New HIPAA Regulations in 2022
It has been several years since new HIPAA regulations have been signed into law, but HIPAA changes in 2022 are expected. The last update to the HIPAA Rules was the HIPAA Omnibus Rule in 2013, which introduced new requirements mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR issued a Notice of Proposed Rulemaking (NPRM) on December 10, 2020, that proposed a slew of changes to the HIPAA Privacy Rule, and a Final Rule is expected to be issued in 2022; however, no date has yet been provided on when the 2022 HIPAA changes will take effect and become enforceable.
Over the past few years, new HIPAA regulations under consideration include changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS is considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided.
There have been calls from many healthcare stakeholder groups to align Part 2 regulations more closely with HIPAA to allow clinicians to view patients’ entire medical records, including SUD records, to get a complete view of a patient’s health history to inform treatment decisions. If details of treatment for SUD are withheld from doctors, there is a risk that a patient may be prescribed opioids when they are in recovery. There was progress on this front in 2020, not through HHS or OCR rulemaking, but instead as part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.
2020 CARES Act Aligned 42 CFR Part 2 Regulations More Closely with HIPAA
The CARES Act was passed by Congress on March 27, 2020, to ensure that every American has access to the care they need during the COVID-19 pandemic and to address the economic fallout from the 2019 Novel Coronavirus and COVID-19.
Individuals suffering from substance abuse disorder (SUD) must also be able to get the treatment they need during the COVID-19 pandemic, which has meant changes needed to be made to 42 CFR Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations.
The CARES Act improves 42 CFR Part 2 regulations by expanding the ability of healthcare providers to share the records of individuals with SUD but also tightens the requirements in the event of a breach of confidentiality. In short, the changes made by the CARES Act have aligned 42 CFR Part 2 regulations more closely with HIPAA.
The change to 42 CFR Part 2 regulations is based on the Legacy Act, which was introduced by Sens. Capito (R-WV) and Manchin (D-WV). Rather than having to obtain consent from a SUD patient for each use or disclosure, and for consent forms to state the specific parties with whom the information will be shared named in the consent form, patients can give broad consent for their SUD records to be shared for the purposes of treatment, payment, and healthcare operations.
The SUD records can then be shared by a covered entity or business associate for all TPO reasons, as is the case with HIPAA. Uses and disclosures must be limited to the minimum necessary information and consent can be withdrawn (in writing) by the patient at any time. The CARES Act also allows SUD information to be shared with a public health authority if it is de-identified in accordance with HIPAA Rules.
Protections have been put in place for SUD patients, which place limitations on the use of SUD records in criminal, civil, or administrative investigations or proceedings, and there are prohibitions on discrimination against patients suffering from SUD. The same breach notification requirements as HIPAA will apply, so any data breach will require the patient to be notified without unnecessary delay, and no later than 60 days from the discovery of the breach.
New HIPAA Regulations in 2021
While there have not been changes to HIPAA regulations in 2021, new legislation has been introduced that is related to the HIPAA Privacy and Security Rules, in terms of cybersecurity, patient access to healthcare data, and HIPAA enforcement.
2021 HIPAA Safe Harbor Law
On January 5, 2021, the HIPAA Safe Harbor Bill (HR 7898) was signed into law by President Trump and amended the HITECH Act. The purpose of the HIPAA Safe Harbor Bill was to encourage healthcare organizations to adopt recognized cybersecurity practices to improve their defenses against cyberattacks.
The HIPAA Safe Harbor Bill instructs the HHS to take into account the cybersecurity best practices that a HIPPA-regulated entity has adopted in the 12 months preceding any data breach when considering HIPAA enforcement actions and calculating financial penalties related to security breaches. The bill also requires the HHS to decrease the length and extent of any audits in response to those breaches if industry security best practices have been implemented.
Organizations that have adopted recognized cybersecurity best practices and have completed a HIPAA Security Risk Analysis, reduced identified risks to a low and acceptable level, and have implemented technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) will be treated more leniently by OCR, but financial penalties for organizations that have not complied with cybersecurity best practices cannot be increased.
In addition to facing lower penalties and sanctions, HIPAA-regulated entities that adopt cybersecurity best practices and are compliant with the requirements of the HIPAA Security Rule will be better protected against security incidents and data breaches.
21st Century Cures Act
The 21st Century Cures Act (Cures Act) of 2016 was introduced to encourage innovation in medical research, and one of the ways that this was achieved was to make it easier for patients to obtain their healthcare data and share that information with research institutions. The Cures Act called for the HHS to create a new Rule that would improve the flow of healthcare data between providers, patients, and developers of Health IT such as electronic health record (EHR) vendors.
The HHS’ Office of the National Coordinator for Health Information Technology (ONC) published its Interoperability and Information Blocking Final Rule in March 2020, and health care providers, developers of Certified Health IT, and health information networks or exchanges were given until April 5, 2021, to comply with the information blocking provisions of the Final Rule. The Centers for Medicare and Medicaid Services (CMS) also published an interoperability rule in March 2020 that applies to Medicare- and Medicaid-participating short-term acute care hospitals, long-term care hospitals, rehabilitation hospitals, psychiatric hospitals, children’s hospitals, cancer hospitals, and critical access hospitals (CAHs). The compliance date for the CMS rule was July 1, 2021.
Under the CMS Final Rule, CMS-regulated payers including MA organizations, Medicaid Fee-for-Service (FFS) programs, Medicaid managed care plans, CHIP FFS programs, CHIP managed care entities, and QHP issuers, must implement and maintain a secure, standards-based Application Programming Interface (API)) to allow patients to access their claims and receive information through a third-party app of their choice, make provider directory information publicly available through a standards-based API, and send electronic patient event notifications of a patient’s admission, discharge or transfer to another healthcare facility or another community provider or practitioner.
The final interoperability and information blocking rules do not amend HIPAA or the HITECH Act, although they are related. The final rules promote patient access to ePHI and are intended to make access easier. It is possible that HIPAA policies and procedures could violate the ONC Final Rule if they include practices considered to constitute information blocking. Any entity that engages in information blocking can face financial penalties, which are capped at $1 million (adjusted annually for inflation).
How are New HIPAA Regulations Introduced?
The process of making HIPAA updates is slow, as the lack of HIPAA changes in 2019, 2020, and 2021 has shown. It has now been more than 8 years since there was a major update to the HIPAA Rules and changes are now long overdue. Before any regulations are changed, the Department of Health and Human Services seeks feedback on aspects of HIPAA regulations that are proving problematic or, due to changes in technologies or practices, are no longer as important as when they were signed into law.
After considering the comments and feedback, the HHS then submits an NPRM which is followed by a comment period. Comments received from healthcare industry stakeholders are considered before a final rule is issued. HIPAA-covered entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and the HIPAA changes become enforceable.
The NPRM for the proposed HIPAA Privacy Rule changes was published in the Federal Register on January 21, 2021, and healthcare industry stakeholders were invited to submit comments on the 357-page proposal, with the deadline for submitting comments set as March 22, 2021. The proposed HIPAA Privacy Rule changes are far-reaching and affect almost everyone that interacts with the health care system. Due to the extent of the proposed HIPAA changes and their potential impact, the deadline for submitting comments was extended to May 6, 2021. As 2021 draws to a close, OCR has yet to provide a date for when the Final Rule will be issued, but it is likely to result in HIPAA changes in 2022, although they may not become enforceable this year.
New HIPAA Regulations in 2022
There are expected to be new HIPAA regulations in 2022 when OCR publishes the final rule on the proposed changes to the HIPAA Privacy Rule. While there have been calls from industry stakeholders to make several other HIPAA updates in 2022, there are unlikely to be any other new HIPAA laws in 2022. Given the extent of the HIPAA changes 2022 through the Privacy Rule update and their impact on HIPAA-regulated entities, further notices of proposed rulemaking on HIPAA updates are unlikely in 2022.
Final Rule Expected on Proposed Changes to the HIPAA Privacy Rule
OCR issued a request for information in December 2018 asking HIPAA-covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstruct the provision of healthcare, and areas where HIPAA updates could be made to improve care coordination and data sharing.
OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care. The changes to HIPAA include easing of restrictions on disclosures of PHI that require authorizations from patients and several HIPAA changes to strengthen patient rights to access their own PHI. One proposed change that has attracted some criticism is the requirement to make the sharing of ePHI with other providers mandatory. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have voiced their concern about mandatory sharing of healthcare data, and also against another proposed change that shortens the timescale for responding to patient requests for copies of their medical records.
HHS Deputy Secretary Eric Hargan had previously explained that complaints had been received that some provisions of the HIPAA Privacy Rule are stopping patients and their families from getting the help they need and that changes are necessary to help with the fight against the current opioid crisis in the United States. HIPAA changes have also been proposed to reduce the administrative burden on HIPAA-covered entities.
The proposed new HIPAA regulations announced by OCR in December 2020 are as follows:
- Allowing patients to inspect their PHI in person and take notes or photographs of their PHI.
- Changing the maximum time to provide access to PHI from 30 days to 15 days.
- Requests by individuals to transfer ePHI to a third party will be limited to the ePHI maintained in an EHR.
- Individuals will be permitted to request their PHI be transferred to a personal health application.
- States when individuals should be provided with ePHI at no cost.
- Covered entities will be required to inform individuals that they have the right to obtain or direct copies of their PHI to a third party when a summary of PHI is offered instead of a copy.
- HIPAA-covered entities will be required to post estimated fee schedules on their websites for PHI access and disclosures.
- HIPAA-covered entities will be required to provide individualized estimates of the fees for providing an individual with a copy of their own PHI.
- Pathway created for individuals to direct the sharing of PHI maintained in an EHR among covered entities.
- Healthcare providers and health plans will be required to respond to certain records requests from other covered health care providers and health plans, in cases when an individual directs those entities to do so under the HIPAA Right of Access.
- The requirement for HIPAA-covered entities to obtain written confirmation that a Notice of Privacy practices has been provided has been dropped.
- Covered entities will be allowed to disclose PHI to avert a threat to health or safety when harm is “seriously and reasonably foreseeable.” The current definition is when harm is “serious and imminent.”
- Covered entities will be permitted to make certain uses and disclosures of PHI based on their good faith belief that it is in the best interest of the individual.
- The addition of a minimum necessary standard exception for individual-level care coordination and case management uses and disclosures, regardless of whether the activities constitute treatment or health care operations.
- The definition of healthcare operations has been broadened to cover care coordination and case management.
- The Armed Forces’ permission to use or disclose PHI to all uniformed services has been expanded.
- A definition has been added for electronic health records.
Challenges Complying with the New HIPAA Regulations in 2022
The proposed changes to the HIPAA Privacy Rule are a cause of concern for many covered entities, business associates, and patient privacy advocates due to the potential impact the proposed changes will have on the privacy and security of healthcare data, the economic burdens the changes may place on healthcare providers. There was also hope that the changes would align HIPAA more closely with the Part 2 regulations and the 21st Century Cures Act.
While some of the proposed changes to the HIPAA Privacy Rule are intended to ease the administrative burden on healthcare organizations, when the Final Rule is published, considerable time and effort will need to be put into implementing the changes. There will be a need to update HIPAA policies and procedures and communicate those changes to patients and health plan members. Employees will need to be given further HIPAA training, as the HIPAA Privacy Rule requires training to be provided whenever there is a material change to HIPAA policies. Training courses will need to be updated, and providing training to the workforce has the potential to cause workflow disruptions.
The Privacy Rule has largely been concerned with restricting the uses and disclosures of PHI. The latest HIPAA changes introduce new requirements to make healthcare information flow more freely and improve access rights for patients. Implementing those HIPAA changes could well create challenges for healthcare organizations. The Office For Civil Rights has been cracking down on violations of the HIPAA Right of Access when timely access to medical records in a designated data set is not provided. The time frame for providing those records has been shortened. Based on the number of financial penalties for HIPAA Right of Access violations, many healthcare providers have struggled to provide records within 30 days, so providing the records within 15 days will be particularly challenging, especially considering the maximum extension has also been shortened to 15 days.
Another area of concern is the definition of electronic health record, which includes billing records. Billing records will need to be provided when individuals request a copy of their records. Billing records are often kept in a different system – not in the EHR – which could slow down the processing HIPAA Right of Access requests. Individuals must have to deal with unreasonable measures when exercising their right of access, which includes unreasonable identity checks. The updates to the HIPAA Privacy Rule do not specify what constitutes unreasonable, which could be a source of confusion for HIPAA-covered entities.
A definition has been added for Personal Health Application – an application used by an individual to access their health records. Healthcare organizations will be required to inform individuals about the privacy and security risks of sending their PHI to a third-party application, which is not required to have safeguards mandated by HIPAA. Healthcare providers are likely to have to develop their own patient warnings to ensure patients are made aware of the risks. A change has also been made which allows patients to orally request a copy of their PHI be sent to a third party. Healthcare organizations may struggle to implement the necessary changes to allow those requests to be processed correctly.
There has also been a change to the language of the HIPAA Privacy Rule regarding the need to provide copies of ePHI in the format requested by the individual. “Readily producible” copies of PHI now include copies requested through standards-based APIs using individuals’ personal health applications. It may not be easy for some healthcare providers to provide records in those formats, as they may be restricted by the EHR system they have implemented.
The new HIPAA regulations will allow patients to inspect their PHI in person and take notes and photographs. That too will create challenges, as patients will need to be allowed to inspect their PHI privately, and care will need to be taken to ensure they are not photographing PHI that they are not authorized to obtain – either their own or the PHI of others. HIPAA-covered entities will need to determine how best to provide that information. It may be necessary to create an area where records can be viewed electronically, and even to supervise individuals who are inspecting their PHI in person. In-person requests to inspect PHI will also need to be provided free of charge, even though providing in-person access has the potential to have a cost impact on a HIPAA-covered entity.
As these issues show, while the changes in many cases are minor, the implications for HIPAA-covered entities are considerable. It will likely take considerable planning and resources to implement all of the changes, update policies and procedures, and provide training to the workforce. Efforts to implement the new HIPAA changes will need to be initiated promptly after the Final Rule is published to ensure it is possible to be compliant with the new HIPAA regulations in 2022 and certainly by the effective date.
Recent Changes to HIPAA Enforcement
Halfway through 2018, OCR had only agreed to three settlements with HIPAA-covered entities to resolve HIPAA violations and its enforcement actions were at a fraction of the level in the previous two years. It was starting to look like OCR was easing up on its enforcement of compliance with the HIPAA Rules. However, OCR announced many more settlements in the second half of the year and closed 2018 on 10 settlements and one civil monetary penalty – One more penalty than in 2018. 2018 ended up being a record year for HIPAA enforcement. The final total for fines and settlements was $28,683,400, which beat the previous record set in 2016 by 22%.
OCR’s enforcement activities continued at a high level in 2019 and OCR closed the year with 10 settlements and civil monetary penalties, totaling $12,274,000. In late 2019, OCR announced it was embarking on a new enforcement drive focused on compliance with the HIPAA Right of Access, which requires individuals to be provided with timely access to their medical records for only a reasonable, cost-based fee.
OCR settled two cases in 2019 under this initiative – both for $85,000 – and a further 11 settlements were announced in 2020 to resolve potential violations of the HIPAA Right of Access. In addition to noncompliance with the HIPAA Right of Access, OCR imposed financial penalties for particularly egregious cases of noncompliance. The failure to conduct comprehensive risk analyses, poor risk management practices, lack of HIPAA policies and procedures, no business associate agreements, impermissible PHI disclosures, and a lack of safeguards all attracted HIPAA fines in 2020. 2020 saw more financial penalties imposed for potential violations of the HIPAA Rules than any other year, with the year closing with 19 settlements totaling $13,554,900.
There was a slight reduction in HIPAA enforcement actions in 2021, with 14 financial penalties announced to resolve HIPAA violations, the majority of which (12) were for violations of the HIPAA Right of Access. Aside from one financial penalty of $5,100,000 for Excellus Health Plan, the financial penalties were far lower in 2021 than in recent years, with the penalties totaling $5,982,150 for the year. 2021 also saw an increase in the number of penalties for small healthcare providers.
HIPAA Civil Monetary Penalty Overturned
In 2018, OCR imposed a civil monetary penalty of $4,348,000 on the University of Texas MD Anderson Cancer Center. OCR launched an investigation into three data breaches that collectively resulted in an impermissible disclosure of thePHI of almost 35,000 individuals. The incidents occurred in 2012 and 2013 and involved the theft of an unencrypted laptop computer and two flash drives.
OCR determined MD Anderson had violated the HIPAA Rules by failing to encrypt the devices. In April 2019, MD Anderson appealed the fine alleging the HHS did not have the authority to impose the penalty and that it was excessive. In January 2021, the penalty was overturned and OCR admitted it could not defend a fine of more than $450,000. The case was remanded for further proceedings and the civil monetary penalties were vacated by the Fifth Circuit Court of Appeals. The judge stated the civil monetary penalties were “arbitrary, capricious and otherwise unlawful.”
The overturning of the HIPAA fine is likely to force OCR to change its approach to HIPAA enforcement. The decision could also encourage other covered entities to appeal any proposed financial penalties for HIPAA violations. It remains to be seen how OCR’s approach to HIPAA enforcement will change in 2022, but it is likely that OCR will continue to crack down on healthcare providers that fail to provide patients with timely access to their medical records.
OCR Gets New Director
In September 2021, 8 months into the Biden administration, Lisa J. Pino was appointed as the new OCR Director, taking over from acting OCR director Robinsue Frohboese who headed the agency since the resignation of Roger Severino in January 2021. In contrast to past directors, Pino has cybersecurity and data breach experience, having served as a senior executive service official and senior counsel in the U.S. Department of Homeland Security (DHS). Pino’s cybersecurity experience may result in a change to how OCR conducts investigations of data breaches, especially in light of the HIPAA Safe Harbor Law. She will also have to guide OCR’s enforcement efforts, taking into consideration the findings of the Fith Circuit Court of Appeals.
Penalty Structure for Violations of HIPAA Regulations in 2022
In 2019, there was a notable HIPAA change related to HIPAA enforcement actions. OCR issued a Notice of Enforcement Discretion after reinterpreting the requirements of the HITECH Act regarding penalties for non-compliance with the HIPAA Rules. The HITECH Act called for an increase in penalties for non-compliance with the HIPAA. Rules and at the time, the HHS interpreted the language of the HITECH Act as requiring a cap of $1.5 million for HIPAA violations across all four penalty tiers. In 2019, the requirements of the HITECH Act were reassessed and interpreted differently. Rather than capping the penalties at $1.5 million across all four tiers, different maximum fines were set for each of the four tiers, as detailed in the infographic below.
Since the change was addressed through a Notice of Enforcement Discretion, it is not legally binding. OCR is expected to make the new penalty levels permanent with a Notice of Proposed Rulemaking, which may be published in 2022. In the meantime, the Notice of Enforcement Discretion remains in effect indefinitely.
HIPAA Changes in 2020/2021 Due to the COVID-19 Pandemic Remain in Effect
The COVID-19 pandemic has not resulted in any permanent changes to HIPAA, but it has seen unprecedented flexibilities introduced on a temporary basis to make it easier for healthcare providers and business associates on the front line in the fight against COVID-19.
During emergency situations such as disease outbreaks, HIPAA Rules remain in effect and the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule remain unchanged. However, enforcement of compliance may be eased.
OCR has announced three Notices of Enforcement Discretion in 2020 and one in 2021 in response to the COVID-19 pandemic, which will see penalties and sanctions for certain HIPAA violations waived for the duration of the COVID-19 nationwide public health emergency.
The Notices of Enforcement Discretion are as follows:
Good Faith Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
The first Notice of Enforcement Discretion in relation to COVID-19 was announced by OCR on March 17, 2020, and concerns the good faith provision of telehealth services. OCR is waiving potential penalties for HIPAA violations by healthcare providers that provide virtual care to patients through everyday communications technologies during the COVID-19 nationwide public health emergency.
This means healthcare providers are permitted to use everyday communications tools to provide telehealth services to patients, even if those tools would not normally be considered fully HIPAA compliant.
Platforms such as FaceTime, Skype, Zoom, and Google Hangouts video can be used in the good faith provision of telehealth services to patients without penalty for the duration of the public health emergency. However, public-facing platforms such as TikTok and Facebook Live must not be used.
Good Faith Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities
On April 2, 2020, OCR announced it will be exercising enforcement discretion and will not impose sanctions and penalties on business associates of HIPAA-covered entities for uses and disclosures of PHI for public health and health oversight activities. HIPAA prohibits these uses and disclosures unless it is stated in a business associate agreement (BAA) that the disclosures are permitted. For the duration of the public health emergency, business associates will not face penalties for these uses and disclosure, provided they notify the covered entity after the event, within 10 days of the use or disclosure occurring.
Participation in the Operation of Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020, OCR announced it will be exercising enforcement discretion for noncompliance with HIPAA Rules in relation to the good faith participation in the operation of COVID-19 testing sites and will refrain from imposing sanctions and penalties on covered entities and business associates at drive-through, walk-up, and mobile sites.
The Notice of Enforcement Discretion covers the operation of these sites and all activities that support the collection of specimens from individuals for COVID-19 testing only. While penalties will not be applied, “OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI.”
The Notice of Enforcement Discretion is retroactive to March 13, 2020.
Notice of Enforcement Discretion Regarding Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments
OCR announced a further Notice of Enforcement Discretion on January 19, 2021, to help HIPAA-covered entities with the rollout of COVID-19 vaccines.
OCR said HIPAA sanctions and penalties will not be imposed on HIPAA-covered entities or their business associates in relation to the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments.
WBSAs can be used for scheduling COVID-19 vaccination appointments, even if their use would not normally be considered fully compliant with the HIPAA Rules (e.g., no business associate agreement).
The Notice of Enforcement Discretion does not cover the use of WBSAs for scheduling vaccination appointments if the WBSA provider has prohibited the use of its WBSA for making healthcare appointments. Enforcement discretion will not apply if the WBSA is used for anything other than booking COVID-19 appointments, such as arranging appointments for other medical services or for conducting screening for COVID-19 prior to arranging an in-person healthcare visit.
Any WBSA must have privacy and security safeguards that can be activated to ensure the privacy and confidentiality of healthcare data, and OCR encourages HIPAA covered entities and their business associates to ensure that safeguards are implemented, such as the use of encryption, if possible, adhering to the minimum necessary standard, and activating all privacy controls.
The Notice of Enforcement Discretion took effect on January 19, 2021, and is retroactive to December 11, 2020.
New HIPAA Regulations FAQs
Once a Notice of Proposed Rulemaking has been issued, is it guaranteed there will be a change to the HIPAA Rules?
Not necessarily. In 2014, the Department of Health & Human Services issued a Notice of Proposed Rulemaking that would have required health plans to prove compliance with certain areas of the Administration Simplification standards via certification. The proposed Rule was withdrawn in 2017 due to concerns it would place a significant burden on employers´ self-funded health plans.
How likely is it that all the new HIPAA regulations being proposed in the current NPRM will be adopted?
Most unlikely. The American Hospital Association (AHA) is one of a number of stakeholders that have raised concerns about the proposed changes – particularly changes relating to a reduction in the maximum time allowed to respond to patient requests, allowing patients to photograph PHI, and transferring PHI to personal health applications.
Will there definitely be some new HIPAA regulations in 2022?
It is impossible to know for sure. It can take years from relatively simple Rules (such as the NICS Rule) to be finalized; and, due to potential conflicts between the proposed new HIPAA regulations, 42 CFR Part 2 regulations (relating to the confidentiality of substance use disorder patient records), and Cures Act regulations, it could be some time until any new HIPAA regulations are finalized.
How much disruption might the new HIPAA regulations create?
This will depend on how many of the proposals are adopted in the Final Rule. If patients are allowed to photograph PHI or the maximum time allowed to respond to patient requests is reduced, this will create significant disruption in terms of developing new policies and procedures, training employees on the new policies and procedures, and monitoring compliance.
When a Final Rule is published, will Covered Entities have to comply with it immediately?
This is unlikely. When the original Privacy Rule Final Rule was published in 2002, Covered Entities were given a year to make systems, policies, and procedures HIPAA compliant. Small health plans were given two years. Consequently, if a Final Rule is published 2022, the OCR will allow a similar period of time for Covered Entities to make the necessary adjustments.