Businesses both within and adjacent to healthcare need to comply with the HIPAA data security requirements, which may see changes in 2024. To protect your company from costly fines, you must store and protect patient data, while ensuring you have the necessary infrastructure to report breaches.
Is your organization ready for seamless HIPAA compliance? Schedule a consultation to find out!
HIPAA Compliance in 2024 and Beyond
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is one of the most widely applicable regulations in the US. It applies to both covered entities within healthcare and their business associates, all of whom need to safeguard protected health information (PHI). In 2024 and beyond, that means keeping up with—or ahead of—changes to its requirements.
The full scope of HIPAA compliance requires eligible organizations to:
- Understand recent and upcoming changes to the HIPAA rules
- Implement Privacy Rule protections for HIPAA compliant storage
- Abide by Security Rule mandates for risk management
- Prepare for timely and accurate breach notification
- Consider comprehensive compliance solutions
Working with a HIPAA advisor is the best way to ensure you achieve and maintain compliance.
Recent Updates to HIPAA Regulations
Recent HIPAA regulatory initiatives have prioritized quality-of-life improvements for patients, such as efforts to make care more accessible across providers. For example, in 2021, the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (NPRM) to modify the Privacy Rule so that providers can coordinate care more easily, removing barriers to data sharing while keeping patients’ consent and best interests in mind.
Other changes address categories of records that have drawn heightened public attention in recent years. In 2022, HHS proposed updates to 42 CFR Part 2, the regulation governing the confidentiality of substance use disorder (SUD) treatment records, to align its requirements more closely with HIPAA’s Privacy and Breach Notification Rules. And in 2023, HHS proposed expanding Privacy Rule protections for PHI related to reproductive health care, restricting its use and disclosure in investigations or proceedings against patients and providers in the wake of the Dobbs decision.
Future Changes to HIPAA Requirements
Although recent updates have been relatively minor, the Privacy Rule changes proposed in the 2021 NPRM, if finalized, could make HIPAA compliance more demanding. They include but are not limited to:
- Shortening the window for responding to a patient’s request for access to PHI from 30 to 15 days
- Specifying conditions under which access to PHI must be provided free of charge, such as in-person inspection where the patient takes notes or photographs
- Permitting PHI disclosure to avert a “serious and reasonably foreseeable” threat to health or safety, rather than the current “serious and imminent” standard
- Requiring covered entities to post estimated fee schedules for PHI access on their publicly available websites
- Expressly permitting disclosures to social services agencies and community-based organizations for individual-level care coordination and case management
Another consideration is how cloud computing, AI, and other technologies affect PHI security. HHS’s guidance on HIPAA and cloud computing (issued in 2016) adds no new technical requirements; it applies the existing rules, most importantly that a cloud service provider that creates, receives, maintains, or transmits ePHI is a business associate and must sign a business associate agreement (BAA), even if it stores only encrypted data it cannot decrypt. Responsibility for how cloud storage is configured and tested stays with the customer, so making cloud based storage HIPAA compliant means robust configuration, access control, logging, and targeted testing, not merely choosing a provider that will sign a BAA.
HIPAA Privacy Rule Requirements
The HIPAA data storage requirements organizations need to meet to ensure compliance begin with the protections codified in the Privacy Rule. The Privacy Rule is the first and most critical part of HIPAA; it defines concepts like PHI and covered entities at length, along with what kinds of disclosures and uses of PHI are permitted. It also prescribes methods for de-identifying PHI, as the required protections (and definition of a breach) all relate to identifiable data specifically.
Controlling the Use and Disclosure of PHI
One of the main regulatory functions of the Privacy Rule is defining the parameters of HIPAA compliant storage. Unlike other frameworks, HIPAA does not specify particular configurations that need to be applied. Instead, it prescribes qualities that must be met, irrespective of means.
Namely, PHI must be made available to its subjects (or their personal representatives) when they formally request access. Beyond that, it cannot be used or disclosed without the individual’s written authorization except in certain permitted cases:
- Uses or disclosures to the individual – Providing access to the individual who is the subject of the PHI, or to their personal representative, is almost always permitted and in most cases required.
- Uses or disclosures for treatment, payment, and health care operations – Covered entities may use and disclose PHI to provide and coordinate treatment, to obtain payment, and to run operational processes such as quality assessment, training, and auditing.
- Uses or disclosures with an opportunity to agree or object – Individuals may give informal permission or object, for example to being listed in a facility directory or to having information shared with family members involved in their care.
- Uses or disclosures incidental to a permitted use – Limited, incidental disclosures that occur as a by-product of an otherwise permitted use are allowed, provided reasonable safeguards and the Minimum Necessary standard were applied.
- Uses or disclosures in the public interest – Twelve national-priority purposes, each subject to conditions set out in the Rule:
  - Uses or disclosures required by law, including statutes, regulations, and court orders
  - Uses or disclosures for public health activities, such as disease surveillance and outbreak prevention
  - Disclosures about victims of abuse, neglect, or domestic violence
  - Uses or disclosures for health oversight activities, such as audits and benefit program monitoring
  - Uses or disclosures for judicial and administrative proceedings
  - Disclosures for law enforcement purposes
  - Disclosures to coroners, medical examiners, and funeral directors
  - Uses or disclosures to facilitate cadaveric organ, eye, or tissue donation
  - Uses or disclosures for research, subject to IRB or privacy board waiver or other conditions
  - Uses or disclosures to prevent or lessen a serious and imminent threat to health or safety
  - Uses or disclosures for specialized government functions, such as military and national security activities
  - Disclosures for workers’ compensation administration
- Uses or disclosures of limited data sets – A limited data set is PHI with specified direct identifiers removed; it may be used or disclosed only for research, public health, or health care operations, and only under a data use agreement with the recipient.
All uses and disclosures must be limited by the Minimum Necessary standard, with a handful of exceptions: disclosures to the individual, disclosures to or requests by a health care provider for treatment, uses or disclosures made under the individual’s written authorization, disclosures to HHS for compliance and enforcement, and uses or disclosures required by law. Role-based access controls and audit logging are what make that standard enforceable in practice.
Data Storage and De-Identification
As noted above, the Privacy Rule’s restrictions apply to individually identifiable health information. Health information that has been de-identified according to the Rule’s standard is no longer PHI and falls outside those restrictions, so de-identifying data wherever identifiable data is not needed both reduces compliance scope and limits what an attacker gains if a breach occurs.
The HHS prescribes two distinct methods for de-identification:
- Expert determination – A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles determines that the risk of re-identification by an anticipated recipient is very small, and documents the methods and results that justify that determination.
- Safe harbor – Organizations remove the following 18 identifiers of the individual and of the individual’s relatives, employers, and household members, and have no actual knowledge that the remaining information could be used to identify the individual:
  - Names
  - All geographic subdivisions smaller than a state (street address, city, county, precinct, and ZIP code, with a narrow exception for the first three digits of a ZIP code)
  - All elements of dates (except year) directly related to the individual, including birth, admission, discharge, and death dates, and all ages over 89 (which must be aggregated into a single category of 90 or older)
  - Telephone numbers
  - Fax numbers
  - Email addresses
  - Social Security numbers
  - Medical record numbers
  - Health plan beneficiary numbers
  - Account numbers
  - Certificate or license numbers
  - Vehicle identifiers and serial numbers, including license plate numbers
  - Device identifiers and serial numbers
  - Uniform Resource Locators (URLs)
  - Internet Protocol (IP) addresses
  - Biometric identifiers, including finger and voice prints
  - Full-face photographs and any comparable images
  - Any other unique identifying number, characteristic, or code (other than a re-identification code that meets the Rule’s conditions)
Covered entities that need to re-identify records later may assign each de-identified record a code, but the code must not be derived from information about the individual (a hash of the medical record number is derived from it and does not qualify), the mechanism for re-identification must not be disclosed, and the mapping should be stored apart from the de-identified data. Whatever storage design is used, identifiable and de-identified data should live in clearly separated, access-controlled stores, with each record’s status tracked as it changes.
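As an added illustration (not part of the original article or RSI Security’s material), the following Python applies the Safe Harbor method to a single constructed patient record: direct identifiers are dropped, dates are reduced to the year, ages over 89 collapse into one “90+” bucket, geography is reduced to the state, and free-text notes are scrubbed for identifiers that commonly leak into them. The field names, record layout, and sample data are assumptions made for the example. It also shows the re-identification rule in practice: the token kept in the separate mapping table is random, not a hash of the MRN.

```python
"""Safe Harbor de-identification of one flat patient record (added example).

Assumptions (not from the article): records are flat dicts using the field
names below, every record carries an "mrn", dates are ISO "YYYY-MM-DD"
strings, and the covered entity keeps `reid_map` in a separate store.
"""
import re
import secrets
from datetime import date

# Field classes for the assumed record layout.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "biometric_id", "photo_ref",
})
DATE_FIELDS = frozenset({"dob", "admission_date", "discharge_date"})
PASSTHROUGH_FIELDS = frozenset({"state", "diagnosis_code", "notes"})
AGE_CAP = 89  # Safe Harbor: ages above 89 must be reported as one bucket

# Identifiers that commonly leak into free-text notes. These patterns are
# constructed for the example and only catch well-formed instances; scrubbed
# free text still needs review before it can be treated as de-identified.
FREE_TEXT_PATTERNS = (
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
)


def scrub_free_text(text: str) -> str:
    """Replace well-formed identifiers in free text with placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor_age(dob: date, as_of: date) -> str:
    """Age in whole years, with everything over AGE_CAP collapsed to '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return f"{AGE_CAP + 1}+" if age > AGE_CAP else str(age)


def deidentify(record: dict, reid_map: dict) -> dict:
    """Return a Safe Harbor de-identified copy of `record`.

    `reid_map` is the covered entity's re-identification table and must be
    stored apart from the de-identified data. Its key is a random token, not
    a hash of the MRN: a code derived from information about the individual
    is not a permitted re-identification code.
    """
    present = set(record)
    unclassified = present - DIRECT_IDENTIFIERS - DATE_FIELDS - PASSTHROUGH_FIELDS
    if unclassified:
        # Fail closed: a field we have not classified might be an identifier.
        raise ValueError(f"unclassified fields: {sorted(unclassified)}")

    out = {}
    for field in sorted(DATE_FIELDS & present):
        out[field + "_year"] = date.fromisoformat(record[field]).year  # year only
    if {"dob", "admission_date"} <= present:
        out["age_at_admission"] = safe_harbor_age(
            date.fromisoformat(record["dob"]),
            date.fromisoformat(record["admission_date"]),
        )
    for field in sorted(PASSTHROUGH_FIELDS & present):
        out[field] = scrub_free_text(record[field]) if field == "notes" else record[field]

    token = secrets.token_hex(16)  # random, not derived from any identifier
    reid_map[token] = record["mrn"]
    out["record_token"] = token
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample", "dob": "1931-05-02", "street": "12 Elm St",
    "city": "Springfield", "state": "IL", "zip": "62701",
    "phone": "555-867-5309", "email": "jane.sample@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-0001",
    "admission_date": "2023-06-01", "discharge_date": "2023-06-09",
    "diagnosis_code": "I10",
    "notes": "Pt called 555-867-5309 on 2023-06-03; spouse jane.sample@example.com",
}

if __name__ == "__main__":
    reid = {}
    print(deidentify(SAMPLE_RECORD, reid))
    print("re-identification map held separately:", reid)
```

Two deliberate choices are worth noting. ZIP codes are dropped outright even though HHS guidance allows the first three digits when the corresponding area holds more than 20,000 people; dropping them is the conservative option when nobody has checked the population condition. And the regex scrub of the notes field is a floor, not a guarantee: free text is where Safe Harbor implementations most often fail, which is why unclassified fields cause the function to refuse rather than pass data through.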
HIPAA Security Rule Requirements
Beyond controlling uses and disclosures, HIPAA data protection also includes measures for risk assessment and mitigation, which are prescribed in the Security Rule. The Security Rule’s aim is to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI) proactively. It applies only to ePHI; paper and oral PHI are protected by the Privacy Rule alone. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 did not widen that scope, but it made business associates directly responsible for complying with the Security Rule (implemented through the 2013 Omnibus Rule), created the Breach Notification Rule, and strengthened civil penalties.
Ongoing Security Risk Assessments
At a baseline, HIPAA compliant data storage needs to include a regular risk analysis that identifies threats and vulnerabilities to the confidentiality, integrity, and availability of ePHI, and a risk management process that reduces the identified risks to a reasonable and appropriate level. The HHS does not prescribe a specific method; instead, OCR publishes risk analysis guidance and points to supporting resources.
Covered entities and business associates need to inventory where ePHI is created, received, maintained, and transmitted, including mobile devices, backups, and business associates’ systems. For each location, the potential for deliberate attacks (e.g., ransomware, credential theft) and accidental or environmental events (e.g., misconfiguration, hardware failure, natural disasters) needs to be documented, rated for likelihood and impact, and tracked to remediation. OCR’s guidance points to NIST publications, notably SP 800-30 (Guide for Conducting Risk Assessments); automated configuration checks using NIST’s Security Content Automation Protocol (SCAP) can feed the technical vulnerability portion of the analysis; and HHS and ONC publish the Security Risk Assessment (SRA) Tool to help smaller organizations structure the exercise with consistent, addressable findings.
Mandatory Cybersecurity Safeguards
The other major prescriptive thrust of the Security Rule comes in the form of safeguards that covered entities and business associates must implement. These come in three categories:
- Administrative safeguards – Policies and procedures that establish security governance:
  - A security management process, including risk analysis, risk management, a sanction policy, and information system activity review
  - An assigned security official responsible for the program
  - Workforce security and information access management, so that access to ePHI is authorized, established, and terminated appropriately
  - Security awareness and training for the entire workforce
  - Security incident procedures for identifying, responding to, and documenting incidents
  - A contingency plan, including data backup, disaster recovery, and emergency mode operation
  - Periodic evaluation of the program, and business associate contracts
- Physical safeguards – Controls that limit physical access to ePHI and the systems that hold it:
  - Facility access controls
  - Workstation use and workstation security policies
  - Device and media controls covering disposal, re-use, accountability, and backup
- Technical safeguards – Controls built into the systems that store or transmit ePHI:
  - Access control, including unique user identification, emergency access, automatic logoff, and encryption
  - Audit controls that record and examine activity in systems containing ePHI
  - Integrity controls that protect ePHI from improper alteration or destruction
  - Person or entity authentication
  - Transmission security, including integrity controls and encryption for ePHI sent over networks
As with other HIPAA requirements, these safeguards are far less prescriptive than those in many other frameworks. Each standard comes with implementation specifications that are either required or addressable. Required specifications must be implemented as written. Addressable ones are not optional: the organization must assess whether the specification is reasonable and appropriate in its environment and either implement it, implement an equivalent alternative, or document why neither is necessary. Encryption of ePHI, for example, is addressable, yet because PHI encrypted to HHS’s standard is exempt from breach notification while the loss of an unencrypted device is reportable, nearly every organization treats it as mandatory.
HIPAA Breach Notification Readiness
Another critical yet easy-to-overlook element of HIPAA data security is what covered entities need to do if a data breach occurs. HIPAA defines a breach as the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. Any such impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment covering the nature of the PHI, who received it, whether it was actually acquired or viewed, and how far the risk has been mitigated, that there is a low probability the PHI has been compromised. Notification obligations attach to unsecured PHI, meaning PHI that was not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction consistent with HHS guidance.
Compliance with the Privacy and Security Rules is about preventing breaches and making them less likely to cause harm if they do happen. Complying with the Breach Notification Rule is about being able to detect breaches and mitigate their impact with swift, accurate reporting. If a breach is suspected, covered entities need the infrastructure to investigate the incident, determine its scope, and report its causes, impacts, and remediation to up to three distinct parties.
Mandatory Reporting and Infrastructure
If a breach of unsecured PHI occurs, covered entities are required to provide notice to at least two and sometimes three parties. A business associate that discovers a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery so that the covered entity can meet its own deadlines. Who else gets notice, and in what form, depends on how many individuals are affected.
The two kinds of HIPAA breach notification that are always required are:
- Individual notice – Each affected individual must be notified in writing, by first-class mail (or by email if the individual has agreed to electronic notice), without unreasonable delay and no later than 60 days after discovery. The notice must describe what happened, the types of PHI involved, steps individuals should take to protect themselves, what the entity is doing in response, and how to contact it. If contact information is insufficient or out of date for 10 or more individuals, substitute notice is required: a conspicuous posting on the organization’s website home page for 90 days or notice in major print or broadcast media, in either case with a toll-free number active for at least 90 days.
- HHS Secretary notice – For breaches affecting fewer than 500 individuals, the HHS Secretary must be notified no later than 60 days after the end of the calendar year in which the breach was discovered (such breaches may be logged and submitted together). If the breach affected 500 or more individuals, HHS must be notified without unreasonable delay and no later than 60 days after discovery, at the same time individuals are notified.
And if a breach affects more than 500 residents of a state or jurisdiction, a third kind of notice is required:
- Media notice – Prominent media outlets serving that state or jurisdiction must be notified, typically by press release, without unreasonable delay and no later than 60 days after discovery. The threshold applies per state or jurisdiction, so a breach spread across several states may require notices in multiple media markets.
Accounting for accurate, timely breach reporting means training staff and ensuring they’re equipped to communicate efficiently to the appropriate parties during and after an incident.
Comprehensive Compliance Solutions
Just as HIPAA applies far beyond the confines of the healthcare industry, many organizations’ regulatory obligations are far-reaching and varied. HIPAA might apply alongside other common rulesets, such as the Payment Card Industry Data Security Standard (PCI DSS) or the EU’s General Data Protection Regulation (GDPR). Satisfying overlapping requirements separately is costly and error-prone.
The HITRUST Alliance’s HITRUST CSF was originally developed for healthcare organizations but has been expanded over time into a harmonized framework that maps controls from many regulations and standards, HIPAA among them. Working with an accredited HITRUST partner, you can satisfy HIPAA requirements alongside other applicable obligations through a single assessment—“assess once, report many.”
Optimize Your HIPAA Compliance
HIPAA compliance in 2024 and beyond will require adapting to recent and upcoming changes, implementing Privacy and Security Rule protections, and preparing for breach notice mandates if an attack does occur. Comprehensive suites like HITRUST are some of the most effective ways to meet all HIPAA and other applicable regulatory obligations simultaneously.
RSI Security has helped countless organizations both within and adjacent to healthcare achieve and maintain HIPAA compliance. We believe that discipline upfront unlocks greater freedom to grow later on, and we’re committed to helping you rethink and optimize your compliance.
To learn more about efficient HIPAA data security practices, contact RSI Security today!