Articles & Blogs

HIPAA UPDATES 2023

March 15, 2023 | By Accorian
HIPAA Updates 2023

Written By Vigneswar Ravi & Vignesh M R II 

The Latest on HIPAA Compliance

HIPAA Compliance will be undergoing significant changes, this year in 2023, which you need to be aware of. But, let’s look at its history before we get into the upcoming changes in the HIPAA Privacy Rule.

The United States established HIPAA in 1996.  However, there were no set rules for gaining access to medical records till then. In fact, all the local and state governments had established their own rules and fees. HIPAA established standardized rights and responsibilities for managing and safeguarding Protected Health Information (PHI).

However, changes in working practices and technological advancements over the last ten years have given rise to various issues with HIPAA. To address these concerns, the department of Health and Human Services (HHS) Office for Civil Rights (OCR) had to issue HIPAA guidelines to clarify misunderstandings about HIPAA requirements rather than make rule changes. The major HIPAA update was enacted a decade ago, and changes to HIPAA Rules are now required. The latest response was due earlier this year but has been postponed until March 2023.

Proposed HIPAA Updates to the Privacy Rule in 2023

PART 1

  • Allowing patients to examine their PHI in person and take notes or photographs.
  • Reducing the maximum time for providing PHI access from 30 days to 15 days.
  • Restricting the rights of individuals to transfer ePHI to a third party maintained in an Electronic Health Record (EHR).
  • Confirming that an individual has the authority to instruct a covered entity to transmit their electronically Protected Health Information (ePHI) to a personal health application upon the individual’s request.
  • Specifying when individuals receive ePHI free of charge.
  • Mandating that covered entities notify individuals about their entitlement to receive or authorize the transfer of their Protected Health Information (PHI) to a third party, in cases where they are provided with a summary of the PHI instead of a complete copy.
  • Extending the authorization of the armed forces to disclose or use the PHI to all uniformed services.
  • Adding a definition for electronic health records.
  • Modifying the language to enhance the ability of a covered entity to disclose PHI to prevent a potential threat to health or safety in circumstances where the harm is “reasonably and significantly predictable.”
  • Creating a pathway for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
  • Obtaining a written acknowledgment from a person for receiving a Notice of Privacy Practices will not be required by covered entities.
  • Requiring HIPAA-covered entities to publish on their website the estimated fee schedules they charge for PHI access and disclosures.
  • Furnishing personalized cost estimates for supplying individuals with a copy of their PHI will be required of HIPAA-covered entities.
  • Broadening the scope of healthcare operations to include care coordination and case management.
  • Requiring HIPAA-covered healthcare providers and health plans to respond to records requests from other covered entities when individuals exercise their HIPAA right of access.
  • Granting authorization to covered entities to utilize and disclose certain Protected Health Information (PHI) if they genuinely believe it is in the individual’s best interest.
  • Introducing an exemption to the minimum necessary standard for individual-level care coordination and case management purposes, irrespective of whether these actions are classified as treatment or healthcare operations.

PART 2

In November 2022, Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a Notice of Proposed Rulemaking (NPRM) which sees both Part 2 and HIPAA changes to align these regulations better.

Part 2 protects patient privacy and treatment records for substance use disorder (SUD), with HIPAA governing protected health information. Since SUD records are highly sensitive, they require more safeguards and restrictions than other types of health information covered by the HIPAA Privacy Rule. While these extra safeguards are necessary, they can impede care coordination by creating barriers to information sharing.

The proposed changes intend to simplify HIPAA and Part 2 compliance, eliminate obstacles to information sharing, enhance care coordination, and safeguard patients. The amendments give patients more freedom in using and disclosing their SUD records.

The following are the key HIPAA updates that have been proposed:

  • Implementing a single patient consent for all future treatment, payment, healthcare operations related uses, and disclosures of their SUD records.
  • Permitting the disclosure of SUD records in accordance with the HIPAA Privacy Rule.
  • Allowing patients to request an accounting of their SUD records, disclosures, and restrictions on certain disclosures.
  • Extending restrictions on using and disclosing Part 2 records in civil, criminal, administrative, and legislative proceedings.
  • Requiring Part 2 programs to create a procedure for addressing complaints related to violations of Part 2 regulations, and prohibiting compelling patients from waiving their right to file a complaint as a prerequisite for receiving treatment, enrolment, payment, or eligibility for services.
  • Applying the HIPAA breach notification rule to Part 2 records, implying that breach notification requirements would apply to affected patients and the Department of Health and Human Services (HHS).
  • Updating the HIPAA Privacy Rule Notice of Privacy Practices requirements to address the uses and disclosures of Part 2 records and individual rights concerning those records.
  • Authorizing the HHS to impose civil monetary penalties for violations of Part 2 in accordance with HIPAA and the HITECH Act.

Estimated Compliance Efforts for New Regulations: A High-Level Overview

  • Developing policies centrally that can then be implemented locally.
  • Interpreting HIPAA regulations for the organization.
  • Creating a Notice of Privacy Practices (NPP).
  • Updating rules of the HIPAA Program for business processes.
  • Developing standards (policies, contract language, etc.)
  • Creating education and training on the HIPAA regulation update.
  • Managing the legal services process in accordance with the new HIPAA regulations.
  • Updating the audit, certification, testing, and ongoing compliance monitoring process.
  • Creating a procedure to allow disclosures to Telecommunications Relay Services (TRS) communications assistants.

HIPAA 2023: Get Ready for the New Privacy Health Regulation

Once the final rule is issued, you will have a grace period to make the necessary changes. Although you are expected to have a 180 day window, this may be subject to change.

Click on the ‘Contact Us’ tab to submit your information and we’ll notify you when the new Privacy Regulation goes into effect.

Recent Blog

Ready to Start?

Ready to Start?​


Drop your CVs to joinourteam@accorian.com

Interested Position

Download Case study

Download SOC2 Guide