The HIPAA guidelines for healthcare professionals have been relatively stable for over a decade. Now, with changes to both requirements and enforcement proposed for 2023, adjusting your organizational cybersecurity may be necessary to avoid penalties.
Are you prepared for the updated HIPAA guidelines? Schedule a consultation to find out!
Proposed Changes to HIPAA Security Standards
The Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) is expected to finalize changes to the rules implementing the Health Insurance Portability and Accountability Act (HIPAA) in 2023. The three primary changes organizations should be mindful of for compliance are:
- The HIPAA enforcement discretion granted during the COVID-19 pandemic will be fully lifted
- The HIPAA Privacy Rule and Enforcement Rule are projected to undergo changes
- Documented adoption of recognized security practices can reduce audit scope and enforcement penalties
While these changes may pose challenges, even for mature organizations, working with a HIPAA compliance consultant will help you achieve and maintain compliance long-term.
COVID-19 Flexibilities to be Lifted in August 2023
The most immediate impact for many organizations will be the end of the COVID-era enforcement discretion that accompanied the Public Health Emergency. Beginning in 2020, OCR issued several notices stating that it would not impose penalties for certain HIPAA violations made in good faith during the pandemic, so that compliance concerns would not impede the delivery of care.
In particular, OCR had declined to penalize the good-faith provision of telehealth over non-public-facing remote communication products, along with certain other pandemic-related communications and disclosures, that could have drawn fines before the pandemic, in light of the unprecedented strain on healthcare and related industries.
However, HHS announced in April 2023 that the Public Health Emergency, and with it these enforcement discretion notices, would expire on May 11, 2023. OCR then granted a 90-calendar-day transition period for covered health care providers to bring their telehealth practices back into compliance with the Security Rule. That period ends on August 9, 2023. At that point, HIPAA audits and enforcement return to their pre-COVID norms.
Organizations need to get back to their pre-COVID form—or face potentially higher penalties.
Changes to the HIPAA Privacy Rule and Enforcement Rule
Organizations in and around healthcare have long had to uphold the provisions of the HIPAA Privacy, Security, and Breach Notification Rules. These have gone relatively unchanged for at least a decade, with few changes in the past 25 years. But at least one is likely changing soon.
The most significant proposed updates affect the Privacy Rule, including but not limited to:
- New requirements to post estimated fee schedules (aggregate and individual) for PHI access
- More requirements to make PHI access for patients easier, with a quicker turnaround
- No more requirement to procure written acknowledgments regarding privacy notices
While some changes would lessen the compliance burden on organizations, many will require adjustments to access request workflows and the systems that support them to make sure new and updated requirements are met.
It is also worth noting that the scope of Privacy Rule protection is expected to expand as 42 CFR Part 2 is aligned more closely with HIPAA. Under the proposed alignment, substance use disorder (SUD) treatment records held by Part 2 programs would be handled under Privacy and Security requirements alongside protected health information (PHI), rather than under a separate consent regime.
Another change for 2023 is that penalties for HIPAA violations will be at least the 2022 inflation-adjusted amounts. Including the 2022 inflation multiplier, the penalty structure is:
- Tier 1 – Fines start at $127 per violation, capped at $30,487 annually
- Tier 2 – Fines start at $1,280 per violation, capped at $121,946 annually
- Tier 3 – Fines start at $12,794 per violation, capped at $304,865 annually
- Tier 4 – Fines start at $63,973 per violation, capped at $1,919,173 annually
The 2023 inflation multiplier should increase these amounts further. However, HHS has not yet published the 2023 adjustment, so it remains to be seen whether it will come into effect during 2023.
HITECH, Recognized Security Practices, and HITRUST
Finally, in a boon to Covered Entities and Business Associates, OCR is applying a statutory change that makes compliance somewhat more flexible and accessible. Following calls in 2020 to reduce penalties on organizations that had adopted security best practices but nonetheless fell victim to breaches outside their control, HITECH was amended in January 2021 to require OCR to consider whether a regulated entity had "recognized security practices" (such as the NIST Cybersecurity Framework or the HHS 405(d) Health Industry Cybersecurity Practices) in place for the preceding 12 months when calculating fines and determining the scope of audits.
OCR now takes these practices into account when determining penalties and remedies in the enforcement process. Audits may be shorter in duration and narrower in scope, and documented proof that protections were in place for at least the prior year can mitigate the penalties an organization faces. Note that this is a mitigating factor, not a safe harbor: a breach can still result in a finding of noncompliance.
This new leniency is one of many reasons organizations in healthcare and beyond should consider implementing the HITRUST CSF framework and becoming HITRUST certified. The CSF is a consolidated control framework that maps its controls to several compliance regimes at once, HIPAA and the NIST Cybersecurity Framework included, and is gaining recognition across industries. Implemented and evidenced properly, its controls make breaches less likely, reduce their impact if they occur, and produce the documentation OCR now looks for when assessing recognized security practices.
Find a HIPAA Compliance Consultant Today
While HIPAA is primarily concerned with healthcare and protecting patients' rights regarding their data, its effects are wide-reaching. Many organizations seemingly outside of or only tangentially related to healthcare, such as vendors and service providers that handle PHI as Business Associates, need to meet HIPAA standards or risk exposing themselves and their clientele to the dangers of data breaches and HIPAA noncompliance penalties.
RSI Security has helped countless organizations in and adjacent to healthcare meet HIPAA’s evolving requirements. We believe that the right way is the only way to keep your data secure.
To learn more about the existing and proposed HIPAA guidelines for healthcare professionals, or to get started optimizing your protections to meet them, contact RSI Security today!