24-Q&C-514-Navigation HIPPA Compliance Blog 02. Blog Image-V1-MD (1)

Navigating HIPAA Compliance: Recent and Upcoming Changes in 2024

July 5, 2024
July 5, 2024

As healthcare continues to evolve, so must the regulations that govern it. This year marks a significant transformation for HIPAA compliance, with substantial changes on the horizon that will impact healthcare providers, patients, and the broader healthcare technology industry.

A Decade Since the Last Major Update

The last significant update to the HIPAA Rules came in 2013 with the HIPAA Omnibus Final Rule, which introduced new regulations mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Since then, the healthcare landscape has undergone tremendous changes, necessitating a fresh look at HIPAA regulations to address new challenges and opportunities.

Strengthening Reproductive Healthcare Privacy

In April 2024, a final rule was published to strengthen reproductive healthcare privacy. These changes, effective from June 25, 2024, and enforceable starting January 1, 2025, include:

  • A new definition of "reproductive health care" encompassing terminations, contraception, fertility, and miscarriage care.
  • Enhanced limitations on the use and disclosure of PHI related to reproductive healthcare, which cannot be bypassed by consent or authorization.
  • Mandatory attestations accompanying requests for reproductive healthcare information to ensure it is not used for out-of-state judicial or administrative proceedings.
  • Clarification that facilitating reproductive healthcare does not constitute abuse, neglect, or domestic violence.
  • Patient reassurance through updated Notices of Privacy Practices, with compliance required by February 16, 2026.

The Office for Civil Rights (OCR) has also clarified that any unauthorized disclosure of reproductive health care data will be treated as a notifiable data breach under the HIPAA Privacy Rule.

Expanding Coverage to Health Apps and Technologies

On April 26, 2024, the Federal Trade Commission (FTC) issued a final rule updating the Health Breach Notification Rule. This rule now includes health apps and other technologies not previously covered by HIPAA, such as websites collecting health data but not operated by HIPAA-regulated entities. Key updates include:

  • Expanded definitions to cover more technologies.
  • New requirements for consumer notification content.
  • Mandatory FTC notifications for breaches of 500 or more records within 60 days of discovery.

Upcoming Changes and Patient Rights Enhancements

Looking forward, several more changes are expected in 2024. Following a request for feedback from HIPAA-covered entities in 2018, the OCR proposed new regulations in December 2020 aimed at reducing administrative burdens and enhancing patient rights. Proposed changes include:

  • Allowing patients to inspect and photograph their PHI in person.
  • Reducing the maximum time to provide PHI access from 30 to 15 days.
  • Limiting ePHI transfer requests to the ePHI maintained in an EHR.
  • Enabling PHI transfers to personal health applications.
  • Providing ePHI at no cost in specified circumstances.
  • Requiring covered entities to inform individuals of their right to direct PHI copies to third parties.
  • Mandating online posting of PHI access and disclosure fee schedules.
  • Dropping the requirement for written confirmation of Notices of Privacy Practices.
  • Broadening the definition of healthcare operations to include care coordination and case management.

Challenges for Healthcare Organizations

Implementing these changes will require significant effort from healthcare organizations. Updated HIPAA policies and procedures will need to be communicated to patients and health plan members, and employees will require further training. Training courses will need to be updated, as updated training is to be provided whenever there is a material change to HIPAA policies.

Strengthening Cybersecurity in Healthcare

Since the last major update in 2013, the Security Rule has remained relatively unchanged. However, 2024 will likely bring substantial revisions driven by a new Healthcare Sector Cybersecurity concept paper. This initiative outlines steps to enhance cyber resiliency and patient safety, including:

  1. Establishing voluntary cybersecurity goals.
  2. Providing resources for cybersecurity practice implementation.
  3. Supporting greater enforcement and accountability.
  4. Expanding the HHS one-stop shop for healthcare sector cybersecurity.

Additionally, the finalized HPH Cybersecurity Performance Goals (CPGs) announced in January 2024 outline high-impact practices divided into Essential and Enhanced CPGs, with the goal of mitigating cyber threats effectively.

Compliance Audits and Future Readiness

Under the HITECH Act, OCR is mandated to conduct periodic audits of HIPAA-regulated entities. In 2024, these audits will focus on HIPAA Security Rule compliance, ensuring that healthcare organizations adhere to the latest standards and are prepared for future challenges.

The recent and anticipated changes to HIPAA regulations in 2024 represent a significant shift towards enhanced privacy, security, and patient empowerment. Healthcare organizations need strategies to stay informed and proactive while implementing these changes to maintain compliance and continue providing high-quality care.

Learn about how HealthStream’s ComplyQ can help your organization stay compliant with ever-changing regulations.

Request Demo