Privacy Rule’s permissions to disclose PHI for law enforcement purposes don’t allow disclosure to law enforcement by the covered entity or its workforce member to report an abortion or other reproductive healthcare.
  • The Privacy Rule allows, but does not require, a covered entity to disclose PHI if the entity believes: 
    • the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and 
    • the disclosure is to a person who can reasonably prevent or reduce the danger.

Four Healthcare Compliance Issues – Finding Healthcare Compliance Solutions

Finding healthcare compliance solutions for the issues listed above requires technical know-how and an understanding of the requirements and expectations of the law.

You must first have the awareness to address these issues. If you don’t know a problem exists, how can you hope to find an effective healthcare compliance solution?

Compliancy Group offers more than just HIPAA compliance solutions for providers and business associates. We also monitor the regulatory environment and inform you when changes affect your practice or business.

Using any of the automated compliance solutions within The Guard means you have our team of regulatory and legal experts on your side, monitoring potential changes in the law. We will let you know if and when you need to change your compliance practices to stay compliant with the law.

Being HIPAA compliant alone does not protect you from potential security and privacy breaches, but it provides the solid, legally mandated foundation on which to build an effective security and data integrity framework.
